Zero-trust policies for identity implemented at 27.3% of organizations

Keeper Security on Aug. 15 released a study that demonstrated a real disconnect between the urgency of identity security and the slow pace of real-world implementation.

Among the 110 cybersecurity professionals surveyed in-person at Black Hat 2025 from Aug. 2 to Aug. 7, just 27.3% said their organization had effectively implemented zero trust.

Nearly as many reported major gaps, while others cited stalled or partial rollouts due to complexity, integration challenges, limited budgets or a lack of executive buy-in.

The top obstacles to implementation included the following;

“The real challenge teams face isn’t recognizing that identity is critical – it’s translating that awareness into consistent action across all users, systems, devices and access levels,” said Darren Guccione, co-founder and CEO at Keeper Security.

Guccione added that success comes from developing clear and enforceable policies, visibility into privileged accounts, and automated controls that make secure access the default without adding complexity.

“When organizations get this right, they can stay ahead of emerging threats and protect both people and infrastructure,” said Guccione.

Lawrence Pingree, technical evangelist at Dispersive.io, said the challenge in most enterprises is how to prioritize the most important items within security with limited staff and often gaps in security because of new projects or older outdated systems that teams must retrofit with security.

“The crux of the reason identity systems remain problematic is that when they become integrated, these systems are super-important to the functioning of all aspects of a business,” said Pingree. “So, they tend to be handled with kid-gloves because of the potential negative side effects of changing and disrupting the wider enterprise. This leads to gaps in defense because of the fear of making changes. Obviously, mandates require patching so if you are negligent, it can be legally impactful.”