Unlike legacy security models that differentiate a "trusted" interior from an untrusted exterior, zero trust assumes that all networks and hosts are equally untrustworthy. Once this fundamental shift in assumptions is made, you start to make different decisions about what, who, and when to trust, and about which validation methods are acceptable for confirming that a request or transaction is allowed.