Zero Trust starts like many other strategic initiatives do: an executive (likely the CISO) sets a bold vision to implement a new model, framework, or technology across the enterprise. Typically, the leader gets buy-in, the security team develops a plan, and architects start sketching out and designing the architecture. However, as months or years go by, progress slows. Meetings turn into debates. Ownership remains unclear. In the case of Zero Trust, segmentation initiatives stall because no one knows who is accountable. Data classification is delayed because business units were not consulted. Thus, the Zero Trust journey, with all of its promise, is stymied by misalignment between teams.

This is an all-too-common scenario that organizations contend with today. Despite the urgency to implement Zero Trust, organizations often underestimate the complexity of coordinating across all of its domains — and more importantly, across people.

Address The Alignment Gap In Zero Trust

As we’ve stated many times previously, Zero Trust is not a product — it’s a strategy that spans multiple domains. As such, each domain requires collaboration across technical and non-technical stakeholders. Yet many organizations have been treating Zero Trust as a purely IT- or security-only initiative. This results in a siloed approach that leads to delays, duplicated efforts, and governance breakdowns. The root cause? A lack of clarity on who does what.

Enter The Zero Trust RASCI Matrix

Forrester’s latest report introduces the Zero Trust RASCI Matrix, a tool for defining roles and responsibilities as they relate to essential activities across the core domains of Zero Trust. The RASCI Matrix assigns the following roles for Zero Trust implementation: Responsible, Accountable, Supportive, Consulted, and Informed. These roles are assigned based on the nature of the initiative tied to a project and the stage of the lifecycle the project is in.

By applying RASCI to each Zero Trust-aligned initiative across various domains, organizations can clarify ownership, reduce friction, and accelerate execution. Make the RASCI chart actionable by mapping roles across the project lifecycle for each domain, for example:

  1. Discover. Identify current state, gaps, and dependencies. This also includes engaging business units early to understand data flows and user access needs.

     RASCI Tip: Make business stakeholders Consulted and Informed to ensure alignment.

  2. Plan. Define scope, success metrics, and governance. Align with enterprise architecture and compliance teams, as well as industry and regional requirements.

     RASCI Tip: Assign Accountable roles to domain leads and Supportive roles to PMO.

  3. Design. Architect solutions for desirable outcomes such as segmentation, identity, and workload protection. Ensure cross-domain integrations (e.g., network + identity) are well defined to achieve outcomes.

     RASCI Tip: Include architects and security engineers as Responsible and Consulted.

  4. Implement. Deploy controls, configure tools, and onboard users or BYO. Coordinate with change management and training teams to

     RASCI Tip: Make IT operations Responsible, with business units Informed.

  5. Monitor & Evaluate. Track KPIs, audit controls, and adapt to threats. Review governance and update policies.

     RASCI Tip: Assign Accountable roles to governance leads and Consulted roles to risk teams.

Forrester clients can access the full report and RASCI Matrix tool here.

Include Stakeholders Beyond IT and Security

Understand that Zero Trust impacts how people access data, how applications are built, and how decisions are made. That’s why it’s critical to include stakeholders from across the organization outside of IT and security. These can include HR (for identity lifecycle), Legal & Compliance (for data governance), Finance (for budget and risk tolerance), and Business Units (for operational alignment). This broader inclusion ensures that Zero Trust supports business objectives and the intent behind its strategic adoption, not solely technical change.

Adapt The RASCI Chart To Fit Your Organizational Structure

Technology, threats, and business priorities are constantly evolving — which means your governance model must evolve with them. A static RASCI chart can quickly become outdated, leading to misalignment and inefficiencies. Stay resilient and responsive. This means organizations should regularly revisit and refine their RASCI assignments to reflect:

  • Adoption of new tools or platforms
  • Shifts in organizational structure or roles
  • Emerging threats and evolving compliance requirements

By embracing an adaptive approach, you ensure that your Zero Trust strategy remains aligned with both operational realities and strategic objectives.

Use The RASCI Matrix As A Strategic Enabler

Zero Trust is a journey — and like any journey, it needs a map. The RASCI Matrix helps clarify roles, align stakeholders, and enable execution, which gets the ball rolling on creating a map to govern your Zero Trust implementation. When applied thoughtfully across domains and lifecycle stages, the RASCI Matrix helps transform Zero Trust from a vision into a reality.

Connect With Me

Forrester clients can reach out to schedule an inquiry or guidance session to discuss more about how to effectively adopt the Zero Trust RASCI matrix and discuss the activities highlighted within the template.

I will also be in Austin, Texas, on November 5–7 with a host of colleagues for the Forrester Security & Risk Summit. I’m leading a session on establishing a governance framework for Zero Trust. The event agenda includes tracks not only focused on Zero Trust, but also a variety of keynotes, breakouts, workshops, roundtables, and special programs curated to help you master whatever new challenge your teams are facing today. We hope to see you there!