Zero trust is one of the most-cited terms in security and one of the most-misused, so the useful starting point is the authoritative definition rather than a vendor's framing. The National Institute of Standards and Technology defines it in Special Publication 800-207, "Zero Trust Architecture". NIST describes zero trust (ZT) as the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources, and a zero trust architecture (ZTA) as an enterprise's use of those principles to plan infrastructure and workflows.
The defining commitment of the model is the removal of trust-by-location. NIST states it in the publication's abstract, and the sentence is the one worth quoting because every other zero-trust control follows from it.
"Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established." — NIST SP 800-207, Zero Trust Architecture
Read that against the perimeter model it replaces. In a traditional perimeter architecture, a user or device that is inside the corporate network — past the firewall, on the LAN, on the VPN — is implicitly trusted, and lateral movement once inside is comparatively unguarded. NIST's definition removes exactly that implicit trust: being on the internal network grants nothing. Authentication and authorization of both the subject (the user) and the device are performed as discrete functions before a session to a resource is established, and they are performed per request rather than once at the network edge. That is why zero trust is sometimes summarized as "never trust, always verify" — but NIST's precise formulation, no implicit trust based on location or ownership, is the version a document-grounded explainer should anchor on.
The components NIST names
SP 800-207 also gives zero trust a concrete logical architecture, which is what distinguishes the NIST model from a slogan. At its center is a policy decision point (PDP) paired with a policy enforcement point (PEP). NIST frames zero trust as a set of principles and concepts around moving the PDP and PEPs closer to the resource, so that the decision to grant access and the enforcement of that decision happen near what is being protected rather than at a distant network boundary. The PDP evaluates each access request against policy — using signals about the user, the device, and context — and the PEP enforces the resulting allow-or-deny for that specific session. Because the decision is made per session and per resource, an attacker who compromises one credential or one device does not inherit broad network access the way they would inside a perimeter model.
NIST is also careful about what zero trust is not. The publication notes that many discussions of ZT stress removing wide-area perimeter defenses such as enterprise firewalls as a factor, but it does not frame zero trust as simply deleting the firewall. The shift is in where and how trust decisions are made — toward per-session, per-resource authentication and authorization of subject and device — not the wholesale abandonment of existing controls. Zero trust is an architecture and a set of principles applied across users, assets, and workflows, not a single product a defender installs.
NIST frames the model as a set of principles around moving the policy decision point and policy enforcement points closer to the resource. That spatial language is deliberate. In a perimeter design, the trust decision is made once, at a distant boundary, and everything inside inherits it. Zero trust relocates the decision next to the thing being protected, so each resource gets its own gate. The PDP draws on signals — identity, device posture, and contextual factors — to evaluate a request against policy, and the PEP enforces that evaluation for the specific session. Because each resource is independently gated, compromise of one credential or one device does not cascade into broad access the way it does once an attacker is "inside" a perimeter.
The model is also explicitly evolutionary rather than a fixed endpoint. NIST calls zero trust an "evolving set" of paradigms, and SP 800-207 describes ZTA as something an enterprise plans toward across its infrastructure and workflows. That matters for honest reading of vendor and disclosure language: "we implement zero trust" is not a binary certification but a description of how far an organization has moved authentication and authorization toward the per-session, per-resource model NIST defines. The publication's logical components — the PDP/PEP split, plus the data sources that feed policy decisions — give a defender a concrete checklist for assessing how much of the model is actually in place, rather than relying on the label alone.
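As an added illustration (not code from SP 800-207, NIST, or any vendor), the Python below places a perimeter-style decision next to a minimal policy decision point that checks subject and device as discrete functions for each request and never consults network location; the policy table, resource names, address ranges, assurance levels and the two request scenarios are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy (illustrative, not NIST's): per-resource requirements
# that the PDP evaluates on every request, regardless of where it originates.
POLICY = {
    "payroll-db": {"min_auth": 2, "roles": {"finance"}, "managed_device": True},
    "wiki":       {"min_auth": 1, "roles": {"staff", "finance"}, "managed_device": False},
}
CORPORATE_LAN = ipaddress.ip_network("10.0.0.0/8")  # constructed address range

@dataclass(frozen=True)
class Request:
    subject: str
    roles: frozenset
    auth_level: int        # constructed scale: 0 = none, 1 = password, 2 = phishing-resistant MFA
    device_managed: bool
    device_compliant: bool
    source_ip: str         # a signal the PDP receives but never treats as trust
    resource: str

def perimeter_decide(req: Request) -> tuple[bool, str]:
    """Perimeter model: anything on the LAN is implicitly trusted (the pattern ZT removes)."""
    if ipaddress.ip_address(req.source_ip) in CORPORATE_LAN:
        return True, "inside the perimeter"
    return False, "outside the perimeter"

def zt_decide(req: Request) -> tuple[bool, str]:
    """PDP: subject and device are checked as discrete functions, per request, per resource."""
    policy = POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource"
    if req.auth_level < policy["min_auth"]:
        return False, "subject authentication below required level"
    if not req.roles & policy["roles"]:
        return False, "subject not authorized for resource"
    if policy["managed_device"] and not (req.device_managed and req.device_compliant):
        return False, "device posture insufficient"
    return True, "allowed"

# Constructed scenario: a foothold on a LAN host, no credentials, unmanaged device.
LATERAL = Request("unknown", frozenset(), 0, False, False, "10.20.30.40", "payroll-db")
# Constructed scenario: a finance user on a managed, compliant laptop, off the LAN.
REMOTE = Request("alice", frozenset({"finance"}), 2, True, True, "203.0.113.7", "payroll-db")

if __name__ == "__main__":
    for name, req in (("lateral", LATERAL), ("remote", REMOTE)):
        print(name, "perimeter:", perimeter_decide(req), "zero-trust:", zt_decide(req))
```

The PEP in this sketch is simply whatever calls `zt_decide` before opening the session; the point of the contrast is that the lateral case passes the perimeter check and fails every zero-trust check, while the remote case does the reverse.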
Why the definition matters for reading breach disclosures
The practical reason to hold the NIST definition precisely is that "zero trust" appears constantly in incident post-mortems and risk disclosures, and the term is only meaningful if it carries NIST's content. When a breach involves an attacker moving laterally after an initial foothold, the relevant question against the zero-trust model is whether access to each resource was independently authenticated and authorized — subject and device, per session — or whether internal network position conferred implicit trust. The NIST definition supplies the yardstick: a zero trust architecture is one in which no asset or account is trusted based solely on its location or ownership, and every resource session is gated by discrete authentication and authorization. For any explainer, comparison, or disclosure analysis that turns on the term, SP 800-207 is the citable primary source, and its abstract sentence on implicit trust is the load-bearing claim.