Zero trust has been marketed to death. Every vendor has a product that does it. Every analyst has a framework for it. And almost every mid-market company that tries to “adopt zero trust” ends up twelve months later with a pile of tooling, a confused identity team, and no measurable improvement.
This is what an actual, fundable, ninety-day rollout looks like. Not a theoretical architecture. Not a multi-year transformation. A concrete sequence of moves a security team of three to eight people can execute, alongside a functioning business, with real legacy systems and a real budget ceiling.
What zero trust actually means, in one paragraph
Zero trust is a design principle, not a product. It says: do not trust any user, device, service, or network segment implicitly. Verify every request against current identity, device posture, and context. Grant least privilege for the shortest useful duration. Assume the attacker is already inside, and design accordingly.
Practically, that translates into four control families you need to operate in concert: identity, device, network access, and workload segmentation. A ninety-day rollout will not complete all four — but it can make measurable, defensible progress on the first two, which is where 70% of the risk lives.
Days 1–15: Establish the control plane
Before you change anything, you need a single source of truth for identity and device state. If you do not have this, you are not doing zero trust. You are just buying products.
- Consolidate to one identity provider — Okta, Entra ID, or JumpCloud — and federate every SaaS application to it. Disable local accounts everywhere you can.
- Deploy or validate MDM on 100% of company-owned devices (Intune, Jamf, Kandji). Personal devices go into a separate bucket with explicit, narrower rules.
- Inventory your applications into three tiers: Tier 1 (customer data, financial, source code), Tier 2 (internal business systems), Tier 3 (marketing, creative).
- Define four device-posture signals you will enforce: encryption on, OS version current, EDR running, MDM-managed.
Days 16–30: Rebuild MFA as phishing-resistant
The single highest-ROI move in a zero-trust program is replacing TOTP and SMS-based MFA with phishing-resistant factors — platform authenticators (Windows Hello for Business, Apple Passkeys) and hardware security keys (YubiKey, Titan).
The rollout path we use:
- Week 3: Deploy hardware keys to all administrators and engineers with production access. Two keys per person, one used, one stored off-site.
- Week 4: Enroll all employees onto platform authenticators. Support the rollout with a short (eight-minute) training video and a scheduled office-hours block.
- Week 4 (end): Turn on a conditional-access rule that requires phishing-resistant MFA on all Tier 1 applications. TOTP continues for Tier 2 and 3 for now.
Done properly, this phase eliminates approximately 80% of credential-phishing risk for the most sensitive accounts. In our incident response data from 2024–2025, it would have prevented five of seven business email compromise cases we investigated.
Days 31–60: Conditional access and device posture
Now combine the identity you standardized in phase one with the device state you standardized alongside it.
- Block legacy authentication protocols (basic auth, IMAP, POP, SMTP auth) at the IdP. This closes an entire class of attacks that every modern attacker toolkit still leverages.
- Require managed-device posture on every Tier 1 application. If the device is not MDM-enrolled, not encrypted, or running a known-vulnerable OS version, deny the session.
- Implement just-in-time privileged access using your IdP’s native PIM (Entra P2, Okta Privileged Access) or a lightweight third-party tool (Teleport, Opal). No persistent “break-glass” admins.
- Session-lifetime policy: administrative sessions expire in four hours; standard user sessions in eight; unmanaged devices in one.
If your business uses personal devices for any Tier 1 access, use a browser-based session-isolation layer (Island, Talon, Microsoft Edge for Business) instead of trying to MDM personal hardware. It is cleaner for everyone and legally simpler.
Days 61–80: Segmentation where it actually matters
Network segmentation at the VPC/VNet layer is usually the longest and most invasive part of a zero-trust program. For a ninety-day plan, focus on three narrow wins, not a full microsegmentation build-out.
- Isolate the production administrative plane: bastion, deploy pipelines, and privileged workstations go into their own subnet / VNet with restricted ingress.
- Egress-filter production subnets so they can reach only the destinations they need. This alone breaks most commodity command-and-control channels.
- Replace flat VPN access with an identity-aware proxy (Cloudflare Access, Google IAP, Tailscale, Twingate) for at least the top ten internal applications.
Deeper east-west microsegmentation between workloads is a quarter-two or quarter-three project. Do not try to do it now.
Days 81–90: Measure, document, and hand off
A zero-trust initiative that does not produce measurable numbers is indistinguishable from theater. In the final fortnight, capture and report:
- Percentage of Tier 1 applications requiring phishing-resistant MFA.
- Percentage of endpoints MDM-enrolled, encrypted, and with EDR running.
- Percentage of administrative access granted just-in-time vs persistent.
- Percentage of legacy-auth traffic blocked at the IdP.
- Mean time from onboarding to full access, and from offboarding to access revocation.
Publish these numbers to the executive team with a trailing twelve-month target. Zero trust is a program, not a project. The hand-off at day ninety is not the end — it is the start of the operating model.
What not to do
- Do not buy a “zero trust platform” on day one. You are buying marketing.
- Do not try to retire your VPN in phase one. Reduce its attack surface first.
- Do not roll out hardware keys without a key-loss process, a replacement stock, and a lost-key runbook.
- Do not let a vendor tell you that TOTP is “still acceptable.” In 2026, it is not, for administrative access.
- Do not enforce device-posture rules before you have MDM coverage at 95%. You will lock out your own business.
What good looks like at day 91
At the end of a well-executed ninety-day rollout, an administrator cannot log in to a Tier 1 application without a phishing-resistant factor, on a managed and compliant device, with a time-bound privileged session, from a network segment that logs every outbound request. Every one of those properties is enforced by policy, not by memory, and every one is measurable.
That is what zero trust actually looks like when it works. No vendor sold it to you as a box. Your team built it, one control at a time, in a quarter.
If you want a partner that has run this rollout before — and who will produce the metrics your board needs to see at day ninety-one — this is what our vCIO and IT advisory practice does every quarter.
