Zero trust still matters. It's just not enough.

A field guide for banking and financial services leaders on what AI, machines, and multicloud have changed—and what security must do next.

Can your bank's security keep up?

Security teams are struggling to maintain consistent control as multicloud growth, rising machine identities, and rapid AI adoption increase complexity. Fragmented configurations, uneven policy enforcement, and uncontrolled machine‑to‑machine access widen the gap between business speed and security oversight.

At the same time, sanctioned and shadow AI systems introduce poorly governed decision‑making surfaces. Weak or missing controls remain the primary failure point—highlighting the need for a unified, automated approach to securing identities, workloads, and AI‑driven operations.

36% of cloud breaches trace back to a single root cause: misconfiguration.1

Why security falls behind

In today’s multicloud and hybrid environments, the attack surface is the environment. As financial institutions scale, four structural forces consistently erode security posture. Compounding each other, they create systemic gaps that traditional perimeter controls were never designed to handle.

Zero trust wasn't the problem

At this point, it’s fair to ask: is zero trust still relevant for modern banking and financial services?

For IBM, the answer is clear: zero trust has evolved from a security framework into a foundational operating model for regulated, multicloud enterprises.

The pillars remain the same: consistent enforcement, continuous verification, and end-to-end visibility. Where financial institutions struggle is not strategy but execution at scale, auditability, and proof of control.

As software, services and agents take on more responsibility, zero trust must evolve. Least privilege must extend to models and agents, while assume breach must emphasize continuous assurance—not point-in-time audits. Many strategies fail here because real progress depends on controls that can be demonstrated, audited, and trusted continuously—requirements that align directly with regulatory expectations in banking and financial services.

For zero trust to deliver on its promise, it must be executed through a unified, identity‑driven approach that makes secure behavior measurable, enforceable and reviewable by default. This is where IBM helps financial institutions move from policy concepts to operational reality.

Zero trust as an enabler—not a speed bump

Zero trust only becomes a speed bump when it’s bolted on. When embedded into identity and access decisions, zero trust can help accelerate the business while strengthening auditability and executive oversight. For banks and financial institutions, this means faster digital delivery without increasing supervisory risk.

Turning zero trust principles from theory into day-to-day operations requires a set of capabilities that work together, not in isolation. 

Authentication and authorization

Human identities

Users move constantly across SaaS platforms, internal systems, cloud infrastructure, and development pipelines—introducing friction and unmanaged risk when no unified identity layer exists. Without a consistent identity foundation, every transition becomes a new access decision, a new policy, and a new opportunity for friction or risk.

Zero trust addresses this by anchoring human access in a unified identity source. By integrating with existing identity providers such as Active Directory, Okta, Ping, or LDAP, banks and financial institutions can enforce phishing‑resistant multifactor authentication (MFA), issue short‑lived tokens, and make access decisions that adapt to risk—incorporating behavioral signals and device posture in real time.

As users move across environments, policy travels with them. Instead of re‑authenticating through disconnected controls, access is evaluated consistently—closing common lateral‑movement paths, reducing account sprawl, and giving security teams control without slowing builders down.

With this foundation in place, identities are managed in one place, MFA is enforced by default, access to environments and pipelines is governed through clear roles, and isolation and approvals happen automatically in the background—so staff move faster while the institution reduces exposure.

Machine Identities

Machine identities now outnumber human identities by orders of magnitude. Long‑lived secrets, unmanaged API keys, and implicit trust between systems create quiet but expansive risk, and that risk compounds silently when those identities are poorly governed.

Zero trust treats machine identity as a first-class control surface, enforcing short-lived credentials, automated rotation, and policy-as-code by default. Workloads, platforms, CI/CD stages, and AI agents are required to authenticate before accessing resources, using short‑lived, scoped credentials instead of static secrets.

With policy defined as code and enforced automatically, teams gain end‑to‑end traceability without manual effort. Audit logs become tamper‑evident, and compliance can be continuously evidenced from how access is granted, giving banks and other regulated financial institutions a defensible, end-to-end record of access decisions.

In practice, credentials are issued and rotated automatically, secrets are pulled only when needed, and TLS certificates are managed end‑to‑end. Together, these patterns give systems a consistent way to prove who they are—and limit what they can access.

Access

Human-to-human

Traditional infrastructure access was built around static network trust—VPNs, bastion hosts, and standing credentials that linger long after they’re needed. These models create friction for engineers and blind spots for security teams.

Zero trust replaces that model with session‑based authorization. Instead of granting persistent access, engineers authenticate, request a specific target, and receive a single‑use authorization token. Credentials are brokered per session and revoked automatically when that session ends.

The result is fewer standing permissions, less password sharing, and fewer unmanaged tunnels. Engineers gain fast, reliable access without ticketing delays, while security teams gain comprehensive audit trails—and session recordings where required—meeting audit, risk, and supervisory expectations without adding workflow friction.
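The session‑based authorization flow described above, and the short‑lived, scoped credentials the Machine Identities section calls for, as an added Python example that is not IBM's code or any product's API: a toy broker issues a token bound to one subject, one target and an expiry, accepts it exactly once, and revokes it when the session ends. The HMAC key, target names and audit record format are constructed for illustration; a real broker would keep the key in an HSM or KMS and write the audit records to tamper‑evident storage.

```python
import base64, binascii, hashlib, hmac, json, secrets, time

class SessionBroker:
    """Toy session credential broker (constructed example, not a product API)."""
    def __init__(self, signing_key: bytes, ttl_seconds: int = 300):
        self.key = signing_key          # HMAC key; a real broker would hold this in a KMS
        self.ttl = ttl_seconds          # tokens are short-lived by construction
        self.unredeemed = {}            # jti -> claims; entry removed on redeem or revoke
        self.audit = []                 # (event, subject, target, outcome) tuples

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def _claims(self, token: str):
        """Verify the signature and return the claims, or None if tampered or malformed."""
        try:
            b64, sig = token.rsplit(".", 1)
            payload = base64.urlsafe_b64decode(b64)
        except (ValueError, binascii.Error):
            return None
        if not hmac.compare_digest(self._sign(payload), sig):
            return None
        return json.loads(payload)

    def issue(self, subject: str, target: str, now: float = None) -> str:
        """Issue a single-use token bound to one subject, one target and an expiry."""
        now = time.time() if now is None else now
        claims = {"jti": secrets.token_hex(16), "sub": subject,
                  "tgt": target, "exp": now + self.ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        self.unredeemed[claims["jti"]] = claims
        self.audit.append(("issue", subject, target, "ok"))
        return base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)

    def redeem(self, token: str, target: str, now: float = None):
        """Return the subject if the token is valid for `target`; consumes it on success."""
        now = time.time() if now is None else now
        claims = self._claims(token)
        if claims is None or claims["tgt"] != target:   # wrong target: deny, do not burn
            self.audit.append(("redeem", None, target, "denied"))
            return None
        live = self.unredeemed.pop(claims["jti"], None)  # a replay finds nothing to pop
        outcome = "ok" if live and now <= claims["exp"] else "denied"
        self.audit.append(("redeem", claims["sub"], target, outcome))
        return claims["sub"] if outcome == "ok" else None

    def end_session(self, token: str) -> None:
        """Revoke a token that was never redeemed once its session ends."""
        claims = self._claims(token)
        if claims and self.unredeemed.pop(claims["jti"], None):
            self.audit.append(("revoke", claims["sub"], claims["tgt"], "ok"))
```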

Machine-to-machine

As applications become more distributed, service‑to‑service communication becomes one of the hardest areas to secure. IP allowlists and network boundaries don’t scale across clouds and environments—and they’re brittle by design.

Zero trust applies identity‑based controls to every interservice connection by default. Once services have identities, authentication and authorization are enforced on every call, allowing least‑privilege access rules to be applied consistently—regardless of where a service runs.

This approach enables:

  • Mutual TLS (mTLS) to provide cryptographic proof of service identity.
  • Identity‑based traffic policies that centrally define which services may communicate, and under what conditions—eliminating per‑environment exceptions that cause zero trust drift.
  • Automated certificate issuance and renewal, keeping systems current without manual handoffs, while identity‑aware routing enforces least‑privilege access end to end.

Data protection and continuous assurance

Zero trust assumes breach—a principle that aligns directly with modern banking and financial risk management. The final line of defense is the data itself.

By extending zero trust principles to the data layer, organizations move beyond periodic audits to continuous assurance, enforcing data protections persistently to limit blast radius even when identities are compromised.

This includes:

  • Encryption as a service with fine‑grained access controls.
  • Transparent data encryption backed by managed keys.
  • Continuous discovery and remediation of leaked or unmanaged secrets across repositories, images, and pipelines.
  • Ongoing compliance scanning using policy as code to detect drift early and trigger closed‑loop remediation.

The result is a security posture where compliance is no longer a separate initiative—it’s a measurable outcome of how access and data protection are enforced every day.

Minimize risks. Maximize gains.

Banks and financial institutions that move from a perimeter‑based zero trust model to a modern identity‑based approach for people, machines and AI workloads—across all environments—report measurable operational improvements in addition to stronger security:

  • Organizations using AI- and automation-driven controls cut breach costs by an average of USD 1.9 million.2
  • AI and automation also shorten containment by 80 days compared with organizations that don’t use them.2
  • Internal security teams now detect 50% of breaches (up from 42% year-over-year).2
  • Earlier identification lowers cost compared with attacker disclosures.2

These outcomes are not accidental. They’re the result of treating zero trust as an operating model. Automation removes the manual friction of credential management. Unified policy replaces brittle, one‑off controls across clouds. And an identity-driven posture aligned to regulatory, internal audit and AI governance requirements enables security to move at the speed of the business, not slow it down.

See zero trust in action

Learn how the Commercial International Bank modernized their security posture by automating identity, access and infrastructure controls.

Zero trust only works when it’s everywhere

The industry agrees: zero trust is the right strategy and is now the standard.3 The institutions pulling ahead treat it as an operational discipline—not as a destination. When security is built into how access is granted, verified and reviewed by default, teams move faster, audits become simpler and trust becomes demonstrable.

See how IBM helps banks move from zero‑trust intent to zero‑trust execution

Zero trust only delivers value when it’s enforced consistently across people, machines and AI. IBM helps banks turn zero‑trust strategy into operational reality—through enterprise security solutions with IBM, and end‑to‑end execution support from IBM Consulting®.

Footnotes

1 CrowdStrike. Global Threat Report 2024: Top 5 Cloud Security Challenges of 2024 and How to Mitigate Them.

2 IBM. Cost of a Data Breach Report 2025.

3 The National Institute of Standards and Technology (NIST) formalized it when it published its famous guide, SP 800-207, “Zero Trust Architecture,” in 2020.