John Kindervag—the analyst who coined “zero trust” back in 2010—joins Alan Shimel to talk about how the idea has grown from a heretical memo into standard security doctrine. Kindervag, now at a microsegmentation vendor, still starts every project with the same question: what exact data or system are you trying to protect? His shorthand for that target is the “protect surface,” and he argues you build a micro-perimeter around it before touching anything else.

Too many teams flip the order. They buy a shiny product, point it at the whole network and hope a strategy emerges. That almost always fails, Kindervag warns, because zero trust is a design process, not a SKU. The other common pitfall is trying to secure everything at once; successful rollouts tackle one protect surface at a time and expand only after lessons are learned.

AI inevitably enters the chat, and Kindervag is unfazed. He’s “not losing sleep” over smarter attacks because defenders can use the same technology to automate visibility and policy enforcement long before bad packets reach their target. His mantra: if “only a machine can defeat another machine,” zero trust supplies the blueprint for wiring those machines together—micro-perimeters, segmentation policies and continuous validation combine to raise an attacker’s cost until they move on to softer targets.

The conversation’s takeaway is pragmatic. Zero trust hasn’t morphed into a single product or a one-click wizard, and AI won’t magically fix design mistakes. Start with a modest, low-sensitivity protect surface; learn by doing; then iterate. Treat technology changes—be it smart NICs, GPUs or generative models—as modular parts that plug into the same strategy. Do that, Kindervag says, and you’ll turn big-picture principles into day-to-day security wins long before the next buzzword hits your inbox.