Risk-Based Zero Trust and the Case for a Cyber Risk Security Broker
Juan Pablo Castro
Director @ Trend Micro | Cybersecurity Strategist, LATAM | Creator of Cybersecurity Compass & CROC | Public Speaker
Zero Trust was supposed to fix cybersecurity. It was supposed to eliminate implicit trust, stop lateral movement, and make breaches irrelevant. Yet, despite widespread adoption, cyberattacks are still succeeding at an alarming rate. Organizations that have implemented Zero Trust principles—strict authentication, micro-segmentation, least privilege—are still getting compromised. Why? Because Zero Trust today is largely static, lacking real-time risk-based context.
Most Zero Trust deployments still operate on rigid, pre-defined policies that fail to adjust dynamically to evolving threats. Access rules, network segmentation, and authentication policies are often based on assumptions that don’t account for the real-world risk of a given moment. If a user’s credentials are compromised, if a device is suddenly exhibiting suspicious behavior, or if a known exploit is being actively targeted—shouldn’t Zero Trust react in real time?
Instead, many organizations are enforcing the same security controls for every access request, regardless of actual risk. A login from an administrator accessing a critical database from an unpatched device may be treated the same as an intern logging into an internal portal. Without continuous, adaptive risk assessment, Zero Trust fails to prevent breaches in progress—and worse, it creates unnecessary friction for low-risk activities while leaving high-risk actions under-protected.
NIST and CISA: Zero Trust Must Be Risk-Based
Leading cybersecurity frameworks recognize the need for real-time, risk-driven decision-making within Zero Trust. The National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) both emphasize that Zero Trust cannot be a static framework—it must continuously evaluate risk and adjust policies accordingly.
NIST: Zero Trust as a Risk Management Strategy
NIST’s Special Publication 800-207 (Zero Trust Architecture) explicitly calls for dynamic, risk-based policies for resource access. The document states that a Zero Trust deployment should be integrated with an organization’s Risk Management Framework (RMF) to ensure security policies align with business risk tolerance.
- NIST emphasizes that Zero Trust is not an end-goal, but an ongoing risk-based process that requires continuous adjustments based on evolving threats.
- NIST defines a trust algorithm within the Zero Trust policy engine that calculates risk scores in real time, using inputs such as identity attributes, device posture, threat intelligence, and behavioral analytics.
- Organizations should implement continuous risk assessments rather than relying solely on pre-configured policies, which may become outdated in the face of new attack techniques.
NIST essentially frames Zero Trust as a real-time risk management exercise rather than a set of static security controls. Without risk-driven decision-making, Zero Trust fails to achieve its purpose.
CISA: Zero Trust Maturity Requires Continuous Risk Evaluation
CISA’s Zero Trust Maturity Model (ZTM) also acknowledges the importance of risk-based decision-making within Zero Trust architectures. In its model, CISA describes how organizations should progress from basic identity verification toward a more dynamic and risk-aware security posture.
- At early maturity levels, organizations perform minimal risk analysis and rely on static access policies.
- At optimal maturity, security teams must determine identity risk in real time based on continuous analysis and dynamic rules.
- Zero Trust policies should adapt to evolving risks, ensuring that security controls dynamically shift in response to new vulnerabilities, compromised credentials, or active threat campaigns.
CISA also highlights that Zero Trust must be a living framework—it should continuously incorporate risk intelligence, ensuring that security teams focus on the right threats at the right time.
The Bottom Line: NIST and CISA Expect Zero Trust to Be Dynamic
Both NIST and CISA make it clear: Zero Trust cannot be a “set it and forget it” model. Organizations that fail to implement risk-based adjustments are effectively running a broken Zero Trust framework—one that fails to recognize when risks change and fails to prevent breaches that could have been stopped.
The Missing Piece: Risk-Based Zero Trust
To truly deliver on its promise, Zero Trust must become risk-based—meaning every access request, authentication attempt, and security control must be dynamically adjusted based on real-time risk signals. This requires a new architectural component that traditional Zero Trust frameworks do not fully address: a Cyber Risk Security Broker (CRSB).
The CRSB serves as the brain of a risk-based Zero Trust model, continuously analyzing a Cyber Risk Index (CRI) that aggregates contextual data from identity management, device posture, threat intelligence, behavioral analytics, and external cyber risk factors. It ensures that security controls are applied proportionally to the risk at hand, dynamically tightening or relaxing access policies based on live conditions.
Why Zero Trust Needs a Cyber Risk Security Broker
Current Zero Trust implementations struggle with several critical weaknesses:
1. Static Policies in a Dynamic Threat Landscape: Traditional Zero Trust policies don’t adjust in real-time to emerging threats. Security teams define access rules once, but attackers don’t follow static playbooks—they evolve, change tactics, and exploit gaps in rigid policies.
2. Lack of Unified Risk Context: Organizations often have multiple security tools generating risk signals—identity providers, SIEMs, EDRs, and cloud security platforms—but these signals aren’t automatically feeding into Zero Trust policies. As a result, risk is assessed in silos, instead of holistically across the enterprise.
3. Overly Strict Controls That Hinder Productivity: When Zero Trust policies are too rigid, they create unnecessary friction for legitimate users, slowing down productivity and frustrating employees. This often leads to security workarounds, making the organization less secure overall.
4. Blind Spots in Legacy Systems and Third-Party Access: Many legacy applications and third-party integrations don’t support modern Zero Trust controls, creating exceptions that weaken the entire security model. Without risk-aware compensating controls, these weak links become prime attack vectors.
How a CRSB Fixes These Gaps
A Cyber Risk Security Broker (CRSB) serves as the missing orchestration layer in modern Zero Trust frameworks. Here’s how it works:
Real-Time Risk Scoring with a Cyber Risk Index (CRI): The CRSB continuously ingests data from across the security stack—identity analytics, endpoint security, network telemetry, and external threat intelligence—to compute a real-time risk score for every user, device, and access request.
Dynamic Access Policies Based on Live Risk Signals: Instead of enforcing static rules, a CRSB enables adaptive policies:
- Low-risk requests proceed with minimal friction.
- Medium-risk requests may trigger additional authentication (e.g., step-up MFA).
- High-risk requests can be automatically blocked, quarantined, or escalated to security teams.
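To make the risk-scoring and tiered-response idea concrete (the NIST trust-algorithm inputs described earlier and the low/medium/high policy tiers just listed), here is a small policy-engine model. It is an added example, not code from the article, from Trend Micro, or from the Cyber RiskOps scoring system; the signal names, the weights, the 1-to-5 sensitivity scale, and the tier thresholds are all assumptions chosen for illustration. It shows the two requests from the opening of the article (an administrator on an unpatched device reaching a critical database versus an intern on an internal portal) receiving different decisions, and the same administrator session being re-scored and blocked once a threat-intelligence signal arrives mid-session.

```python
"""Hypothetical risk-based Zero Trust policy engine (assumed design, for illustration only)."""
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"          # low risk: proceed with minimal friction
    STEP_UP = "step_up_mfa"  # medium risk: require additional authentication
    DENY = "deny"            # high risk: block and escalate to the security team


@dataclass(frozen=True)
class AccessRequest:
    """Signals a policy engine gathers for one access request (assumed field set)."""
    user: str
    resource_sensitivity: int        # 1 (public) .. 5 (critical), assumed scale
    privileged_identity: bool        # admin or otherwise elevated role
    device_managed: bool             # device posture from the endpoint agent
    device_patched: bool
    mfa_enrolled: bool               # identity attribute from the IdP
    new_location: bool               # behavioral: geography never seen for this user
    source_ip_flagged: bool          # threat intelligence hit on the source address
    credential_in_breach_feed: bool  # IdP reports the credential in a leak feed
    anomalous_behavior: bool         # UEBA flag (unusual hours, volume, etc.)


# Assumed per-signal contributions to a 0..100 risk score; tune per environment.
WEIGHTS = {
    "device_unmanaged": 15,
    "device_unpatched": 20,
    "no_mfa": 10,
    "new_location": 10,
    "source_ip_flagged": 25,
    "credential_in_breach_feed": 30,
    "anomalous_behavior": 20,
}
STEP_UP_THRESHOLD = 30  # assumed tier boundaries
DENY_THRESHOLD = 60


def risk_score(req: AccessRequest) -> int:
    """Combine identity, device, threat-intel and behavioral signals into one 0..100 score.

    The raw signal total is scaled by resource sensitivity and privilege, so the same
    weak device posture weighs more on a critical database than on an internal portal.
    """
    raw = 0
    raw += WEIGHTS["device_unmanaged"] if not req.device_managed else 0
    raw += WEIGHTS["device_unpatched"] if not req.device_patched else 0
    raw += WEIGHTS["no_mfa"] if not req.mfa_enrolled else 0
    raw += WEIGHTS["new_location"] if req.new_location else 0
    raw += WEIGHTS["source_ip_flagged"] if req.source_ip_flagged else 0
    raw += WEIGHTS["credential_in_breach_feed"] if req.credential_in_breach_feed else 0
    raw += WEIGHTS["anomalous_behavior"] if req.anomalous_behavior else 0
    # Impact multiplier: sensitivity 1..5 maps to 0.6..1.4, plus 0.2 for privileged identities.
    impact = 0.6 + 0.2 * (req.resource_sensitivity - 1)
    if req.privileged_identity:
        impact += 0.2
    return min(100, round(raw * impact))


def evaluate(req: AccessRequest) -> tuple[int, Decision]:
    """Return (score, decision). Hard rules override the score where a signal is decisive."""
    score = risk_score(req)
    if req.credential_in_breach_feed:
        # Leaked credentials always require re-proof and never reach critical data (sensitivity >= 4).
        return score, (Decision.DENY if req.resource_sensitivity >= 4 else Decision.STEP_UP)
    if score >= DENY_THRESHOLD:
        return score, Decision.DENY
    if score >= STEP_UP_THRESHOLD:
        return score, Decision.STEP_UP
    return score, Decision.ALLOW


def with_signals(req: AccessRequest, **changes) -> AccessRequest:
    """Re-score an existing session after new signals arrive (continuous evaluation)."""
    return replace(req, **changes)


# Constructed sample requests mirroring the article's two scenarios.
ADMIN_CRITICAL_DB = AccessRequest(
    user="db-admin", resource_sensitivity=5, privileged_identity=True,
    device_managed=True, device_patched=False, mfa_enrolled=True, new_location=False,
    source_ip_flagged=False, credential_in_breach_feed=False, anomalous_behavior=False)
INTERN_PORTAL = AccessRequest(
    user="intern", resource_sensitivity=2, privileged_identity=False,
    device_managed=True, device_patched=True, mfa_enrolled=True, new_location=False,
    source_ip_flagged=False, credential_in_breach_feed=False, anomalous_behavior=False)

if __name__ == "__main__":
    print("admin -> critical DB:", evaluate(ADMIN_CRITICAL_DB))
    print("intern -> portal:    ", evaluate(INTERN_PORTAL))
    print("admin, IP flagged mid-session:",
          evaluate(with_signals(ADMIN_CRITICAL_DB, source_ip_flagged=True, new_location=True)))
```

The scoring function is deliberately simple so the mapping from signals to a tier is readable; in a real broker the weights would come from the organization's risk model and the score would be recomputed whenever an upstream source (IdP, EDR, SIEM, threat feed) pushes a new signal, which is what the `with_signals` re-evaluation stands in for.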
Seamless Integration with Existing Zero Trust Controls: A CRSB doesn’t replace existing Zero Trust tools—it orchestrates them. It acts as a decision broker, feeding risk insights to identity providers (IdPs), Secure Access Service Edge (SASE), network segmentation tools, and SIEMs to harmonize enforcement across all security layers.
Regulatory Compliance and Risk Governance: A CRSB aligns Zero Trust with compliance frameworks like NIST, CISA, and DORA, ensuring that security policies are continuously updated to reflect regulatory risk requirements.
Integrating the Cyber RiskOps Framework: The Cyber Risk Scoring System as a Cyber Risk Security Broker
One of the key challenges in implementing risk-based Zero Trust is defining a consistent, real-time risk scoring mechanism that can dynamically inform security decisions across the enterprise. The Cyber RiskOps Framework, with its Cyber Risk Scoring System, provides a strong foundation for this function. By leveraging the Cyber RiskOps model, organizations can implement a Cyber Risk Security Broker (CRSB) that serves as the central intelligence hub for adaptive Zero Trust enforcement.
The Cyber RiskOps framework introduces a structured approach to cyber risk scoring, allowing organizations to quantify and prioritize security risks based on real-time data. This scoring system already integrates multiple dimensions of cyber risk, making it well-suited to act as the decision engine for a Cyber Risk Security Broker.
Zero Trust, But Smarter
Zero Trust is not failing because it’s a bad model—it’s failing because organizations aren’t applying it with real-time risk intelligence.
A Cyber Risk Security Broker is the missing piece that transforms Zero Trust from a check-the-box compliance exercise into a truly adaptive, risk-driven security model. It ensures that security teams focus on real threats, rather than wasting time on false positives or unnecessary user friction.
In an era where attackers are constantly adapting, Zero Trust must adapt faster. Risk-based Zero Trust—powered by a Cyber Risk Security Broker—is the only way forward.
Zero Trust is not enough. Zero Trust with risk-based intelligence is the future.
NIST. (2020). Special Publication 800-207: Zero Trust Architecture. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf DOI: 10.6028/NIST.SP.800-207
CISA. (2023). Zero Trust Maturity Model. https://www.cisa.gov/sites/default/files/2023-04/CISA_Zero_Trust_Maturity_Model_Version_2_508c.pdf
Castro, J. (2025). Cyber RiskOps: Bridging Strategy and Operations in Cybersecurity. ResearchGate. https://www.researchgate.net/publication/388194428 DOI: 10.13140/RG.2.2.36216.97282/1
Castro, J. (2024). Why a Transparent and Public Cyber Risk Scoring Methodology is Critical for Trust in Cybersecurity. ResearchGate. https://www.researchgate.net/publication/388682497 DOI: 10.13140/RG.2.2.27248.37120