
Zero Trust Starts with Identity: Lessons from Cybersecurity

Certifyd Team

In 2020, the cybersecurity world adopted a phrase that has since reshaped how every serious organisation thinks about digital security: zero trust. The principle is simple. Never assume a user, device, or connection is legitimate because of where it comes from or what it claims to be. Always verify. Every time.

Before zero trust, network security worked like a castle with a moat. Get past the perimeter — the firewall, the VPN, the login screen — and you were trusted. Move freely. Access anything. The assumption was that anyone inside the walls was authorised to be there.

That assumption was catastrophically wrong. Breach after breach demonstrated that attackers who got past the perimeter — through phishing, credential theft, or compromised devices — could move laterally through organisations with impunity. The castle-and-moat model was replaced by a model where every access request is verified independently, regardless of where it originates.

The parallel to physical and employment identity is exact. And most businesses have not yet made the transition.

The castle-and-moat model of business identity

Consider how most UK businesses handle identity today:

  • "They have a badge." A person wearing a staff lanyard is assumed to be staff. A person wearing a contractor badge is assumed to be an authorised contractor. The badge is the perimeter. Once past it, the person is trusted.

  • "They're on the calendar." A visitor scheduled in the calendar system is assumed to be the person they claim to be. When they arrive at reception, they give a name. The receptionist checks the calendar. The name matches. They are given a visitor pass. No identity verification takes place.

  • "The agency sent them." An agency worker arrives for a shift. The site manager was told to expect a worker called Sarah. A person arrives and says they are Sarah. Sarah is checked in. Nobody verifies that the person is actually the individual the agency intended to send.

  • "They were on the Zoom call." A remote meeting participant joins with a name that matches the expected attendee. They have their camera on. They look like a professional. They are treated as the verified person for the duration of the meeting — including when sensitive information is shared, decisions are made, or contracts are discussed.

  • "They passed the check at onboarding." An employee was verified when they were hired. Right to work check conducted, documents reviewed, records filed. That check is now eighteen months old. The employee's circumstances may have changed — visa expired, permissions revoked, identity compromised — but the original check is treated as perpetual validation.

Each of these scenarios operates on the castle-and-moat principle. One moment of apparent verification — a badge, a calendar entry, a name, a document check — creates a zone of assumed trust that extends indefinitely.

This is exactly the model that cybersecurity abandoned because it does not work.

Why the old model is breaking down

Several converging factors are making assumed-trust identity models increasingly dangerous for businesses.

AI-generated documents are defeating visual inspection. As AI document generation tools become more accessible, the ability to produce convincing fraudulent identity documents is no longer limited to sophisticated criminal operations. The assumption that "the document looked genuine" is an adequate verification standard is collapsing.

Deepfake technology undermines video and voice verification. Real-time face-swapping and voice cloning mean that the person you see on a video call, or hear on a phone, may not be who they claim to be. Every interaction that relies on "I recognised them" or "they sounded right" is vulnerable.

Remote and hybrid work has eliminated physical presence as a verification factor. When employees, contractors, and partners can participate in business activities from anywhere, the physical checkpoint — being in the building, showing your face, presenting documents in person — no longer exists as a default safeguard.

Regulatory expectations are rising. The Fair Work Agency has consolidated enforcement powers and the ability to conduct unannounced inspections. The Home Office expects ongoing compliance, not one-time checks. The direction of regulation is towards continuous verification, not periodic validation.

Identity fraud is systematic, not opportunistic. According to Cifas, identity fraud cases in the UK exceeded 237,000 in 2025. These are not isolated incidents. They represent a systematic exploitation of trust-based identity systems by organised criminal operations.

What zero trust identity looks like

Zero trust identity applies the same principle as zero trust cybersecurity: never assume, always verify. Every person, every interaction, every access request is verified independently, regardless of prior trust or assumed legitimacy.

Here is what that looks like in practice across different business contexts.

Right to work compliance

Castle-and-moat approach: Check the employee's documents once at onboarding. File the copies. Assume compliance continues until someone raises a concern.

Zero trust approach: Conduct the initial check with verified identity matching — confirming the person presenting documents is the person those documents belong to. Set automated reminders for visa expiry dates. Conduct follow-up checks on the prescribed schedule. Treat every status change as an event requiring re-verification. Do not assume that a check conducted twelve months ago reflects reality today.

Contractor and agency worker access

Castle-and-moat approach: The agency says they are sending a worker. A worker arrives. The worker gives the expected name. Access is granted.

Zero trust approach: Every agency worker verifies their identity at the point of arrival, every shift. The verification confirms they are the specific individual whose right to work was checked, whose DBS was completed, and whose qualifications were verified. If the person arriving is not the person expected, they do not gain access — regardless of operational pressure.

Meeting and visitor verification

Castle-and-moat approach: A visitor arrives and says they have a meeting with Sarah in Legal. Reception calls Sarah. Sarah confirms she is expecting a visitor. The visitor is given a badge.

Zero trust approach: The visitor verifies their identity before or at the point of arrival. The meeting host confirms the verification. The visitor's identity is recorded in an auditable log. If the visitor cannot verify their identity, the meeting does not proceed — regardless of how important it seems.

Remote meeting authentication

Castle-and-moat approach: A participant joins a video call with the expected name. They have their camera on. They are treated as verified for the duration of the call.

Zero trust approach: Before sensitive information is shared or decisions are made, each participant completes a verification step — biometric, code-based, or device-authenticated. The assumption that "they joined the call so they must be who they say they are" is replaced by actual confirmation. This is particularly critical in contexts where deepfake technology can impersonate participants in real time.

Employee lifecycle management

Castle-and-moat approach: An employee is verified at hiring. Their access, permissions, and trust level remain constant throughout their tenure.

Zero trust approach: Verification is continuous. Access to sensitive systems requires re-authentication. Changes in role, location, or employment status trigger re-verification. Departure from the organisation triggers immediate revocation of all access and trust — not a gradual wind-down.
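The right to work and lifecycle rules above amount to a per-request policy decision, shown here as an added example (not code from this page or from Certifyd): each access request re-evaluates the age of the last identity-matched check, document expiry, status-change events and departure, instead of relying on the onboarding check. The policy windows, event names and worker records are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed policy parameters (illustrative, not Certifyd's): a check older than this
# is stale, and a right to work document nearing expiry needs a scheduled follow-up.
MAX_CHECK_AGE = timedelta(days=365)
EXPIRY_REMINDER_WINDOW = timedelta(days=60)
TRIGGER_EVENTS = {"role_change", "location_change", "employment_status_change"}

@dataclass
class WorkerRecord:
    worker_id: str
    last_verified: date            # date of the last identity-matched check
    rtw_expiry: Optional[date]     # None when the right to work is not time-limited
    events_since_check: list = field(default_factory=list)
    active: bool = True            # False once the worker has left

def evaluate(rec: WorkerRecord, today: date) -> tuple:
    """Decide one access request: ('allow' | 'reverify' | 'deny', reason)."""
    # Departure revokes all trust immediately, before anything else is considered.
    if not rec.active:
        return ("deny", "worker has left the organisation; access revoked")
    # An expired right to work document is a hard stop, not a reminder.
    if rec.rtw_expiry is not None and rec.rtw_expiry <= today:
        return ("deny", "right to work document has expired")
    reasons = []
    if today - rec.last_verified > MAX_CHECK_AGE:
        reasons.append("last verification is older than the policy window")
    if rec.rtw_expiry is not None and rec.rtw_expiry - today <= EXPIRY_REMINDER_WINDOW:
        reasons.append("right to work document expires within the reminder window")
    triggered = sorted(TRIGGER_EVENTS & set(rec.events_since_check))
    if triggered:
        reasons.append("status change since last check: " + ", ".join(triggered))
    if reasons:
        return ("reverify", "; ".join(reasons))
    return ("allow", "verification is current")

def decisions_for_scenarios(today: Optional[date] = None) -> dict:
    """Constructed records mirroring the page's scenarios; returns decision per worker."""
    today = today or date.today()
    records = [
        WorkerRecord("stale-check", today - timedelta(days=548), None),      # ~18 months old
        WorkerRecord("visa-soon", today - timedelta(days=30), today + timedelta(days=45)),
        WorkerRecord("moved-role", today - timedelta(days=30), None, ["role_change"]),
        WorkerRecord("left", today - timedelta(days=10), None, active=False),
        WorkerRecord("current", today - timedelta(days=30), today + timedelta(days=400)),
    ]
    return {r.worker_id: evaluate(r, today)[0] for r in records}
```

A "reverify" result is the signal the page describes: it carries the reasons so the failure can be investigated rather than waved through.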

The cultural shift

Zero trust identity is not primarily a technology challenge. It is a cultural one.

It requires accepting that trust is not the default. This feels uncomfortable. Asking a long-standing employee to re-verify their identity feels bureaucratic. Requiring a regular visitor to confirm who they are every time feels excessive. Verifying that the person on the video call is actually that person feels paranoid.

But consider the alternative. A care home that trusts a person wearing a uniform to be a qualified carer — without verification — is one substitution away from a safeguarding failure. A business that trusts a person on a video call to be a client — without verification — is one deepfake away from authorising a fraudulent transaction. A company that trusts that a director's visa status has not changed — without checking — is one expiry away from a compliance penalty.

Trust is not a security control. It is the absence of one.

It requires making verification frictionless. Zero trust only works if verification is fast enough to be practical. If verifying identity takes thirty minutes and requires three forms of documentation, people will find workarounds. The cybersecurity world solved this with single sign-on, biometric authentication, and device trust — making verification near-instant while maintaining rigour.

The same principle applies to physical and employment identity. Verification must be a thirty-second process, not a thirty-minute one. It must work on a phone, at a door, before a meeting, at a shift change. If it creates friction, it will be circumvented.

It requires treating exceptions as signals, not inconveniences. In a zero trust model, a failed verification is not an annoyance. It is information. The person who cannot verify their identity at the door may be the wrong person. The document that fails automated checking may be fraudulent. The participant who will not authenticate before a meeting may not be who they claim.

Castle-and-moat organisations treat verification failures as friction to be overcome. Zero trust organisations treat them as threats to be investigated.

The business case

Beyond risk reduction, zero trust identity creates tangible business value.

Regulatory readiness. Businesses with continuous, verified compliance records are better positioned for walk-in audits, Home Office visits, and FWA inspections. The records show not just that checks were conducted, but that verification was rigorous and ongoing.

Insurance and liability. Demonstrating a zero trust identity posture may reduce insurance premiums and limit liability in the event of an incident. The question "what did you do to prevent this?" has a substantially better answer under zero trust than under assumed trust.

Client confidence. For businesses that handle sensitive data, operate in regulated sectors, or serve enterprise clients, a demonstrable zero trust identity posture is a competitive advantage. It answers the question that every serious client now asks: how do you know the people accessing our data are who they claim to be?

Operational clarity. When identity is verified rather than assumed, ambiguity decreases. You know who is on site. You know who was in the meeting. You know who performed the work. This clarity has value beyond compliance — it supports accountability, performance management, and operational efficiency.


Certifyd brings zero trust identity to every business interaction — from right to work checks to meeting verification to real-time deepfake detection. Never assume. Always verify. Every person, every time.