Research: The Security Gap You Can't Patch

Share
Research: The Security Gap You Can't Patch
12:49

What your employees don't know about access security — and how Zero Trust gives IT the control to protect what users can't.

Screenshot 2026-07-09 at 9.43.09 AM

Introduction

The perimeter has moved. Remote work, cloud apps, and contractor access have made the old castle-and-moat model obsolete. But employee behavior hasn't kept pace.

Most IT teams already know this intuitively. What's harder to quantify is exactly how wide the gap is between what security policies say and what employees actually do — and how little they understand about the tools designed to protect them.

To find out, OpenVPN surveyed 45 IT professionals and business leaders about their organizations' access practices, familiarity with Zero Trust, and comfort with AI in security tools. The findings are both instructive and sobering.

Want a copy of the research emailed to you? Download it here.

The core finding

Employees regularly access systems and data beyond what their job requires. Most organizations are slow to revoke that access when roles change. A significant share of IT professionals still treat Zero Trust as jargon. Zero Trust doesn't ask users to behave better — it removes the assumption that they will.

 

About This Research

OpenVPN invited 177 businesses to participate. 45 completed the survey between April 7 and May 27, 2026 — a 25.4% response rate. 75% of respondents are IT-focused; findings are most representative of how IT and security leaders perceive Zero Trust.

Fig. 1 — Respondent breakdown by role (n=45)

IT / security leadership

42%

IT admin or engineer

33%

Company leadership / exec

18%

Non-technical employee

4%

Other

2%

Role distribution skews heavily toward IT — findings reflect how security practitioners think about access and Zero Trust.

 

SECTION 01

 

The Access Problem: What Employees Actually Do

Before evaluating a Zero Trust solution, it helps to see clearly what the alternative looks like in practice. The survey data paints a familiar — and uncomfortable — picture.

 

Employees Sit On Access They Shouldn't Have

Respondents were asked whether they'd ever had access to sensitive information — financials, customer data, employee records — that they didn't need for their job. Among those who answered:

 

Fig. 2 — "Have you ever had access to sensitive information you didn't need?" (n=10)

Not that I know of

50%

Yes — but didn't look at it

40%

Not sure

10%

 

40% had access to data beyond their job scope

Even among IT professionals — the people who design access policies — 4 out of 10 admitted to having access to sensitive data they didn't need. The correct answer isn't "yes, but I didn't look." The access itself is the vulnerability.

 

Access Doesn't Update When Roles Change

Stale access — permissions not revoked after a role change — is one of the most common and exploited breach vectors. When asked how quickly access is updated:

Fig. 3 — "When your job responsibilities change, how quickly is your access updated?" (n=11)

It usually takes a while

27%

Immediately

27%

Within a few days

18%

I'm not sure

18%

It's rarely updated

9%

 

Only 27% of organizations revoke access immediately after a role change. The other 73% are running on implicit trust — the exact condition Zero Trust is designed to eliminate. Zero Trust enforces least-privilege access per-session, continuously verified, without waiting for a helpdesk ticket.

 

SECTION 02

 

Zero Trust: Misunderstood, Underestimated

If your users don't understand Zero Trust, they can't advocate for it internally. If leadership thinks it's a buzzword, it won't get budget. The comprehension data reveals how much definitional work remains — even among technical audiences.

 

A Technical Audience, Still Divided on the Definition

Fig. 4 — "How do you view Zero Trust?" (n=11, respondents who expressed a view)

Completely different approach to secure access

46%

A marketing buzzword

36%

A more secure type of VPN

9%

Never heard of it

9%

 

36% of technical respondents called Zero Trust a marketing buzzword

In a survey of IT and security professionals, the share treating Zero Trust as marketing language nearly equals the share treating it as a genuine paradigm shift. One in three decision-makers may need to be convinced it's real before they'll consider it a priority.

 

What Zero Trust Is — In Plain Language

Zero Trust is not a product. It's an architecture built on one principle: never trust, always verify. Every access request — internal or external — is authenticated, authorized, and continuously validated. No implicit trust. No standing permissions.

 

What Zero Trust replaces:

Traditional VPNs

Broad network access granted once; user sees everything on the segment

Perimeter firewalls

Trust assumed inside the perimeter; attackers who breach it move freely

Static permissions

Access granted at onboarding, rarely revisited until an incident forces review

Survey respondents identified traditional VPNs (34%) and perimeter firewalls (16%) as the top candidates for replacement.

 

SECTION 03

 

What Drives Zero Trust Adoption — and What Blocks It

Compliance Is the #1 Driver — By a Wide Margin

Despite being marketed as a security architecture, Zero Trust is being bought as a compliance instrument. Compliance outranks breach protection nearly 2-to-1:

 

Fig. 5 — "What would make you more likely to prioritize Zero Trust?" (n=34)

Helps meet compliance requirements

41%

Protects data even after a breach

21%

Modern replacement for legacy VPNs

18%

Simplifies access for remote teams

12%

I wouldn't prioritize it right now

9%

 

For IT leaders building internal business cases: frame Zero Trust in terms of audit readiness, regulatory frameworks, and liability reduction.

 

The Hesitations Are Real — But Addressable

The top barrier isn't price — it's time.

Fig. 6 — "What's your biggest hesitation about switching to Zero Trust?" (n=32)

Not enough time

28%

Too expensive

22%

Not a priority right now

19%

We already use it

19%

I don't know what it is

6%

Too complicated

6%

 

"Not enough time" (28%) beats "too expensive" (22%). Implementation complexity — not sticker price — is the friction point.

 

The Blockers Reveal a Guidance Gap

Fig. 7 — "What's stopping your company from implementing Zero Trust?" (n=34)

Budget constraints

24%

We already have it

18%

Don't know where to start

18%

System already works for us

15%

Leadership isn't on board

9%

Too many vendor options

9%

Seems too technical

6%

 

A combined 35%+ say they already have a system — the addressable opportunity is ~65%. Of those, "we don't know where to start" ties budget as the top blocker. This is a clarity problem as much as a cost problem.

 

SECTION 04

 

Where IT Teams Stand on AI in Security

AI is moving fast in the security industry. How does the audience that evaluates and deploys security tools actually feel about it? The results reveal nuanced optimism, conditional comfort, and surprisingly high willingness to use AI features.

 

General AI Sentiment: Net Positive, Not Effusive

Fig. 8 — "How do you feel about the growing use of AI in business software?" (n=43)

Somewhat positive — useful in certain cases

40%

Neutral — no strong opinion

23%

Very positive — significantly improves value

16%

Very negative — prefer software without AI

14%

Somewhat negative — adds unnecessary complexity

7%

 

56% hold a positive view. The 23% neutral segment represents the swing vote — respondents who haven't yet seen a compelling AI use case in their domain.

 

 

AI in Cybersecurity: Comfortable — With Conditions

When the question shifts to AI specifically in cybersecurity tasks, sentiment becomes more measured:

 

Fig. 9 — "How comfortable are you with AI assisting in cybersecurity tasks?" (n=44)

Somewhat comfortable (human oversight required)

55%

Neutral / unsure

25%

Very uncomfortable (decisions stay human)

9%

Somewhat uncomfortable

7%

Very comfortable (trust AI to assist)

5%

 

The dominant response — 55% — is "somewhat comfortable, with human oversight." Only 5% fully trust AI in security decisions. AI is welcome in the security stack, but it needs to be assistive, not autonomous.

 

SECTION 05

 

The AI Willingness Paradox

Here's the most counterintuitive finding in the entire dataset.

 

5%

fully trust AI to assist in security decisions

vs.

68%

would use AI features in their security platform

 

Despite only 5% saying they fully trust AI in cybersecurity decisions, 68% say they'd try or actively use AI features if their security platform offered them. This shows a major gap between abstract trust and concrete willingness.

 

Fig. 10 — "How likely to use AI features in your VPN/security platform?" (n=41)

Likely — would try them

46%

Unsure

24%

Very likely — would actively use

22%

Unlikely

5%

Very unlikely — would disable/avoid

2%

 

What This Means for Evaluating AI-Powered Security Tools

  • Assistive beats autonomous. Features framed as "policy suggestions," "anomaly alerts," and "usage insights" will outperform anything positioned as AI making decisions. Respondents want AI in the loop, not in the seat.
  • Even skeptics convert for the right use case. Among those who said they feel "very negative" about AI in business software, several still indicated they'd likely use AI features in a security context.
  • The neutral 24% is opportunity. These respondents aren't skeptics — they just haven't seen a compelling enough demo yet.

 

The key positioning insight

Frame AI capabilities as a force multiplier for your IT team — not a replacement for human judgment. "AI that surfaces what humans act on" maps directly to how 55% of this audience already thinks about the technology.

 

SECTION 06

 

What This Means for Your Organization

The data points in this report describe conditions that exist right now in organizations like yours. Here's how to apply them.

 

1

Your users are the risk surface.

40% of employees had access to sensitive data beyond their role. 73% work in organizations where that access is slow to be revoked. Zero Trust enforces least-privilege automatically, session by session — no helpdesk ticket required.

 

2

Frame the conversation around compliance.

41% of IT buyers say compliance requirements are the top reason to prioritize Zero Trust. If you're building an internal business case, regulatory alignment will outperform breach scenarios.

 

3

Address time-to-value, not just TCO.

The #1 hesitation isn't price — it's time. Prioritize solutions that offer fast deployment and minimal configuration overhead. An 18-month rollout doesn't solve the problem; it adds to it.

 

4

Don't let "we already have something" end the conversation.

35%+ said they have a system in place. But what they have is often a traditional VPN — broad access rather than verified, least-privilege access. The question isn't whether you have a tool; it's whether that tool matches today's threat environment.

 

5

Evaluate AI features — but evaluate how they're designed.

68% of your peers would use AI features in their security platform. But they want assistance, not automation. Seek capabilities that surface insights for human review, not black-box decisions that bypass your team.



Methodology: 45 of 177 invited businesses (25.4%) completed this survey between April 7 and May 27, 2026. One AI-generated response was excluded. Branching logic was used for several questions; denominators are noted throughout. Percentages rounded to the nearest whole number.

openvpn_ztna-research-report_email_800x200

About OpenVPN

OpenVPN's network security platforms provide secure remote access through both self-hosted and cloud-delivered VPN solutions for business with the core tenets of Zero Trust Network Access (ZTNA), creating peace of mind for organizations with remote and hybrid employees. Built on the high-performance, enterprise-trusted open-source OpenVPN protocol, OpenVPN's solutions for business, Access Server and CloudConnexa®, help teams securely access company resources, SaaS platforms, the web, and data via cloud environments (AWS, Azure, Google Cloud, etc.). With over 90 million downloads and nearly 20,000 business customers, OpenVPN products are trusted for their security, speed, and simplicity.

Related posts from OpenVPN

Subscribe for Blog Updates