── Focus Area 05

Never Trust, Always Verify — And Rebuild Your Architecture Accordingly

Zero Trust is no longer a framework on a slide. In 2026, it's an operational requirement. Identity is the new perimeter. The CISO-CTO-EA alignment problem is the defining governance challenge of this decade.

$10.2M

Average US data breach cost in 2026 — highest worldwide, up 9% YoY

75%

Of breaches now exploiting legitimate credentials — identity is the battleground

76%

Fewer successful breaches at orgs with Zero Trust + AI-powered security ops

── The Moment We're In

2026: Zero Trust becomes operational

2026 marks a structural shift: from conceptual frameworks to operational architecture. The perimeter is gone — 82% of organizations now operate in hybrid or multi-cloud environments and the corporate network boundary no longer exists.

Gartner predicts only 10% of large enterprises will have a mature Zero Trust program by end of 2026, up from less than 1% in 2023. The conversation ILF can lead on EA governance, ARB design, and agentic AI security is critically timely.

Cybersecurity & EA — Express Your Interest

We are shaping this pillar community now. Express your interest and help set the agenda.

→ 84% of organizations experienced an identity-related breach in 2025, yet most EA governance frameworks still treat identity as an IT problem rather than a business architecture problem.

→ How do enterprise architects govern agentic AI workloads that cross cloud boundaries, vendor APIs, and regulatory jurisdictions simultaneously?

→ The CISO-CTO-EA alignment problem: who owns Zero Trust architecture in a matrixed enterprise, and what does the governance model look like?

── Focus Areas

What we're working on

🔴 Urgent

Zero Trust architecture

NIST SP 800-207 and CISA's Zero Trust Maturity Model v2.0. Seven pillars: identity, devices, networks, applications, data, infrastructure, and visibility — moving from framework to real enforcement.

Enterprise architecture governance

Building ARBs, AI governance committees, and Automation Centers of Excellence in regulated industries. The CTO-to-EA relationship and how EA functions evolve as agentic systems proliferate.

Cloud & AI security patterns

Securing agentic AI workloads, multi-cloud posture management, sovereign architecture models, and the data residency question when agents act across regulatory boundaries.

Resilience & business continuity

Air-gapped recovery assets, minimum viable company planning, and the governance architecture for critical business services across AWS, CoLo, mainframe, and SaaS environments in regulated enterprises.

── Lead This Conversation

Interested in Cybersecurity & Enterprise Architecture?

This pillar community is forming now. Express your interest and help shape the conversation from the start.