Your Employees Are the Security Gap That Zero Trust Network Access Closes
By Krista Lyons
You can write the policy. You can run the training. But you probably can’t make your employees stop accumulating access they don’t need.
That’s not cynicism — it’s what the data says.
OpenVPN recently surveyed 45 IT and business leaders about their organizations’ network access practices, Zero Trust adoption, and attitudes toward AI in security tools. What came back wasn’t surprising to most IT professionals. But seeing it in numbers has a way of making an uncomfortable reality hard to ignore.
Here’s a preview of what we found — and why it points directly to zero trust network access (ZTNA) as the control layer IT teams have been looking for.
The Access Problem Is Bigger Than Most Organizations Admit
Let’s start with a question most security audits don’t ask directly: have your employees ever had access to sensitive information — financials, customer records, HR data — that they didn’t actually need to do their jobs?
The survey asked it. The answers were uncomfortable.
—40% admitted they had access to sensitive data beyond what their role required.
Among respondents who answered the question, 40% admitted they had access to sensitive data beyond what their role required. The most common response? “Yes, but I didn’t look at it.”
Reassuring isn't the word we'd use to describe those results.
The second finding is where it gets operationally messy: when employees change roles, most organizations are slow — sometimes very slow — to update their access. Only a fraction of respondents said access is revoked immediately after a role change. The majority described a process that takes a while, takes days, is rarely revisited, or in some cases, they simply didn’t know.
This is the access hygiene problem in its clearest form. And it’s not a user behavior problem. It’s an architecture problem.
Zero trust network access solves it by design. Rather than granting broad, persistent access at login, ZTNA verifies every request against current role, device health, and context — continuously, not just at the gate. When a role changes, access changes with it. No ticket required. No lag.
Most Technical Audiences Still Can’t Agree on What Zero Trust Is
Here’s where the research gets more nuanced — and more useful for IT leaders building internal buy-in.
When survey respondents who expressed a view were asked how they’d describe Zero Trust, the results split almost evenly between two positions: those who called it “a completely different approach to secure access” and those who called it a marketing buzzword.
In a survey skewed heavily toward IT professionals, that finding matters. If nearly a third of your potential internal advocates view Zero Trust as vendor noise, the path to implementation isn’t just technical — it’s definitional.
The research unpacks why this gap exists and what messaging actually moves the needle with skeptical audiences. (Hint: the answer has more to do with compliance than with breach scenarios, and the data behind it is specific enough to be useful in your next budget meeting.)
The Single Biggest Barrier to ZTNA Adoption Isn’t What You Think
Most vendors assume the primary obstacle to zero trust network access adoption is cost. The survey data says otherwise.
We won’t give the full breakdown here — that’s in the report — but the top hesitation respondents cited wasn’t price. And the second-largest category of respondents who said they weren’t pursuing Zero Trust? They have a different problem entirely, one that better onboarding and vendor guidance could solve directly.
For IT leaders who’ve hit walls making the ZTNA case internally, this data offers a useful reframe. The objections you’re hearing may not be the objections that actually matter.
The AI Finding No One Predicted
Alongside the Zero Trust research, the survey explored where IT teams stand on AI in security tools. The headline numbers were expected: a majority hold a positive or neutral view of AI in business software.
What wasn’t expected was what happened when respondents were asked whether they’d actually use AI features inside their VPN or network security platform.
The gap between how comfortable people say they are with AI in cybersecurity — and how willing they actually are to use it — is the most counterintuitive finding in the entire dataset. It has direct implications for how security vendors should position AI capabilities, and for how IT leaders should evaluate them.
We’ve pulled this thread out into its own section of the report, because the practical implications for procurement and vendor evaluation are significant.
What This Means for Your Network Access Strategy
Across the Zero Trust and AI findings, a few through-lines are consistent:
- The access hygiene problem is real, pervasive, and invisible until it isn’t. Organizations running on implicit trust aren’t waiting for a breach to happen — in many cases, the conditions for one already exist. Zero Trust network access removes the assumption that a valid login equals appropriate access.
- Comprehension is still a barrier, but it’s surmountable. The survey identifies the specific framing that moves skeptical IT and business audiences — and it’s not what most ZTNA marketing leads with.
- AI in security is more welcome than vendors assume, if positioned correctly. The data reveals a specific posture that IT teams are comfortable with — and one they’re not. Getting this framing right will matter as AI features become standard in network security platforms.
The full report covers all of this in detail: the access hygiene data, the Zero Trust comprehension and adoption findings, the AI readiness picture, and six specific recommendations for IT teams evaluating their network access strategy.
Ready to see how OpenVPN can help protect your organization from attacks?
Try the self-hosted Access Server solution or the managed CloudConnexa service for free, no credit card required.
See Which One is Right for You