Trust Without Borders: Why Static Rules No Longer Cut It

Ten years ago, an enterprise might grant full access when a user connected via a corporate VPN, on a corporate laptop. Access policies were brittle but simple: you were either inside or outside. If inside, you passed; if outside, you needed VPN or blocked.

But that model is breaking down fast. Devices are personal. Users shift between locations. Credentials get phished. Apps live in cloud data centers far from traditional boundaries. An “always-on” trust model is one where attackers only need to mimic the right credentials or environment to move laterally. One compromised machine or stolen session token often becomes enough.

It’s no longer safe to assume that because someone has credentials and is pushing traffic through what you once believed was “safe,” that everything’s okay.

Trust without borders relies on signals — live, contextual indicators that help you decide whether to allow or deny access. These signals are plentiful: device posture, geographic location, network characteristics, browser version, recent behavior, anomaly flags, time of access, frequency of resource usage, and more.

SGNL (2025) wrote about how device posture is only half the story, but an essential half. When you know a device is patched, running endpoint detection, encrypted, with a healthy security configuration, you can treat access differently. But if the device fails posture, you trigger extra checks, limit functionality, or restrict access entirely.¹ 

Likewise, StrongDM has launched “Device Trust” in its Zero Trust / Privileged Access Management solution, integrating with tools like CrowdStrike or SentinelOne. The idea is not just that the user is legitimate—but the device is legit, too. Only devices that meet security hygiene thresholds get access to sensitive infrastructure or systems.² 

In a borderless enterprise, static role‑based access or network location checks are inadequate. Trust has to be a dynamic, ever‑evolving calculation.

Imagine this: a user normally logs in from their home office on a fully managed, encrypted laptop. Their behavior is predictable: email, SaaS apps, internal dashboards. One day, the same credentials are used from a borrowed laptop, from a hotel network, late in the evening, to access sensitive resources. That should trigger suspicion. Maybe MFA is required, maybe access is limited, maybe the action is denied until review.

Dynamic trust models allow rules to adapt — tightening or relaxing based on risk. They’re powered by shared signals, continuous evaluation, and often, machine learning to build baselines of what “normal” looks like. MOJOAuth’s research into dynamic trust highlights this shift: evaluating not just who the user is, but where, how, what device, and when. ³

One example of this in action comes from SGNL. They describe how integrating real‑time device posture signals (e.g., from mobile device management or endpoint detection tools) lets organizations enforce policies that react immediately when devices fall out of compliance. A mispatched device or missing security agent triggers a downstream change: access is limited or revoked, even mid‑session, rather than waiting for the next quarterly review.⁴ 

Then there’s StrongDM’s device trust example: combining user and device risk data to decide whether a session should continue or be blocked. Such systems make explicit checks: Is the device healthy now? If not, even if the user is authenticated properly, access is gated or further verified. This is trust “with borders” of device and risk, not with walls. ⁵

Implementing this kind of adaptive, signal‑based trust isn’t easy.

For many, admin teams are tied into legacy systems that assume trust in the network. Many apps don’t support modern authentication, device risk assessment, or shared signal standards. Identity and device posture tools may live in separate silos. Logging and monitoring may be incomplete or delayed.

User experience is also a concern. No one wants to be constantly prompted for MFA or have their sessions disrupted. There’s a balance to find between security and friction. If dynamic trust is misconfigured, you frustrate users; if too lenient, you lose security.

Finally, many orgs lack visibility: they don’t have baseline data for “normal” behavior. Without that, anomalies are hard to define, thresholds are arbitrary, and false positives proliferate.

To do this well, identity teams must reimagine what “access policy” means.

First, policies need to accept signals. You need systems that can ingest data on posture, device health, location, behavior, and network state. These signals need to be trusted, timely, and reliable.

Second, access decision paths must branch. A login request might take one path (fast pass) when all signals are green. If any signal is weak (device unpatched, unusual location, first time login from that device), then the flow changes: require MFA, limit privilege, or require supervisor approval.

Third, continuous monitoring and revocation become essential. If a device loses compliance mid‑session (for example, malware detected, or a software patch issue), access shouldn’t just remain wide open until the next manual check. Shared signals allow real‑time revocation or session drop.

Fourth, observation and feedback loops must exist. Every time a trust model denies or restricts access, someone (or something) should evaluate whether it was correct. Did the user complain unjustly? Was the risk real? Adjust thresholds, refine baselines, and reduce friction where possible.

Tools and platforms already helping with this include SGNL, StrongDM for device trust, and others that offer context-aware access and continuous risk evaluation.⁶  ( Relax, cynic,s these aren’t the only platforms that offer this; there are others out there. I just used these two for examples in this article.

Trust without borders means trust that flows, adapts, and never sleeps.

You’re never truly “inside” anymore. Every time someone or something tries to access your systems, it’s a new moment of truth. The question is no longer “Did we grant access once?” but “Do we continue to allow it?”

The perimeter is no longer geography, network, or IP range. It’s identity plus environment plus risk plus time. That’s the trust model that works in borderless environments.

If you’re not building trust this way, you’re building on assumptions that will eventually crumble under their own weight.