Zero-trust: what I actually enforce, and what I only designed

Most security write-ups blur the line between what's enforced in code and what's on a slide. For a defense-grade console that line IS the deliverable — so here's mine, drawn explicitly. Naming the gap is the point.

The fastest way to lose a security reviewer's trust is to claim a control you can't point to in the code. So this post does the opposite of a marketing page: it draws the line between enforced, designed-but-not-wired, and roadmap — and puts the gap in writing.

Zero-trust here follows the public references everyone cites: NIST SP 800-207 and the DoD Zero Trust Reference Architecture. The premise is simple and unforgiving: the link is hostile, and nothing is trusted because it "came from the drone." Trust is established per session, per message, per command — never assumed.

That's the principle. Ang totoo, iba yun sa reality (the truth is, that's different from reality) — so here's mine, split three ways.

Why write the gap down

Two reasons, and they're the same reason from different angles.

A senior reviewer is going to find the boundary between real and aspirational whether or not I mark it. If I've marked it, that's a point in my favor — it reads as someone who knows the difference between architecture and enforcement. If I've hidden it, the first uncomfortable question torpedoes everything else I claimed.

And for me: the table is a worklist. "Designed-but-not-wired" is exactly the set of things to turn into "enforced," in priority order. The honesty isn't just ethics — it's the backlog.

A security claim you can't point to in the code is marketing. The architecture is real and pervasive, several controls are genuinely live, and the rest is written down as designed — not done. Drawing that line is not a weakness in the story. It is the story.

The enforced / designed / roadmap breakdown

Same password as the other GCS posts — or request access below.

Build log entry. Apache-2.0. Part of the multi-domain GCS build log.