The tenets of zero trust are well defined in NIST SP 800-207, but have organizations and security architects really taken them on-board? Are we exhibiting a familiarity bias: over-trusting certain network and software components, while ignoring others that may represent security vulnerabilities? Are we looking too much at the actual network we are trying to protect, and disregarding unmanaged devices, such as IoT/OT/ICS, BYOD? Is EDR the solution or just an initial step towards a solution on the road? Join us as we explore these issues and offer suggestions on how to address them.