Security Shortcuts Are the Norm, Not the Exception
It’s like locking your car, but leaving the keys in the ignition so you can get going a bit faster next time you head out. Technically locked, practically useless. That’s the state of cybersecurity today, according to Tailscale’s State of Zero Trust 2025 report. The new research paints a grim and revealing picture of modern access systems. There is a disconnect between cybersecurity policy and practice that puts entire organizations at risk.
Security Shortcuts Are the Norm
In a survey of 1,000 IT, security, and engineering professionals, 83% confessed to bypassing security controls to get their work done. Even more concerning, 68% admitted they still had access to internal systems from a previous employer.
These aren’t isolated incidents. They reveal a deeper flaw in how companies approach secure access. Zero Trust, the model designed to prevent this kind of exposure, is often treated as a checkbox rather than a functioning system.
Tailscale CEO Avery Pennarun summed it up: “When developers, engineers, and IT all say the current system is broken — and worse, start working around it — that’s a sign the tools need to change, not the people.”
VPNs Still Dominate, Despite Widespread Frustration
The report’s biggest villain? Legacy VPNs. Only 10% of professionals say their VPN works without issue. The rest face latency, limited scalability, and high operational overhead.
VPNs offer broad network access but little control. Once inside, users can often reach far more than they need. This “too much trust” approach undermines security at its core, a fatal contradiction to Zero Trust principles.
Old Habits, Long Access
The numbers on offboarding are damning. Over two-thirds of professionals retained privileged access after leaving a company. In 13% of cases, that access remained for months or longer.
These lapses are symptoms of outdated identity management systems and manual provisioning. Nearly 70% of companies still manage access manually, resulting in slow updates, delays, and potentially hazardous oversights.
Zero Trust in Theory, Not in Practice
Only 29% of companies have adopted identity-based access as their main model. Most are stuck in hybrid setups — some identity controls layered awkwardly on top of IP-based firewalls and legacy hardware.
“Most C-levels don’t really understand what Zero Trust is,” the report notes. Many companies invested in “Zero Trust” products without a clear plan, resulting in confusion and partial implementation.
Security That Blocks Work Becomes a Risk Itself
Developers and engineers face delays, confusion, and friction when trying to do their jobs. At companies still relying on VPNs, workarounds are rampant. Nearly a third of employees report seeing others actively bypassing the infrastructure.
This is not defiance. It’s a survival mechanism. Slow systems create shadow IT. Users turn to unapproved tools and personal devices, not out of rebellion, but because they need to move fast.
Broken Trust, Broken Systems
Security vs. productivity is the most cited challenge in the report. 32% of IT leaders say they struggle to balance both. Another 31% say enforcing policies and fighting unauthorized tools is exhausting their teams.
The report hammers this point: when security is hard to use, people stop using it.
What’s Working: Identity-First, Just-in-Time, and AI
But it’s not all bleak. Many organizations are beginning to shift toward smarter, adaptive systems. Nearly half are consolidating tools and replacing clunky VPNs with identity-aware access models, such as mesh VPNs and Zero Trust Network Access (ZTNA).
AI and automation are emerging as crucial tools. They enable systems to respond to context — granting or denying access based on behavior and risk — rather than relying on static rules. It’s a shift from “never trust, always verify” to “verify constantly, but intelligently.”
Summing It All Up
Tailscale’s State of Zero Trust 2025 report exposes a critical failure in cybersecurity practices. Despite widespread adoption of Zero Trust principles in theory, real-world implementation is falling dangerously short. Most companies still rely on outdated VPNs and manual processes that create friction, delay productivity, and encourage risky workarounds. Engineers routinely bypass controls, and offboarding gaps leave sensitive systems vulnerable to exposure long after employees leave. As AI-driven security gains traction, the path forward lies in identity-based access, automation, and user-centric design, not just more tools, but more intelligent systems.