
arxiv: 2604.06272 · v1 · submitted 2026-04-07 · 💻 cs.CR

Zero Trust in the Context of IoT: Industrial Literature Review, Trends, and Challenges

Pith reviewed 2026-05-10 19:23 UTC · model grok-4.3

classification 💻 cs.CR
keywords: zero trust, IoT, cybersecurity, literature review, industrial trends, security challenges, NIST standards, device integration

The pith

Many vendor IoT solutions labeled as zero-trust show little actual compliance with the model or standards.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper conducts a literature review of non-academic, industry-focused publications on integrating IoT and smart peripheral devices into zero-trust architectures. It compares these sources to NIST standards and academic research to consolidate knowledge on current offerings. The review finds that many solutions tagged as zero-trust IoT integrations fail to achieve effective compliance, often due to device constraints and unspecified practical requirements. A reader would care because this clarifies where marketing claims diverge from workable implementations in real-world cybersecurity for connected systems.

Core claim

The central claim is that industrial literature on IoT integration into zero-trust models shows widespread labeling of solutions without substantial adherence to the model's requirements or NIST guidelines, with gaps arising from device energy and computation limits, lifecycle management, and dependencies on the surrounding platform.

What carries the argument

Comparative literature review of non-academic publications contrasted against zero-trust standards and academic work to identify compliance levels and open challenges.

If this is right

  • Practitioners receive a clearer picture of where current industrial solutions fall short of zero-trust requirements.
  • Device-specific factors such as power, computation, and lifecycle must be addressed before efficient IoT adoption in zero-trust setups.
  • The aspects NIST leaves unspecified for IoT require targeted research before practical implementation is possible.
  • Trends in practice-oriented literature diverge from standards, indicating a need for better alignment mechanisms.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Widespread mislabeling could create overconfidence in IoT security deployments and slow development of genuinely compliant systems.
  • A follow-up study applying quantitative compliance scoring to the reviewed materials would make the gap measurements more precise and actionable.
  • Similar labeling issues may appear in adjacent areas like edge computing or 5G device security, suggesting a pattern across constrained environments.

Load-bearing premise

A review of non-academic publications without stated search criteria or scope limits will reliably consolidate current knowledge and reveal representative trends and challenges.

What would settle it

A systematic search using explicit criteria that uncovers a substantial number of industrial IoT solutions demonstrating full, verifiable compliance with all core zero-trust principles would contradict the observed lack of effective adherence.

Figures

Figures reproduced from arXiv: 2604.06272 by Laurent Bobelin (INSA CVL).

Figure 1: Zero Trust Architecture
Text from the paper around Figure 1 (cut off in the extraction): The PDP itself in the NIST standard includes the Policy Engine (PE) component, which is the decision-making component, and the Policy Administration (PA) component, which is responsible for coordinating the actions of the PEP so as to reflect the decisions of the PE. Some authors and companies (see for instance [6]) add a Trust Engine component (TE). TE is responsible for running a Trust A…

Figure 2: Brownfield device gateway
Text from the paper following Figure 2 (cut off in the extraction): 3.2.2. Digital Twins. Digital twins are used to predict behavior and, by doing so, evaluate the potential abnormal behavior of a device. While further analysis may be mandatory to determine the root causes of the abnormal behavior, device twins are sometimes associated with quarantine groups that isolate potentially compromised devices. Some vendors may name those device twins w…
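The two figure excerpts above describe the NIST decision plane (PE and PA inside the PDP, enforced by the PEP), the Trust Engine some vendors add, and digital twins that flag abnormal device behavior and map devices into quarantine groups. What follows is an added example, not code from the paper or from any vendor it reviews: a minimal policy decision flow in Python for an IoT device request, in which the Trust Engine scores attestation, firmware lifecycle state and the device twin's anomaly score, the PE decides per request and per resource, and the PA turns a denial into either a block or a quarantine action for the PEP. The component names follow the figure text; the weights, thresholds, twin baseline, device identifiers, resource names and telemetry values are all constructed assumptions.

```python
"""Minimal NIST SP 800-207-style decision flow for an IoT device request.
Added illustration, not code from the reviewed paper or any vendor; the PE/PA/PEP/TE
names follow the figure text, every number, identifier and telemetry value is assumed."""
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class DeviceTwin:
    """Digital twin: behavioural baseline recorded at enrolment (constructed data)."""
    device_id: str
    baseline_rate: tuple[float, ...]  # messages per minute seen during enrolment

    def anomaly_score(self, observed_rate: float) -> float:
        """z-score of the observed rate against the baseline, scaled so 5 sigma -> 1.0 (assumed)."""
        mu = mean(self.baseline_rate)
        sigma = pstdev(self.baseline_rate) or 1.0  # guard a flat baseline
        return min(abs(observed_rate - mu) / sigma / 5.0, 1.0)

@dataclass(frozen=True)
class DeviceContext:
    """What the PEP knows about the requesting device for this session."""
    device_id: str
    attested: bool          # firmware measurement matched the enrolled value
    firmware_current: bool  # patch level within the lifecycle policy
    observed_rate: float    # messages per minute seen in this session

@dataclass(frozen=True)
class Decision:
    allowed: bool
    trust: float
    anomaly: float
    known: bool  # False when the device has no twin (never enrolled)

class TrustEngine:
    """TE: folds attestation, lifecycle state and twin anomaly into one score (assumed weights)."""
    W_ATTEST, W_FIRMWARE, W_BEHAVIOUR = 0.4, 0.2, 0.4

    def __init__(self, twins: dict[str, DeviceTwin]):
        self.twins = dict(twins)

    def evaluate(self, ctx: DeviceContext) -> tuple[float, float, bool]:
        twin = self.twins.get(ctx.device_id)
        if twin is None:
            return 0.0, 1.0, False  # never enrolled: no trust by default
        anomaly = twin.anomaly_score(ctx.observed_rate)
        trust = ((self.W_ATTEST if ctx.attested else 0.0)
                 + (self.W_FIRMWARE if ctx.firmware_current else 0.0)
                 + self.W_BEHAVIOUR * (1.0 - anomaly))
        return round(trust, 3), anomaly, True

class PolicyEngine:
    """PE: grants or denies one request against a per-resource minimum trust (assumed thresholds)."""
    def __init__(self, trust_engine: TrustEngine, min_trust: dict[str, float]):
        self.trust_engine = trust_engine
        self.min_trust = dict(min_trust)

    def decide(self, ctx: DeviceContext, resource: str) -> Decision:
        trust, anomaly, known = self.trust_engine.evaluate(ctx)
        threshold = self.min_trust.get(resource)
        allowed = threshold is not None and trust >= threshold  # unlisted resource: deny
        return Decision(allowed, trust, anomaly, known)

class PolicyAdministrator:
    """PA: turns the PE decision into the action the PEP must apply."""
    QUARANTINE_ANOMALY = 0.8  # assumed: this far off the twin baseline -> quarantine group
    SESSION_TTL_S = 300       # assumed: grants are per session and re-evaluated on expiry

    def __init__(self, pe: PolicyEngine, quarantine_group: str = "iot-quarantine"):
        self.pe = pe
        self.quarantine_group = quarantine_group

    def enforce(self, ctx: DeviceContext, resource: str) -> dict:
        d = self.pe.decide(ctx, resource)
        if d.allowed:
            action = {"pep": "allow", "session_ttl_s": self.SESSION_TTL_S}
        elif d.known and d.anomaly >= self.QUARANTINE_ANOMALY:
            action = {"pep": "quarantine", "group": self.quarantine_group}
        else:
            action = {"pep": "block"}
        return {"device": ctx.device_id, "resource": resource,
                "trust": d.trust, "anomaly": d.anomaly, **action}

def build_pdp() -> PolicyAdministrator:
    """Constructed deployment: two enrolled sensors, two protected resources."""
    baseline = (8.0, 12.0, 8.0, 12.0)  # mean 10, population std-dev 2
    twins = {dev: DeviceTwin(dev, baseline) for dev in ("sensor-01", "sensor-02")}
    pe = PolicyEngine(TrustEngine(twins), {"telemetry-ingest": 0.7, "firmware-update-api": 0.9})
    return PolicyAdministrator(pe)

def run_demo() -> dict[tuple[str, str], dict]:
    """Four constructed requests; returns the PA action keyed by (device, resource)."""
    pa = build_pdp()
    requests = [
        (DeviceContext("sensor-01", True, False, 11.0), "telemetry-ingest"),    # healthy, stale firmware
        (DeviceContext("sensor-01", True, False, 11.0), "firmware-update-api"),  # same device, higher bar
        (DeviceContext("sensor-02", True, True, 60.0), "telemetry-ingest"),     # 25 sigma rate spike
        (DeviceContext("rogue-77", False, True, 10.0), "telemetry-ingest"),     # never enrolled
    ]
    return {(ctx.device_id, res): pa.enforce(ctx, res) for ctx, res in requests}

if __name__ == "__main__":
    for key, result in run_demo().items():
        print(key, result)
```

Two things the excerpts alone do not show: a device that was never enrolled (no twin) scores zero whatever it claims about itself, and the same device can be admitted to one resource and blocked from another because the PE applies a per-resource threshold rather than a single network-wide admit decision. The session TTL stands in for the per-session, continuously re-evaluated grant that the NIST model requires; a real PEP would re-query the PDP when it expires, and the twin's anomaly score would come from a far richer model than a single message-rate z-score.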
Original abstract

The Zero-trust (ZT) model is an increasingly popular model that relies on the idea that no trust should be granted to any entity (network, persons, devices) by default. The ZT model is gaining attention from both research and practice, with various levels of adequacy between the research developed and real-life applications. NIST provided a standard to fulfill the requirements of a ZT architecture for the network core, but many practical aspects remain unspecified, some of them requiring research challenges to be solved first in order to be implemented efficiently. An example of such an unspecified field is the integration of IoT/Smart Peripheral Devices (SPD). Various reasons explain this gap: the specificities of such resources (possibly lower energy/computation power), their lifecycle, and their use, which strongly depends on the use of the whole platform the IoT devices are part of. Moreover, additional difficulty in reaching a good understanding is induced by the fact that both Zero Trust and IoT are identified as promising trends in cybersecurity: many vendors/researchers tag their solutions as IoT integration into the ZT model, with little to no effective compliance with the ZT model or standard. Industry is providing much practice-oriented literature, which has to be compared to academic work and standards in order to consolidate the current state of knowledge and the solutions offered to realize this integration. In this paper, we conduct a literature review of non-academic publications, in order to consolidate current knowledge, trends, and future challenges for the industrial integration of IoT devices in ZT architecture.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 0 minor

Summary. The paper conducts a literature review of non-academic (industrial) publications on integrating IoT and Smart Peripheral Devices (SPD) into Zero Trust (ZT) architectures. It notes that NIST provides a ZT standard for network cores but leaves IoT aspects unspecified due to device constraints (energy, computation, lifecycle), and observes that many vendors and researchers label solutions as ZT-IoT integrations despite little effective compliance with the model or standard. The review aims to consolidate current knowledge, identify trends, and outline future challenges for industrial IoT-ZT integration.

Significance. If the sampled literature proves representative, the work could usefully document the gap between industry marketing claims and substantive adherence to ZT principles in IoT settings, helping to prioritize research on device-specific challenges and informing updates to standards like NIST SP 800-207 for constrained environments.

major comments (1)
  1. [Abstract] Abstract: The central claim that 'many vendors/researchers tag their solutions as IoT integration into the ZT model, with little to no effective compliance' rests on the review of non-academic publications, yet the abstract supplies no search strategy, databases, date range, inclusion/exclusion criteria, number of sources, or compliance-evaluation rubric. Without these, the representativeness of the observed trends and challenges cannot be assessed.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the constructive feedback. We agree that the abstract would be strengthened by including key methodological details to allow better assessment of the review's scope and representativeness. We will revise the abstract accordingly while preserving its conciseness.

Point-by-point response

  1. Authors (to major comment 1, on the search strategy and compliance rubric missing from the abstract): We acknowledge the value of this observation. Although the full methodology—including search strategy across industrial sources (vendor whitepapers, reports, and standards documents), date range, inclusion/exclusion criteria, number of sources reviewed, and the rubric for evaluating compliance with NIST SP 800-207 principles—is detailed in Section 2 of the manuscript, these elements are not summarized in the abstract. We will revise the abstract to concisely incorporate this information so that readers can immediately evaluate the basis for the identified trends and challenges. Revision: yes.

Circularity Check

0 steps flagged

No circularity: purely descriptive literature review with no derivations or fitted claims.

Full rationale

This manuscript is a narrative literature review of non-academic sources on Zero Trust and IoT integration. It contains no equations, quantitative models, predictions, or first-principles derivations. The central observation—that many vendor solutions claim IoT-ZT integration with limited compliance—rests on the review's synthesis rather than any self-referential fitting, renaming, or self-citation chain that reduces to its own inputs. Absence of disclosed search criteria is a methodological limitation but does not constitute circularity under the enumerated patterns, as there are no load-bearing steps that equate outputs to inputs by construction. The paper is self-contained as a descriptive consolidation and receives the default non-circularity finding.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

As a literature review the paper introduces no free parameters, new axioms, or invented entities; it references existing NIST standards and prior academic/industrial work as background.



Reference graph

Works this paper leans on

46 extracted references

  1. [1] S. Rose, O. Borchert, S. Mitchell, S. Connelly, Zero Trust Architecture, NIST Special Publication 800-207, 2020. URL: https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=930420. doi:10.6028/NIST.SP.800-207
  2. [2] CISA, NSA, Security Guidance for 5G Cloud Infrastructures, Technical Report, 2021. URL: https://www.cisa.gov/resources-tools/resources/security-guidance-5g-cloud-infrastructures
  3. [3] Microsoft Azure, Zero trust cybersecurity for the Internet of Things (whitepaper).
  4. [4] URL: https://azure.microsoft.com/mediahandler/files/resourcefiles/zero-trust-cybersecurity-for-the-internet-of-things/Zero%20Trust%20Security%20Whitepaper_4.30_3pm.pdf (URL of the whitepaper in [3])
  5. [5] Zscaler, Zscaler website, 2023. URL: https://www.zscaler.com/
  6. [6] Google, BeyondCorp, 2023. URL: https://cloud.google.com/beyondcorp
  7. [7] E. Gilman, D. Barth, Zero Trust Networks: Building Secure Systems in Untrusted Networks, 1st edition, O'Reilly, 2021
  8. [8] The Art of Service, Zero Trust Security: A Complete Guide, Zero Trust Security Publishing, 2020
  9. [9] F. Chabaud, Setting Hardware Root-of-Trust from Edge to Cloud, and How to Use it, in: [44] (the C&ESAR 2022 proceedings, entry 46 in this list), 2022, pp. 115–130. URL: http://ceur-ws.org/Vol-3329/paper-07.pdf
  10. [10] Corsha, Corsha: MFA for API, 2023. URL: https://corsha.com/
  11. [11] L. Chadwick, Banning Chinese companies Huawei and ZTE from 5G networks 'justified', EU says, Euronews, 2023. URL: https://www.euronews.com/embed/2298228
  12. [12] M. Compastié, S. Sisinni, S. Gurung, C. Fernández, L. Jacquin, I. Mlakar, V. Šafran, A. Lioy, I. Pedone, PALANTIR: Zero-Trust Architecture for Managed Security Service Provider, in: [44] (the C&ESAR 2022 proceedings, entry 46 in this list), 2022, pp. 83–98. URL: http://ceur-ws.org/Vol-3329/paper-05.pdf
  13. [13] SentinelOne, Moving to an endpoint-centric zero trust security model with SentinelOne (whitepaper).
  14. [14] URL: https://assets.sentinelone.com/zero-trust-security/zero-trust-security-model#page=1 (URL of the whitepaper in [13])
  15. [15] FreeRTOS, FreeRTOS, 2023. URL: https://www.freertos.org/
  16. [16] oneM2M security group, oneM2M Security Solutions, Technical Report, oneM2M, 2023. URL: https://onem2m.org/technical/published-specifications/release-4
  17. [17] Emergen Research, Top 10 leading cybersecurity companies in the world, 2023. URL: https://www.emergenresearch.com/blog/top-10-leading-cybersecurity-companies-in-the-world
  18. [18] Dgtl Infra, Top 10 cloud service providers, 2022. URL: https://dgtlinfra.com/top-10-cloud-service-providers-2022/
  19. [19] Palo Alto Networks, The right approach to zero trust security for enterprise IoT devices, 2022. URL: https://www.paloaltonetworks.com/resources/whitepapers/right-approach-zero-trust-iot
  20. [20] Fortinet, Fortinet, 2023. URL: https://www.fortinet.com/
  21. [21] Fortinet, Zero-trust access for comprehensive visibility and control, 2023. URL: https://www.fortinet.com/content/dam/fortinet/assets/solution-guides/sb-zero-trust-network-access-for-visibility-and-control.pdf
  22. [22] Fortinet, FortiNAC (Network Access Control), 2023. URL: https://www.fortinet.com/products/network-access-control
  23. [23] NetFoundry, NetFoundry website, 2023. URL: https://netfoundry.io/
  24. [24] NetFoundry, Simple, secure IoT networking, 2023. URL: https://netfoundry.io/iot-zero-trust-networking/
  25. [25] OpenZiti, OpenZiti on GitHub, 2023. URL: https://github.com/openziti
  26. [26] R. Ward, B. Beyer, BeyondCorp: A new approach to enterprise security, ;login: (USENIX), Vol. 39, No. 6, 2014, pp. 6–11
  27. [27] IBM Security Intelligence, Bringing it all back home: Why you should apply enterprise network security policies to your smart home, 2023. URL: https://securityintelligence.com/bringing-it-all-back-home-why-you-should-apply-enterprise-network-security-policies-to-your-smart-home/
  28. [28] IBM, The evolution of zero trust and the frameworks that guide it, IBM Cloud blog, 2023. URL: https://www.ibm.com/cloud/blog/the-evolution-of-zero-trust-and-the-frameworks-that-guide-it
  29. [29] Kyndryl, Zero trust solutions, 2023. URL: https://www.kyndryl.com/us/en/services/cyber-resilience/zero-trust
  30. [30] K. G. Paul Toal, Approaching zero trust security with Oracle Cloud Infrastructure, Oracle whitepaper, 2022. URL: https://www.oracle.com/a/ocom/docs/whitepaper-zero-trust-security-oci.pdf
  31. [31] Juniper, Juniper zero trust data center, 2023. URL: https://www.juniper.net/us/en/solutions/data-center/secure-data-center.html
  32. [32] Juniper, Juniper Advanced Threat Prevention, 2023. URL: https://www.juniper.net/us/en/products/security/advanced-threat-prevention.html
  33. [33] Synopsys, Synopsys website, 2023. URL: https://www.synopsys.com/
  34. [34] McAfee, McAfee website, 2023. URL: https://www.mcafee.com/
  35. [35] Skyhigh Security, Skyhigh Security Private Access, 2023. URL: https://www.skyhighsecurity.com/wp-content/uploads/2023/01/sb-private-access.pdf
  36. [36] CyberArk, CyberArk website, 2023. URL: https://www.cyberark.com/
  37. [37] CyberArk, The CISO view: Protecting privileged access in a zero trust model, 2022. URL: https://www.cyberark.com/resources/white-papers/the-ciso-view-protecting-privileged-access-in-a-zero-trust-model
  38. [38] Alibaba Cloud, Overview of zero trust security, 2022. URL: https://www.alibabacloud.com/help/en/alibaba-cloud-service-mesh/latest/zerotrustsecurityoverview
  39. [39] Alibaba Cloud, IoT solution, 2023. URL: https://www.alibabacloud.com/solutions/IoT
  40. [40] OVHcloud, SDDC advanced security pack, 2023. URL: https://www.ovhcloud.com/en-gb/enterprise/products/hosted-private-cloud/safety-compliance/sddc/
  41. [41] DigitalOcean, DigitalOcean, 2023. URL: https://www.digitalocean.com/
  42. [42] DigitalOcean, DigitalOcean network tools, 2023. URL: https://docs.digitalocean.com/products/marketplace/categories/network-tools/
  43. [43] Akamai, Zero trust security model, Our Thinking blog, 2023. URL: https://www.akamai.com/our-thinking/zero-trust/zero-trust-security-model
  44. [44] SentinelOne, SentinelOne website, 2023. URL: https://www.sentinelone.com/
  45. [45] Zscaler, The zero trust exchange – the only road to zero trust, Zscaler blog, 2023. URL: https://www.zscaler.com/blogs/product-insights/zero-trust-exchange-only-road-zero-trust
  46. [46] G. Le Guernic (Ed.), Proceedings of the 29th Computer & Electronics Security Application Rendezvous (C&ESAR): Ensuring Trust in a Decentralized World, CEUR Workshop Proceedings Vol. 3329, Aachen, 2022. URL: http://ceur-ws.org/Vol-3329/
    G. Le Guernic (Ed.), Proceedings of the 29th Computer & Electronics Security Application Rendezvous (C&ESAR): Ensuring Trust in a Decentralized World, number 3329 in CEUR Workshop Proceedings, Aachen, 2022. URL: http://ceur-ws.org/Vol-3329/