Skip to main content

The risk that takes an organization down is rarely the one it decided to accept. It is the temporary fix nobody signed for, the workaround that quietly became permanent while everyone forgot it was there. Nick F. Hernandez has spent his career securing legacy environments in healthcare and other unforgiving settings, and he has watched this pattern hold across every breach worth studying.

The dangerous system is rarely the oldest one on the network. It is the one whose risk was relocated instead of owned. “We bolt the compensating controls and tell ourselves we will handle the risk even though we really have not,” Hernandez says. “We have just moved it.” Zero trust in a legacy environment, in his telling, is not a product or a project. It is the discipline of refusing to let risk go unowned.

Your Documentation Is Fiction. Go Read the Traffic

Owning risk starts with an uncomfortable admission, and that is you do not actually know what you have. Before touching a single legacy system, Hernandez insists on visibility. “Your documentation is fiction.” Every environment he has walked into contains a legacy system talking to more things than anyone believed, wired to those connections by someone who understood them three reorganizations ago and walked out the door with the only copy of the context. The diagram on the wall describes a system that stopped existing years ago.

The work is to map what connects in reality, by reading the actual traffic. It is tedious, wins no applause, and holds up everything that follows, because you cannot segment, broker, or contain a system whose real behavior you have never seen. A security program built on inherited diagrams is a program built on a flattering lie, and the first move worth anything is trading that lie for what the system is doing right now.

Stop Asking the Old Box to Defend Itself

Once you can see the system, the reflex is to make it enforce modern security. It cannot. It was built when the network itself was the security boundary, back when being inside the perimeter counted as being trusted. Hernandez stops arguing with that limitation and routes around it. Instead of begging a decades-old application to authenticate, authorize, and log, he wraps it by standing a modern gateway in front that does the enforcement the system never could. The legacy application does not change. Everything reaching it now runs through a policy the organization can control.

“You are not really protecting the legacy system,” Hernandez explains. “You are accepting you probably cannot.” The goal shifts from defending the old system to containing its blast radius, penning it inside a tight segment where access is brokered just in time. He is just as disciplined about where to begin, which is not the crown-jewel clinical system but one where a mistake is survivable. One clean win builds the muscle and buys organizational trust, because nothing kills a zero-trust program faster than taking down a critical system in week two and being remembered for it forever.

The Machines Already Outnumber You, and the Agents Are Feral

The fastest-growing unowned risk is one most organizations have not realized yet. Twenty years of identity security were built for humans, joiners, movers, leavers, and access reviews. None of it survives contact with machines. Service accounts never get fired, and workloads never change departments. They already outnumber human identities 10 to 1, running on long-lived, over-permissioned credentials that are not rotated. Zero trust has to treat every workload and application programming interface (API) call as an identity that proves itself on each call.

The worst-governed identity of all is the newest one. AI agents are being handed broad API access and standing credentials, while most organizations cannot say which agents are even running, let alone what they can reach. That 10-to-1 ratio predates agentic AI. Whatever your machine-identity story is, it is about to be tested harder than anything the field has seen, and the window to get ahead of it is closing.

All of it comes back to the same discipline. Passing the audit and being defensible are different achievements, and compliance is the floor, not the ceiling. The failure mode was never the risk you accepted on purpose. It was the temporary wrapper nobody owned, and everybody forgot. Zero trust in a legacy environment is not a product you buy or a project you finish. It is the practice of naming your risk, signing it, and watching it. As Hernandez puts it, the bridge is only worth building if you keep walking across it. 

To learn more, connect with Nick F. Hernandez on LinkedIn.