The reason zero trust stalls in big enterprises is not technology — it is change. Identity, device posture, and network policy each touch every employee, partner, and contractor.
A pragmatic sequence 1. Identity first. SSO and conditional access for every system. 2. Device posture next. Compliance signals into access decisions. 3. Network last. Microsegmentation where it actually buys risk reduction.
The teams that succeed do this on a calendar, not a dependency chain.