Zero trust: "Never trust, always verify." No user, device, or network segment is inherently trusted — even inside the perimeter. Verify every request explicitly.
Zero trust replaces castle-and-moat perimeter security. Pillars: verify identity (MFA), verify device (posture), verify network (micro-segmentation), verify applications (ZTNA), assume breach (minimal blast radius). NIST SP 800-207 is the authoritative reference.