Zero trust is no longer a strategic ambition for banks — it is an active regulatory expectation. With the FFIEC CAT retired as of August 2025 and NIST CSF 2.0 now the dominant successor framework, the question for bank technology leaders is not whether to implement zero trust but how to sequence it without stalling across all five pillars at once.
Zero trust implementations in banking fail more often than they succeed — not because the framework is wrong, but because institutions treat it as a product purchase rather than an architecture shift. Banking accounts for 28 percent of the global zero trust market, yet most implementations stall trying to move all five pillars at once. What follows is a sequenced plan designed to survive examiner scrutiny and produce measurable outcomes at each phase.
The Regulatory Ground Has Shifted
The FFIEC CAT sunset on August 31, 2025 consolidated expectations around three successor frameworks: NIST CSF 2.0, CISA's Cross-Sector Cybersecurity Performance Goals, and the Cyber Risk Institute Profile 2.0 — all of which align to zero trust principles. For NYDFS-regulated institutions, the connection is more direct: the Phase 2 amendments and October 2024 AI industry letter — covered in our piece on NYDFS 23 NYCRR 500 and AI compliance — both reflect a regulatory posture built on zero trust principles: least-privilege access, continuous authentication, rigorous third-party controls, and comprehensive audit trails.
The Five Pillars in a Banking Context
Identity. No user, device, or system should be trusted by default. For banks, this means phased MFA across all access and adaptive authentication that assesses risk in real time. Non-human identities — service accounts, AI agents, and API connections — are the most commonly overlooked access control gap at financial institutions.
Devices. Every device must be verified and monitored continuously via endpoint detection and response tools, mobile device management, and device health attestation. Vendor personnel and branch staff frequently access systems from devices that do not meet enterprise security standards.
Network. Micro-segmentation divides the network into isolated zones so a compromised system cannot move laterally. SASE architectures from Zscaler, Palo Alto Networks Prisma, and Cisco Umbrella are the primary implementation vehicles.
Applications. Zero Trust Network Access (ZTNA) replaces VPN-based remote access with application-level controls that verify identity and device posture before granting access to specific applications. Over 70 percent of credit union cybersecurity incidents in 2025 were tied to third-party vendor access; ZTNA is the direct architectural response.
Data. Classify sensitive data and apply controls that follow it regardless of where it resides — DLP tools, encryption in transit and at rest, and AI-powered data discovery to catch what legacy systems miss.
The Right Sequence
Attempting all five pillars simultaneously is the most common failure pattern. The defensible starting point for most banks is a three-phase sequence.
Phase 1 (Months 1–6): Identity and Access Foundation. Begin with identity — every other pillar depends on it. Implement MFA across privileged access first, then expand to all users. Conduct a service account inventory: most institutions find a significant population of over-privileged accounts accumulated over years.
Phase 2 (Months 7–12): Network Micro-Segmentation and ZTNA. Introduce network segmentation for highest-risk environments — core banking systems, data warehouses, and environments housing sensitive customer data — while replacing VPN access for remote workers and contractors with ZTNA. Lateral movement prevention most directly reduces breach impact once a compromise has occurred.
Phase 3 (Months 13–24): Device, Application, and Data Controls. Extend device health verification to all endpoints, implement application-level controls for highest-risk systems, and begin data classification and DLP buildout. Microsoft's Total Economic Impact study found up to 197 percent three-year ROI from zero trust for financial services organizations, driven by breach cost reduction and security operations efficiency.
What Examiners Are Looking For
For institutions subject to NIST CSF 2.0 or the CRI Profile 2.0, examiners want evidence of control implementation, not framework adoption statements. Can you demonstrate MFA across all privileged and remote access with documented exceptions? Can you show segmentation that would limit lateral movement in a breach? Do your third-party access reviews cover AI systems and service accounts — not just human users?
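As an added illustration of the Phase 1 service account inventory and the MFA evidence examiners ask for (example code written for this piece, not from the article or any named vendor): the script below reads a constructed identity-provider export, separates documented MFA exceptions from undocumented gaps across privileged and remote human access, and flags privileged service accounts that have gone unused. The column layout, the 90-day stale threshold and all account names are assumptions.

```python
# Added example, not from the article: identity-pillar evidence built from a constructed IdP export.
import csv
import io
from datetime import date

# Constructed sample export (not real accounts); column layout is an assumption.
IDENTITY_EXPORT = """\
account,type,privileged,remote_access,mfa,exception_ticket,last_used
jdoe,human,true,true,true,,2025-10-01
asmith,human,true,true,false,,2025-10-03
vendor-ops,human,false,true,false,SEC-1042,2025-09-28
svc-corebanking,service,true,false,false,,2025-10-02
svc-legacy-etl,service,true,false,false,,2024-11-15
svc-reporting,service,false,false,false,,2025-09-30
"""

def load_accounts(text):
    """Parse the export; booleans arrive as strings, dates as ISO."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for col in ("privileged", "remote_access", "mfa"):
            row[col] = row[col].strip().lower() == "true"
        row["last_used"] = date.fromisoformat(row["last_used"])
        rows.append(row)
    return rows

def mfa_coverage(accounts):
    """Examiner evidence: MFA across privileged or remote human access, with
    documented exceptions kept separate from undocumented gaps."""
    in_scope = [a for a in accounts
                if a["type"] == "human" and (a["privileged"] or a["remote_access"])]
    documented = [a["account"] for a in in_scope if not a["mfa"] and a["exception_ticket"]]
    gaps = [a["account"] for a in in_scope if not a["mfa"] and not a["exception_ticket"]]
    return {
        "in_scope": len(in_scope),
        "covered": sum(1 for a in in_scope if a["mfa"]),
        "documented_exceptions": documented,
        "undocumented_gaps": gaps,
    }

def service_account_findings(accounts, today, stale_days=90):
    """Phase 1 inventory: privileged service accounts, flagged stale when unused
    longer than stale_days (the 90-day threshold is an assumption)."""
    findings = []
    for a in accounts:
        if a["type"] == "service" and a["privileged"]:
            idle = (today - a["last_used"]).days
            findings.append({"account": a["account"], "idle_days": idle, "stale": idle > stale_days})
    return findings
```

An undocumented gap (a privileged user without MFA and without an exception ticket) is the finding an examiner will write up; a documented exception is a control decision you can defend.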
The governance infrastructure supporting AI deployment — covered in our piece on the FS AI RMF and the SR 11-7 governance gap — intersects directly with zero trust in the identity and access control pillars. Institutions that treat these as one workstream will move faster and fare better under examination. Those building zero trust systematically, starting with identity and documenting each phase, are positioned to scale securely into the next AI deployment cycle.
Key Takeaways
- Zero trust is now an active regulatory expectation for banks; the FFIEC CAT sunset (August 2025) and NIST CSF 2.0 successor frameworks all align to zero trust principles.
- The five pillars — Identity, Device, Network, Application, Data — should be sequenced rather than implemented simultaneously; Identity is the correct starting point for most institutions.
- Third-party access is the most undermanaged zero trust risk in banking: over 70% of credit union incidents in 2025 were tied to third-party vendors; ZTNA is the direct architectural response.
- Financial services organizations implementing zero trust have documented up to 197% three-year ROI, driven primarily by breach cost reduction and security operations efficiency.
- Examiner readiness requires documented evidence of control implementation — MFA coverage, segmentation, third-party access reviews — not framework adoption statements.
The Risk Dispatch covers the regulatory and technology developments that matter most to financial services technology leaders. For related AI governance coverage, see our pieces on the FS AI RMF and NYDFS 23 NYCRR 500 and AI compliance.