Zero trust is not a product you buy. The problem that most organizations have is that they are still not doing the fundamentals well. CIS has a community defense model. I did a detailed webinar on it where I covered a lot of these fundamentals. https://www.qpcsecurity.com/2023/02/16/addressing-information-security-fundamentals-with-cis-and-community-defense-model/

Let's look at inventory management, asset management, change management, onboarding and offboarding.

You must have checks and balances. There must be practices codified in policy with a shared responsibility model which make it so that the issues that are created by mistakes in onboarding or offboarding are caught.

Fundamentally, the most effective thing in zero trust are the protections that are in an always on state. Like for example the recent revelation about flaws in UEFI and SecureBoot. These have prerequisites like TPM, BIOS configs, bios adm pwds, automated firmware updates, procurement policy alignment for supported hardware, onboarding configuration done properly on those endpoints, monitoring of the firmware updates, and of course, no admin access for end users!!!

FUNDAMENTALS MUST BE MASTERED

When an organization does not have a CISO that has policy and management authority over IT, you are guaranteed to have problems. Forget CIO and CTO. I think those are old modes of thinking. Find a CISO that can be the leader of all IT strategy.

Procurement policy must include vetting and testing of cloud app integrations. Monitoring and technical controls must be in place to restrict or eliminate the ability of an end user to buy shadow IT and authorize it on their own. Azure AD has controls for this, but they are not on by default.