Generative AI is undermining zero trust cybersecurity

A global team of cybersecurity researchers from RMIT University, Massey University, and industry partners has warned that generative artificial intelligence (AI) is rapidly eroding the core assumptions of Zero Trust Architecture (ZTA), one of the world's most widely adopted cybersecurity frameworks.

Their comprehensive review, titled "The Erosion of Cybersecurity Zero-Trust Principles Through Generative AI: A Survey on the Challenges and Future Directions," was published in the Journal of Cybersecurity and Privacy. The study systematically analyzed 10 existing Zero Trust surveys and 136 primary research papers from 2022 to 2024, exposing what the authors describe as an "empirical vacuum" at the heart of cybersecurity research in the AI age.

Generative AI is breaking the 'Never Trust, Always Verify' rule

Zero Trust, a security model built around the principle of "never trust, always verify," assumes that no entity, internal or external, should be granted access without continuous validation. But the study finds that this foundation is collapsing under the pressure of AI-driven identity fraud, data manipulation, and automated deception.

The authors discovered that 98% of all Zero Trust studies lack real-world validation, making them theoretical rather than practical. This failure, they warn, leaves organizations unprepared for the reality of AI-generated threats that mimic human behavior, forge digital credentials, and exploit trust algorithms faster than policies can adapt.

Generative AI's ability to produce synthetic identities, falsified context, and adversarial telemetry undermines the core "verify explicitly" and "assume breach" principles of ZTA. These tools allow attackers to manipulate authentication signals, craft convincing phishing vectors, and bypass behavioral checks designed to verify legitimate users.

To illustrate this systemic breakdown, the researchers propose a new framework called the Cyber Fraud Kill Chain (CFKC) — a seven-stage model that maps how generative AI infiltrates, deceives, and monetizes its attacks while bypassing traditional Zero Trust controls. The CFKC demonstrates that AI-powered deception campaigns are extending attacker dwell time, raising false-negative detection rates, and destroying audit trails across industries.

Why most zero trust research fails the reality test

The paper's most striking revelation is the disconnect between academic research and operational cybersecurity. Out of 136 primary studies reviewed, nearly all showed "partial or no validation" of their proposed trust mechanisms in live environments.

Most Zero Trust models focus on static, policy-based frameworks that do not evolve fast enough to counter AI-driven threats. The authors note that identity governance, trust algorithms, and continuous monitoring infrastructures are the weakest links.

Three major research gaps stand out:

• Lack of behavior-based trust algorithms. None of the analyzed studies investigated dynamic behavioral trust models capable of detecting insider threats or advanced persistent threats (APTs).
• Absence of continuous monitoring and validation frameworks. No study adequately examined real-time adaptive verification, even though these are central to Zero Trust's effectiveness.
• Minimal integration with AI governance frameworks. Emerging regulatory tools such as the EU AI Act and NIST AI Risk Management Framework were rarely referenced or operationalized in Zero Trust studies.

The review also found that existing ZTA deployments remain heavily reliant on human-verifiable credentials and static policy rules. In contrast, attackers armed with diffusion models, large language models, and deepfake generators can bypass these systems through synthetic resumes, fake facial scans, or fabricated telemetry data.

As AI models evolve weekly, the paper warns that Zero Trust frameworks risk turning into "static checklists" rather than living security postures, leaving organizations perpetually behind in the defensive cycle.

Toward adaptive, AI-aware cybersecurity frameworks

To address the growing divide between policy and practice, the authors call for a fundamental redesign of Zero Trust - one that integrates AI literacy, adaptive trust computation, and verifiable auditing for AI-generated content. Incremental updates, they argue, will not suffice in an era where attackers use the same machine learning tools as defenders.

The proposed research roadmap includes:

• Developing behavior-based trust algorithms capable of detecting subtle deviations in user behavior over time.
• Embedding AI-specific compliance auditing to track and verify interactions with synthetic data or generative models.
• Implementing federated and explainable AI systems to preserve privacy while enabling real-time monitoring of distributed networks.
• Creating cross-platform validation standards that can evaluate Zero Trust deployments in live enterprise environments.

The authors stress that the integration of adaptive learning, context awareness, and continuous verification will define the next generation of Zero Trust systems. This would transform ZTA from a reactive policy model into a proactive, data-driven security ecosystem capable of defending against adversarial AI.