Research: The Security Gap You Can't Patch
By Krista Lyons
What your employees don't know about access security — and how Zero Trust gives IT the control to protect what users can't.

Introduction
The perimeter has moved. Remote work, cloud apps, and contractor access have made the old castle-and-moat model obsolete. But employee behavior hasn't kept pace.
Most IT teams already know this intuitively. What's harder to quantify is exactly how wide the gap is between what security policies say and what employees actually do — and how little they understand about the tools designed to protect them.
To find out, OpenVPN surveyed 45 IT professionals and business leaders about their organizations' access practices, familiarity with Zero Trust, and comfort with AI in security tools. The findings are both instructive and sobering.
Want a copy of the research emailed to you? Download it here.
|
The core finding Employees regularly access systems and data beyond what their job requires. Most organizations are slow to revoke that access when roles change. A significant share of IT professionals still treat Zero Trust as jargon. Zero Trust doesn't ask users to behave better — it removes the assumption that they will. |
About This Research
OpenVPN invited 177 businesses to participate. 45 completed the survey between April 7 and May 27, 2026 — a 25.4% response rate. 75% of respondents are IT-focused; findings are most representative of how IT and security leaders perceive Zero Trust.
Fig. 1 — Respondent breakdown by role (n=45)
|
IT / security leadership |
42% |
|
IT admin or engineer |
33% |
|
Company leadership / exec |
18% |
|
Non-technical employee |
4% |
|
Other |
2% |
Role distribution skews heavily toward IT — findings reflect how security practitioners think about access and Zero Trust.
SECTION 01
The Access Problem: What Employees Actually Do
Before evaluating a Zero Trust solution, it helps to see clearly what the alternative looks like in practice. The survey data paints a familiar — and uncomfortable — picture.
Employees Sit On Access They Shouldn't Have
Respondents were asked whether they'd ever had access to sensitive information — financials, customer data, employee records — that they didn't need for their job. Among those who answered:
Fig. 2 — "Have you ever had access to sensitive information you didn't need?" (n=10)
|
Not that I know of |
50% |
|
Yes — but didn't look at it |
40% |
|
Not sure |
10% |
|
40% had access to data beyond their job scope Even among IT professionals — the people who design access policies — 4 out of 10 admitted to having access to sensitive data they didn't need. The correct answer isn't "yes, but I didn't look." The access itself is the vulnerability. |
Access Doesn't Update When Roles Change
Stale access — permissions not revoked after a role change — is one of the most common and exploited breach vectors. When asked how quickly access is updated:
Fig. 3 — "When your job responsibilities change, how quickly is your access updated?" (n=11)
|
It usually takes a while |
27% |
|
Immediately |
27% |
|
Within a few days |
18% |
|
I'm not sure |
18% |
|
It's rarely updated |
9% |
Only 27% of organizations revoke access immediately after a role change. The other 73% are running on implicit trust — the exact condition Zero Trust is designed to eliminate. Zero Trust enforces least-privilege access per-session, continuously verified, without waiting for a helpdesk ticket.
SECTION 02
Zero Trust: Misunderstood, Underestimated
If your users don't understand Zero Trust, they can't advocate for it internally. If leadership thinks it's a buzzword, it won't get budget. The comprehension data reveals how much definitional work remains — even among technical audiences.
A Technical Audience, Still Divided on the Definition
Fig. 4 — "How do you view Zero Trust?" (n=11, respondents who expressed a view)
|
Completely different approach to secure access |
46% |
|
A marketing buzzword |
36% |
|
A more secure type of VPN |
9% |
|
Never heard of it |
9% |
|
36% of technical respondents called Zero Trust a marketing buzzword In a survey of IT and security professionals, the share treating Zero Trust as marketing language nearly equals the share treating it as a genuine paradigm shift. One in three decision-makers may need to be convinced it's real before they'll consider it a priority. |
What Zero Trust Is — In Plain Language
Zero Trust is not a product. It's an architecture built on one principle: never trust, always verify. Every access request — internal or external — is authenticated, authorized, and continuously validated. No implicit trust. No standing permissions.
What Zero Trust replaces:
|
Traditional VPNs |
Broad network access granted once; user sees everything on the segment |
|
Perimeter firewalls |
Trust assumed inside the perimeter; attackers who breach it move freely |
|
Static permissions |
Access granted at onboarding, rarely revisited until an incident forces review |
Survey respondents identified traditional VPNs (34%) and perimeter firewalls (16%) as the top candidates for replacement.
SECTION 03
What Drives Zero Trust Adoption — and What Blocks It
Compliance Is the #1 Driver — By a Wide Margin
Despite being marketed as a security architecture, Zero Trust is being bought as a compliance instrument. Compliance outranks breach protection nearly 2-to-1:
Fig. 5 — "What would make you more likely to prioritize Zero Trust?" (n=34)
|
Helps meet compliance requirements |
41% |
|
Protects data even after a breach |
21% |
|
Modern replacement for legacy VPNs |
18% |
|
Simplifies access for remote teams |
12% |
|
I wouldn't prioritize it right now |
9% |
For IT leaders building internal business cases: frame Zero Trust in terms of audit readiness, regulatory frameworks, and liability reduction.
The Hesitations Are Real — But Addressable
The top barrier isn't price — it's time.
Fig. 6 — "What's your biggest hesitation about switching to Zero Trust?" (n=32)
|
Not enough time |
28% |
|
Too expensive |
22% |
|
Not a priority right now |
19% |
|
We already use it |
19% |
|
I don't know what it is |
6% |
|
Too complicated |
6% |
"Not enough time" (28%) beats "too expensive" (22%). Implementation complexity — not sticker price — is the friction point.
The Blockers Reveal a Guidance Gap
Fig. 7 — "What's stopping your company from implementing Zero Trust?" (n=34)
|
Budget constraints |
24% |
|
We already have it |
18% |
|
Don't know where to start |
18% |
|
System already works for us |
15% |
|
Leadership isn't on board |
9% |
|
Too many vendor options |
9% |
|
Seems too technical |
6% |
A combined 35%+ say they already have a system — the addressable opportunity is ~65%. Of those, "we don't know where to start" ties budget as the top blocker. This is a clarity problem as much as a cost problem.
SECTION 04
Where IT Teams Stand on AI in Security
AI is moving fast in the security industry. How does the audience that evaluates and deploys security tools actually feel about it? The results reveal nuanced optimism, conditional comfort, and surprisingly high willingness to use AI features.
General AI Sentiment: Net Positive, Not Effusive
Fig. 8 — "How do you feel about the growing use of AI in business software?" (n=43)
|
Somewhat positive — useful in certain cases |
40% |
|
Neutral — no strong opinion |
23% |
|
Very positive — significantly improves value |
16% |
|
Very negative — prefer software without AI |
14% |
|
Somewhat negative — adds unnecessary complexity |
7% |
56% hold a positive view. The 23% neutral segment represents the swing vote — respondents who haven't yet seen a compelling AI use case in their domain.
AI in Cybersecurity: Comfortable — With Conditions
When the question shifts to AI specifically in cybersecurity tasks, sentiment becomes more measured:
Fig. 9 — "How comfortable are you with AI assisting in cybersecurity tasks?" (n=44)
|
Somewhat comfortable (human oversight required) |
55% |
|
Neutral / unsure |
25% |
|
Very uncomfortable (decisions stay human) |
9% |
|
Somewhat uncomfortable |
7% |
|
Very comfortable (trust AI to assist) |
5% |
The dominant response — 55% — is "somewhat comfortable, with human oversight." Only 5% fully trust AI in security decisions. AI is welcome in the security stack, but it needs to be assistive, not autonomous.
SECTION 05
The AI Willingness Paradox
Here's the most counterintuitive finding in the entire dataset.
|
5% fully trust AI to assist in security decisions |
vs. |
68% would use AI features in their security platform |
Despite only 5% saying they fully trust AI in cybersecurity decisions, 68% say they'd try or actively use AI features if their security platform offered them. This shows a major gap between abstract trust and concrete willingness.
Fig. 10 — "How likely to use AI features in your VPN/security platform?" (n=41)
|
Likely — would try them |
46% |
|
Unsure |
24% |
|
Very likely — would actively use |
22% |
|
Unlikely |
5% |
|
Very unlikely — would disable/avoid |
2% |
What This Means for Evaluating AI-Powered Security Tools
- Assistive beats autonomous. Features framed as "policy suggestions," "anomaly alerts," and "usage insights" will outperform anything positioned as AI making decisions. Respondents want AI in the loop, not in the seat.
- Even skeptics convert for the right use case. Among those who said they feel "very negative" about AI in business software, several still indicated they'd likely use AI features in a security context.
- The neutral 24% is opportunity. These respondents aren't skeptics — they just haven't seen a compelling enough demo yet.
|
The key positioning insight Frame AI capabilities as a force multiplier for your IT team — not a replacement for human judgment. "AI that surfaces what humans act on" maps directly to how 55% of this audience already thinks about the technology. |
SECTION 06
What This Means for Your Organization
The data points in this report describe conditions that exist right now in organizations like yours. Here's how to apply them.
|
1 |
Your users are the risk surface. 40% of employees had access to sensitive data beyond their role. 73% work in organizations where that access is slow to be revoked. Zero Trust enforces least-privilege automatically, session by session — no helpdesk ticket required. |
|
2 |
Frame the conversation around compliance. 41% of IT buyers say compliance requirements are the top reason to prioritize Zero Trust. If you're building an internal business case, regulatory alignment will outperform breach scenarios. |
|
3 |
Address time-to-value, not just TCO. The #1 hesitation isn't price — it's time. Prioritize solutions that offer fast deployment and minimal configuration overhead. An 18-month rollout doesn't solve the problem; it adds to it. |
|
4 |
Don't let "we already have something" end the conversation. 35%+ said they have a system in place. But what they have is often a traditional VPN — broad access rather than verified, least-privilege access. The question isn't whether you have a tool; it's whether that tool matches today's threat environment. |
|
5 |
Evaluate AI features — but evaluate how they're designed. 68% of your peers would use AI features in their security platform. But they want assistance, not automation. Seek capabilities that surface insights for human review, not black-box decisions that bypass your team. |
Methodology: 45 of 177 invited businesses (25.4%) completed this survey between April 7 and May 27, 2026. One AI-generated response was excluded. Branching logic was used for several questions; denominators are noted throughout. Percentages rounded to the nearest whole number.
About OpenVPN
OpenVPN's network security platforms provide secure remote access through both self-hosted and cloud-delivered VPN solutions for business with the core tenets of Zero Trust Network Access (ZTNA), creating peace of mind for organizations with remote and hybrid employees. Built on the high-performance, enterprise-trusted open-source OpenVPN protocol, OpenVPN's solutions for business, Access Server and CloudConnexa®, help teams securely access company resources, SaaS platforms, the web, and data via cloud environments (AWS, Azure, Google Cloud, etc.). With over 90 million downloads and nearly 20,000 business customers, OpenVPN products are trusted for their security, speed, and simplicity.
