<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.4 20241031//EN" "JATS-journalpublishing1-4.dtd">
<article xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" article-type="research-article" dtd-version="1.4" xml:lang="en">
  <front>
    <journal-meta>
      <journal-id journal-id-type="publisher-id">jis</journal-id>
      <journal-title-group>
        <journal-title>Journal of Information Security</journal-title>
      </journal-title-group>
      <issn pub-type="epub">2153-1242</issn>
      <issn pub-type="ppub">2153-1234</issn>
      <publisher>
        <publisher-name>Scientific Research Publishing</publisher-name>
      </publisher>
    </journal-meta>
    <article-meta>
      <article-id pub-id-type="doi">10.4236/jis.2026.173016</article-id>
      <article-id pub-id-type="publisher-id">jis-152549</article-id>
      <article-categories>
        <subj-group>
          <subject>Article</subject>
        </subj-group>
        <subj-group>
          <subject>Computer Science</subject>
          <subject>Communications</subject>
        </subj-group>
      </article-categories>
      <title-group>
        <article-title>Optimization of Zero Trust Principles in Modern Security Operations: A Framework of Minimum Standing Trust</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <name name-style="western">
            <surname>Jr.</surname>
            <given-names>Peter J. Worth</given-names>
          </name>
          <xref ref-type="aff" rid="aff1">1</xref>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <contrib contrib-type="author">
          <name name-style="western">
            <surname>Cunningham</surname>
            <given-names>Chase</given-names>
          </name>
          <xref ref-type="aff" rid="aff1">1</xref>
          <xref ref-type="aff" rid="aff3">3</xref>
        </contrib>
        <contrib contrib-type="author">
          <name name-style="western">
            <surname>Cardei</surname>
            <given-names>Ionut</given-names>
          </name>
          <xref ref-type="aff" rid="aff1">1</xref>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
      </contrib-group>
      <aff id="aff1"><label>1</label> Athena Security Group, Jupiter, FL, USA </aff>
      <aff id="aff2"><label>2</label> Department of Electrical Engineering and Computer Science, Florida Atlantic University, Boca Raton, FL, USA </aff>
      <aff id="aff3"><label>3</label> Absolute Zero Cyber LLC, Nokesville, VA, USA </aff>
      <author-notes>
        <fn fn-type="conflict" id="fn-conflict">
          <p>All three authors are affiliated with Athena Security Group. Peter J. Worth Jr. is founder, president, and CEO of Athena Security Group, and is concurrently a PhD candidate in the Department of Electrical Engineering and Computer Science at Florida Atlantic University. Dr. Ionut Cardei is a Professor in the Department of Electrical Engineering and Computer Science at Florida Atlantic University and serves as Chief Scientist at Athena Security Group. Dr. Chase Cunningham serves on the Leadership team of Athena Security Group and is the founder of the Dr. Zero Trust podcast. Athena Core and Athena Pallas are discussed in the paper only as disclosed implementation examples of the unified telemetry and AI-assisted response patterns described by the Minimum Standing Trust framework; the framework is intended to be vendor-neutral and applicable beyond any specific product or platform.</p>
        </fn>
      </author-notes>
      <pub-date pub-type="epub">
        <day>27</day>
        <month>05</month>
        <year>2026</year>
      </pub-date>
      <pub-date pub-type="collection">
        <month>05</month>
        <year>2026</year>
      </pub-date>
      <volume>17</volume>
      <issue>03</issue>
      <fpage>322</fpage>
      <lpage>370</lpage>
      <history>
        <date date-type="received">
          <day>30</day>
          <month>05</month>
          <year>2026</year>
        </date>
        <date date-type="accepted">
          <day>12</day>
          <month>07</month>
          <year>2026</year>
        </date>
        <date date-type="published">
          <day>15</day>
          <month>07</month>
          <year>2026</year>
        </date>
      </history>
      <permissions>
        <copyright-statement>© 2026 by the authors and Scientific Research Publishing Inc.</copyright-statement>
        <copyright-year>2026</copyright-year>
        <license license-type="open-access">
          <license-p> This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license ( <ext-link ext-link-type="uri" xlink:href="https://creativecommons.org/licenses/by/4.0/">https://creativecommons.org/licenses/by/4.0/</ext-link> ). </license-p>
        </license>
      </permissions>
      <self-uri content-type="doi" xlink:href="https://doi.org/10.4236/jis.2026.173016">https://doi.org/10.4236/jis.2026.173016</self-uri>
      <abstract>
        <p>Regulated SaaS providers must defend exposed web applications and APIs, distributed cloud control paths, BYOD-heavy workforces, and privileged internal workflows while simultaneously preserving availability, auditability, and user experience. Zero Trust Architecture (ZTA) is widely adopted as a target model for these environments; yet practical implementations frequently devolve into either an unworkable internal deny-all posture that fractures operations, or an insufficiently rigorous configuration that leaves unjustified standing trust intact. This paper proposes the <italic>Minimum Standing Trust</italic> (MST) framework: an operations optimization model for security operations centers (SOCs) that support SaaS platforms processing regulated data, including PHI, PII, PCI-DSS-scoped data, and GDPR-governed information. MST formalizes a two-plane enforcement architecture. At the application edge, the prescribed posture is strict minimization of allowed ingress, enforced through WAF controls, NIDS visibility, bidirectional abuse-list auto-blocking (inbound and outbound, at both network and endpoint layers), and tightly governed exception handling. Inside the distributed enterprise, ZTA is implemented not as universal blocking but as the progressive removal of standing trust through strong identity, device posture, session-aware authorization, just-in-time privilege elevation, and behavioral context. The paper further argues that the operational hinge of this model is a unified telemetry plane spanning SIEM, EDR, XDR, WAF, NIDS, IAM, VPN or ZTNA, cloud, and data-access events. On this foundation, agentic AI can safely accelerate triage and response—but only when autonomy is bounded by policy, reversibility, and blast-radius constraints derived from organizational risk tolerance. The resulting framework reduces analyst burden, limits unnecessary access, improves audit-evidence generation, and offers a concrete path for aligning Zero Trust theory with cyber defense practice in regulated SaaS environments.</p>
      </abstract>
      <kwd-group kwd-group-type="author-generated" xml:lang="en">
        <kwd>Minimum Standing Trust</kwd>
        <kwd>Zero Trust Architecture</kwd>
        <kwd>Telemetry Fusion</kwd>
        <kwd>Identity-Centric Access</kwd>
        <kwd>Agentic AI Governance</kwd>
        <kwd>Reversible Response</kwd>
        <kwd>Regulated SaaS</kwd>
        <kwd>Virtual Security Operations Center</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec1">
      <title>1. Introduction</title>
      <p>NIST Special Publication 800-207 defines Zero Trust as a shift away from static, network-based perimeters toward controls centered on users, assets, and resources, and explicitly frames the model as a necessary response to remote users, BYOD programs, and cloud-hosted assets [<xref ref-type="bibr" rid="B1">1</xref>]. That description maps precisely to the modern regulated SaaS provider, and can be further generalized to any organization that supports both an externally facing application infrastructure (web or otherwise), alongside an internally facing network infrastructure used by those individuals and systems that are inside organizational boundaries—<italic>i.e.</italic> the two fundamental planes in our model. In this type of environment, it is safe to assume that the externally facing application infrastructure lives in the Cloud;<sup>1</sup> identities and sessions traverse both public and private networks; support, engineering, and operations work are distributed across geographies and devices; and a constrained but consequential subset of internal roles still requires carefully governed access to data or administrative functions that affect regulated records. In this setting, the protected resource is not a building, a subnet, or a conventional inside network; it is the intersection of application paths, identities, sessions, data stores, and administrative workflows that collectively process or expose PHI, PII, PCI-DSS-relevant data, GDPR-scoped data, and similarly high-consequence, or otherwise regulated, information.</p>
      <p><xref ref-type="fig" rid="fig1">Figure 1</xref> illustrates the environment that motivates the MST framework. The key structural insight is that the protected resource zone is defined by the intersection of both planes, not by a network segment or perimeter line. Anything that can reach the protected resource—whether from the external application path or from an internal administrative workflow—is subject to the same fundamental challenge: how much trust should be extended to this identity, on this device, in this session, for this operation, at this moment? The two planes differ not in the answer to that question but in the default posture, the traffic characteristics, and the governance tools most appropriate for enforcing it.</p>
      <p>The Zero Trust principle traces its formal expression to the foundational Forrester Research report [<xref ref-type="bibr" rid="B2">2</xref>], which argued that traditional perimeter-based security architectures had become conceptually obsolete: the “trusted inside” assumption was already empirically false for enterprises with mobile workers, contractor populations, and cloud-resident data. The BeyondCorp initiative at Google operationalized this intuition at scale by moving access controls from the network perimeter to the individual device and user, making network location irrelevant to access decisions [<xref ref-type="bibr" rid="B3">3</xref>][<xref ref-type="bibr" rid="B4">4</xref>]. Gilman and Barth subsequently codified the design principles in a form accessible to a wider practitioner and academic audience [<xref ref-type="bibr" rid="B5">5</xref>]. NIST publications on Zero Trust [<xref ref-type="bibr" rid="B1">1</xref>][<xref ref-type="bibr" rid="B6">6</xref>] elevated these ideas into normative federal guidance, while CISA’s Zero Trust Maturity Model [<xref ref-type="bibr" rid="B7">7</xref>] provided a staged implementation roadmap. The United States Department of Defense Zero Trust Strategy [<xref ref-type="bibr" rid="B8">8</xref>] and Executive Order 14028 on Improving the Nation’s Cybersecurity [<xref ref-type="bibr" rid="B9">9</xref>] further institutionalized Zero Trust adoption as a matter of national security policy.</p>
      <fig id="fig1">
        <label>Figure 1</label>
        <graphic xlink:href="https://html.scirp.org/file/7801240-rId15.jpeg?20260715020559" />
      </fig>
      <p><bold>Figure 1</bold><bold>.</bold><bold>The two-plane operating environment.</bold> The external application infrastructure (left)—internet-accessible, cloud-hosted, and reachable by customers, partners, and threat actors—is governed by a strict ingress-minimization policy. The internal network infrastructure (right) serves the distributed organizational workforce across geographies, devices, and roles, and is governed by progressive trust removal and continuous verification. Both planes converge on a protected resource zone (centre) that is not a network segment but the intersection of application paths, identities, sessions, regulated data stores, and administrative workflows. The organizational boundary (dashed) encloses the protected resource zone and the internal plane, while the external plane is deliberately exposed to the public Internet.</p>
      <p>Despite this rich lineage, many Zero Trust programs become operationally brittle because they are translated into a simplistic network slogan: deny everything, trust nothing, then carve back exceptions until the business can function. Security leaders face relentless external probing, credential abuse, endpoint compromise, supply-chain dependencies, and the reality that a single misrouted administrative path can expose the same data that the organization is contractually and legally obligated to protect. Yet a literal internal deny-all posture produces predictable pathologies: exception sprawl, analyst fatigue, fragile change windows, shadow IT proliferation, and policy bypasses by teams that must keep the service running [<xref ref-type="bibr" rid="B10">10</xref>]. An enterprise can therefore accumulate more controls and more friction while achieving <italic>less</italic> measurable assurance.</p>
      <p>Meanwhile, the adversary landscape facing SaaS operators has intensified. The Verizon Data Breach Investigations Report, the CrowdStrike Global Threat Report, and the Cisco Talos Year in Review consistently converge on the same leading breach vectors: credential theft, identity-based attacks, and web application exploitation [<xref ref-type="bibr" rid="B11">11</xref>]-[<xref ref-type="bibr" rid="B13">13</xref>]. CrowdStrike reports that identity-based initial access techniques—including the abuse of valid credentials and adversary-in-the-middle phishing—featured in the majority of intrusions it investigated in 2024, while Cisco Talos identifies valid account abuse as the single most common initial access technique for the same period [<xref ref-type="bibr" rid="B12">12</xref>][<xref ref-type="bibr" rid="B13">13</xref>]. The MITRE ATT&amp;CK knowledge base catalogs hundreds of adversarial techniques that exploit exactly the trust assumptions Zero Trust is designed to eliminate: lateral movement through standing credentials, privilege escalation via misconfigured roles, and data exfiltration over legitimately provisioned paths [<xref ref-type="bibr" rid="B14">14</xref>]. In regulated SaaS environments, these techniques carry amplified consequences because the attacker’s prize is not merely intellectual property but records that trigger mandatory breach notification, regulatory sanction, and customer harm.</p>
      <p>This paper advances a specific, operational interpretation of Zero Trust: the goal is not universal denial, but <italic>minimum standing trust consistent with business-</italic><italic>required operations</italic>—abbreviated throughout as Minimum Standing Trust (MST).</p>
      <p>We define the two central terms precisely at the outset. By <italic>standing trust</italic> we mean any privilege, session, credential, key, or access path that persists by default beyond the specific transaction that justified it—for example, a never-expiring service-account token, a broadly scoped administrative role that is held continuously rather than acquired on demand, or a session that remains valid without renewed proof of identity, device posture, and context. <italic>Minimum Standing Trust</italic> is the operating objective of holding the aggregate quantity of such persistent, unjustified trust to the smallest value consistent with business-required operations, and of replacing persistence with continuous, evidence-gated re-authorization wherever feasible.</p>
      <p>MST is related to, but distinct from, three established principles, and the distinctions matter for what follows. <italic>Least privilege</italic> [<xref ref-type="bibr" rid="B15">15</xref>] constrains the <italic>scope</italic> of a grant—how much a principal may do; MST additionally constrains its <italic>persistence</italic>—how long the grant survives without renewed justification. <italic>Just-in-time (JIT) privilege</italic> is one mechanism for reducing standing trust—it converts a persistent grant into an ephemeral, request-bound one—but MST is the broader objective that JIT serves, and it applies equally to sessions, credentials, network reachability, and machine identities, not only to privilege-elevation events. <italic>Continuous verification</italic> is the evidentiary process on which MST depends: MST specifies <italic>what</italic> should be minimized (standing trust), while continuous verification supplies the per-access evidence—formalized as <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow><mml:mo> ≥ </mml:mo><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> in Section 6.2—that determines whether a non-standing, re-authorized grant may be issued at the moment it is needed. In short, least privilege bounds the scope of a grant, JIT bounds the duration of one grant type, continuous verification supplies the evidence, and MST is the system-level optimization objective that integrates all three into a single trust-reduction target.</p>
      <p>The argument rests on four claims that form the spine of the paper.</p>
      <p>First, Zero Trust fails in practice not from insufficient controls but from a category error: practitioners confuse Zero Trust with universal denial, then carve back exceptions until the business can function. The correct objective is not to maximize blocking but to eliminate <italic>standing</italic> trust—privileges, sessions, and access paths that persist beyond the transaction that justified them.</p>
      <p>Second, the enforcement logic at the Internet-facing application edge must be fundamentally different from the logic governing the internal enterprise. Edge controls belong as close to deny-by-default as the service can tolerate; internal controls should progressively remove standing trust through identity, device posture, session context, and data-aware authorization. WAF, NIDS, and bidirectional reputation-based auto-blocking (inbound and outbound, at the network perimeter and at the endpoint) are edge and perimeter <italic>tools</italic>, not a strategy. The real message is: constrain exposure, constrain privilege, and prove continuously. Network location is not a trust signal. Standing privilege is the primary attack surface.</p>
      <p>Third, a unified telemetry plane is the operational hinge of the entire model. Without it, every other control degenerates into isolated noise. With it, the security operations center can answer the decisive questions—who acted, from where, against which resource, with what trust context, and with what consequence—without manual event correlation.</p>
      <p>Fourth, agentic AI can safely accelerate triage and response, but only when its autonomy is bounded by policy, reversibility, and blast-radius constraints that the organization has explicitly authorized. AI should operate inside the MST model, not alongside it as a separate problem domain. The governance criteria that determine whether an access action is permitted are the same criteria that determine whether an automated response action is permissible.</p>
      <p>The contribution of this paper is therefore an operational framework that bridges architectural Zero Trust guidance and modern cyber defense operations for regulated SaaS enterprises. The framework synthesizes NIST Zero Trust guidance [<xref ref-type="bibr" rid="B1">1</xref>][<xref ref-type="bibr" rid="B6">6</xref>], the CISA maturity model [<xref ref-type="bibr" rid="B7">7</xref>], current AI governance and secure deployment guidance [<xref ref-type="bibr" rid="B16">16</xref>]-[<xref ref-type="bibr" rid="B21">21</xref>], and the Zero Trust eXtended (ZTX) ecosystem framework [<xref ref-type="bibr" rid="B22">22</xref>]. The result is not a vendor-specific product design; it is a practical operating model instantiable across different tooling environments.</p>
      <sec id="sec1dot1">
        <title>Compelling and Innovative Aspects of This Work</title>
        <p>This paper advances the Zero Trust literature in five specific ways that, taken together, distinguish it from prior practitioner-oriented and academic treatments.</p>
        <p><italic>First</italic>,<italic>a structural diagnosis of why Zero Trust programs fail in practice.</italic> The dominant failure mode is not insufficient controls but a <italic>category error</italic>: practitioners frame ZTA deployment as a monotonic optimization problem and reach a local optimum at which control density is high, operational friction is high, and measurable risk reduction is low. We formalize the corrective reframing as constrained optimization with competing objectives, making the trade-off explicit and visible to engineering teams.</p>
        <p><italic>Second</italic>,<italic>a formal optimization model with parameters that map directly to operational policy levers.</italic> The MST framework introduces binary decision variables <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> over the action tuple <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ι </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msub><mml:mi> δ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msub><mml:mi> σ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msub><mml:mi> ω </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> , a risk-exposure weight <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> , a denial-cost weight <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> , and a resource-sensitive verification threshold <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> tied to a continuous verification score <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> . Each parameter has a defined operational interpretation (Section 6.2), allowable values, and worked-example calibration ranges, so the model is implementable rather than purely expository.</p>
        <p><italic>Third</italic>,<italic>an action-space-time graph formulation and a connection to attack-surface minimization.</italic> The MST problem on the graph is <italic>weighted minimum sub</italic><italic>graph cover</italic> on a bipartite directed graph; we establish NP-hardness via reduction from 0-1 knapsack, sketch tractable LP-relaxation, MIP, and greedy-approximation strategies, and prove that the MST optimum corresponds to a principled minimum on the enterprise attack surface in the established Manadhata-Wing sense—with reputation-based pre-filtering further tightening the achievable minimum.</p>
        <p><italic>Fourth</italic>,<italic>a unified two-plane operational architecture with asymmetric enforcement logic.</italic> Edge controls and internal controls operate under structurally different MST parameter values; symmetric policy across the two planes is therefore inconsistent with the optimization geometry. We introduce <italic>bidirectional reputation-based auto-blocking</italic>—inbound and outbound, at both the network perimeter and the endpoint—as the most operationally cheap, theoretically well-justified standing control.</p>
        <p><italic>Fifth</italic>,<italic>a unified governance surface for AI-assisted security operations.</italic> Bounded-autonomy AI is treated as an instance of the same MST optimization rather than as a separate problem domain. The same trust criteria that govern human access decisions govern AI response actions; if a human analyst would need approval, an AI agent needs approval. The bounded-autonomy ladder and per-event-class decision matrix (<bold>Table 1</bold>) operationalize this principle.</p>
        <p>The remainder of the paper is organized to put operational architecture and design decisions first, then develop the formal model that motivates them. Section 2 situates the contribution within the existing literature. Section 3 introduces the MST model as an operational sketch and presents the two-plane architecture, threat model, application-edge enforcement, and internal enterprise controls. Section 4 addresses unified telemetry and decisioning; Section 5 addresses policy-governed autonomous response. Section 6 formalizes the theoretical foundations of MST, including the optimization problem statement, the action-space-time graph, the complexity analysis, and the attack-surface-minimization treatment. Section 7 presents expected outcomes, theoretical summary, and future-work directions. Section 8 concludes.</p>
      </sec>
    </sec>
    <sec id="sec2">
      <title>2. Related Work</title>
      <sec id="sec2dot1">
        <title>2.1. Zero Trust: Foundations and Frameworks</title>
        <p>The intellectual lineage of Zero Trust begins with the observation that enterprise security models grounded in perimeter trust were failing empirically long before they were declared obsolete theoretically. The foundational principles of computer system design [<xref ref-type="bibr" rid="B15">15</xref>] articulated the <italic>principle of least privilege</italic> as a design requirement: every program and user should operate with the minimum set of privileges necessary to complete the job. This principle, formalized in 1975, is the earliest formal ancestor of Zero Trust. The Jericho Forum’s work in the mid-2000s on “de-perimeterization” built on similar intuitions, arguing that the enterprise boundary was already dissolving and that security controls needed to migrate toward the data and identity layers. The 2010 Forrester report [<xref ref-type="bibr" rid="B2">2</xref>] coined the “Zero Trust” label and articulated the first systematic architecture for building on that insight.</p>
        <p>The BeyondCorp initiative [<xref ref-type="bibr" rid="B3">3</xref>][<xref ref-type="bibr" rid="B4">4</xref>] provided the first large-scale empirical evidence that a Zero Trust model could operate at production quality without perimeter dependency. BeyondCorp shifted Google’s enterprise model to device- and user-centric access controls, effectively treating the corporate network as untrusted by default. The project’s public documentation established the practical engineering vocabulary that later researchers and standards bodies would inherit: device inventory, certificate-based access control, fine-grained per-application access proxies, and continuous device and user validation [<xref ref-type="bibr" rid="B23">23</xref>].</p>
        <p>The Zero Trust eXtended (ZTX) ecosystem framework [<xref ref-type="bibr" rid="B22">22</xref>], developed at Forrester, extended Kindervag’s architecture by explicitly naming the seven pillars of a mature Zero Trust program—network, data, workloads, devices, people, visibility and analytics, and automation and orchestration—and offering measurable maturity criteria for each. ZTX is directly referenced in the CISA maturity model [<xref ref-type="bibr" rid="B7">7</xref>] and is the principal scaffolding on which the present paper’s multi-pillar analysis is built. The Zero Trust Networks book [<xref ref-type="bibr" rid="B5">5</xref>] synthesized Google’s operational experience and prior academic work into a coherent engineering guide. The book’s formulation of trust as a continuous, context-sensitive score rather than a binary network-location attribute anticipates the adaptive authorization mechanisms that later NIST guidance would formalize.</p>
      </sec>
      <sec id="sec2dot2">
        <title>2.2. NIST and Policy Normalization</title>
        <p>NIST SP 800-207 [<xref ref-type="bibr" rid="B1">1</xref>] represented the maturation of Zero Trust from practitioner framework to normative federal policy. The publication defined the logical components of a Zero Trust Architecture—policy engine, policy administrator, policy enforcement point—and described seven tenets that any Zero Trust program should exhibit. These tenets are foundational to the present work. NIST SP 800-207A [<xref ref-type="bibr" rid="B6">6</xref>] extended this work into cloud-native and multi-cloud environments by adding application-level service identity, ingress and egress gateway policy, and workload-centric enforcement to the ZTA framework.</p>
        <p>The CISA Zero Trust Maturity Model [<xref ref-type="bibr" rid="B7">7</xref>] operationalized these tenets into five implementation pillars (identity, devices, networks, applications and workloads, and data) with three cross-cutting capabilities (visibility and analytics, automation and orchestration, and governance). The model’s staged maturity levels (Traditional, Advanced, Optimal) provide a progression path that is compatible with the tiered trust-reduction approach advocated by the MST framework. The DOD Zero Trust Strategy [<xref ref-type="bibr" rid="B8">8</xref>] extended the NIST and CISA frameworks into a classified operational context, emphasizing data-layer access controls and activity-based monitoring, both of which are central to the present paper’s recommendations for regulated SaaS environments.</p>
      </sec>
      <sec id="sec2dot3">
        <title>2.3. Zero Trust in Cloud and SaaS Environments</title>
        <p>The application of Zero Trust to cloud-native and SaaS architectures raises distinct challenges not fully addressed by perimeter-era frameworks. A 2022 comprehensive survey [<xref ref-type="bibr" rid="B24">24</xref>] surveyed the Zero Trust literature and identified identity and access management, device health validation, and micro-segmentation as the three control categories with the most consistent empirical support across cloud deployments. The authors noted that implementation heterogeneity—different cloud providers, identity systems, and application stacks—was the principal barrier to realizing theoretical Zero Trust guarantees in production. This finding directly motivates the unified telemetry plane emphasized by the MST framework.</p>
        <p>Early SaaS security research [<xref ref-type="bibr" rid="B25">25</xref>] examined the security risks inherent in multi-tenant SaaS architectures, identifying API exposure, credential sharing, and insufficient tenant isolation as the primary attack surfaces. While predating formal ZTA guidance, their analysis correctly anticipated the application-edge threat model that later Zero Trust frameworks would address through WAF integration, API gateway policy, and service identity. A systematic review of BYOD challenges [<xref ref-type="bibr" rid="B26">26</xref>] analyzed the specific challenges of BYOD governance in regulated industries, finding that device-trust tiering—assigning different access scopes based on device management state—was more operationally viable than binary managed/unmanaged policies. This empirical finding is directly instantiated in the MST framework’s device-aware trust tiering principle.</p>
        <p>A multivocal literature review [<xref ref-type="bibr" rid="B10">10</xref>] found that while Zero Trust is broadly endorsed as an architectural goal, evidence of successful end-to-end implementation in enterprise environments remains sparse, and the gap between policy intent and operational deployment is a recurring theme. The MST framework explicitly addresses this gap by treating the optimization of operational throughput as a first-class design objective alongside security assurance.</p>
      </sec>
      <sec id="sec2dot4">
        <title>2.4. Identity, Behavioral Analytics, and Adaptive Authorization</title>
        <p>The shift from network-location trust to identity-centric trust has produced a substantial body of research on the mechanisms of adaptive authorization. The role-based access control (RBAC) model [<xref ref-type="bibr" rid="B27">27</xref>] remains the most widely deployed authorization substrate in enterprise systems. However, the static assignment of roles conflicts with Zero Trust’s requirement for continuous, context-sensitive evaluation. Attribute-based access control (ABAC) and policy-based access control (PBAC) extend RBAC by incorporating environmental attributes—device posture, session context, location, behavioral signals—into authorization decisions, moving closer to the dynamic trust evaluation that ZTA prescribes [<xref ref-type="bibr" rid="B28">28</xref>].</p>
        <p>Behavioral User and Entity Analytics (UEBA) provides a complementary layer. Statistical modeling of user activity—peer-group deviation analysis, temporal pattern recognition, data-access volume monitoring—can surface anomalies that evade rule-based controls [<xref ref-type="bibr" rid="B29">29</xref>]. The MST framework incorporates behavioral context not as a substitute for identity and policy but as an evidence layer that modulates authorization confidence during a session, consistent with the continuous re-evaluation tenet of SP 800-207.</p>
      </sec>
      <sec id="sec2dot5">
        <title>2.5. Security Policy as Optimization</title>
        <p>The idea of formulating network and enterprise security policy as a constrained optimization problem has a growing body of prior work that directly informs the MST formalization. Early approaches to formalizing security policy optimization addressed firewall configuration, showing that achieving diverse, resilient rule sets while preserving permitted reachability is a non-trivial combinatorial problem [<xref ref-type="bibr" rid="B30">30</xref>]. Subnet-based network hardening problems—deciding which vulnerabilities to patch or which paths to segment to reduce attack-graph reach—are known to be NP-hard, and attack graph literature has explored approximation and heuristic approaches to making them tractable [<xref ref-type="bibr" rid="B31">31</xref>][<xref ref-type="bibr" rid="B32">32</xref>]. These contributions establish that the optimization framing of security policy is not merely metaphorical but computationally precise, and that efficient approximations exist for practical problem scales.</p>
        <p>A parallel and older tradition concerns <italic>attack surface minimization</italic> as an explicit engineering objective. Howard, Pincus, and Wing [<xref ref-type="bibr" rid="B33">33</xref>] introduced the attack surface as a measurable property of a system—the subset of its resources reachable and usable by attackers—and argued that reducing this surface should be a first-order design objective. Manadhata and Wing [<xref ref-type="bibr" rid="B34">34</xref>] subsequently formalized this as a quantitative metric based on entry points, exit points, and channel resources, and established it as a peer-reviewed evaluation tool for comparing relative security postures across system versions and configurations. This attack surface tradition connects directly to the MST formulation: the permitted action set <inline-formula><mml:math><mml:mi mathvariant="script"> T </mml:mi></mml:math></inline-formula> is the attack surface a successful attacker can exploit, and the trust surplus <inline-formula><mml:math><mml:mrow><mml:mi mathvariant="script"> T </mml:mi><mml:mo> \ </mml:mo><mml:mi> ℒ </mml:mi></mml:mrow></mml:math></inline-formula> is precisely the avoidable portion of that surface. MST generalises attack surface minimization by introducing the operational-cost constraint that prevents over-minimization.</p>
        <p>The present paper builds on both traditions. First, it extends the action space from network flows and firewall rules to the richer tuple space of (identity, device, session, resource, operation) that characterizes modern SaaS access patterns. Second, it introduces the action-space-time graph as a unified representation that captures both spatial access structure and temporal verification dynamics in a single model amenable to graph-theoretic analysis, and connects Zero Trust policy to the weighted minimum subgraph cover problem (Section 6.2). Third, it integrates reputation-based pre-filtering—operationalized through feeds such as AbuseIP DB [<xref ref-type="bibr" rid="B35">35</xref>] and Spamhaus [<xref ref-type="bibr" rid="B36">36</xref>]—as a mechanism that reduces the effective action space <inline-formula><mml:math><mml:mi mathvariant="script"> S </mml:mi></mml:math></inline-formula> before the optimization problem is formulated, further tightening the achievable minimum.</p>
      </sec>
      <sec id="sec2dot6">
        <title>2.6. AI and Automation in Security Operations</title>
        <p>The integration of machine learning and AI into security operations has accelerated substantially in the period 2023-2025. Alert fatigue—the tendency of high-volume detection platforms to produce more events than analysts can meaningfully review—has been identified as one of the most consequential operational problems facing modern SOCs [<xref ref-type="bibr" rid="B11">11</xref>]. AI-assisted alert enrichment and triage has shown measurable efficiency gains in controlled evaluations, particularly for known-indicator matching and correlated-event summarization [<xref ref-type="bibr" rid="B37">37</xref>]. However, the extension of AI autonomy into active response introduces new failure modes. Adversarial manipulation of detection models [<xref ref-type="bibr" rid="B38">38</xref>], distribution shift between training and operational data, and the amplification of erroneous automation decisions at machine speed are all recognized risks.</p>
        <p>Recent work on large language model (LLM)-assisted security operations has further sharpened these concerns. A recent survey [<xref ref-type="bibr" rid="B39">39</xref>] examines LLM applications across threat intelligence, vulnerability analysis, and autonomous penetration testing, finding that while LLMs substantially accelerate analyst workflows, they introduce new attack surfaces including prompt injection against agentic security tools and hallucination-induced false negatives in threat reasoning. A 2024 survey of LLM applications in cybersecurity [<xref ref-type="bibr" rid="B40">40</xref>] examines the specific risks of deploying autonomous LLM agents in SOC environments, arguing that action boundaries and reversibility constraints are necessary preconditions for safe deployment—a finding that directly corroborates the bounded-autonomy ladder formalized in Section 8.</p>
        <p>NIST’s AI Risk Management Framework [<xref ref-type="bibr" rid="B16">16</xref>] and its Generative AI Profile [<xref ref-type="bibr" rid="B17">17</xref>] provide a governance vocabulary for managing these risks. The MST framework’s bounded-autonomy principle—restricting autonomous action to high-confidence, low-blast-radius, reversible decisions—is directly derived from the trustworthiness and oversight principles of the AI RMF. OWASP’s agentic application security guidance [<xref ref-type="bibr" rid="B21">21</xref>] extends these principles into the specific context of tool-using AI agents deployed within security workflows, addressing prompt injection, excessive tool use, and unsupervised policy modification as primary threat vectors against agentic SecOps tooling. A taxonomy of language model risks [<xref ref-type="bibr" rid="B41">41</xref>] provides a taxonomy of sociotechnical harms from autonomous AI agents that is applicable to the agentic SecOps context, identifying irreversibility and scope creep as the highest-consequence risk dimensions—consistent with the blast-radius criteria used in the MST autonomy ladder.</p>
      </sec>
      <sec id="sec2dot7">
        <title>2.7. Synthesis and Gap Identification</title>
        <p>The extant literature collectively establishes that Zero Trust is architecturally sound, empirically motivated, and increasingly normative. The persistent gap is between architectural specification and operational deployment. The MST framework addresses this gap by: 1) formalizing the optimization objective as a multi-criteria problem with explicit tradeoffs between security assurance, operational throughput, and audit evidence quality; 2) differentiating enforcement posture by exposure plane rather than applying symmetric policy; and 3) integrating bounded AI autonomy into the operations model as a governed capability rather than an aspirational feature. No prior work known to the authors has combined these three contributions into a unified operational framework specifically calibrated to regulated SaaS environments.</p>
        <p><bold>What MST adds beyond existing frameworks.</bold> The novelty of MST is sharpest when stated by direct contrast with the frameworks it builds on. Beyond <italic>NIST SP</italic>800-207 [<xref ref-type="bibr" rid="B1">1</xref>], which specifies the logical components (policy engine, policy administrator, policy enforcement point) and the seven tenets of a Zero Trust architecture but leaves the trust-reduction <italic>target</italic> unquantified, MST supplies an explicit optimization objective—minimize standing trust subject to business completeness and verification sufficiency—that turns those tenets into a measurable quantity. Beyond <italic>NIST SP</italic>800<italic>-</italic>207<italic>A</italic> [<xref ref-type="bibr" rid="B6">6</xref>], which extends ZTA to cloud-native service identity and ingress/egress gateway policy, MST contributes the asymmetric two-plane result: it shows formally why edge and internal enforcement must operate at structurally different parameter values rather than under one uniform policy. Beyond the <italic>CISA Zero Trust Maturity Model</italic> [<xref ref-type="bibr" rid="B7">7</xref>], which orders implementation into pillars and maturity stages but treats greater maturity as monotonically better, MST contributes the U-shaped cost geometry (Section 6.3) that explains why monotonic control accumulation overshoots the optimum and can degrade outcomes. And beyond prior <italic>Zero Trust surveys and multivocal reviews</italic>, which document the persistent gap between Zero Trust intent and operational deployment [<xref ref-type="bibr" rid="B10">10</xref>][<xref ref-type="bibr" rid="B24">24</xref>], MST advances from <italic>documenting</italic> the gap to giving it a structural account: the gap is the distance between the realized permitted set <inline-formula><mml:math><mml:mrow><mml:msup><mml:mi mathvariant="script"> T </mml:mi><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:math></inline-formula> and the business-required minimum <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> , a quantity the framework makes measurable and ties to the established attack-surface metric [<xref ref-type="bibr" rid="B34">34</xref>]. In each case, the prior framework supplies the architecture, or the empirical evidence of the problem; MST supplies the optimization structure that makes the trust-reduction objective explicit, measurable, and plane-differentiated.</p>
      </sec>
    </sec>
    <sec id="sec3">
      <title>3. The Minimum Standing Trust Model: Operational Sketch</title>
      <p>The MST framework treats Zero Trust implementation as a constrained optimization problem rather than a policy posture. The objective is to find the minimum-cost permitted action set <inline-formula><mml:math><mml:mrow><mml:msup><mml:mi mathvariant="script"> T </mml:mi><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:math></inline-formula> that covers all business-required operations <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> while continuously verifying that each permitted action meets a resource-sensitive evidence threshold <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow><mml:mo> ≥ </mml:mo><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> . Each action is weighted by a risk-exposure cost <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> (the cost of incorrectly permitting it) and a denial cost <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> (the operational cost of incorrectly blocking it). The result is a two-term objective that makes explicit the tradeoff that most Zero Trust programs resolve implicitly and badly: minimizing unnecessary trust while preserving operational completeness. The full formalization—decision variables, constraints, complexity analysis, and connection to attack surface minimization—is developed in Sections 6.1 - 6.6. This section gives the operational gist that the architectural sections then build on. The paper is organized so that the operational architecture and design choices are presented first (Sections 3.1 - 3.4), and the formal framework that underlies them is developed afterward (Sections 6.1 - 6.6). Operational sections forward-reference the formal model where the optimization framing sharpens an architectural claim; formal sections back-reference the operational sections that motivated each piece of structure. Section 6.6 closes the loop by mapping each formal model element back onto specific architectural components.</p>
      <p>The MST model has three direct operational implications that shape the architecture described in Sections 4 - 8. First, the verification score <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> can only be computed accurately if telemetry from all relevant planes is fused—making unified telemetry a correctness requirement, not a convenience. Second, the risk weight <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> and the threshold <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> differ fundamentally between the exposed application edge and the internal enterprise, which is why symmetric control policy across both planes is structurally wrong. Third, the blast-radius and reversibility criteria used to bound AI autonomous response are derived from the same <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> and <inline-formula><mml:math><mml:mi> θ </mml:mi></mml:math></inline-formula> parameterization: high-consequence resources require human approval before their access policy changes for exactly the same reason they require higher verification thresholds.</p>
      <sec id="sec3dot1">
        <title>3.1. A Two-Plane Operating Architecture</title>
        <p>The most useful way to operationalize the MST model is to separate the environment into two enforcement planes. The first plane is the <italic>external application edge</italic>: the exposed SaaS surface where north-south traffic reaches web applications, APIs, authentication services, and narrowly scoped administrative interfaces. The second plane is the <italic>internal distributed enterprise</italic>: the workforce, endpoints, service accounts, cloud control paths, engineering tools, support workflows, and data-adjacent systems that sustain the service behind the scenes. These two planes are structurally related but are not governed well by the same default action.</p>
        <p>The separation of a defended network into an exposed external zone and a controlled internal zone is not itself novel; it reflects current practice across mature enterprise security programs and is implicit in NIST SP 800-207A’s ingress/egress gateway model [<xref ref-type="bibr" rid="B6">6</xref>] and in the CISA maturity model’s application and network pillars [<xref ref-type="bibr" rid="B7">7</xref>]. The contribution of the two-plane architecture in this paper is not the zone separation itself, but its <italic>explicit mapping to the MST optimization structure</italic>: the action space <inline-formula><mml:math><mml:mi mathvariant="script"> S </mml:mi></mml:math></inline-formula> , the risk weights <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> , the denial costs <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> , and the verification threshold function <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> take on fundamentally different parameter values in the two planes, which is why applying symmetric control policy across both planes is not merely suboptimal but structurally inconsistent with the optimization problem’s geometry. The gap between symmetric-policy programs and zone-differentiated programs is consistently documented in Zero Trust implementation reviews [<xref ref-type="bibr" rid="B10">10</xref>].</p>
        <p>Edge traffic is comparatively easier to constrain because the set of legitimate flows is narrower, more observable, and more closely tied to the application’s business purpose. Internal enterprise traffic is more heterogeneous and more tightly coupled to changing work patterns, which makes blanket deny-all policies far more likely to produce operational self-harm. NIST SP 800-207A reinforces this separation by emphasizing granular application-level policies, service identities, ingress and egress gateways, and enforcement that works across hybrid and multi-cloud environments [<xref ref-type="bibr" rid="B6">6</xref>]. CISA’s maturity model further organizes implementation around identity, devices, networks, applications and workloads, and data, with visibility and analytics, automation and orchestration, and governance as cross-cutting capabilities [<xref ref-type="bibr" rid="B7">7</xref>].</p>
        <p>This separation leads to a practical design rule: <italic>control density should be highest where exposure and consequence intersect</italic>. At the external edge, that means hardening ingress, minimizing accepted traffic, and placing the burden of justification on everything unusual. Internally, it means reducing standing privilege, continuously validating identities and devices, and using session-level and behavioral context to decide whether an action remains consistent with the role, the asset, and the data involved. The bridge between the two planes is a unified telemetry and policy layer that turns events from WAF, NIDS, SIEM, EDR, XDR, IAM, VPN or ZTNA, cloud platforms, and data-access systems into a shared operational picture rather than a collection of disconnected alarms.</p>
        <p><xref ref-type="fig" rid="fig2">Figure 2</xref> summarizes the proposed operating model. The primary architectural mistake in many Zero Trust programs is not excessive control, but excessive <italic>symmetry</italic>: when the same binary control philosophy is imposed on both the exposed edge and the internal distributed enterprise, either the edge remains too open or the enterprise becomes too brittle [<xref ref-type="bibr" rid="B10">10</xref>]. The two-plane MST architecture avoids this tradeoff by allowing strict minimization where the traffic set is narrow and progressive trust reduction where business operations remain inherently dynamic.</p>
        <fig id="fig2">
          <label>Figure 2</label>
          <graphic xlink:href="https://html.scirp.org/file/7801240-rId68.jpeg?20260715020604" />
        </fig>
        <p><bold>Figure 2</bold><bold>.</bold><bold>Two-plane operating model for regulated SaaS Zero Trust.</bold> The external plane applies deny-by-default pressure at the SaaS edge through tightly constrained ingress, application-aware controls, and documented exception handling. The internal plane progressively removes standing trust through identity, device, session, and data-aware control. Both planes depend on a unified telemetry and policy layer that supports consistent vSOC decision-making.</p>
      </sec>
      <sec id="sec3dot2">
        <title>3.2. Threat Model</title>
        <p>The MST framework is designed to address a specific and well-documented adversary profile relevant to regulated SaaS providers. Based on the MITRE ATT&amp;CK framework [<xref ref-type="bibr" rid="B14">14</xref>] and annual empirical breach intelligence [<xref ref-type="bibr" rid="B11">11</xref>]-[<xref ref-type="bibr" rid="B13">13</xref>], the principal threats are:</p>
        <p><bold>External application attacks</bold>: Web application exploitation (OWASP Top Ten vulnerabilities), API abuse, automated credential stuffing, and bot-driven enumeration. These attacks target the application edge and are best addressed by the external plane controls.<bold>Identity and credential compromise</bold>: Phishing, adversarial token theft, session hijacking, and MFA bypass techniques (including adversary-in-the-middle proxies such as Evilginx). These attacks exploit the trust implicit in valid credentials and motivate continuous session re-verification.<bold>Privilege escalation and lateral movement</bold>: Exploitation of overprivileged service accounts, standing administrative access, and misconfigured IAM roles. These attacks are addressed by just-in-time privilege, device-trust tiering, and behavioral baselining.<bold>Data exfiltration</bold>: Abuse of legitimate data-access paths to extract regulated records, often using credentials obtained in prior stages. This threat motivates data-aware access policy, field-level masking, and egress monitoring.<bold>Insider threat and support-account misuse</bold>: Authorized users acting outside normal behavioral baselines, whether through negligence, coercion, or malicious intent. This motivates behavioral analytics and just-enough privilege enforcement.<bold>Command-and-control and known-bad egress</bold>: Established footholds—whether on compromised endpoints, rogue servers, or hijacked service accounts—that attempt to communicate with adversary-controlled infrastructure for command reception, tool staging, or data exfiltration. A large fraction of this traffic resolves to IP addresses already catalogued on public and commercial reputation feeds (AbuseIPDB, Spamhaus DROP/EDROP, and vendor threat-intelligence lists). This motivates symmetric, bidirectional reputation-based blocking at both the network perimeter (NIDS/firewall) and the endpoint (EDR-enforced egress policy)—inbound connections from known-bad sources and outbound connections to known-bad destinations are both automatically denied. </p>
        <p>The MST framework does not claim to defeat all of these threats in isolation. Rather, it provides the architectural substrate within which specific control technologies operate with maximum effectiveness and minimum operational friction.</p>
        <p><bold>Trusted inputs and non-goals.</bold> MST treats a small set of components as a trusted computing base whose integrity is <italic>assumed</italic> rather than established by the framework itself. Specifically, MST assumes: 1) the identity provider (IdP) and its issuance of authentication assertions are not themselves compromised, so that a validated identity assertion can be relied upon as evidence; 2) the endpoint posture agent (EDR/XDR) reports device state faithfully and has not been subverted on the host it measures; and 3) the unified telemetry pipeline (Section 4) delivers events with integrity, so that the verification score <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> is computed from trustworthy inputs. These three components constitute the framework’s root of trust: if an adversary fully controls the IdP, forges device-posture attestations at will, or rewrites telemetry in transit, the verification gate on which MST depends can be defeated and the optimization will operate on corrupted evidence.</p>
        <p>Correspondingly, several classes of compromise are explicitly out of scope. MST does not by itself address: supply-chain or fourth-party compromise of components outside the enterprise’s direct control (identified as future work in Section 7.7); cryptographic-primitive failure or root-CA compromise underlying the IdP and certificate infrastructure; physical or firmware-level attacks that subvert the posture agent below the layer it can observe; and insider compromise of the governance process that defines the legitimate set <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> itself. The defenses for these scenarios—hardware roots of trust, telemetry signing and provenance, IdP-directed threat detection, and separation-of-duties controls on policy change—are complementary measures that MST assumes are supplied by the surrounding security program. The contribution of MST is to minimize standing trust <italic>given</italic> a trustworthy evidence layer, not to guarantee that layer’s integrity.</p>
      </sec>
      <sec id="sec3dot3">
        <title>3.3. Application-Edge Enforcement</title>
        <p>At the SaaS edge, Zero Trust should be strict. The exposed application surface should be reduced to the smallest practical set of domains, protocols, ports, paths, and partner integrations required for customer use and legitimate business operations. If traffic is not necessary for the service to function, it should not reach the service. Administrative interfaces should not be broadly reachable from the public Internet; customer APIs should be versioned and documented; unpublished or legacy endpoints should be retired rather than merely hidden; and edge policy should clearly distinguish among customer traffic, machine-to-machine traffic, partner integrations, and administrative control paths.</p>
        <p>SP 800-207A is especially relevant here because it emphasizes application and service identities in addition to network parameters, enabling a SaaS provider to control not only who is calling an interface but which service is calling which other service and under what policy [<xref ref-type="bibr" rid="B6">6</xref>]. This is critical in microservice architectures where east-west service-to-service traffic within the platform can itself represent an attack surface if lateral movement is possible through a compromised service identity.</p>
        <p>In practice, the edge control stack typically includes a reverse proxy or gateway, a WAF, abuse and reputation intelligence, rate-limiting controls, and one or more NIDS vantage points that can observe north-south traffic and selected east-west paths behind the edge. These controls are not interchangeable. A WAF is strongest when it enforces application-aware policy around malformed requests, exploit patterns, bot behavior, API misuse, and route-specific protections. A NIDS is strongest when it identifies suspicious network behavior, scanning activity, protocol anomalies, lateral movement indicators, or traffic patterns that become meaningful only when viewed in sequence. Using WAF for behavioral pattern detection or NIDS for application-layer enforcement produces both functional gaps and telemetry noise; the architectural separation of responsibilities matters.</p>
        <p>Because the legitimate edge surface is relatively compact, autonomous prevention is most realistic at this plane. High-confidence controls can be allowed to act by default when their scope is narrow and their rollback path is simple. The most important such control is <italic>bidirectional auto-blocking of IP addresses appearing on curated reputation feeds</italic>. Sources listed on feeds such as AbuseIPDB [<xref ref-type="bibr" rid="B35">35</xref>], the Spamhaus DROP and EDROP lists [<xref ref-type="bibr" rid="B36">36</xref>], and vendor-provided threat-intelligence bundles represent, by construction, hosts that have demonstrated adversarial activity against other organizations. Permitting connections to or from them serves no legitimate business purpose. Accordingly, the SecOps platform should ingest one or more such feeds continuously and automatically drop both inbound connections originating from listed IPs and outbound connections destined for them—the symmetric posture that is central to the MST interpretation of the edge. The symmetry matters: inbound blocking alone addresses probing, scanning, and credential-stuffing attempts, but outbound blocking is what denies command-and-control callbacks, tool-staging retrievals, and exfiltration paths from any foothold an adversary has already established. Neither direction is complete without the other. Other autonomous edge controls—short-lived blocks on repeated exploit-like request patterns, suppression of commodity scanning behavior with no plausible customer use case—complement this reputation-based foundation. Geo-based controls can be appropriate when justified by the service footprint, contractual obligations, or observed threat concentration, but they should be treated as coarse risk signals rather than proof of maliciousness. A workable program gives blocked traffic a documented exception path so that the organization can say “no by default” while preserving a controlled allowlisting mechanism for legitimate business cases.</p>
        <p>A further edge consideration is egress discipline from sensitive workloads and administrative enclaves. Regulated SaaS providers often invest more in ingress filtering than in outbound control, even though data exfiltration, command-and-control callbacks, and accidental exposure can ride legitimate-looking outbound paths. Zero Trust at the edge therefore benefits from a symmetrical design: published inbound paths should be explicit, but so should the outbound destinations and protocols available to systems handling regulated data or administrative control. Service-to-service traffic, update channels, partner APIs, and observability exports should be enumerated and monitored. Everything else should at minimum be measurable and, where feasible, denied by policy.</p>
        <p>External Zero Trust also carries a compliance dividend. Edge decisions are easier to explain to auditors and customers when they are tied to documented policy, constrained exposure, and loggable enforcement actions. The same evidence that helps a vSOC explain why a source was blocked can help a compliance or privacy team explain how the service minimizes unnecessary access to regulated data. A disciplined edge therefore simultaneously reduces attack surface and improves defensibility during audits, customer reviews, and breach-response inquiries.</p>
      </sec>
      <sec id="sec3dot4">
        <title>3.4. Internal Enterprise Control without Operational Self-Harm</title>
        <p>The internal enterprise is where Zero Trust programs most frequently lose credibility. The workforce is distributed. Some users are on managed corporate endpoints; some are on contractor machines; and some are on BYOD devices that may be acceptable for productivity workflows but inappropriate for sensitive administrative access. Engineers need to push code, observe production behavior, and solve incidents under time pressure. Support staff may require constrained visibility into customer-impacting cases. Security administrators need enough reach to investigate and contain activity. These realities do not invalidate Zero Trust, but they require a more precise implementation model than simple deny-all.</p>
        <p>The ZTX framework’s seven pillars [<xref ref-type="bibr" rid="B22">22</xref>] provide a useful organizing structure for the internal enterprise controls advocated by the MST framework. The following subsections address the four pillars most directly implicated in SecOps operations for regulated SaaS: identity, devices, data, and behavioral analytics. The remaining pillars—network, workloads, and automation—are addressed in Sections 7 and 8.</p>
        <p>3.4.1. Identity as the Primary Policy Object</p>
        <p>NIST’s Zero Trust guidance removes implicit trust based on network location and instead places authentication and authorization before each session to an enterprise resource [<xref ref-type="bibr" rid="B1">1</xref>]. For regulated SaaS operations, this means strong identity proofing, multifactor authentication, and preferably phishing-resistant mechanisms (e.g., FIDO2/WebAuthn passkeys) for privileged users; role- and attribute-aware authorization tied to concrete job function; short session lifetimes for sensitive access; and policy checks that re-evaluate context during the session rather than only at logon.</p>
        <p>The internal question is not simply whether a user reached the corporate network. It is whether this identity, on this device, in this session, for this task, should continue to retain this level of access. This formulation is consistent with the ABAC and PBAC models identified in the research literature [<xref ref-type="bibr" rid="B28">28</xref>] as the access control paradigms most compatible with Zero Trust’s dynamic authorization requirements. Operationally, it means that authorization decisions are not static grants managed at provisioning time but continuous evaluations driven by current context.</p>
        <p>A related concern is service account and machine identity. In regulated SaaS environments, service accounts frequently hold elevated permissions that human accounts do not, because they were provisioned early in the platform’s development under fewer controls. Machine-to-machine authentication via short-lived certificates or OIDC token federation, combined with just-in-time (JIT) privilege elevation for sensitive operations, should be applied to service identities with the same rigor as to human identities.</p>
        <p>3.4.2. Device-Aware Trust Tiering</p>
        <p>BYOD does not need to be eliminated to make Zero Trust credible, but it does require honest segmentation of what those devices are permitted to do [<xref ref-type="bibr" rid="B26">26</xref>]. A mature SaaS program can allow low-sensitivity collaboration and basic ticketing from lightly trusted devices while reserving administrative consoles, production shells, sensitive data paths, and broad incident-response capabilities for managed and policy-compliant endpoints. Device posture checks can include verified operating-system patch state, endpoint protection agent health and version, full-disk encryption status, certificate presence, screen-lock policy compliance, and absence of jailbreak or unauthorized administrative tool installation.</p>
        <p>The practical effect is that a user may be fully authenticated while the device remains insufficiently trusted for a high-consequence action. This tiering avoids the binary choice between “block all unmanaged devices” and “allow everything.” It also provides a defensible audit position: the organization can demonstrate that regulated data paths are accessible only from devices meeting documented posture standards.</p>
        <p>3.4.3. Just-in-Time and Just-Enough Privilege</p>
        <p>Persistent administrative access is one of the most durable forms of unjustified trust in modern enterprises. A regulated SaaS provider should minimize standing access to production systems, data stores, cloud control planes, and security controls. Elevation should be time-bounded, reason-coded, and linked to a ticket, incident, or approved maintenance window. For sensitive data operations, field-level masking, tokenization, or explicit approval workflows are often more appropriate than broad record-level access.</p>
        <p>This is where Zero Trust and privacy engineering overlap operationally: the most effective way to protect regulated data is frequently to avoid exposing it in the first place. The principle of least privilege [<xref ref-type="bibr" rid="B15">15</xref>] requires not just that the initial access grant be minimal, but that the grant be regularly reviewed and revoked when the business justification lapses. Automated JIT systems that provision and expire privilege on verified request—integrating with change management ticketing, on-call rotation schedules, and data classification policies—operationalize this principle at the scale and speed that a SaaS engineering organization requires.</p>
        <p>3.4.4. Behavioral Context and Continuous Verification</p>
        <p>Behavioral modeling is compatible with but not identical to Zero Trust. It helps detect when a nominally authorized identity is acting outside its expected pattern, providing evidence that enriches rather than replaces policy-based decisions. Internal behavioral baselining can be constructed around role, time of day, application usage patterns, administrative history, data-access volume, source device, network path, and peer-group norms [<xref ref-type="bibr" rid="B29">29</xref>]. These signals raise or lower response confidence. Used properly, they function as contextual evidence layered onto identity and policy; used poorly, they generate opaque noise that degrades analyst trust in the detection platform.</p>
        <p>The key is to treat behavioral deviation as a modulator of the verification score <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mi> a </mml:mi><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> in the MST model—a signal that triggers re-verification, step-up authentication, or session scope narrowing—rather than as an independent enforcement mechanism. This integration is well-supported by the UEBA research literature, which consistently finds that behavioral signals have the highest operational value when combined with identity and policy context [<xref ref-type="bibr" rid="B29">29</xref>].</p>
        <p>3.4.5. Endpoint-Enforced Reputation Blocking</p>
        <p>The reputation-based auto-blocking posture described in Section 5 for the application edge has a direct symmetric counterpart inside the internal enterprise, enforced at the endpoint rather than at the network perimeter. EDR and XDR agents deployed on managed endpoints are already positioned to observe every outbound connection from every process on every host. By integrating the same curated reputation feeds that drive edge-level blocking—AbuseIPDB, Spamhaus, vendor threat intelligence [<xref ref-type="bibr" rid="B35">35</xref>][<xref ref-type="bibr" rid="B36">36</xref>]—into the EDR policy engine, the platform can automatically block any process on any managed endpoint from initiating an outbound connection to a known-bad IP, and from accepting an inbound connection from one. The NIST SP 800-94 guide to intrusion detection and prevention systems establishes reputation-list filtering as a standard IDS/IPS capability [<xref ref-type="bibr" rid="B42">42</xref>]; applying it at the endpoint rather than only at the network perimeter closes the visibility gap created by work-from-home patterns, where endpoint traffic often bypasses the corporate network boundary entirely.</p>
        <p>This symmetric posture is structurally important. An adversary who has established a foothold on an internal endpoint (via phishing, supply-chain compromise, or any other initial access vector) will typically attempt to reach adversary-controlled infrastructure for command reception, lateral tool retrieval, or data staging. If the destination infrastructure is on a public reputation feed—and a substantial fraction of active adversary infrastructure is, because reputation feeds are populated in near-real-time by honeypot networks, abuse reports, and passive DNS collectors—then endpoint-enforced egress blocking denies the callback before the adversary can execute subsequent stages. Combined with the edge-level blocking of inbound connections from the same lists, the organization denies both the initial probe and the subsequent exfiltration channel with a single, operationally cheap control that requires no per-decision human judgment.</p>
        <p>The control is well-suited to the bounded-autonomy framework (Section 8): the signal quality is high (the IP is on a curated feed with explicit evidence of malicious activity), the blast radius is low (a single connection is denied; a business-legitimate connection would rarely target a reputation-listed IP), and the action is fully reversible (the IP can be whitelisted in policy if a false positive occurs). These properties place reputation blocking firmly within the region of the MST model that admits full autonomous execution.</p>
        <p>A useful shorthand emerges from these five principles: internally, Zero Trust is best implemented as the <italic>progressive removal of standing trust</italic> rather than as the elimination of all connectivity. An organization matures when fewer people retain persistent privilege, fewer unmanaged devices can touch sensitive paths, fewer sessions continue without renewed proof, fewer anomalous actions go unexplained, and fewer endpoints can reach known-bad infrastructure. This is a realistic and sustainable maturity trajectory for distributed SaaS operations, and one that accommodates the mobility and device heterogeneity of modern knowledge work.</p>
      </sec>
    </sec>
    <sec id="sec4">
      <title>4. Unified Telemetry and Decisioning</title>
      <p>Architecture becomes operations only when telemetry is fused. Many enterprises already operate capable point products: SIEM for aggregation and correlation, EDR or XDR for endpoint and cross-domain detection, WAF for application protection, NIDS for network visibility, identity services for authentication and conditional access, cloud consoles for infrastructure telemetry, and data-access logs for sensitive operations. The problem is not typically missing tools. The problem is that each tool tries to tell its own story about what happened, while the analyst is left to merge those partial narratives manually, under time pressure, against an adversary who is not similarly constrained.</p>
      <p>This operational fragmentation is well-documented. Alert fatigue—the state in which detection volume exceeds the analyst’s capacity for meaningful triage—is among the most cited productivity barriers in SOC research [<xref ref-type="bibr" rid="B11">11</xref>]. The consequence is not merely wasted analyst time; it is systematic under-investigation of genuine signals buried in commodity noise, which directly degrades detection and containment performance.</p>
      <p>A practical SecOps design therefore requires a single ingestion and normalization pipeline. The data model should revolve around a small set of stable objects: identity, device, session, resource, action, evidence quality, and business consequence. WAF events, NIDS alerts, EDR detections, cloud audit logs, VPN or ZTNA sessions, SaaS application logs, and data-access events should be normalized into a common schema so the vSOC can answer a small set of decisive questions quickly: who or what acted; from where; against which resource; using which trust context; with what likely consequence; and with what confidence. Without that normalization, automated response will either stay too conservative to matter or act on incomplete evidence with unpredictable outcomes.</p>
      <p><xref ref-type="fig" rid="fig3">Figure 3</xref> illustrates the four-stage pipeline. The dashed boundary on the left groups all nine telemetry sources, making explicit that the architectural problem being solved is not missing tools but the absence of a single ingestion path. The <italic>Decoder</italic> stage handles log normalization and carries the alert rules that are specific to each telemetry source—the logic that knows, for example, what a NIDS rule-fire threshold or an EDR behavioral indicator threshold should look like before it merits analyst attention. The <italic>Alerting</italic> stage applies those rules as a filter gate: only events that cross the relevance threshold proceed to enrichment and SOC notification; all others are logged but not escalated, directly addressing alert fatigue. The <italic>Enrichment</italic> stage then computes the MST formal model variables (<inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> , <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> , and <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> ) and attaches ATT&amp;CK mappings and policy constraints. This architecture ensures that the analyst receives an enriched incident rather than a raw fragment, and that computational resources are spent only on alerts the decoder has already qualified as relevant.</p>
      <sec id="sec4dot1">
        <title>4.1. Evidence Classification and Decision Value</title>
        <p>To support sound decisions, the normalization layer should classify evidence on two dimensions: <italic>technical trustworthiness</italic> (how reliably does this signal indicate adversarial activity?) and <italic>operational decision value</italic> (how much does this signal affect the response decision for this resource?). Some events are strong technical indicators of maliciousness but weak indicators of business consequence. Others are technically weak but operationally consequential because they involve a privileged identity or a regulated dataset. A mature pipeline preserves both dimensions.</p>
        <p>For example, an EDR alert on a kiosk device may be technically high-confidence but operationally low-consequence. A weaker behavioral anomaly tied to a production administrator who has just opened a sensitive data-access path from an unmanaged endpoint may be technically uncertain but operationally critical. The unified telemetry layer resolves this asymmetry by enriching events with resource classification, identity role, session context, and data-sensitivity labels before routing them to the response decision engine.</p>
        <fig id="fig3">
          <label>Figure 3</label>
          <graphic xlink:href="https://html.scirp.org/file/7801240-rId81.jpeg?20260715020609" />
        </fig>
        <p><bold>Figure 3</bold><bold>.</bold><bold>Unified Telemetry &amp; Data Ingestion Pipeline.</bold> All nine telemetry sources—WAF, NIDS, SIEM, EDR/XDR, IAM, VPN/ZTNA, cloud audit, data-access logs, and SaaS application logs—are grouped within a single collection boundary and feed a <italic>Decoder</italic> module that performs log ingestion and normalization into a common schema. Decoder-embedded alert rules then drive an <italic>Alerting</italic> module that determines whether each normalized event warrants SOC attention: events that pass are forwarded to the SOC via email notification and proceed to <italic>Enrichment</italic>; events that do not pass are suppressed and retained in the audit log only. The enrichment layer computes the verification score <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> , applies the resource threshold <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> , assigns risk weight <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> , maps adversary techniques, and attaches policy constraints. The resulting enriched incident object is routed to three consumers: bounded autonomous response, the vSOC analyst decision surface, and compliance and audit evidence generation.</p>
      </sec>
      <sec id="sec4dot2">
        <title>4.2. Compliance as an Operational Dividend</title>
        <p>A unified telemetry plane is also where compliance becomes operational rather than retrospective. In regulated SaaS firms, security and compliance have historically operated in separate evidence loops: one loop for incident handling and another for audits, attestations, and customer questionnaires. That separation introduces cost and delay because analysts resolve the same event that auditors and compliance teams later need re-explained from a different analytical frame. A shared data plane can eliminate this duplication. Case notes, control outcomes, policy decisions, and exception records created during security operations should also be available as evidence for governance, privacy, and assurance workflows, with appropriate access controls and retention policies.</p>
        <p>This integration supports what the NIST Cybersecurity Framework 2.0 [<xref ref-type="bibr" rid="B43">43</xref>] identifies as the “Govern” function: the organizational structures, policies, processes, and oversight mechanisms that determine how cybersecurity risk decisions are made, prioritized, and communicated. Unified telemetry makes that governance function continuous rather than periodic, enabling real-time status rather than point-in-time snapshots.</p>
        <p>The design implication bears repeating: unifying telemetry at the dashboard layer improves visualization; unifying it at the decision layer improves operations.<sup>2</sup></p>
        <p>The vSOC should receive <italic>incidents</italic>, not fragments. A suspicious event should arrive with identity context, device trust tier, resource sensitivity, prior related signals, probable adversary technique mapping where applicable, and any policy constraints on what automation is permitted to do next.</p>
      </sec>
    </sec>
    <sec id="sec5">
      <title>5. Policy-Governed Autonomous Response</title>
      <p>The rise of agentic AI has revived an old security ambition: a SOC that can not only observe and recommend, but act at machine speed. That ambition is operationally sound only if action is bounded by policy rather than by model confidence alone—and <italic>the policy in question is the MST model itself</italic>. AI governance in security operations is not a separate problem domain; it is an instance of the same optimization structure. The permitted action set <inline-formula><mml:math><mml:mrow><mml:msup><mml:mi mathvariant="script"> T </mml:mi><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:math></inline-formula> that governs human access decisions also governs what an AI agent may do autonomously: if an action would require human authorization when a human requests it, it requires human authorization when an AI agent recommends or executes it.</p>
      <p>The governance literature establishes the requirements clearly. NIST’s AI Risk Management Framework and its Generative AI Profile emphasize that AI systems must be governed as a risk-management discipline, with trustworthiness, oversight, measurement, and context-appropriate controls built in at design time [<xref ref-type="bibr" rid="B16">16</xref>][<xref ref-type="bibr" rid="B17">17</xref>]. The 2025 NSA/CISA/FBI joint guidance on deploying AI systems securely stresses governance, data provenance, adversarial robustness, and continuous monitoring for model drift [<xref ref-type="bibr" rid="B18">18</xref>][<xref ref-type="bibr" rid="B19">19</xref>]. OWASP’s agentic application security guidance identifies prompt injection, excessive tool grant, and unsupervised policy modification as the primary attack vectors against SOC-deployed AI agents [<xref ref-type="bibr" rid="B21">21</xref>]. Ferrag <italic>et al.</italic> survey LLM applications in security operations and find that while LLMs substantially accelerate analyst workflows, they introduce hallucination risk in threat reasoning and are directly susceptible to adversarial manipulation of their input telemetry [<xref ref-type="bibr" rid="B39">39</xref>]. Motlagh <italic>et al.</italic> argue that action boundaries and reversibility constraints are necessary preconditions for safe autonomous SOC deployment—not optional governance preferences [<xref ref-type="bibr" rid="B40">40</xref>].</p>
      <p>The integration of these requirements into the MST model produces a straightforward design rule: <italic>AI agents in security operations should follow the same trust constraints as human analysts</italic>,<italic>applied to response actions rather than access decisions</italic>. Concretely, an AI agent executing a response action must satisfy the same criteria as any other permitted action: the verification evidence must be sufficient (<inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow><mml:mo> ≥ </mml:mo><mml:mi> θ </mml:mi></mml:mrow></mml:math></inline-formula> ), the risk weight must be low (<inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> small), and the action must be reversible and time-bounded. This means that an AI agent may block an IP address or trigger step-up authentication autonomously on the same evidence that would justify a human analyst doing so; it may not rewrite access policy, grant durable privilege, or take any action that a human analyst would need approval to take. The MST model thus provides a unified governance surface for both human and AI actors in the security operations workflow.</p>
      <p>For cyber defense operations, the safest synthesis is <italic>bounded autonomy</italic>. An AI-enabled assistant provides high value when it enriches alerts, correlates related evidence, drafts concise case summaries, explains likely adversary behavior, and recommends next steps. It becomes more sensitive when allowed to suppress noisy alerts, trigger step-up authentication, temporarily isolate a host, revoke a session token, or block an IP range. It becomes high risk when it can rewrite policy broadly, grant or revoke enduring access, or take actions materially affecting customers or regulated data without immediate human review.</p>
      <sec id="sec5dot1">
        <title>5.1. Agentic AI Frameworks for vSOC Operations</title>
        <p>The most consequential design decision in deploying agentic AI inside a virtual security operations centre (vSOC) is not which language model to adopt or which orchestration framework to license, but the choice of <italic>span of control</italic>—the set of operational actions the agent is authorized to take without human approval. Recent SOC operations research has converged on a clear pattern: agentic deployments succeed when their span of control is calibrated to the consequence severity of the actions in scope, and they fail when span of control is selected on the basis of model capability alone [<xref ref-type="bibr" rid="B39">39</xref>][<xref ref-type="bibr" rid="B40">40</xref>]. A capable agent given excessive scope produces fast, articulate, and confidently wrong policy decisions at machine speed; a constrained agent given too narrow a scope produces minimal operational lift and analyst frustration. The optimization question is not how capable the agent is, but where on the action space its autonomy can safely sit.</p>
        <p>MST provides a principled criterion for this calibration. Each candidate agent action <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> inherits the same parameters that govern human access decisions: a risk-exposure weight <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> , a denial cost <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> , and a resource-sensitive verification threshold <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> (Section 6.2). The agent’s permissible-action set <inline-formula><mml:math><mml:mrow><mml:mi mathvariant="script"> A </mml:mi><mml:mo> ⊆ </mml:mo><mml:msup><mml:mi mathvariant="script"> T </mml:mi><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:math></inline-formula> is therefore not a property of the agent or the model but of the MST optimum: the agent may act autonomously on actions whose <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> is small, whose verification evidence <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> comfortably clears <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> , and whose effect is reversible within an audit window the organization has approved. Every other action is recommended, not executed.</p>
        <p>The blast-radius spectrum operationalizes this principle. We define the <italic>blast radius</italic> of action <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> as the magnitude of organizational exposure created if the action is wrong—measured in the same currency as <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> , but extended to capture cascading consequences such as downstream availability impact, customer-facing damage, regulatory disclosure thresholds, and reversibility timeline. At one end of the spectrum sit actions with negligible blast radius: muting a duplicate low-value alert, enriching an incident with reputation context, drafting a triage summary for analyst review. These actions can safely run as fully autonomous provided three structural controls are in place: 1) a strong upstream verification policy that the agent inherits rather than overrides; 2) deterministic action logging into an immutable audit trail; and 3) a kill-switch that an authorized operator can invoke without external dependency. At the opposite end sit actions with severe blast radius: rewriting access policy, granting standing privilege, broad isolation of customer-facing services, irrevocable data destruction. These require explicit human-in-the-loop approval regardless of model confidence, evidence quality, or operational pressure.</p>
        <p>Between these endpoints lies the largest and most contested region of the spectrum, where well-governed conditional autonomy is possible: temporary host isolation contingent on a recoverable rollback path, session revocation for non-executive accounts, short-TTL IP blocking, narrowed-scope step-up authentication challenges, and quarantine actions on managed endpoints. For each, the governance pattern is the same. An action is autonomous when (1) the verification score <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> exceeds a <italic>strictly higher</italic> threshold than the corresponding human-initiated action would require, (2) the action is reversible within a documented operational window, and (3) a human review event is generated regardless of whether the action succeeds. The asymmetry in (1)—holding agents to a higher evidence bar than humans for the same action class—is deliberate. It reflects the fact that an erroneous agent decision propagates without the natural friction that an erroneous human decision encounters, and it aligns directly with the trustworthiness, oversight, and continuous-monitoring requirements emphasised in NIST and NCSC AI deployment guidance [<xref ref-type="bibr" rid="B16">16</xref>][<xref ref-type="bibr" rid="B17">17</xref>][<xref ref-type="bibr" rid="B20">20</xref>].</p>
        <p>Two failure modes from the agentic-AI security literature warrant specific attention because they manifest distinctively in vSOC deployments. <italic>Excessive tool grant</italic>, identified in OWASP’s agentic application security guidance [<xref ref-type="bibr" rid="B21">21</xref>], occurs when an agent is configured with broader API access than its operational role requires—classically, an enrichment agent that also has the ability to modify firewall rules. Within MST, this failure becomes structurally visible the moment <inline-formula><mml:math><mml:mi mathvariant="script"> A </mml:mi></mml:math></inline-formula> is enumerated and reviewed: an agent whose permissible-action set extends beyond the actions whose <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> and reversibility profiles justify autonomous execution is a policy violation, not an emergent behaviour. <italic>Adversarial input manipulation</italic>, particularly prompt injection embedded in ingested telemetry [<xref ref-type="bibr" rid="B38">38</xref>][<xref ref-type="bibr" rid="B41">41</xref>], can cause an agent to act on attacker-supplied instructions rather than on legitimate signals. The MST verification gate <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow><mml:mo> ≥ </mml:mo><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> addresses this directly: the agent’s verification score must be computed from the unified telemetry plane (Section 4) rather than from agent-internal reasoning, and high-blast-radius actions require the highest <inline-formula><mml:math><mml:mi> θ </mml:mi></mml:math></inline-formula> values, so adversarial manipulation cannot push an agent action across the autonomy threshold without first compromising the upstream telemetry pipeline—a substantially harder attack than crafting a prompt-injection payload.</p>
        <p>The practical implication for vSOC architects is direct: deploying agentic AI inside an MST-governed environment is not principally a question of model selection but of permissible-action enumeration. The model is the means; the permissible-action set <inline-formula><mml:math><mml:mi mathvariant="script"> A </mml:mi></mml:math></inline-formula> , the verification thresholds, the reversibility requirements, and the audit instrumentation are the substance. The bounded-autonomy ladder developed in the next subsection makes this substance concrete.</p>
      </sec>
      <sec id="sec5dot2">
        <title>5.2. The Bounded-Autonomy Ladder</title>
        <p>The practical test for whether an action belongs on the autonomous side of the ladder is not whether the model appears confident. It is whether the action is simultaneously: 1) high-confidence based on multiple corroborating signals; 2) low-blast-radius with respect to customer-facing services and regulated data; 3) reversible within a short operational window; and 4) supported by a documented playbook that encodes the organization’s explicit risk tolerance for that action class.</p>
        <p>These criteria explain why temporary edge blocking often qualifies for autonomous execution before permanent access revocation does. A short-lived block on a source matching multiple abuse signals, triggering a known exploit rule, and affecting no preapproved partner is a more appropriate autonomous action than a long-lived access change against an internal administrator during an active production incident.</p>
        <p>The design is also relevant to reinforcement and adaptive learning within the response engine. Statistical models are well-suited to optimizing alert-priority thresholds, ranking playbook choices, learning suppression patterns for duplicate noise, and calibrating when the cost of intervention delay exceeds the cost of a reversible action. They are poorly suited to unconstrained self-directed policy modification in production. If learning systems are used to improve autonomous action over time, the reward function must incorporate not only speed and detection gains, but also false-block cost, customer impact, action reversals, and exception volume [<xref ref-type="bibr" rid="B38">38</xref>]. Otherwise the system will optimize the wrong objective.</p>
      </sec>
      <sec id="sec5dot3">
        <title>5.3. Human Factors and SOC Trust in Automation</title>
        <p>There is also a human-factors rationale for bounded autonomy that the literature on automation-induced complacency makes compelling. Analysts will extend trust to automated response only when the system behaves predictably, explains its choices, and stays within known boundaries. A platform that behaves unpredictably—jumping from alert summarization to disruptive containment actions without transparent reasoning—teaches the SOC to disable automation rather than expand it [<xref ref-type="bibr" rid="B37">37</xref>]. Agentic security tooling should therefore behave more like a disciplined junior analyst with very fast hands than like an unsupervised decision-maker. It should show its work, stay within policy rails, and leave a reviewable record.</p>
        <p><xref ref-type="fig" rid="fig4">Figure 4</xref> and <bold>Table 1</bold> together illustrate that the safest automation program is one that expands machine speed where reversibility is high and contracts it where policy consequences are broad. Organizations should also resist confusing a more capable model with better policy. An AI assistant can become dramatically more fluent at summarizing incidents without improving the correctness of the response actions the organization has authorized. Conversely, a conservatively bounded policy can remain safe even when the AI layer is only modestly capable, because it limits the damage of incorrect inference. This separation of model capability from policy authority is a fundamental governance principle for agentic security tooling.</p>
        <fig id="fig4">
          <label>Figure 4</label>
          <graphic xlink:href="https://html.scirp.org/file/7801240-rId126.jpeg?20260715020611" />
        </fig>
        <p><bold>Figure 4</bold><bold>.</bold><bold>Bounded-autonomy ladder for the</bold><bold>vSOC</bold><bold>.</bold> Low-risk functions such as enrichment, correlation, summarization, and duplicate-noise suppression can be automated aggressively. As blast radius, irreversibility, or customer impact increase, autonomous action should narrow and human approval becomes mandatory.</p>
        <p>Every autonomous action should be explainable in operational terms. The record should show: what evidence triggered the action; what policy authorized it; how long the action was intended to persist; who could reverse it; and whether the event touched regulated data or customer-facing systems. This is not only sound governance but sound engineering. When incidents occur, organizations need to know not just what the adversary attempted, but what the defense platform decided on the organization’s behalf and on what basis.</p>
        <p><bold>Table 1</bold><bold>.</bold><bold>Response decision matrix for policy-governed autonomous response.</bold> Signal quality, blast radius, and reversibility together determine whether an action is appropriate for automatic execution or requires human review.</p>
        <table-wrap id="tbl1">
          <label>Table 1</label>
          <table>
            <tbody>
              <tr>
                <td>
                  <bold>Event class</bold>
                </td>
                <td>
                  <bold>Typical signal quality</bold>
                </td>
                <td>
                  <bold>Blast radius/reversibility</bold>
                </td>
                <td>
                  <bold>Default autonomous action</bold>
                </td>
                <td>
                  <bold>Human-review trigger</bold>
                </td>
              </tr>
              <tr>
                <td>Known-bad Internet source</td>
                <td>High confidence from abuse feed plus exploit or scanning context</td>
                <td>Low blast radius when block has short TTL and no partner dependency</td>
                <td>Temporary IP block or rate limit at edge</td>
                <td>Partner traffic, repeated exception requests, or unexpected business impact</td>
              </tr>
              <tr>
                <td>Repeated WAF exploit attempts</td>
                <td>High when rule precision is validated on the protected route</td>
                <td>Low to moderate; reversible at edge controls</td>
                <td>Short-lived block, challenge, or request throttling</td>
                <td>Possible false positive on customer workflow or API client</td>
              </tr>
              <tr>
                <td>Managed endpoint malware</td>
                <td>High for confirmed malware or command-and-control indicators</td>
                <td>Moderate; rollback available but host isolation affects user productivity</td>
                <td>Quarantine artifact; isolate host if policy conditions are met</td>
                <td>Executive or on-call operational asset, or uncertainty about detection quality</td>
              </tr>
              <tr>
                <td>Duplicate low-value alerts</td>
                <td>Medium to high if repetition pattern is stable</td>
                <td>Very low; fully reversible</td>
                <td>Mute or suppress with expiration and sampling review</td>
                <td>Pattern drift, new asset class, or prior false suppression</td>
              </tr>
              <tr>
                <td>Privileged session anomaly</td>
                <td>Medium; behavior signal strengthened by identity and data context</td>
                <td>Moderate to high depending on account and active task</td>
                <td>Step-up authentication, token revocation, or narrowed session scope</td>
                <td>Critical user, sensitive maintenance window, or customer-visible risk</td>
              </tr>
              <tr>
                <td>Broad policy rewrite or permanent access denial</td>
                <td>Varies; confidence alone is insufficient</td>
                <td>High; often difficult to reverse without operational fallout</td>
                <td>No autonomous execution</td>
                <td>Always human approval</td>
              </tr>
            </tbody>
          </table>
        </table-wrap>
      </sec>
    </sec>
    <sec id="sec6">
      <title>6. Formalizing the Theoretical Foundations of MST</title>
      <sec id="sec6dot1">
        <title>6.1. Why Zero Trust Implementations Fail as Monotonic Optimization</title>
        <p>Before formalizing the MST model, it is worth establishing precisely why the dominant failure mode of Zero Trust programs takes the form it does. Zero Trust practitioners and academics alike have documented a recurrent pattern: programs begin with an architectural goal of radical access reduction, accumulate controls as their maturity increases, yet do not proportionally improve measurable security outcomes [<xref ref-type="bibr" rid="B10">10</xref>]. Buck <italic>et al.</italic> [<xref ref-type="bibr" rid="B10">10</xref>] identify this gap systematically across a multivocal review of enterprise Zero Trust deployments, finding that control accumulation without outcome measurement is the most consistently reported implementation failure mode.</p>
        <p>This failure mode reflects a specific structural error: treating Zero Trust deployment as a <italic>monotonic optimization</italic>—one in which adding more controls or making existing controls stricter constitutes monotonic progress toward the security objective. Monotonic optimization is appropriate when the objective function is convex and unconstrained. Security posture is neither. The security benefit of each additional control exhibits diminishing returns once the highest-risk paths are blocked, while the operational cost of each additional control (analyst burden, exception rate, business friction) accumulates linearly. The resulting program reaches a local optimum far short of the global security objective while simultaneously over-shooting the operational feasibility constraint. The organization cannot distinguish this outcome from genuine security progress because it is measuring control density rather than risk reduction.</p>
        <p>We are therefore careful to distinguish the MST claim from a simple inversion: the goal is not to <italic>minimize</italic> controls, but to find the <italic>minimum-cost trust set</italic> that satisfies both the security and operational constraints simultaneously. This is a constrained optimization problem, not a greedy minimization.</p>
      </sec>
      <sec id="sec6dot2">
        <title>6.2. Action Space and Decision Variables</title>
        <p>Let <inline-formula><mml:math><mml:mrow><mml:mi mathvariant="script"> S </mml:mi><mml:mo> = </mml:mo><mml:mrow><mml:mo> { </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mn> 1 </mml:mn></mml:msub><mml:mo> , </mml:mo><mml:msub><mml:mi> a </mml:mi><mml:mn> 2 </mml:mn></mml:msub><mml:mo> , </mml:mo><mml:mo> ⋯ </mml:mo><mml:mo> , </mml:mo><mml:msub><mml:mi> a </mml:mi><mml:mi> n </mml:mi></mml:msub></mml:mrow><mml:mo> } </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> denote the <italic>action space</italic>: the finite set of all access actions possible in the enterprise at a given point in time. Each action <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> ∈ </mml:mo><mml:mi mathvariant="script"> S </mml:mi></mml:mrow></mml:math></inline-formula> is a tuple: </p>
        <disp-formula id="FD1">
          <label>(1)</label>
          <mml:math>
            <mml:mrow>
              <mml:msub>
                <mml:mi>a</mml:mi>
                <mml:mi>i</mml:mi>
              </mml:msub>
              <mml:mo>=</mml:mo>
              <mml:mrow>
                <mml:mo>(</mml:mo>
                <mml:mrow>
                  <mml:msub>
                    <mml:mi>ι</mml:mi>
                    <mml:mi>i</mml:mi>
                  </mml:msub>
                  <mml:mo>,</mml:mo>
                  <mml:msub>
                    <mml:mi>δ</mml:mi>
                    <mml:mi>i</mml:mi>
                  </mml:msub>
                  <mml:mo>,</mml:mo>
                  <mml:msub>
                    <mml:mi>ρ</mml:mi>
                    <mml:mi>i</mml:mi>
                  </mml:msub>
                  <mml:mo>,</mml:mo>
                  <mml:msub>
                    <mml:mi>σ</mml:mi>
                    <mml:mi>i</mml:mi>
                  </mml:msub>
                  <mml:mo>,</mml:mo>
                  <mml:msub>
                    <mml:mi>ω</mml:mi>
                    <mml:mi>i</mml:mi>
                  </mml:msub>
                </mml:mrow>
                <mml:mo>)</mml:mo>
              </mml:mrow>
            </mml:mrow>
          </mml:math>
        </disp-formula>
        <p>where <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> ι </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> is the authenticated identity, <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> δ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> is the device trust tier, <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> is the target resource and its data classification, <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> σ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> is the session context (freshness, MFA strength, network path), and <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> ω </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> is the requested operation (read, write, execute, elevate, etc.).</p>
        <p>Introduce binary decision variables <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> ∈ </mml:mo><mml:mrow><mml:mo> { </mml:mo><mml:mrow><mml:mn> 0 </mml:mn><mml:mo> , </mml:mo><mml:mn> 1 </mml:mn></mml:mrow><mml:mo> } </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> for each <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> ∈ </mml:mo><mml:mi mathvariant="script"> S </mml:mi></mml:mrow></mml:math></inline-formula> : </p>
        <disp-formula id="FD2">
          <label>(2)</label>
          <mml:math>
            <mml:mrow>
              <mml:msub>
                <mml:mi>x</mml:mi>
                <mml:mi>i</mml:mi>
              </mml:msub>
              <mml:mo>=</mml:mo>
              <mml:mrow>
                <mml:mo>{</mml:mo>
                <mml:mrow>
                  <mml:mtable columnalign="left">
                    <mml:mtr columnalign="left">
                      <mml:mtd columnalign="left">
                        <mml:mn>1</mml:mn>
                      </mml:mtd>
                      <mml:mtd columnalign="left">
                        <mml:mrow>
                          <mml:mtext>if</mml:mtext>
                          <mml:mtext>
                             
                          </mml:mtext>
                          <mml:mtext>action</mml:mtext>
                          <mml:mtext>
                             
                          </mml:mtext>
                          <mml:msub>
                            <mml:mi>a</mml:mi>
                            <mml:mi>i</mml:mi>
                          </mml:msub>
                          <mml:mtext>
                             
                          </mml:mtext>
                          <mml:mtext>is</mml:mtext>
                          <mml:mtext>
                             
                          </mml:mtext>
                          <mml:mtext>permitted</mml:mtext>
                          <mml:mtext>
                             
                          </mml:mtext>
                          <mml:mrow>
                            <mml:mo>(</mml:mo>
                            <mml:mrow>
                              <mml:mtext>included</mml:mtext>
                              <mml:mtext>
                                 
                              </mml:mtext>
                              <mml:mtext>in</mml:mtext>
                              <mml:mtext>
                                 
                              </mml:mtext>
                              <mml:mi mathvariant="script">T</mml:mi>
                            </mml:mrow>
                            <mml:mo>)</mml:mo>
                          </mml:mrow>
                        </mml:mrow>
                      </mml:mtd>
                    </mml:mtr>
                    <mml:mtr columnalign="left">
                      <mml:mtd columnalign="left">
                        <mml:mn>0</mml:mn>
                      </mml:mtd>
                      <mml:mtd columnalign="left">
                        <mml:mrow>
                          <mml:mtext>otherwise</mml:mtext>
                        </mml:mrow>
                      </mml:mtd>
                    </mml:mtr>
                  </mml:mtable>
                </mml:mrow>
              </mml:mrow>
            </mml:mrow>
          </mml:math>
        </disp-formula>
        <p>The <italic>permitted action set</italic> is then <inline-formula><mml:math><mml:mrow><mml:mi mathvariant="script"> T </mml:mi><mml:mo> = </mml:mo><mml:mrow><mml:mo> { </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> ∈ </mml:mo><mml:mi mathvariant="script"> S </mml:mi><mml:mo> : </mml:mo><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mn> 1 </mml:mn></mml:mrow><mml:mo> } </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> and the <italic>legitimate business-required set</italic><inline-formula><mml:math><mml:mrow><mml:mi> ℒ </mml:mi><mml:mo> ⊆ </mml:mo><mml:mi mathvariant="script"> S </mml:mi></mml:mrow></mml:math></inline-formula> is defined as the subset of actions for which a documented business or operational justification exists. Let <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> ℓ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> ∈ </mml:mo><mml:mrow><mml:mo> { </mml:mo><mml:mrow><mml:mn> 0 </mml:mn><mml:mo> , </mml:mo><mml:mn> 1 </mml:mn></mml:mrow><mml:mo> } </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> denote membership in <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> .</p>
        <p><bold>Creating and maintaining</bold><inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula><bold>in practice.</bold> The legitimate set is not a static artifact but a governed register whose entries each carry a justification, an owner, and an expiry. Additions to <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> are approved through the organization’s change-management process: a resource or service owner sponsors the request, a security or access-governance reviewer validates that the requested <inline-formula><mml:math><mml:mrow><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ι </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msub><mml:mi> δ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msub><mml:mi> σ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msub><mml:mi> ω </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> tuple is consistent with documented job function and data-classification policy, and the approved entry is recorded against the ticket that justifies it—supplying the control-to-case traceability discussed in Section 7. Emergency exceptions—access required faster than the standing approval cycle permits—enter <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> through a break-glass path that grants the entry immediately but attaches a mandatory short expiry and a flag for retrospective review, so that an emergency grant cannot silently harden into permanent standing trust. Stale entries are removed by two complementary mechanisms: <italic>time-based expiry</italic>, under which every entry must be re-justified before its expiry or it lapses automatically; and <italic>usage-based reconciliation</italic>, under which entries that the telemetry plane records as unused over a defined window are surfaced for owner re-attestation or removal. This lifecycle is what keeps the declared <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> aligned with the effective set of actions the business actually requires. The residual gap between declared and effective <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> —and the prospect of <italic>learning</italic><inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> from observed behaviour rather than from policy declarations—is discussed as a limitation in Section 6.3 and as a research direction in Section 7.7.</p>
        <p>As a <bold>uniform-cost baseline</bold>, the MST problem in its simplest form seeks the minimum-cardinality permitted set that covers all legitimate actions and satisfies a verification threshold: </p>
        <disp-formula id="FD3">
          <label>(3)</label>
          <mml:math>
            <mml:mrow>
              <mml:msup>
                <mml:mi mathvariant="script">T</mml:mi>
                <mml:mtext>*</mml:mtext>
              </mml:msup>
              <mml:mo>=</mml:mo>
              <mml:munder>
                <mml:mrow>
                  <mml:mi>arg</mml:mi>
                  <mml:mi>min</mml:mi>
                </mml:mrow>
                <mml:mi mathvariant="script">T</mml:mi>
              </mml:munder>
              <mml:mrow>
                <mml:mo>|</mml:mo>
                <mml:mrow>
                  <mml:mi mathvariant="script">T</mml:mi>
                  <mml:mo>\</mml:mo>
                  <mml:mi>ℒ</mml:mi>
                </mml:mrow>
                <mml:mo>|</mml:mo>
              </mml:mrow>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mtext>subject</mml:mtext>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mtext>to</mml:mtext>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mi>ℒ</mml:mi>
              <mml:mo>⊆</mml:mo>
              <mml:mi mathvariant="script">T</mml:mi>
              <mml:mo>,</mml:mo>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mo>∀</mml:mo>
              <mml:msub>
                <mml:mi>a</mml:mi>
                <mml:mi>i</mml:mi>
              </mml:msub>
              <mml:mo>∈</mml:mo>
              <mml:mi mathvariant="script">T</mml:mi>
              <mml:mo>:</mml:mo>
              <mml:mi>V</mml:mi>
              <mml:mrow>
                <mml:mo>(</mml:mo>
                <mml:mrow>
                  <mml:msub>
                    <mml:mi>a</mml:mi>
                    <mml:mi>i</mml:mi>
                  </mml:msub>
                </mml:mrow>
                <mml:mo>)</mml:mo>
              </mml:mrow>
              <mml:mo>≥</mml:mo>
              <mml:mi>θ</mml:mi>
              <mml:mrow>
                <mml:mo>(</mml:mo>
                <mml:mrow>
                  <mml:msub>
                    <mml:mi>ρ</mml:mi>
                    <mml:mi>i</mml:mi>
                  </mml:msub>
                </mml:mrow>
                <mml:mo>)</mml:mo>
              </mml:mrow>
            </mml:mrow>
          </mml:math>
        </disp-formula>
        <p>where:</p>
        <p><inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> ≥ </mml:mo><mml:mn> 0 </mml:mn></mml:mrow></mml:math></inline-formula> is the <bold>risk-exposure weight</bold> for action <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> —the cost of incorrectly permitting it. Allowable values are any non-negative real number. In practice, organisations assign <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> on a relative scale calibrated to data classification and role sensitivity: a read-only query against a non-regulated internal dashboard might be assigned <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mn> 1 </mml:mn></mml:mrow></mml:math></inline-formula> ; a privileged write to a PHI record store by a service account <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mn> 50 </mml:mn></mml:mrow></mml:math></inline-formula> ; an administrative action on the cloud control plane by an unmanaged device <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mn> 100 </mml:mn></mml:mrow></mml:math></inline-formula> or higher. The scale itself is arbitrary—what matters is the ratio between values, since the optimiser trades off <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> terms against <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> terms. A practical starting point is a four-tier classification: <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> ∈ </mml:mo><mml:mrow><mml:mo> { </mml:mo><mml:mrow><mml:mn> 1 </mml:mn><mml:mo> , </mml:mo><mml:mn> 10 </mml:mn><mml:mo> , </mml:mo><mml:mn> 50 </mml:mn><mml:mo> , </mml:mo><mml:mn> 100 </mml:mn></mml:mrow><mml:mo> } </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> mapped to low, medium, high, and critical data sensitivity respectively.<inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> ≥ </mml:mo><mml:mn> 0 </mml:mn></mml:mrow></mml:math></inline-formula> is the <bold>denial-cost weight</bold> for action <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> —the cost of incorrectly blocking it when it is legitimately required. Allowable values are any non-negative real number. For actions that are business-critical and time-sensitive, <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> should be high: blocking an on-call engineer’s read access to production logs during an incident might carry <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mn> 200 </mml:mn></mml:mrow></mml:math></inline-formula> , reflecting the cost of delayed remediation. For speculative or low-frequency access patterns, <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> may be close to zero. In the uniform-cost baseline (Equation 3), <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> → </mml:mo><mml:mi> ∞ </mml:mi></mml:mrow></mml:math></inline-formula> for all legitimate actions, which forces the optimiser to permit every member of <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> unconditionally. In the weighted formulation, finite <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> values allow the policy designer to express that some legitimate actions carry acceptable denial risk—useful for soft-blocking patterns that are legitimate but rarely exercised, where temporary disruption is tolerable.<inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow><mml:mo> ∈ </mml:mo><mml:mrow><mml:mo> [ </mml:mo><mml:mrow><mml:mn> 0 </mml:mn><mml:mo> , </mml:mo><mml:mn> 1 </mml:mn></mml:mrow><mml:mo> ] </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> is the <bold>verification threshold</bold> for the target resource <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> —the minimum composite evidence score an action must achieve before it may even be considered for permission. Unlike <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> and <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> , which enter the objective function, <inline-formula><mml:math><mml:mi> θ </mml:mi></mml:math></inline-formula> acts as a hard gate: any action with <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow><mml:mo> &lt; </mml:mo><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> is ineligible regardless of its cost weights. Allowable values are in <inline-formula><mml:math><mml:mrow><mml:mrow><mml:mo> [ </mml:mo><mml:mrow><mml:mn> 0 </mml:mn><mml:mo> , </mml:mo><mml:mn> 1 </mml:mn></mml:mrow><mml:mo> ] </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> , where <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mo> = </mml:mo><mml:mn> 0 </mml:mn></mml:mrow></mml:math></inline-formula> imposes no verification requirement and <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mo> = </mml:mo><mml:mn> 1 </mml:mn></mml:mrow></mml:math></inline-formula> requires perfect evidence on every dimension—an unachievable bar in practice. A workable implementation maps <inline-formula><mml:math><mml:mi> θ </mml:mi></mml:math></inline-formula> to resource sensitivity class: <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mo> = </mml:mo><mml:mn> 0.4 </mml:mn></mml:mrow></mml:math></inline-formula> for low-sensitivity internal resources; <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mo> = </mml:mo><mml:mn> 0.6 </mml:mn></mml:mrow></mml:math></inline-formula> for production systems; <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mo> = </mml:mo><mml:mn> 0.8 </mml:mn></mml:mrow></mml:math></inline-formula> for regulated data stores; and <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mo> = </mml:mo><mml:mn> 0.95 </mml:mn></mml:mrow></mml:math></inline-formula> for cloud control plane and secrets management interfaces. The verification score <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> that is compared against <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> is itself a composite of identity assurance level, device trust tier, session freshness, MFA strength, and behavioural conformance, each component scored in <inline-formula><mml:math><mml:mrow><mml:mrow><mml:mo> [ </mml:mo><mml:mrow><mml:mn> 0 </mml:mn><mml:mo> , </mml:mo><mml:mn> 1 </mml:mn></mml:mrow><mml:mo> ] </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> and aggregated by policy-defined weighting.</p>
        <p>Equation (3) is equivalent to setting <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mn> 1 </mml:mn></mml:mrow></mml:math></inline-formula> and <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> → </mml:mo><mml:mi> ∞ </mml:mi></mml:mrow></mml:math></inline-formula> for all <inline-formula><mml:math><mml:mi> i </mml:mi></mml:math></inline-formula> in the full formulation: every unjustified permitted action costs equally, and every denied legitimate action is infinitely costly. This uniform version is operationally interpretable—minimize the count of unnecessary permissions—but it ignores the fact that permitting a production-administrator session to a regulated data store carries far greater risk than permitting a read-only dashboard query. Section 6.3 generalises it accordingly.</p>
      </sec>
      <sec id="sec6dot3">
        <title>6.3. Weighted Objective Function</title>
        <p>Section 6.2 established that in the uniform-cost baseline, every unjustified permitted action costs equally (<inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mn> 1 </mml:mn></mml:mrow></mml:math></inline-formula> ) and every denied legitimate action is infinitely costly (<inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> → </mml:mo><mml:mi> ∞ </mml:mi></mml:mrow></mml:math></inline-formula> ). The full formulation replaces those fixed values with action-specific weights, producing the <bold>MST optimization problem</bold>: </p>
        <disp-formula id="FD4">
          <label>(4)</label>
          <mml:math>
            <mml:mrow>
              <mml:munder>
                <mml:mrow>
                  <mml:mtext>min</mml:mtext>
                </mml:mrow>
                <mml:mstyle mathvariant="bold" mathsize="normal">
                  <mml:mi>x</mml:mi>
                </mml:mstyle>
              </mml:munder>
              <mml:munderover>
                <mml:mstyle mathsize="140%" displaystyle="true">
                  <mml:mo>∑</mml:mo>
                </mml:mstyle>
                <mml:mrow>
                  <mml:mi>i</mml:mi>
                  <mml:mo>=</mml:mo>
                  <mml:mn>1</mml:mn>
                </mml:mrow>
                <mml:mi>n</mml:mi>
              </mml:munderover>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:msub>
                <mml:mi>c</mml:mi>
                <mml:mi>i</mml:mi>
              </mml:msub>
              <mml:msub>
                <mml:mi>x</mml:mi>
                <mml:mi>i</mml:mi>
              </mml:msub>
              <mml:mrow>
                <mml:mo>(</mml:mo>
                <mml:mrow>
                  <mml:mn>1</mml:mn>
                  <mml:mo>−</mml:mo>
                  <mml:msub>
                    <mml:mi>ℓ</mml:mi>
                    <mml:mi>i</mml:mi>
                  </mml:msub>
                </mml:mrow>
                <mml:mo>)</mml:mo>
              </mml:mrow>
              <mml:mo>+</mml:mo>
              <mml:munderover>
                <mml:mstyle mathsize="140%" displaystyle="true">
                  <mml:mo>∑</mml:mo>
                </mml:mstyle>
                <mml:mrow>
                  <mml:mi>i</mml:mi>
                  <mml:mo>=</mml:mo>
                  <mml:mn>1</mml:mn>
                </mml:mrow>
                <mml:mi>n</mml:mi>
              </mml:munderover>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:msub>
                <mml:mi>d</mml:mi>
                <mml:mi>i</mml:mi>
              </mml:msub>
              <mml:mrow>
                <mml:mo>(</mml:mo>
                <mml:mrow>
                  <mml:mn>1</mml:mn>
                  <mml:mo>−</mml:mo>
                  <mml:msub>
                    <mml:mi>x</mml:mi>
                    <mml:mi>i</mml:mi>
                  </mml:msub>
                </mml:mrow>
                <mml:mo>)</mml:mo>
              </mml:mrow>
              <mml:msub>
                <mml:mi>ℓ</mml:mi>
                <mml:mi>i</mml:mi>
              </mml:msub>
            </mml:mrow>
          </mml:math>
        </disp-formula>
        <p>subject to: </p>
        <disp-formula id="FD5">
          <label>(5)</label>
          <mml:math>
            <mml:mrow>
              <mml:msub>
                <mml:mi>x</mml:mi>
                <mml:mi>i</mml:mi>
              </mml:msub>
              <mml:mo>=</mml:mo>
              <mml:mn>1</mml:mn>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mo>∀</mml:mo>
              <mml:msub>
                <mml:mi>a</mml:mi>
                <mml:mi>i</mml:mi>
              </mml:msub>
              <mml:mo>:</mml:mo>
              <mml:msub>
                <mml:mi>ℓ</mml:mi>
                <mml:mi>i</mml:mi>
              </mml:msub>
              <mml:mo>=</mml:mo>
              <mml:mn>1</mml:mn>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mrow>
                <mml:mo>(</mml:mo>
                <mml:mrow>
                  <mml:mtext>business completeness</mml:mtext>
                </mml:mrow>
                <mml:mo>)</mml:mo>
              </mml:mrow>
            </mml:mrow>
          </mml:math>
        </disp-formula>
        <disp-formula id="FD6">
          <label>(6)</label>
          <mml:math>
            <mml:mrow>
              <mml:msub>
                <mml:mi>x</mml:mi>
                <mml:mi>i</mml:mi>
              </mml:msub>
              <mml:mo>≤</mml:mo>
              <mml:mn>1</mml:mn>
              <mml:mrow>
                <mml:mo>[</mml:mo>
                <mml:mrow>
                  <mml:mi>V</mml:mi>
                  <mml:mrow>
                    <mml:mo>(</mml:mo>
                    <mml:mrow>
                      <mml:msub>
                        <mml:mi>a</mml:mi>
                        <mml:mi>i</mml:mi>
                      </mml:msub>
                    </mml:mrow>
                    <mml:mo>)</mml:mo>
                  </mml:mrow>
                  <mml:mo>≥</mml:mo>
                  <mml:mi>θ</mml:mi>
                  <mml:mrow>
                    <mml:mo>(</mml:mo>
                    <mml:mrow>
                      <mml:msub>
                        <mml:mi>ρ</mml:mi>
                        <mml:mi>i</mml:mi>
                      </mml:msub>
                    </mml:mrow>
                    <mml:mo>)</mml:mo>
                  </mml:mrow>
                </mml:mrow>
                <mml:mo>]</mml:mo>
              </mml:mrow>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mo>∀</mml:mo>
              <mml:msub>
                <mml:mi>a</mml:mi>
                <mml:mi>i</mml:mi>
              </mml:msub>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mrow>
                <mml:mo>(</mml:mo>
                <mml:mrow>
                  <mml:mtext>verification sufficiency</mml:mtext>
                </mml:mrow>
                <mml:mo>)</mml:mo>
              </mml:mrow>
            </mml:mrow>
          </mml:math>
        </disp-formula>
        <disp-formula id="FD7">
          <label>(7)</label>
          <mml:math>
            <mml:mrow>
              <mml:msub>
                <mml:mi>x</mml:mi>
                <mml:mi>i</mml:mi>
              </mml:msub>
              <mml:mo>∈</mml:mo>
              <mml:mrow>
                <mml:mo>{</mml:mo>
                <mml:mrow>
                  <mml:mn>0</mml:mn>
                  <mml:mo>,</mml:mo>
                  <mml:mn>1</mml:mn>
                </mml:mrow>
                <mml:mo>}</mml:mo>
              </mml:mrow>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mtext>
                 
              </mml:mtext>
              <mml:mo>∀</mml:mo>
              <mml:mi>i</mml:mi>
              <mml:mo>∈</mml:mo>
              <mml:mrow>
                <mml:mo>{</mml:mo>
                <mml:mrow>
                  <mml:mn>1</mml:mn>
                  <mml:mo>,</mml:mo>
                  <mml:mo>⋯</mml:mo>
                  <mml:mo>,</mml:mo>
                  <mml:mi>n</mml:mi>
                </mml:mrow>
                <mml:mo>}</mml:mo>
              </mml:mrow>
            </mml:mrow>
          </mml:math>
        </disp-formula>
        <p><bold>Plain-English reading of Equation (4).</bold> The equation asks: find the set of permission decisions—each <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> is either grant (<inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mn> 1 </mml:mn></mml:mrow></mml:math></inline-formula> ) or deny (<inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mn> 0 </mml:mn></mml:mrow></mml:math></inline-formula> )—that minimises the total cost of getting those decisions wrong. It accumulates cost in exactly two ways. The first term charges <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> whenever an action that has no business justification (<inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> ℓ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mn> 0 </mml:mn></mml:mrow></mml:math></inline-formula> ) is nevertheless permitted (<inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mn> 1 </mml:mn></mml:mrow></mml:math></inline-formula> ): this is the price of unnecessary trust. The second term charges <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> whenever an action that is legitimately required (<inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> ℓ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mn> 1 </mml:mn></mml:mrow></mml:math></inline-formula> ) is blocked (<inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mn> 0 </mml:mn></mml:mrow></mml:math></inline-formula> ): this is the price of operational self-harm. The three constraints then define the feasible region: every legitimate action must be granted (Constraint 5); no action may be granted unless the verification evidence is sufficient for that resource (Constraint 6); and each decision is binary (Constraint 7). In plain terms: permit the minimum standing trust required to keep the business running, provided the evidence clears the bar, and penalise deviations from that minimum in proportion to the damage each type of deviation causes.</p>
        <p>The first term of Equation (4) thus penalizes unnecessary trust: permitting actions that have no business justification (<inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> ℓ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mn> 0 </mml:mn></mml:mrow></mml:math></inline-formula> ), weighted by their risk exposure <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> . The second term penalizes operational self-harm: denying actions that are legitimately required (<inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> ℓ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mn> 1 </mml:mn></mml:mrow></mml:math></inline-formula> ), weighted by their denial cost <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> . Constraint (5) encodes the business completeness requirement: every action in <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> must be permitted. Constraint (6) encodes the continuous verification requirement: an action can be permitted only if its verification score <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> meets or exceeds the resource-specific threshold <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> . The verification score <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> aggregates identity assurance level, device trust tier, session freshness, and behavioral conformance into a composite signal; <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> is a policy-defined minimum that scales with the sensitivity of the target resource <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> .</p>
        <p><bold>Policy intent: verification is a hard gate; completeness is conditional on it.</bold> Sections 6.2 and 6.3 could be read as supporting two different policies for a legitimate action whose current verification evidence is insufficient—“always permit” (business completeness) versus “permit only after sufficient evidence” (verification sufficiency). The framework resolves this in favour of verification: <italic>a business-required action is temporarily denied whenever its verification evidence is</italic><italic>insufficient</italic>, <italic>and</italic><italic>is permitted only once the evidence clears the resource threshold</italic><inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> . Verification is therefore a hard gate that takes precedence, and the business-completeness requirement is to be read as conditional on it—the policy must permit every legitimate action whose evidence is <italic>currently</italic> sufficient, not permit legitimate actions unconditionally. When <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow><mml:mo> &lt; </mml:mo><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> for a legitimate <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> , the correct response is not to waive the threshold but to remediate the evidence gap—step-up authentication, device re-enrolment, or session re-establishment—after which the action becomes permissible. The deny is thus temporary and evidence-driven rather than permanent, and the model preserves the invariant that no action, legitimate or otherwise, is ever permitted on insufficient evidence.</p>
        <p><bold>A worked end-to-end decision.</bold> A concrete request grounds the model. An on-call site-reliability engineer (identity <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> ι </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> : authenticated via a FIDO2 passkey, identity assurance high) attempts a privileged write (<inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> ω </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> : write) to a PHI-classified datastore (<inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> : regulated data, threshold <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow><mml:mo> = </mml:mo><mml:mn> 0.8 </mml:mn></mml:mrow></mml:math></inline-formula> ) during an active incident. The request arrives from a laptop whose posture agent reports current OS patching and full-disk encryption but a non-compliant screen-lock policy (device tier <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> δ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> : partially compliant), over a session that is MFA-backed but four hours old with no recent re-authentication (session context <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> σ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> : stale). The enrichment layer (Section 4) aggregates the verification components—identity assurance ≈0.85, device tier ≈0.70, session freshness ≈0.55, behavioural conformance ≈0.85—into, for this example, <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow><mml:mo> = </mml:mo><mml:mn> 0.74 </mml:mn></mml:mrow></mml:math></inline-formula> . The action is business-required during the incident, so <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> ℓ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mn> 1 </mml:mn></mml:mrow></mml:math></inline-formula> and the denial cost <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> is high. But <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow><mml:mo> = </mml:mo><mml:mn> 0.74 </mml:mn><mml:mo> &lt; </mml:mo><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow><mml:mo> = </mml:mo><mml:mn> 0.8 </mml:mn></mml:mrow></mml:math></inline-formula> , so the verification gate (Constraint 6) is not satisfied; because verification takes precedence, the business-completeness requirement is held in abeyance and the write is <italic>not</italic> granted. The decision is a <italic>temporary deny with a remediation path</italic>: the platform issues a step-up authentication challenge and requires the engineer to bring the device into screen-lock compliance, which raises session freshness and device tier and lifts <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> above 0.8. The action is then permitted, the grant is time-bounded to the incident window (a non-standing grant), and the full sequence—evidence components, threshold, decision, and remediation—is written to the audit log as control-to-case evidence. Had the same request originated from a fully managed device on a fresh, re-authenticated session, <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> would have cleared <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> immediately and the write would have been granted without challenge. This is the MST model operating as intended: business-required access is delivered, but only on sufficient, current evidence, and never as standing trust.</p>
        <p>This formulation makes explicit the tradeoff that the original uniform version obscured: the two objective terms pull in opposite directions, and the optimal <inline-formula><mml:math><mml:mrow><mml:msup><mml:mstyle mathvariant="bold" mathsize="normal"><mml:mi> x </mml:mi></mml:mstyle><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:math></inline-formula> is the Pareto point that minimizes their weighted sum given the risk tolerance encoded in <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> and <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> . When <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> → </mml:mo><mml:mi> ∞ </mml:mi></mml:mrow></mml:math></inline-formula> for all <inline-formula><mml:math><mml:mi> i </mml:mi></mml:math></inline-formula> , the problem degenerates to full permissiveness (traditional perimeter model). When <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> → </mml:mo><mml:mi> ∞ </mml:mi></mml:mrow></mml:math></inline-formula> for all <inline-formula><mml:math><mml:mi> i </mml:mi></mml:math></inline-formula> , it degenerates to full denial (operationally self-defeating deny-all). MST occupies the feasible interior.</p>
        <p><xref ref-type="fig" rid="fig5">Figure 5</xref> visualises this geometry. The U-shape of the total objective is the central reason that adding controls monotonically does not yield monotonic security improvement: past the MST optimum <inline-formula><mml:math><mml:mrow><mml:msup><mml:mstyle mathvariant="bold" mathsize="normal"><mml:mi> x </mml:mi></mml:mstyle><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:math></inline-formula> , additional denial increases denial cost faster than it reduces residual risk, and the security program absorbs operational damage without commensurate benefit. Conversely, every unit of standing trust granted to the right of <inline-formula><mml:math><mml:mrow><mml:msup><mml:mstyle mathvariant="bold" mathsize="normal"><mml:mi> x </mml:mi></mml:mstyle><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:math></inline-formula> adds risk cost faster than it removes operational friction. Identifying <inline-formula><mml:math><mml:mrow><mml:msup><mml:mstyle mathvariant="bold" mathsize="normal"><mml:mi> x </mml:mi></mml:mstyle><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:math></inline-formula> —and operating at it—is therefore not merely a matter of policy preference but the explicit goal of the MST framework.</p>
        <p><bold>Limitations of the formulation.</bold> Several limitations of Equation (4) deserve explicit acknowledgement.</p>
        <p><italic>Action independence.</italic> The formulation treats each action <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> as independent: the cost of permitting or denying <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> does not depend on which other actions are simultaneously permitted. In practice, actions are not independent. Permitting a read on a regulated dataset and permitting an export to an external endpoint together create an exfiltration path that neither action creates alone. The independent-action assumption is the most consequential modelling simplification in the formulation, and extending the model to capture combinatorial action interactions—at the cost of substantially increased complexity—is an important direction for future work.</p>
        <p><italic>Uniform action weight.</italic> Each action is assigned a single scalar <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> , treating all consequences of incorrectly permitting it as commensurable. In practice, an action can have multiple consequence dimensions (regulatory, financial, reputational, operational) that may not reduce to a single number without arbitrary weighting choices. The <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> parameterisation is therefore an abstraction that organisations must calibrate carefully, and different calibrations will produce materially different optimal policies.</p>
        <p><italic>The proxy hypothesis.</italic> Equation (4) optimises a measurable cost function as a proxy for unmeasurable quantities such as <inline-formula><mml:math><mml:mrow><mml:mi> P </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:mtext> breach </mml:mtext></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> or expected breach impact. The hypothesis that minimising the weighted trust surplus reduces actual breach probability is operationally motivated but not proven. It is the foundational modelling assumption of the MST framework, not a derived result, and its empirical validation is identified in Section 7.7 as a priority research direction.</p>
        <p><italic>Static</italic><inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula><italic>.</italic> The legitimate business-required set <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> is treated as known and fixed within each optimisation instance. In practice, <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> is dynamic, incompletely specified, and contested: engineering teams add new access requirements faster than governance processes can document them, and emergency exceptions create persistent paths that were never formally added to <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> . The action-space-time graph formulation in Section 6.4 partially addresses this by indexing <inline-formula><mml:math><mml:mrow><mml:msup><mml:mi> ℒ </mml:mi><mml:mrow><mml:mrow><mml:mo> ( </mml:mo><mml:mi> t </mml:mi><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:msup></mml:mrow></mml:math></inline-formula> over time, but it does not resolve the harder problem of learning <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> from operational behaviour rather than from policy declarations.</p>
        <fig id="fig5">
          <label>Figure 5</label>
          <graphic xlink:href="https://html.scirp.org/file/7801240-rId370.jpeg?20260715020614" />
        </fig>
        <p><bold>Figure 5</bold><bold>.</bold>The MST optimization geometry. The horizontal axis represents the proportion of the action space that is permitted, ranging from full denial (<inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mn> 0 </mml:mn></mml:mrow></mml:math></inline-formula><inline-formula><mml:math><mml:mrow><mml:mo> ∀ </mml:mo><mml:mi> i </mml:mi></mml:mrow></mml:math></inline-formula> , left edge) to full permit (<inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mn> 1 </mml:mn></mml:mrow></mml:math></inline-formula><inline-formula><mml:math><mml:mrow><mml:mo> ∀ </mml:mo><mml:mi> i </mml:mi></mml:mrow></mml:math></inline-formula> , right edge). The risk-exposure cost <inline-formula><mml:math><mml:mrow><mml:mstyle displaystyle="true"><mml:msub><mml:mo> ∑ </mml:mo><mml:mi> i </mml:mi></mml:msub><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:mn> 1 </mml:mn><mml:mo> − </mml:mo><mml:msub><mml:mi> ℓ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:mstyle></mml:mrow></mml:math></inline-formula> is convex increasing in permissiveness: more granted access exposes more attack surface. The denial/operational cost <inline-formula><mml:math><mml:mrow><mml:mstyle displaystyle="true"><mml:msub><mml:mo> ∑ </mml:mo><mml:mi> i </mml:mi></mml:msub><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:mn> 1 </mml:mn><mml:mo> − </mml:mo><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow><mml:msub><mml:mi> ℓ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:mstyle></mml:mrow></mml:math></inline-formula> is convex decreasing: more granted access denies fewer business-required actions. Their sum is the MST total objective of Equation (4), which is U-shaped on this axis and attains its minimum at the feasible interior point <inline-formula><mml:math><mml:mrow><mml:msup><mml:mstyle mathvariant="bold" mathsize="normal"><mml:mi> x </mml:mi></mml:mstyle><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:math></inline-formula> : the operating point of <italic>minimum standing trust consistent with business-required operations</italic>. Pure Zero Trust (deny-all) is operationally self-defeating in this geometry; the perimeter model (permit-all) maximizes exposure. The MST framework rejects both extremes and locates the optimum between them.</p>
      </sec>
      <sec id="sec6dot4">
        <title>6.4. Action-Space-Time Graph Formulation</title>
        <p>The weighted ILP formulation of Equations (4)-(7) treats the action space as a static flat set. In practice, enterprise access patterns are dynamic: identities, devices, sessions, and resources change state continuously, and the verification score <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> and threshold <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> are time-varying quantities. A graph-theoretic formulation captures this temporal dimension naturally.</p>
        <p>Define the <bold>action-space-time graph</bold><inline-formula><mml:math><mml:mrow><mml:mi> G </mml:mi><mml:mo> = </mml:mo><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> V </mml:mi><mml:mi> G </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msub><mml:mi> E </mml:mi><mml:mi> G </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> as follows. The vertex set <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> V </mml:mi><mml:mi> G </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mi mathvariant="script"> U </mml:mi><mml:mo> ∪ </mml:mo><mml:mi> ℛ </mml:mi></mml:mrow></mml:math></inline-formula> partitions into <italic>actor nodes</italic><inline-formula><mml:math><mml:mi mathvariant="script"> U </mml:mi></mml:math></inline-formula> (users, service accounts, processes, devices) and <italic>resource nodes</italic><inline-formula><mml:math><mml:mi> ℛ </mml:mi></mml:math></inline-formula> (data stores, APIs, administrative consoles, cloud control plane endpoints). Each directed edge <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> e </mml:mi><mml:mrow><mml:mi> i </mml:mi><mml:mi> j </mml:mi></mml:mrow></mml:msub><mml:mo> ∈ </mml:mo><mml:msub><mml:mi> E </mml:mi><mml:mi> G </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> from actor node <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> u </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> ∈ </mml:mo><mml:mi mathvariant="script"> U </mml:mi></mml:mrow></mml:math></inline-formula> to resource node <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> r </mml:mi><mml:mi> j </mml:mi></mml:msub><mml:mo> ∈ </mml:mo><mml:mi> ℛ </mml:mi></mml:mrow></mml:math></inline-formula> represents a potential access action, with weight <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mrow><mml:mi> i </mml:mi><mml:mi> j </mml:mi></mml:mrow></mml:msub></mml:mrow></mml:math></inline-formula> encoding risk exposure. Time-indexed copies of the graph, <inline-formula><mml:math><mml:mrow><mml:msup><mml:mi> G </mml:mi><mml:mrow><mml:mrow><mml:mo> ( </mml:mo><mml:mi> t </mml:mi><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:msup><mml:mo> = </mml:mo><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> V </mml:mi><mml:mi> G </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msubsup><mml:mi> E </mml:mi><mml:mi> G </mml:mi><mml:mrow><mml:mrow><mml:mo> ( </mml:mo><mml:mi> t </mml:mi><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:msubsup></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> , capture the fact that verification scores and business requirements evolve: an edge <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> e </mml:mi><mml:mrow><mml:mi> i </mml:mi><mml:mi> j </mml:mi></mml:mrow></mml:msub></mml:mrow></mml:math></inline-formula> that is permitted at time <inline-formula><mml:math><mml:mi> t </mml:mi></mml:math></inline-formula> may not satisfy the verification threshold at time <inline-formula><mml:math><mml:mrow><mml:mi> t </mml:mi><mml:mo> + </mml:mo><mml:mtext> Δ </mml:mtext><mml:mi> t </mml:mi></mml:mrow></mml:math></inline-formula> if device posture degrades or session context changes.</p>
        <p>The MST problem on the graph is: find the minimum-cost subgraph <inline-formula><mml:math><mml:mrow><mml:msup><mml:mi> G </mml:mi><mml:mtext> * </mml:mtext></mml:msup><mml:mo> = </mml:mo><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> V </mml:mi><mml:mi> G </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msup><mml:mi> E </mml:mi><mml:mtext> * </mml:mtext></mml:msup></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> of <inline-formula><mml:math><mml:mrow><mml:msup><mml:mi> G </mml:mi><mml:mrow><mml:mrow><mml:mo> ( </mml:mo><mml:mi> t </mml:mi><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:msup></mml:mrow></mml:math></inline-formula> such that:</p>
        <p>1) <inline-formula><mml:math><mml:mrow><mml:msup><mml:mi> E </mml:mi><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:math></inline-formula> contains all edges corresponding to <inline-formula><mml:math><mml:mrow><mml:msup><mml:mi> ℒ </mml:mi><mml:mrow><mml:mrow><mml:mo> ( </mml:mo><mml:mi> t </mml:mi><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:msup></mml:mrow></mml:math></inline-formula> (the current legitimate business-required actions); </p>
        <p>2) For every edge <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> e </mml:mi><mml:mrow><mml:mi> i </mml:mi><mml:mi> j </mml:mi></mml:mrow></mml:msub><mml:mo> ∈ </mml:mo><mml:msup><mml:mi> E </mml:mi><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:math></inline-formula> : <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> e </mml:mi><mml:mrow><mml:mi> i </mml:mi><mml:mi> j </mml:mi></mml:mrow></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow><mml:mo> ≥ </mml:mo><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> r </mml:mi><mml:mi> j </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> ; </p>
        <p>3) The induced subgraph on <inline-formula><mml:math><mml:mrow><mml:msup><mml:mi> ℒ </mml:mi><mml:mrow><mml:mrow><mml:mo> ( </mml:mo><mml:mi> t </mml:mi><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:msup></mml:mrow></mml:math></inline-formula> is connected in the sense that all business workflows can execute without interruption. </p>
        <p>The objective function on the graph is <inline-formula><mml:math><mml:mrow><mml:msub><mml:mrow><mml:mtext> min </mml:mtext></mml:mrow><mml:mrow><mml:msup><mml:mi> E </mml:mi><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:msub><mml:mstyle displaystyle="true"><mml:msub><mml:mo> ∑ </mml:mo><mml:mrow><mml:msub><mml:mi> e </mml:mi><mml:mrow><mml:mi> i </mml:mi><mml:mi> j </mml:mi></mml:mrow></mml:msub><mml:mo> ∈ </mml:mo><mml:msup><mml:mi> E </mml:mi><mml:mtext> * </mml:mtext></mml:msup><mml:mo> \ </mml:mo><mml:msup><mml:mi> ℒ </mml:mi><mml:mrow><mml:mrow><mml:mo> ( </mml:mo><mml:mi> t </mml:mi><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:msup></mml:mrow></mml:msub><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mrow><mml:mi> i </mml:mi><mml:mi> j </mml:mi></mml:mrow></mml:msub></mml:mrow></mml:mstyle></mml:mrow></mml:math></inline-formula> , <italic>i.e.</italic>, minimize the </p>
        <p>total risk-exposure weight of permitted edges that are not legitimately required. This is a <italic>weighted minimum subgraph cover</italic> problem on a bipartite directed graph. When <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mrow><mml:mi> i </mml:mi><mml:mi> j </mml:mi></mml:mrow></mml:msub><mml:mo> = </mml:mo><mml:mn> 1 </mml:mn></mml:mrow></mml:math></inline-formula> for all edges, it reduces to the uniform cardinality formulation in Equation (3).</p>
        <p>This graph representation, visually depicted in <xref ref-type="fig" rid="fig6">Figure 6</xref>, connects directly to intrusion detection systems that model enterprise activity as a provenance graph or process-lineage graph [<xref ref-type="bibr" rid="B46">46</xref>]. In those systems, nodes represent processes, files, and network sockets, and edges represent system-call-level events—precisely the fine granularity of the action space described here. The MST subgraph cover problem can therefore be instantiated on a provenance graph, treating each system-level event as a candidate <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> and applying the verification and risk constraints per edge. This connection makes the MST formulation amenable to empirical validation on provenance graph datasets, a direction identified as a priority in Section 7.7.</p>
      </sec>
      <sec id="sec6dot5">
        <title>6.5. Complexity and Tractability</title>
        <p>The uniform-cardinality version of the MST problem (minimize <inline-formula><mml:math><mml:mrow><mml:mrow><mml:mo> | </mml:mo><mml:mrow><mml:mi mathvariant="script"> T </mml:mi><mml:mo> \ </mml:mo><mml:mi> ℒ </mml:mi></mml:mrow><mml:mo> | </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> subject to <inline-formula><mml:math><mml:mrow><mml:mi> ℒ </mml:mi><mml:mo> ⊆ </mml:mo><mml:mi mathvariant="script"> T </mml:mi></mml:mrow></mml:math></inline-formula> and verification constraints) is equivalent, when the verification constraint is dropped, to finding the minimum superset of <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> in <inline-formula><mml:math><mml:mi mathvariant="script"> S </mml:mi></mml:math></inline-formula> , which is trivially solvable. The computational difficulty arises from two sources: 1) the verification constraint <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow><mml:mo> ≥ </mml:mo><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> couples the permission variables <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> to a scoring function that may be non-linear and resource-intensive to evaluate; 2) in the weighted formulation, the interaction between the two objective terms and the completeness constraint creates a structure analogous to the <bold>0</bold><bold>-</bold><bold>1 knapsack problem</bold>, which is NP-hard in the strong sense [<xref ref-type="bibr" rid="B32">32</xref>]: each action <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> has a “profit” (denial cost <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> if it is in <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> ) and a “weight” (risk cost <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> ), and the problem is to select the minimum-risk superset of <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> within the feasible verification region.</p>
        <p>More precisely, the weighted MST problem (Equations 4-7) is NP-hard by reduction from 0-1 knapsack: given a knapsack instance with items <inline-formula><mml:math><mml:mrow><mml:mrow><mml:mo> { </mml:mo><mml:mrow><mml:mn> 1 </mml:mn><mml:mo> , </mml:mo><mml:mo> ⋯ </mml:mo><mml:mo> , </mml:mo><mml:mi> n </mml:mi></mml:mrow><mml:mo> } </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> , values <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> v </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> , weights <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> w </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> , and capacity <inline-formula><mml:math><mml:mi> W </mml:mi></mml:math></inline-formula> , construct an MST instance with <inline-formula><mml:math><mml:mrow><mml:mi> ℒ </mml:mi><mml:mo> = </mml:mo><mml:mo> ∅ </mml:mo></mml:mrow></mml:math></inline-formula> , <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:msub><mml:mi> w </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> , <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:msub><mml:mi> v </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> , and <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow><mml:mo> = </mml:mo><mml:mn> 0 </mml:mn></mml:mrow></mml:math></inline-formula> for all <inline-formula><mml:math><mml:mi> i </mml:mi></mml:math></inline-formula> . The MST optimal selects the minimum-weight feasible set, which corresponds directly to the knapsack optimal selection.</p>
        <fig id="fig6">
          <label>Figure 6</label>
          <graphic xlink:href="https://html.scirp.org/file/7801240-rId473.jpeg?20260715020615" />
        </fig>
        <p><bold>Figure 6</bold><bold>.</bold><bold>W</bold><bold>eighted minimum subgraph cover: full action space</bold><inline-formula><mml:math><mml:mi> G </mml:mi></mml:math></inline-formula><bold>and optimal permitted subgraph</bold><inline-formula><mml:math><mml:mrow><mml:msup><mml:mi> G </mml:mi><mml:mo> * </mml:mo></mml:msup></mml:mrow></mml:math></inline-formula><bold>.</bold> The left panel shows the full bipartite graph of candidate access actions between three actor nodes (<inline-formula><mml:math><mml:mi mathvariant="script"> U </mml:mi></mml:math></inline-formula> ) and three resource nodes (<inline-formula><mml:math><mml:mi> ℛ </mml:mi></mml:math></inline-formula> ), with each directed edge labelled by its risk-exposure weight <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mrow><mml:mi> i </mml:mi><mml:mi> j </mml:mi></mml:mrow></mml:msub></mml:mrow></mml:math></inline-formula> and current verification score <inline-formula><mml:math><mml:mi> V </mml:mi></mml:math></inline-formula> . The right panel shows the MST-optimal permitted subgraph <inline-formula><mml:math><mml:mrow><mml:msup><mml:mi> G </mml:mi><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:math></inline-formula> : green edges are business-required and pass the verification threshold; the amber dashed edge (U2→R1) is not required but has low <inline-formula><mml:math><mml:mrow><mml:mi> c </mml:mi><mml:mo> = </mml:mo><mml:mn> 1 </mml:mn></mml:mrow></mml:math></inline-formula> cost so is retained; red dashed edges fail the verification gate (<inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mo> &lt; </mml:mo><mml:mi> θ </mml:mi></mml:mrow></mml:math></inline-formula> ) and are ineligible regardless of business requirement. The key illustrative case is U2→R3: the Engineer needs control-plane access (<inline-formula><mml:math><mml:mrow><mml:mi> ℓ </mml:mi><mml:mo> = </mml:mo><mml:mn> 1 </mml:mn></mml:mrow></mml:math></inline-formula> ) but achieves only <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mo> = </mml:mo><mml:mn> 0.79 </mml:mn></mml:mrow></mml:math></inline-formula> , which falls below the critical-resource threshold <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mo> = </mml:mo><mml:mn> 0.95 </mml:mn></mml:mrow></mml:math></inline-formula> . The policy response is not to lower <inline-formula><mml:math><mml:mi> θ </mml:mi></mml:math></inline-formula> but to remediate the evidence gap—step-up authentication or device re-enrolment—before the permission can be granted.</p>
        <p>For practical enterprise scales, this complexity motivates relaxation approaches. A <bold>linear programming (LP) relaxation</bold> of Equations (4)-(7) replaces <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> ∈ </mml:mo><mml:mrow><mml:mo> { </mml:mo><mml:mrow><mml:mn> 0 </mml:mn><mml:mo> , </mml:mo><mml:mn> 1 </mml:mn></mml:mrow><mml:mo> } </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> with <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> ∈ </mml:mo><mml:mrow><mml:mo> [ </mml:mo><mml:mrow><mml:mn> 0 </mml:mn><mml:mo> , </mml:mo><mml:mn> 1 </mml:mn></mml:mrow><mml:mo> ] </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> and solves the resulting LP in polynomial time; the fractional solution can be rounded to a feasible integer solution with a bounded approximation ratio. Alternatively, the structure of the problem—bipartite graph, separable objective, binary variables—makes it well-suited to <bold>branch-and-bound mixed integer programming (MIP)</bold> solvers, which handle enterprise-scale instances (tens of thousands of action types) routinely in practice [<xref ref-type="bibr" rid="B47">47</xref>]. For real-time enforcement decisions, where the full MIP is too slow, a greedy policy that sorts candidate actions by <inline-formula><mml:math><mml:mrow><mml:mrow><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> / </mml:mo><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:mrow></mml:mrow></mml:math></inline-formula> (risk per unit of verification evidence) and admits actions in ascending risk order until the completeness constraint is satisfied provides a practical approximation with a well-understood performance bound.</p>
        <p>The time-varying graph formulation introduces additional structure: as <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> r </mml:mi><mml:mi> j </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> and <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> e </mml:mi><mml:mrow><mml:mi> i </mml:mi><mml:mi> j </mml:mi></mml:mrow></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> change, previously permitted edges may need to be revoked and previously denied edges may become admissible. The dynamic version of the problem is related to <italic>online subgraph maintenance</italic> under changing constraints, a problem studied in the streaming graph algorithms literature [<xref ref-type="bibr" rid="B48">48</xref>]. This connection suggests that the SOC’s continuous re-evaluation of session trust is not merely a policy preference but a computational necessity: the optimal permitted set changes as the verification evidence changes, and maintaining it requires incremental update rather than full re-solve.</p>
      </sec>
      <sec id="sec6dot6">
        <title>6.6. Mapping Optimization Elements to Architecture</title>
        <p>The formalization above maps directly onto the two-plane operating architecture and unified telemetry framework described in Sections 4-7, as summarized below.</p>
        <p><bold>Action space</bold><inline-formula><mml:math><mml:mi mathvariant="script"> S </mml:mi></mml:math></inline-formula><bold>.</bold> At the external application edge, the action space is narrow: inbound HTTP/S requests, API calls, authentication attempts, and partner integrations. The cardinality of <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> at the edge is small and well-documented, making the optimization tractable and the verification threshold <inline-formula><mml:math><mml:mi> θ </mml:mi></mml:math></inline-formula> enforceable close to deny-by-default. Internally, <inline-formula><mml:math><mml:mrow><mml:mrow><mml:mo> | </mml:mo><mml:mi mathvariant="script"> S </mml:mi><mml:mo> | </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> is orders of magnitude larger (every user-to-resource path across the enterprise), but the risk weights <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> concentrate on a small subset of high-consequence actions (privileged administrative sessions, regulated data access, cloud control plane operations), allowing the optimizer to allocate verification resources proportionally.</p>
        <p><bold>Verification score</bold><inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula><bold>.</bold> The unified telemetry plane (Section 7) exists precisely to compute <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> in real time. Each source—IAM, EDR, ZTNA, NIDS, UEBA—contributes a component of the verification score. Without telemetry fusion, <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> cannot be computed accurately, and the optimization problem becomes infeasible: actions are permitted or denied on incomplete evidence, which corresponds to setting some <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> to zero (under-penalizing risky actions) or some <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> to zero (under-protecting legitimate ones).</p>
        <p><bold>Bounded autonomy as a constraint on</bold><inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula><bold>.</bold> The bounded-autonomy ladder (Section 8) is a policy translation of the risk-weight structure. Actions at the top of the ladder (policy rewrites, permanent access changes) have high <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> and are therefore excluded from autonomous execution even when <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow><mml:mo> ≥ </mml:mo><mml:mi> θ </mml:mi></mml:mrow></mml:math></inline-formula> . Actions at the bottom (alert enrichment, duplicate suppression) have negligible <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> and are freely automated. The ladder makes the optimization structure operationally legible to analysts who do not interact with the formal model directly.</p>
        <p><bold>Discussion of assumptions.</bold> The MST model rests on the working hypothesis that minimizing the risk-weighted unnecessary trust set <inline-formula><mml:math><mml:mrow><mml:mstyle displaystyle="true"><mml:msub><mml:mo> ∑ </mml:mo><mml:mi> i </mml:mi></mml:msub><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:mn> 1 </mml:mn><mml:mo> − </mml:mo><mml:msub><mml:mi> ℓ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:mstyle></mml:mrow></mml:math></inline-formula> is a useful proxy for minimizing concrete security metrics such as <inline-formula><mml:math><mml:mrow><mml:mi> P </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:mtext> breach </mml:mtext></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> or expected breach impact. This hypothesis is not proven in the paper; it is the fundamental modeling assumption, analogous to the assumption in network hardening that minimizing attack graph reach reduces breach probability [<xref ref-type="bibr" rid="B31">31</xref>]. The advantage of the set-size and graph-size formulations is that they are computable from operational data, whereas <inline-formula><mml:math><mml:mrow><mml:mi> P </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:mtext> breach </mml:mtext></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> is not. We acknowledge this approximation and identify its empirical validation as a priority research direction (Section 7.7).</p>
      </sec>
      <sec id="sec6dot7">
        <title>6.7. Attack Surface Minimization as the Theoretical Objective</title>
        <p>The formulation of Equations (3)-(7) has a direct interpretation in the attack-surface-minimization literature introduced by work on attack surface metrics [<xref ref-type="bibr" rid="B33">33</xref>][<xref ref-type="bibr" rid="B34">34</xref>]. In that tradition, the <italic>attack surface</italic> of a system is the subset of its resources reachable and usable by an attacker: entry points through which inputs flow, exit points through which outputs flow, and channel resources that mediate communication. Reducing this surface reduces the opportunities available for adversarial exploitation.</p>
        <p>For the MST framework, the connection is immediate. The permitted action set <inline-formula><mml:math><mml:mrow><mml:mi mathvariant="script"> T </mml:mi><mml:mo> ⊆ </mml:mo><mml:mi mathvariant="script"> S </mml:mi></mml:mrow></mml:math></inline-formula><italic>is</italic> the enterprise attack surface in the relevant sense: every action permitted by policy is an action an attacker might exploit if they can impersonate a legitimate actor or compromise the verification context. The legitimate business-required set <inline-formula><mml:math><mml:mrow><mml:mi> ℒ </mml:mi><mml:mo> ⊆ </mml:mo><mml:mi mathvariant="script"> T </mml:mi></mml:mrow></mml:math></inline-formula> is the irreducible lower bound on this surface—the portion that must be exposed for the service to function—and the trust surplus <inline-formula><mml:math><mml:mrow><mml:mi mathvariant="script"> T </mml:mi><mml:mo> \ </mml:mo><mml:mi> ℒ </mml:mi></mml:mrow></mml:math></inline-formula> is the avoidable portion. The MST objective is therefore a direct quantitative expression of attack surface minimization under operational feasibility constraints.</p>
        <p><bold>The effect of reputation-based blocking.</bold> A reputation-list control—whether operated at the network perimeter (NIDS, firewall) or at the endpoint (EDR egress policy)—modifies the problem structure by pre-filtering the action space itself, not merely the permitted subset. Let <inline-formula><mml:math><mml:mrow><mml:mi> ℬ </mml:mi><mml:mo> ⊆ </mml:mo><mml:mi mathvariant="script"> S </mml:mi></mml:mrow></mml:math></inline-formula> denote the set of actions whose identity tuple <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ι </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msub><mml:mi> δ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msub><mml:mi> σ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msub><mml:mi> ω </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> has either <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> ι </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> or <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> resolving to an IP address on a curated reputation feed. Reputation-based auto-blocking enforces <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mn> 0 </mml:mn></mml:mrow></mml:math></inline-formula> for every <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> ∈ </mml:mo><mml:mi> ℬ </mml:mi></mml:mrow></mml:math></inline-formula> regardless of all other considerations. The effective action space becomes: </p>
        <disp-formula id="FD8">
          <label>(8)</label>
          <mml:math>
            <mml:mrow>
              <mml:msub>
                <mml:mi mathvariant="script">S</mml:mi>
                <mml:mrow>
                  <mml:mtext>eff</mml:mtext>
                </mml:mrow>
              </mml:msub>
              <mml:mo>=</mml:mo>
              <mml:mi mathvariant="script">S</mml:mi>
              <mml:mo>\</mml:mo>
              <mml:mi>ℬ</mml:mi>
            </mml:mrow>
          </mml:math>
        </disp-formula>
        <p>and the MST optimization is solved over <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi mathvariant="script"> S </mml:mi><mml:mrow><mml:mtext> eff </mml:mtext></mml:mrow></mml:msub></mml:mrow></mml:math></inline-formula> rather than <inline-formula><mml:math><mml:mi mathvariant="script"> S </mml:mi></mml:math></inline-formula> . Because reputation feeds explicitly enumerate hosts with documented adversarial activity, the expected intersection <inline-formula><mml:math><mml:mrow><mml:mi> ℒ </mml:mi><mml:mo> ∩ </mml:mo><mml:mi> ℬ </mml:mi></mml:mrow></mml:math></inline-formula> is close to empty—legitimate business counterparties do not appear on Spamhaus DROP or AbuseIPDB—so the completeness constraint <inline-formula><mml:math><mml:mrow><mml:mi> ℒ </mml:mi><mml:mo> ⊆ </mml:mo><mml:msup><mml:mi mathvariant="script"> T </mml:mi><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:math></inline-formula> remains satisfiable in <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi mathvariant="script"> S </mml:mi><mml:mrow><mml:mtext> eff </mml:mtext></mml:mrow></mml:msub></mml:mrow></mml:math></inline-formula> . The practical result is that the optimal permitted set <inline-formula><mml:math><mml:mrow><mml:msubsup><mml:mi mathvariant="script"> T </mml:mi><mml:mrow><mml:mtext> eff </mml:mtext></mml:mrow><mml:mtext> * </mml:mtext></mml:msubsup></mml:mrow></mml:math></inline-formula> computed over <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi mathvariant="script"> S </mml:mi><mml:mrow><mml:mtext> eff </mml:mtext></mml:mrow></mml:msub></mml:mrow></mml:math></inline-formula> has strictly smaller attacker-exploitable surface than the corresponding optimum <inline-formula><mml:math><mml:mrow><mml:msup><mml:mi mathvariant="script"> T </mml:mi><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:math></inline-formula> computed over the full <inline-formula><mml:math><mml:mi mathvariant="script"> S </mml:mi></mml:math></inline-formula> : </p>
        <disp-formula id="FD9">
          <label>(9)</label>
          <mml:math>
            <mml:mrow>
              <mml:mrow>
                <mml:mo>|</mml:mo>
                <mml:mrow>
                  <mml:msubsup>
                    <mml:mi mathvariant="script">T</mml:mi>
                    <mml:mrow>
                      <mml:mtext>eff</mml:mtext>
                    </mml:mrow>
                    <mml:mtext>*</mml:mtext>
                  </mml:msubsup>
                  <mml:mo>\</mml:mo>
                  <mml:mi>ℒ</mml:mi>
                </mml:mrow>
                <mml:mo>|</mml:mo>
              </mml:mrow>
              <mml:mo>≤</mml:mo>
              <mml:mrow>
                <mml:mo>|</mml:mo>
                <mml:mrow>
                  <mml:msup>
                    <mml:mi mathvariant="script">T</mml:mi>
                    <mml:mtext>*</mml:mtext>
                  </mml:msup>
                  <mml:mo>\</mml:mo>
                  <mml:mi>ℒ</mml:mi>
                </mml:mrow>
                <mml:mo>|</mml:mo>
              </mml:mrow>
            </mml:mrow>
          </mml:math>
        </disp-formula>
        <p>with strict inequality whenever <inline-formula><mml:math><mml:mi> ℬ </mml:mi></mml:math></inline-formula> contains any action that would otherwise satisfy the verification threshold under <inline-formula><mml:math><mml:mrow><mml:msup><mml:mi mathvariant="script"> T </mml:mi><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:math></inline-formula> .</p>
        <p><bold>The theoretical lower bound.</bold> Equation (9) frames the fundamental question of how far attack surface can be reduced in principle. The global lower bound is given by the legitimate set itself: </p>
        <disp-formula id="FD10">
          <label>(10)</label>
          <mml:math>
            <mml:mrow>
              <mml:mrow>
                <mml:mo>|</mml:mo>
                <mml:mrow>
                  <mml:msup>
                    <mml:mi mathvariant="script">T</mml:mi>
                    <mml:mtext>*</mml:mtext>
                  </mml:msup>
                  <mml:mo>\</mml:mo>
                  <mml:mi>ℒ</mml:mi>
                </mml:mrow>
                <mml:mo>|</mml:mo>
              </mml:mrow>
              <mml:mo>≥</mml:mo>
              <mml:mn>0</mml:mn>
            </mml:mrow>
          </mml:math>
        </disp-formula>
        <p>with equality if and only if every action in <inline-formula><mml:math><mml:mrow><mml:msup><mml:mi mathvariant="script"> T </mml:mi><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:math></inline-formula> is business-required. This bound is achievable only under perfect information—complete knowledge of <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> , perfect verification (<inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow><mml:mo> = </mml:mo><mml:mn> 1 </mml:mn></mml:mrow></mml:math></inline-formula> for all legitimate actions), and no external dependencies. In practice, the realized trust surplus is strictly positive, and the engineering question becomes: how close to zero can it be driven without violating the operational-cost constraint?</p>
        <p>The two planes of the MST architecture give different answers to this question. At the external application edge, <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> is narrow, well-documented, and relatively static (customer API calls, authentication endpoints, partner integrations), making the trust surplus easier to drive toward zero. Bidirectional reputation blocking reduces it further by shrinking the action space before the optimization is even formulated. Inside the internal enterprise, <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> is broader, dynamic, and incompletely specified, so the achievable minimum is inherently larger—but endpoint-enforced reputation blocking still reduces it by an amount bounded by the size of <inline-formula><mml:math><mml:mi> ℬ </mml:mi></mml:math></inline-formula> restricted to internal-origin traffic.</p>
        <p>The MST model thus provides both an operational framework and a theoretical minimum: the ideal end-state of a Zero Trust program is a permitted action set exactly equal to the current legitimate business-required set, with all other actions either denied by policy or pre-filtered by reputation-based blocking. Every deviation from this ideal—every permitted action outside <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> , every connection to or from a reputation-listed IP that the platform fails to block—is a quantifiable gap in the architecture rather than an unmeasurable policy judgement. This quantifiability is what distinguishes attack surface minimization from traditional Zero Trust rhetoric: it supplies a target that organizations can measure progress against, and it supplies a theoretical justification for specific controls (reputation blocking, JIT privilege, device tiering) in terms of the surface-reduction they produce.</p>
      </sec>
    </sec>
    <sec id="sec7">
      <title>7. Expected Outcomes and Argument Summary</title>
      <sec id="sec7dot1">
        <title>7.1. Summary of the Central Argument</title>
        <p>The argument of this paper can be stated plainly. Zero Trust is not a product category. Network location is not a trust signal. Standing privilege is the enemy. Compliance evidence is a byproduct of good architecture, not its purpose. These are not marketing slogans; they are operational commitments with specific engineering consequences.</p>
        <p>The Minimum Standing Trust model operationalizes these commitments in four steps. Step one: at the Internet-facing application edge, enforce deny-by-default using WAF, NIDS, and abuse-list controls as <italic>instruments</italic> of that posture—not as the posture itself. Step two: inside the enterprise, eliminate standing privilege through identity-centric access, device-trust tiering, JIT elevation, and continuous session verification. The goal is that no adversary who acquires a credential can inherit the access it once carried indefinitely. Step three: fuse all telemetry into a single decision plane so that the security operations center receives incidents, not fragments, and can answer who acted, from where, against what, with what evidence. Step four: let AI operate inside this model—automating what is reversible, narrow, and pre-authorized while requiring human judgment for anything that cannot be quickly undone or that touches regulated data at scale. The compliance records that regulators and auditors need are a natural output of this architecture, not a parallel documentation effort.</p>
      </sec>
      <sec id="sec7dot2">
        <title>7.2. Expected Operational Outcomes</title>
        <p>A Zero Trust operations model is credible only if it produces measurable improvements in outcomes rather than merely increasing control count or coverage claims. For a regulated SaaS enterprise, the MST framework is expected to produce four principal outcome improvements.</p>
        <p><bold>Reduction in unjustified access.</bold> The progressive removal of standing trust, JIT privilege, and device-trust tiering collectively shrink the attack surface available to an adversary who has acquired a valid credential. This directly reduces the dwell time and lateral movement capability implied by a credential-theft event. Credential and identity-based attacks remain the dominant initial-access vector across all major annual threat intelligence reports [<xref ref-type="bibr" rid="B11">11</xref>]-[<xref ref-type="bibr" rid="B13">13</xref>].</p>
        <p><bold>Reduction in analyst toil.</bold> Unified telemetry and bounded AI automation reduce the manual correlation work imposed on analysts by fragmented detection stacks. Alert enrichment, case summarization, and duplicate suppression are the highest-volume, lowest-value analyst tasks; automating them within the bounded-autonomy framework frees analyst capacity for high-judgment work such as threat hunting, policy refinement, and incident command.</p>
        <p><bold>Improvement in detection and containment speed.</bold> A shared telemetry pipeline with pre-enriched incident records reduces mean-time-to-detect and mean-time-to-contain by eliminating manual pivot time. When an analyst receives an incident rather than a fragment, the time from alert to containment decision is reduced by the elimination of the context-assembly phase.</p>
        <p><bold>Improvement in audit-evidence generation.</bold> Unified telemetry with compliance-tagged event records transforms audit preparation from a retrospective evidence-gathering exercise into a continuous operational byproduct. The evidence a regulator or customer questionnaire requires—access logs, control outcomes, exception records, policy decisions—exists as a natural output of the operational platform rather than a separately constructed artifact.</p>
      </sec>
      <sec id="sec7dot3">
        <title>7.3. Performance Metrics and Governance Cadence</title>
        <p>The appropriate scorecard for the MST framework balances four dimensions: security effectiveness, analyst efficiency, business friction, and evidence quality. Useful quantitative measures include: mean time to detect (MTTD); mean time to contain (MTTC); mean time to recover (MTTR); false-block rate (the fraction of automated blocks that are later reversed as erroneous); exception-turnaround time (time from exception request to documented resolution); percentage of analyst time on repeatable low-value tasks; percentage of autonomous actions subsequently reversed; and the fraction of alert volume arriving with sufficient context to support a decision without manual pivoting.</p>
        <p>In regulated environments, a further class of metrics is operationally essential: evidence latency (how quickly can an event be reconstructed for audit?); control-to-case traceability (can every control action be linked to a governing policy and a ticket?); and answer time for auditor or customer inquiries about specific access events.</p>
        <p>An explicit multi-objective optimization model is useful for framing governance reviews honestly. Security teams are often informally evaluated on whether they block enough adversarial activity while formally measured on availability, audit readiness, and customer trust. These objectives can pull in opposite directions, and the temptation is to resolve the tension implicitly rather than explicitly. The MST optimization structure (Section 6.3, Equation 4) makes the tradeoff visible: reducing <inline-formula><mml:math><mml:mrow><mml:mrow><mml:mo> | </mml:mo><mml:mrow><mml:mi mathvariant="script"> T </mml:mi><mml:mo> \ </mml:mo><mml:mi> ℒ </mml:mi></mml:mrow><mml:mo> | </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> is the security objective; maintaining <inline-formula><mml:math><mml:mrow><mml:mi> ℒ </mml:mi><mml:mo> ⊆ </mml:mo><mml:mi mathvariant="script"> T </mml:mi></mml:mrow></mml:math></inline-formula> is the availability constraint; and the verification threshold <inline-formula><mml:math><mml:mi> θ </mml:mi></mml:math></inline-formula> parameterizes the risk tolerance of the organization at each resource class. Governance reviews should track all three dimensions simultaneously.</p>
      </sec>
      <sec id="sec7dot4">
        <title>7.4. Validation and Red-Team Considerations</title>
        <p>Validation must be explicit and structured. Edge policies should be exercised through red-team and purple-team scenarios simulating exploit traffic, abuse-list hits, false-attribution cases, and partner-traffic exceptions. Internal Zero Trust controls should be tested against stolen-session scenarios, unmanaged-device access attempts, privilege escalation paths, support-account misuse, and insider-style behavioral anomalies. AI-enabled playbooks should be run in shadow mode with before-and-after comparison of analyst actions, response speed, reversal rates, and business impact, before being promoted to live execution authority.</p>
        <p>Without structured validation, organizations tend to overestimate both detection precision and readiness for autonomous action. The bounded-autonomy ladder in <xref ref-type="fig" rid="fig4">Figure 4</xref> and the decision matrix in <bold>Table 1</bold> are useful not just as design guides but as evaluation rubrics: an organization can assess whether its current autonomous action program stays within the cells that the framework designates as safe for automation.</p>
        <p>These reviews should engage more than the SOC. In a regulated SaaS company, the consequences of Zero Trust policy are distributed across engineering, support, privacy, compliance, product, and customer trust functions. A regular cross-functional governance cadence is therefore essential. At minimum, the organization should review: the precision of automated blocks; the exception patterns introduced by geo or reputation controls; the policy drift introduced by repeated emergency overrides; the failure modes of behavioral detections; and the cases in which bounded automation either prevented harm or created avoidable friction. These reviews convert isolated lessons learned into structured policy refinement.</p>
      </sec>
      <sec id="sec7dot5">
        <title>7.5. Limitations and Scope Boundaries</title>
        <p>The MST framework addresses operational architecture and governance structure; it does not prescribe specific tool vendors, identity provider configurations, or regulatory compliance mappings. Organizations will need to adapt the framework’s principles to their specific regulatory context (HIPAA, PCI-DSS, GDPR, SOC 2, and others impose different specific requirements), technology stack, workforce scale, and risk tolerance. The formal model in Section 6.2 is intended to clarify the optimization structure rather than to be computed algorithmically in practice; the <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mi> a </mml:mi><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> scoring function and the <inline-formula><mml:math><mml:mi> θ </mml:mi></mml:math></inline-formula> thresholds are policy parameters that each organization must define based on its own risk profile and data classification standards.</p>
        <p>The framework also does not resolve the challenge of third-party and supply-chain trust. SaaS providers depend on cloud infrastructure, open-source components, and vendor integrations that introduce trust relationships outside the direct control of the enterprise security program. While the two-plane architecture provides a structural basis for evaluating third-party access, a full supply-chain Zero Trust model is a substantial research and operational program in its own right, and is identified as a direction for future work.</p>
      </sec>
      <sec id="sec7dot6">
        <title>7.6. Synthesis of the Theoretical Framework</title>
        <p>The formal development in Section 6 can be summarized in five interlocking elements that together transform Zero Trust from a posture into an explicit constrained-optimization program.</p>
        <p><italic>The objective function.</italic> Equation 4 expresses the MST problem as the minimization of a two-term cost: the risk-exposure cost <inline-formula><mml:math><mml:mrow><mml:mstyle displaystyle="true"><mml:msub><mml:mo> ∑ </mml:mo><mml:mi> i </mml:mi></mml:msub><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:mn> 1 </mml:mn><mml:mo> − </mml:mo><mml:msub><mml:mi> ℓ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:mstyle></mml:mrow></mml:math></inline-formula> of permitted actions outside the business-required set, plus the operational-friction cost <inline-formula><mml:math><mml:mrow><mml:mstyle displaystyle="true"><mml:msub><mml:mo> ∑ </mml:mo><mml:mi> i </mml:mi></mml:msub><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:mn> 1 </mml:mn><mml:mo> − </mml:mo><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow><mml:msub><mml:mi> ℓ </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:mstyle></mml:mrow></mml:math></inline-formula> of denied legitimate actions, subject to business completeness, verification sufficiency (<inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow><mml:mo> ≥ </mml:mo><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> ), and binary integrality. The two opposing terms make explicit the trade-off that Zero Trust programs otherwise resolve implicitly and badly. The risk-exposure weights <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> , the denial costs <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> d </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> , and the resource-sensitive thresholds <inline-formula><mml:math><mml:mrow><mml:mi> θ </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> are policy parameters that organizations calibrate to their own data classification and operational tolerance; the framework specifies their roles, not their values.</p>
        <p><italic>The decision variables.</italic> The action tuple <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> = </mml:mo><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> ι </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msub><mml:mi> δ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msub><mml:mi> ρ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msub><mml:mi> σ </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msub><mml:mi> ω </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> captures the five dimensions an MST-aligned policy must consider for every access decision: identity, device tier, resource and data classification, session context, and requested operation. Treating these jointly—rather than as independent gates—is what distinguishes MST from earlier RBAC, ABAC, and policy-administrator-only formalizations.</p>
        <p><italic>The graph formulation.</italic> The action-space-time graph <inline-formula><mml:math><mml:mrow><mml:msup><mml:mi> G </mml:mi><mml:mrow><mml:mrow><mml:mo> ( </mml:mo><mml:mi> t </mml:mi><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:msup><mml:mo> = </mml:mo><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> V </mml:mi><mml:mi> G </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:msubsup><mml:mi> E </mml:mi><mml:mi> G </mml:mi><mml:mrow><mml:mrow><mml:mo> ( </mml:mo><mml:mi> t </mml:mi><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:msubsup></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> casts the MST optimum as the <italic>weighted minimum subgraph cover</italic> of business-required edges under time-varying verification weights. This formulation makes time explicit, makes the connection to provenance-graph datasets concrete, and provides a natural substrate for empirical evaluation.</p>
        <p><italic>The complexity result.</italic> The weighted MST problem is NP-hard via reduction from 0 - 1 knapsack. Tractable approaches—LP relaxation, branch-and-bound MIP, greedy risk-ratio approximation, and online/streaming formulation—make the model solvable in practice at enterprise scale, and they explain why continuous re-evaluation of session trust in operational SOCs is a computational requirement rather than merely a policy preference.</p>
        <p><italic>The attack-surface implication.</italic> The MST permitted action set <inline-formula><mml:math><mml:mrow><mml:msup><mml:mi mathvariant="script"> T </mml:mi><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:math></inline-formula><italic>is</italic> the enterprise attack surface in the established Manadhata-Wing sense. The MST objective is therefore a direct quantitative expression of attack surface minimization under operational feasibility constraints, with reputation-based pre-filtering shrinking the effective action space <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi mathvariant="script"> S </mml:mi><mml:mrow><mml:mtext> eff </mml:mtext></mml:mrow></mml:msub></mml:mrow></mml:math></inline-formula> before optimization. Every gap between the realized <inline-formula><mml:math><mml:mrow><mml:msup><mml:mi mathvariant="script"> T </mml:mi><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:math></inline-formula> and the business-required minimum <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> is a measurable architectural deficit rather than an unmeasurable policy judgement.</p>
      </sec>
      <sec id="sec7dot7">
        <title>7.7. Future Work</title>
        <p>Five research directions emerge directly from the framework.</p>
        <p><italic>Empirical validation of the proxy hypothesis.</italic> The foundational modelling assumption of MST—that minimising the risk-weighted trust surplus is a reliable proxy for reducing breach probability or expected breach impact—is operationally motivated but not proven. Longitudinal study of Zero Trust maturity against observed security outcomes is the primary research direction; the growing corpus of enterprise ZT deployment data identified in the multivocal review [<xref ref-type="bibr" rid="B10">10</xref>] makes such study increasingly tractable.</p>
        <p><italic>Provenance-graph instantiation of the action-space-time graph.</italic> The MST subgraph cover formulation can be instantiated on public provenance-graph datasets (e.g., those used in OmegaLog [<xref ref-type="bibr" rid="B46">46</xref>]), treating each system-call-level event as a candidate <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> and applying the verification and risk constraints per edge. This would provide the first quantitative comparison of MST-based access policy against baseline access-control regimes at realistic granularity.</p>
        <p><italic>Action-independence extensions.</italic> The current formulation treats each action as independent. Extending the model to capture combinatorial interactions—for instance, with pairwise risk terms <inline-formula><mml:math display="inline"><mml:mrow><mml:msub><mml:mi> c </mml:mi><mml:mrow><mml:mi> i </mml:mi><mml:mi> j </mml:mi></mml:mrow></mml:msub><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:msub><mml:mi> x </mml:mi><mml:mi> j </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> for action pairs known to compose into higher-risk compound actions (a read on regulated data plus an export to an external endpoint, for example)—substantially increases computational complexity but is essential for capturing real exfiltration paths. A principled treatment of compound-action risk is an important next step.</p>
        <p><italic>Learning the legitimate set</italic><inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula><italic>from operational</italic><italic>behaviour</italic><italic>.</italic> Organizations maintain <inline-formula><mml:math><mml:mi> ℒ </mml:mi></mml:math></inline-formula> through policy declarations that lag operational reality. Time-indexed Bayesian updates, semi-supervised clustering, or other behavioural-learning approaches could close the gap between declared and effective legitimate sets, and would integrate naturally with the UEBA evidence layer [<xref ref-type="bibr" rid="B29">29</xref>] that already feeds the verification score <inline-formula><mml:math><mml:mrow><mml:mi> V </mml:mi><mml:mrow><mml:mo> ( </mml:mo><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub><mml:mo> , </mml:mo><mml:mi> t </mml:mi></mml:mrow><mml:mo> ) </mml:mo></mml:mrow></mml:mrow></mml:math></inline-formula> .</p>
        <p><italic>Supply-chain extension.</italic> The current two-plane architecture addresses the enterprise’s direct attack surface. SaaS providers depend on cloud infrastructure, open-source components, and vendor integrations that introduce trust relationships outside direct control. Extending MST to fourth-party trust—where actions <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> a </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> may be initiated by entities whose identity and device tier are not directly observable to the enterprise—is a substantial research program in its own right and a natural next direction.</p>
      </sec>
    </sec>
    <sec id="sec8">
      <title>8. Conclusions</title>
      <p>Zero Trust is not a product category. Network location is not a trust signal. Standing privilege is the enemy. Compliance evidence is a byproduct of good architecture, not its purpose.</p>
      <p>These four commitments are not rhetorical. Each has a specific operational consequence. Zero Trust is not a product category means that no tool purchase implements it; it is a continuous operating discipline enacted through policy, verification, and governance. Network location is not a trust signal means that being inside the corporate network confers nothing; every access decision requires current evidence of identity, device posture, and session legitimacy. Standing privilege is the enemy means that persistent access grants—service accounts, never-expiring tokens, broadly scoped admin roles—are the attack surface that adversaries actually exploit, and eliminating them is the highest-leverage security investment an organization can make. Compliance evidence is a byproduct means that organizations that build good architecture generate the audit records regulators need as a side-effect; organizations that build for compliance and treat security as secondary get neither.</p>
      <p>In a regulated SaaS enterprise, the Minimum Standing Trust framework operationalizes these commitments: deny-by-default at the exposed application edge; identity-, device-, and session-aware internal control with JIT privilege throughout; unified telemetry across detection and access systems; and policy-governed AI autonomous response bounded by the same trust criteria that govern human access.</p>
      <p>The MST framework presented in this paper makes four contributions to the Zero Trust literature.</p>
      <p>First, it reframes the Zero Trust implementation problem as a constrained optimization with competing objectives—minimizing unnecessary trust while preserving operational completeness—and shows why monotonic control accumulation fails as a strategy. This reframing explains empirically documented implementation failures that prior frameworks left without a structural account [<xref ref-type="bibr" rid="B10">10</xref>].</p>
      <p>Second, it prescribes asymmetric enforcement posture across the two planes and sharpens the control hierarchy: WAF, NIDS, and reputation controls are edge instruments, not strategy; identity, device posture, JIT privilege, and session verification are the substance of Zero Trust in the internal enterprise.</p>
      <p>Third, it establishes unified telemetry as a correctness requirement of the MST model—not a convenience—and provides a four-stage pipeline architecture (Decoder, Alerting, Enrichment, Enriched Incident) that operationalizes this requirement at the decision layer rather than at the dashboard layer.</p>
      <p>Fourth, it integrates AI governance into the MST model as a first-class concern, showing that the same trust criteria governing human access decisions govern AI autonomous response actions, and providing the bounded-autonomy ladder as a practical policy instrument for both.</p>
      <p>A consequence of these four contributions, developed formally in Sections 6.1 - 6.6, is that the MST optimum corresponds to a principled minimum on the enterprise attack surface in the established attack-surface sense [<xref ref-type="bibr" rid="B34">34</xref>]: the permitted action set <inline-formula><mml:math><mml:mrow><mml:msup><mml:mi mathvariant="script"> T </mml:mi><mml:mtext> * </mml:mtext></mml:msup></mml:mrow></mml:math></inline-formula> is the smallest attacker-exploitable surface consistent with the organization’s business requirements. Bidirectional reputation-based blocking, applied symmetrically at both the network perimeter and the endpoint, further reduces the effective action space by removing from consideration any action whose counterparty is already known to be adversarial. The full mathematical formalization, including the weighted ILP, action-space-time graph, complexity analysis, and solution approaches, appears in Sections 6.1 - 6.6.</p>
      <p>This operating model does not solve every problem. It does, however, close the gap between Zero Trust in theory and cyber defense in practice. It gives the vSOC a clearer decision surface. It reduces the standing privilege that adversaries can inherit through credential compromise. It creates a structured path for AI-assisted defense without surrendering policy authority to opaque automation. And it generates the evidence a regulated SaaS provider needs not only to defend its platform, but also to explain its controls to customers, auditors, and regulators.</p>
      <p>For organizations operating under the mobile, distributed, and data-regulated conditions that now characterize modern enterprise computing, the MST framework offers a practical and theoretically grounded path to the intersection of Zero Trust principles and effective cyber defense operations.</p>
      <p><bold>Future work.</bold> Several important directions remain open. The most pressing empirical question is whether the MST model’s core hypothesis holds in practice: that eliminating standing trust—measured by credential exposure, dwell time, and lateral movement reach—is a reliable proxy for reducing breach impact. Longitudinal studies of Zero Trust maturity and security outcomes, building on the multivocal review methodology of Buck <italic>et al.</italic> [<xref ref-type="bibr" rid="B10">10</xref>], would provide a rigorous empirical path to this validation. Instantiating the action-space-time graph on provenance graph datasets [<xref ref-type="bibr" rid="B46">46</xref>] would provide a concrete experimental substrate for evaluating the MST subgraph cover formulation at system-call granularity. Developing efficient MIP formulations calibrated to enterprise-scale action spaces—leveraging the bipartite structure of the actor-resource graph to reduce problem dimensionality—is a tractable near-term algorithmic research agenda. The extension of the two-plane architecture to supply-chain and fourth-party trust relationships introduces additional graph layers (vendor nodes, dependency edges) whose MST formulation remains open. Finally, the governance implications of agentic AI in security operations—including the formal treatment of irreversibility constraints on the <inline-formula><mml:math><mml:mrow><mml:msub><mml:mi> x </mml:mi><mml:mi> i </mml:mi></mml:msub></mml:mrow></mml:math></inline-formula> variables, liability for autonomous access decisions, and regulatory standards for AI-governed policy enforcement—are emerging questions at the intersection of computer science and law that the security research community is well-positioned to address.</p>
    </sec>
    <sec id="sec9">
      <title>Data Availability</title>
      <p>No datasets were generated or analyzed during the preparation of this conceptual and operational framework paper.</p>
    </sec>
    <sec id="sec10">
      <title>Acknowledgements</title>
      <p>The authors thank colleagues at Florida Atlantic University’s Department of Electrical Engineering and Computer Science and at Athena Security Group for discussions that informed this work.</p>
    </sec>
    <sec id="sec11">
      <title>NOTES</title>
      <p><sup>1</sup>The application need not be hosted by a Cloud or PaaS provider; its main characteristics simply being derived from the fact that it is Internet-accessible and as such is subject to certain categories and types of threats that are specific to the protocols and applications in question.</p>
      <p><sup>2</sup>All three authors are affiliated with Athena Security Group. Athena Core [<xref ref-type="bibr" rid="B44">44</xref>] and Athena Pallas [<xref ref-type="bibr" rid="B45">45</xref>] are commercially available instantiations of the unified telemetry and AI-assisted analyst patterns described in this section. They are cited only as disclosed implementation examples. The framework is intended to be vendor-neutral and is applicable across different tooling environments.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <title>References</title>
      <ref id="B1">
        <label>1.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Rose, S., Borchert, O., Mitchell, S. and Connelly, S. (2020) Zero Trust Architecture. NIST Special Publication 800-207. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-207-draft2 <pub-id pub-id-type="doi">10.6028/NIST.SP.800-207-draft2</pub-id><ext-link ext-link-type="uri" xlink:href="https://doi.org/10.6028/NIST.SP.800-207-draft2">https://doi.org/10.6028/NIST.SP.800-207-draft2</ext-link></mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Rose, S.</string-name>
              <string-name>Borchert, O.</string-name>
              <string-name>Mitchell, S.</string-name>
              <string-name>Connelly, S.</string-name>
            </person-group>
            <year>2020</year>
            <article-title>Zero Trust Architecture</article-title>
            <pub-id pub-id-type="doi">10.6028/NIST.SP.800-207-draft2</pub-id>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B2">
        <label>2.</label>
        <citation-alternatives>
          <mixed-citation publication-type="report">Kindervag, J. (2010) Build Security into Your Network’s DNA: The Zero Trust Network Architecture. Technical Report, Forrester Research.</mixed-citation>
          <element-citation publication-type="report">
            <person-group person-group-type="author">
              <string-name>Kindervag, J.</string-name>
              <string-name>Report, F</string-name>
            </person-group>
            <year>2010</year>
            <article-title>Build Security into Your Network’s DNA: The Zero Trust Network Architecture</article-title>
            <source>Technical Report</source>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B3">
        <label>3.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Ward, R. and Beyer, B. (2014) BeyondCorp: A New Approach to Enterprise Security. <italic>USENIX</italic>, 39, 6-11.</mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Ward, R.</string-name>
              <string-name>Beyer, B.</string-name>
            </person-group>
            <year>2014</year>
            <article-title>BeyondCorp: A New Approach to Enterprise Security</article-title>
            <source>USENIX</source>
            <volume>39</volume>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B4">
        <label>4.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Osborn, B., McAdams, J., Beyer, B. and Ward, R. (2016) BeyondCorp: DESIGN to Deployment at Google. <italic>USENIX</italic>, 41, 28-34.</mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Osborn, B.</string-name>
              <string-name>McAdams, J.</string-name>
              <string-name>Beyer, B.</string-name>
              <string-name>Ward, R.</string-name>
            </person-group>
            <year>2016</year>
            <article-title>BeyondCorp: DESIGN to Deployment at Google</article-title>
            <source>USENIX</source>
            <volume>41</volume>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B5">
        <label>5.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Gilman, E. and Barth, D. (2017) Zero Trust Networks: Building Secure Systems in Untrusted Networks. O’Reilly Media.</mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Gilman, E.</string-name>
              <string-name>Barth, D.</string-name>
            </person-group>
            <year>2017</year>
            <article-title>Zero Trust Networks: Building Secure Systems in Untrusted Networks</article-title>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B6">
        <label>6.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Chandramouli, R. (2023) A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Cloud Environments. NIST Special Publication 800-207A, National Institute of Standards and Technology.</mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Chandramouli, R.</string-name>
            </person-group>
            <year>2023</year>
            <article-title>A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Cloud Environments</article-title>
            <source>NIST Special Publication 800-207A</source>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B7">
        <label>7.</label>
        <citation-alternatives>
          <mixed-citation publication-type="report">Cybersecurity and Infrastructure Security Agency (2023) Zero Trust Maturity Model, Version 2.0. Technical Report, CISA.</mixed-citation>
          <element-citation publication-type="report">
            <person-group person-group-type="author">
              <string-name>Model, V</string-name>
              <string-name>Report, C</string-name>
            </person-group>
            <year>2023</year>
            <article-title>Zero Trust Maturity Model, Version 2</article-title>
            <source>0. Technical Report</source>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B8">
        <label>8.</label>
        <citation-alternatives>
          <mixed-citation publication-type="report">United States Department of Defense (2022) Department of Defense Zero Trust Strategy. Technical Report, Office of the Chief Information Officer, U.S. Department of Defense.</mixed-citation>
          <element-citation publication-type="report">
            <person-group person-group-type="author">
              <string-name>Report, O</string-name>
              <string-name>Officer, U.S.</string-name>
            </person-group>
            <year>2022</year>
            <article-title>Department of Defense Zero Trust Strategy</article-title>
            <source>Technical Report</source>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B9">
        <label>9.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Executive Office of the President (2021) Executive Order 14028: Improving the Nation’s Cybersecurity. <italic>Federal Register</italic>, 86, 26633-26641.</mixed-citation>
          <element-citation publication-type="other">
            <year>2021</year>
            <article-title>Executive Order 14028: Improving the Nation’s Cybersecurity</article-title>
            <source>Federal Register</source>
            <volume>86</volume>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B10">
        <label>10.</label>
        <citation-alternatives>
          <mixed-citation publication-type="journal">Buck, C., Olenberger, C., Schweizer, A., Völter, F. and Eymann, T. (2021) Never Trust, Always Verify: A Multivocal Literature Review on Current Knowledge and Research Gaps of Zero-Trust. <italic>Computers</italic><italic>&amp;</italic><italic>Security</italic>, 110, Article ID: 102436. https://doi.org/10.1016/j.cose.2021.102436 <pub-id pub-id-type="doi">10.1016/j.cose.2021.102436</pub-id><ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1016/j.cose.2021.102436">https://doi.org/10.1016/j.cose.2021.102436</ext-link></mixed-citation>
          <element-citation publication-type="journal">
            <person-group person-group-type="author">
              <string-name>Buck, C.</string-name>
              <string-name>Olenberger, C.</string-name>
              <string-name>Schweizer, A.</string-name>
              <string-name>Eymann, T.</string-name>
              <string-name>Trust, A</string-name>
            </person-group>
            <year>2021</year>
            <article-title>Never Trust, Always Verify: A Multivocal Literature Review on Current Knowledge and Research Gaps of Zero-Trust</article-title>
            <source>Computers &amp; Security</source>
            <volume>110</volume>
            <fpage>102436</fpage>
            <elocation-id>ID</elocation-id>
            <pub-id pub-id-type="doi">10.1016/j.cose.2021.102436</pub-id>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B11">
        <label>11.</label>
        <citation-alternatives>
          <mixed-citation publication-type="book">Verizon (2025) 2025 Data Breach Investigations Report. Technical Report, Verizon Communications, 18th Edition. https://www.verizon.com/business/resources/reports/dbir/</mixed-citation>
          <element-citation publication-type="book">
            <person-group person-group-type="author">
              <string-name>Report, V</string-name>
            </person-group>
            <year>2025</year>
            <article-title>2025 Data Breach Investigations Report</article-title>
            <source>Technical Report</source>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B12">
        <label>12.</label>
        <citation-alternatives>
          <mixed-citation publication-type="report">CrowdStrike (2025) CrowdStrike Global Threat Report. Technical Report, CrowdStrike. https://www.crowdstrike.com/global-threat-report/</mixed-citation>
          <element-citation publication-type="report">
            <person-group person-group-type="author">
              <string-name>Report, C</string-name>
            </person-group>
            <year>2025</year>
            <article-title>CrowdStrike Global Threat Report</article-title>
            <source>Technical Report</source>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B13">
        <label>13.</label>
        <citation-alternatives>
          <mixed-citation publication-type="report">Cisco Talos Intelligence Group (2025) Cisco Talos Year in Review 2024. Technical Report, Cisco Systems. https://blog.talosintelligence.com/</mixed-citation>
          <element-citation publication-type="report">
            <person-group person-group-type="author">
              <string-name>Report, C</string-name>
            </person-group>
            <year>2025</year>
            <article-title>Cisco Talos Year in Review 2024</article-title>
            <source>Technical Report</source>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B14">
        <label>14.</label>
        <citation-alternatives>
          <mixed-citation publication-type="report">Strom, B.E., Applebaum, A., Miller, D.P., Nickels, K.C., Pennington, A.G. and Thomas, C.B. (2018) MITRE ATT&amp;CK: Design and Philosophy. Technical Report MP180360R1, The MITRE Corporation.</mixed-citation>
          <element-citation publication-type="report">
            <person-group person-group-type="author">
              <string-name>Strom, B.E.</string-name>
              <string-name>Applebaum, A.</string-name>
              <string-name>Miller, D.P.</string-name>
              <string-name>Nickels, K.C.</string-name>
              <string-name>Pennington, A.G.</string-name>
              <string-name>Thomas, C.B.</string-name>
            </person-group>
            <year>2018</year>
            <article-title>MITRE ATT&amp;CK: Design and Philosophy</article-title>
            <source>Technical Report MP180360R1</source>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B15">
        <label>15.</label>
        <citation-alternatives>
          <mixed-citation publication-type="confproc">Saltzer, J.H. and Schroeder, M.D. (1975) The Protection of Information in Computer Systems. <italic>Proceedings</italic><italic>of</italic><italic>the</italic><italic>IEEE</italic>, 63, 1278-1308. https://doi.org/10.1109/proc.1975.9939 <pub-id pub-id-type="doi">10.1109/proc.1975.9939</pub-id><ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1109/proc.1975.9939">https://doi.org/10.1109/proc.1975.9939</ext-link></mixed-citation>
          <element-citation publication-type="confproc">
            <person-group person-group-type="author">
              <string-name>Saltzer, J.H.</string-name>
              <string-name>Schroeder, M.D.</string-name>
            </person-group>
            <year>1975</year>
            <article-title>The Protection of Information in Computer Systems</article-title>
            <source>Proceedings of the IEEE</source>
            <volume>63</volume>
            <pub-id pub-id-type="doi">10.1109/proc.1975.9939</pub-id>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B16">
        <label>16.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Tabassi, E. (2023) Artificial Intelligence Risk Management Framework (AI RMF 1.0). NIST AI 100-1, National Institute of Standards and Technology.</mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Tabassi, E.</string-name>
            </person-group>
            <year>2023</year>
            <article-title>Artificial Intelligence Risk Management Framework (AI RMF 1</article-title>
            <source>0). NIST AI 100-1</source>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B17">
        <label>17.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Autio, C., Schwartz, R., Stanley, K., Tabassi, E. and Hodge, J. (2024) Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile. NIST AI 600-1, National Institute of Standards and Technology.</mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Autio, C.</string-name>
              <string-name>Schwartz, R.</string-name>
              <string-name>Stanley, K.</string-name>
              <string-name>Tabassi, E.</string-name>
              <string-name>Hodge, J.</string-name>
            </person-group>
            <year>2024</year>
            <article-title>Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile</article-title>
            <source>NIST AI 600-1</source>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B18">
        <label>18.</label>
        <citation-alternatives>
          <mixed-citation publication-type="report">National Security Agency, Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, Australian Cyber Security Centre, New Zealand National Cyber Security Centre and United Kingdom National Cyber Security Centre (2024) Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems. Technical Report, Joint Cybersecurity Information.</mixed-citation>
          <element-citation publication-type="report">
            <person-group person-group-type="author">
              <string-name>Agency, C</string-name>
              <string-name>Agency, F</string-name>
              <string-name>Investigation, A</string-name>
              <string-name>Centre, N</string-name>
              <string-name>Report, J</string-name>
            </person-group>
            <year>2024</year>
            <article-title>Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems</article-title>
            <source>Technical Report</source>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B19">
        <label>19.</label>
        <citation-alternatives>
          <mixed-citation publication-type="report">National Security Agency, Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, Australian Signals Directorate’s Australian Cyber Security Centre and International Partners (2025) AI Data Security: Best Practices for Securing Data Used to Train and Operate AI Systems. Technical Report, Joint Cybersecurity Information.</mixed-citation>
          <element-citation publication-type="report">
            <person-group person-group-type="author">
              <string-name>Agency, C</string-name>
              <string-name>Agency, F</string-name>
              <string-name>Investigation, A</string-name>
              <string-name>Report, J</string-name>
            </person-group>
            <year>2025</year>
            <article-title>AI Data Security: Best Practices for Securing Data Used to Train and Operate AI Systems</article-title>
            <source>Technical Report</source>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B20">
        <label>20.</label>
        <citation-alternatives>
          <mixed-citation publication-type="report">National Cyber Security Centre (2023) Guidelines for Secure AI System Development. Technical Report, NCSC.</mixed-citation>
          <element-citation publication-type="report">
            <person-group person-group-type="author">
              <string-name>Report, N</string-name>
            </person-group>
            <year>2023</year>
            <article-title>Guidelines for Secure AI System Development</article-title>
            <source>Technical Report</source>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B21">
        <label>21.</label>
        <citation-alternatives>
          <mixed-citation publication-type="report">OWASP GenAI Security Project (2025) Securing Agentic Applications Guide 1.0. Technical Report, OWASP Foundation.</mixed-citation>
          <element-citation publication-type="report">
            <person-group person-group-type="author">
              <string-name>Report, O</string-name>
            </person-group>
            <year>2025</year>
            <article-title>Securing Agentic Applications Guide 1</article-title>
            <source>0. Technical Report</source>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B22">
        <label>22.</label>
        <citation-alternatives>
          <mixed-citation publication-type="report">Cunningham, C. (2018) The Forrester Wave: Zero Trust eXtended (ZTX) Ecosystem Platform Providers, Q3 2018. Technical Report, Forrester Research.</mixed-citation>
          <element-citation publication-type="report">
            <person-group person-group-type="author">
              <string-name>Cunningham, C.</string-name>
              <string-name>Providers, Q</string-name>
              <string-name>Report, F</string-name>
            </person-group>
            <year>2018</year>
            <article-title>The Forrester Wave: Zero Trust eXtended (ZTX) Ecosystem Platform Providers, Q3 2018</article-title>
            <source>Technical Report</source>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B23">
        <label>23.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Beyer, B., Cittadini, L., Saltonstall, M. and Spear, B. (2017) Migrating to BeyondCorp: Maintaining Productivity While Improving Security. <italic>USENIX</italic>, 42, 49-55.</mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Beyer, B.</string-name>
              <string-name>Cittadini, L.</string-name>
              <string-name>Saltonstall, M.</string-name>
              <string-name>Spear, B.</string-name>
            </person-group>
            <year>2017</year>
            <article-title>Migrating to BeyondCorp: Maintaining Productivity While Improving Security</article-title>
            <source>USENIX</source>
            <volume>42</volume>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B24">
        <label>24.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Syed, N.F., Shah, S.W., Shaghaghi, A., Anwar, A., Baig, Z. and Doss, R. (2022) Zero Trust Architecture (ZTA): A Comprehensive Survey. <italic>IEEE</italic><italic>Access</italic>, 10, 57143-57179. https://doi.org/10.1109/access.2022.3174679 <pub-id pub-id-type="doi">10.1109/access.2022.3174679</pub-id><ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1109/access.2022.3174679">https://doi.org/10.1109/access.2022.3174679</ext-link></mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Syed, N.F.</string-name>
              <string-name>Shah, S.W.</string-name>
              <string-name>Shaghaghi, A.</string-name>
              <string-name>Anwar, A.</string-name>
              <string-name>Baig, Z.</string-name>
              <string-name>Doss, R.</string-name>
            </person-group>
            <year>2022</year>
            <article-title>Zero Trust Architecture (ZTA): A Comprehensive Survey</article-title>
            <source>IEEE Access</source>
            <volume>10</volume>
            <pub-id pub-id-type="doi">10.1109/access.2022.3174679</pub-id>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B25">
        <label>25.</label>
        <citation-alternatives>
          <mixed-citation publication-type="confproc">de Chaves, S.A., Westphall, C.B. and Lamin, F.R. (2010) SLA Perspective in Security Management for Cloud Computing. 2010 <italic>Sixth</italic><italic>International</italic><italic>Conference</italic><italic>on</italic><italic>Networking</italic><italic>and</italic><italic>Services</italic>, Cancun, 7-13 March 2010, 212-217. https://doi.org/10.1109/icns.2010.36 <pub-id pub-id-type="doi">10.1109/icns.2010.36</pub-id><ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1109/icns.2010.36">https://doi.org/10.1109/icns.2010.36</ext-link></mixed-citation>
          <element-citation publication-type="confproc">
            <person-group person-group-type="author">
              <string-name>Chaves, S.A.</string-name>
              <string-name>Westphall, C.B.</string-name>
              <string-name>Lamin, F.R.</string-name>
              <string-name>Services, C</string-name>
            </person-group>
            <year>2010</year>
            <article-title>SLA Perspective in Security Management for Cloud Computing</article-title>
            <source>2010 Sixth International Conference on Networking and Services</source>
            <volume>7</volume>
            <pub-id pub-id-type="doi">10.1109/icns.2010.36</pub-id>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B26">
        <label>26.</label>
        <citation-alternatives>
          <mixed-citation publication-type="journal">Balasubramanian, V., Murugavel, P., Marikkannan, M. and Latha, B. (2021) BYOD Security Challenges and Solutions in Enterprise Environments: A Systematic Review. <italic>International</italic><italic>Journal</italic><italic>of</italic><italic>Information</italic><italic>Security</italic>, 20, 557-573.</mixed-citation>
          <element-citation publication-type="journal">
            <person-group person-group-type="author">
              <string-name>Balasubramanian, V.</string-name>
              <string-name>Murugavel, P.</string-name>
              <string-name>Marikkannan, M.</string-name>
              <string-name>Latha, B.</string-name>
            </person-group>
            <year>2021</year>
            <article-title>BYOD Security Challenges and Solutions in Enterprise Environments: A Systematic Review</article-title>
            <source>International Journal of Information Security</source>
            <volume>20</volume>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B27">
        <label>27.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Sandhu, R.S. and Samarati, P. (1994) Access Control: Principle and Practice. <italic>IEEE</italic><italic>Communications</italic><italic>Magazine</italic>, 32, 40-48. https://doi.org/10.1109/35.312842 <pub-id pub-id-type="doi">10.1109/35.312842</pub-id><ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1109/35.312842">https://doi.org/10.1109/35.312842</ext-link></mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Sandhu, R.S.</string-name>
              <string-name>Samarati, P.</string-name>
            </person-group>
            <year>1994</year>
            <article-title>Access Control: Principle and Practice</article-title>
            <source>IEEE Communications Magazine</source>
            <volume>32</volume>
            <pub-id pub-id-type="doi">10.1109/35.312842</pub-id>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B28">
        <label>28.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Hu, V.C., Ferraiolo, D., Kuhn, R., Schnitzer, A., Sandlin, K., Miller, R. and Scarfone, K. (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. NIST Special Publication 800-162, National Institute of Standards and Technology.</mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Hu, V.C.</string-name>
              <string-name>Ferraiolo, D.</string-name>
              <string-name>Kuhn, R.</string-name>
              <string-name>Schnitzer, A.</string-name>
              <string-name>Sandlin, K.</string-name>
              <string-name>Miller, R.</string-name>
              <string-name>Scarfone, K.</string-name>
            </person-group>
            <year>2014</year>
            <article-title>Guide to Attribute Based Access Control (ABAC) Definition and Considerations</article-title>
            <source>NIST Special Publication 800-162</source>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B29">
        <label>29.</label>
        <citation-alternatives>
          <mixed-citation publication-type="confproc">Tuor, A., Kaplan, S., Hutchinson, B., Nichols, N. and Robinson, S. (2017) Deep Learning for Unsupervised Insider Threat Detection in Structured Cybersecurity Data Streams. <italic>Proceedings</italic><italic>of</italic><italic>the</italic><italic>AAAI</italic>-17 <italic>Workshop</italic><italic>on</italic><italic>AI</italic><italic>for</italic><italic>Cyber</italic><italic>Security</italic>, San Francisco, 4-5 February 2017, 224-231.</mixed-citation>
          <element-citation publication-type="confproc">
            <person-group person-group-type="author">
              <string-name>Tuor, A.</string-name>
              <string-name>Kaplan, S.</string-name>
              <string-name>Hutchinson, B.</string-name>
              <string-name>Nichols, N.</string-name>
              <string-name>Robinson, S.</string-name>
              <string-name>Security, S</string-name>
            </person-group>
            <year>2017</year>
            <article-title>Deep Learning for Unsupervised Insider Threat Detection in Structured Cybersecurity Data Streams</article-title>
            <source>Proceedings of the AAAI-17 Workshop on AI for Cyber Security</source>
            <volume>4</volume>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B30">
        <label>30.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Liu, A.X. and Gouda, M.G. (2008) Diverse Firewall Design. <italic>IEEE</italic><italic>Transactions</italic><italic>on</italic><italic>Parallel</italic><italic>and</italic><italic>Distributed</italic><italic>Systems</italic>, 19, 1100-1112.</mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Liu, A.X.</string-name>
              <string-name>Gouda, M.G.</string-name>
            </person-group>
            <year>2008</year>
            <article-title>Diverse Firewall Design</article-title>
            <source>IEEE Transactions on Parallel and Distributed Systems</source>
            <volume>19</volume>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B31">
        <label>31.</label>
        <citation-alternatives>
          <mixed-citation publication-type="journal">Shandilya, V., Simmons, C.B. and Shiva, S. (2014) Use of Attack Graphs in Security Systems. <italic>Journal</italic><italic>of</italic><italic>Computer</italic><italic>Networks</italic><italic>and</italic><italic>Communications</italic>, 2014, Article ID: 818957. https://doi.org/10.1155/2014/818957 <pub-id pub-id-type="doi">10.1155/2014/818957</pub-id><ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1155/2014/818957">https://doi.org/10.1155/2014/818957</ext-link></mixed-citation>
          <element-citation publication-type="journal">
            <person-group person-group-type="author">
              <string-name>Shandilya, V.</string-name>
              <string-name>Simmons, C.B.</string-name>
              <string-name>Shiva, S.</string-name>
            </person-group>
            <year>2014</year>
            <article-title>Use of Attack Graphs in Security Systems</article-title>
            <source>Journal of Computer Networks and Communications</source>
            <volume>2014</volume>
            <fpage>818957</fpage>
            <elocation-id>ID</elocation-id>
            <pub-id pub-id-type="doi">10.1155/2014/818957</pub-id>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B32">
        <label>32.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Garey, M.R. and Johnson, D.S. (1979) Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman.</mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Garey, M.R.</string-name>
              <string-name>Johnson, D.S.</string-name>
            </person-group>
            <year>1979</year>
            <article-title>Computers and Intractability: A Guide to the Theory of NP-Completeness</article-title>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B33">
        <label>33.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Howard, M., Pincus, J. and Wing, J.M. (2005) Measuring Relative Attack Surfaces. In: Lee, D.T., Shieh, S.P. and Tygar, J.D., Eds., <italic>Computer</italic><italic>Security</italic><italic>in</italic><italic>the</italic> 21 <italic>st</italic><italic>Century</italic>, Springer-Verlag, 109-137. https://doi.org/10.1007/0-387-24006-3_8 <pub-id pub-id-type="doi">10.1007/0-387-24006-3_8</pub-id><ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1007/0-387-24006-3_8">https://doi.org/10.1007/0-387-24006-3_8</ext-link></mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Howard, M.</string-name>
              <string-name>Pincus, J.</string-name>
              <string-name>Wing, J.M.</string-name>
              <string-name>Lee, D.T.</string-name>
              <string-name>Shieh, S.P.</string-name>
              <string-name>Tygar, J.D.</string-name>
              <string-name>Century, S</string-name>
            </person-group>
            <year>2005</year>
            <article-title>Measuring Relative Attack Surfaces</article-title>
            <source>In: Lee</source>
            <volume>109</volume>
            <pub-id pub-id-type="doi">10.1007/0-387-24006-3_8</pub-id>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B34">
        <label>34.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Manadhata, P.K. and Wing, J.M. (2011) An Attack Surface Metric. <italic>IEEE</italic><italic>Transactions</italic><italic>on</italic><italic>Software</italic><italic>Engineering</italic>, 37, 371-386. https://doi.org/10.1109/tse.2010.60 <pub-id pub-id-type="doi">10.1109/tse.2010.60</pub-id><ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1109/tse.2010.60">https://doi.org/10.1109/tse.2010.60</ext-link></mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Manadhata, P.K.</string-name>
              <string-name>Wing, J.M.</string-name>
            </person-group>
            <year>2011</year>
            <article-title>An Attack Surface Metric</article-title>
            <source>IEEE Transactions on Software Engineering</source>
            <volume>37</volume>
            <pub-id pub-id-type="doi">10.1109/tse.2010.60</pub-id>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B35">
        <label>35.</label>
        <citation-alternatives>
          <mixed-citation publication-type="web">AbuseIPDB (2024) Community-Driven IP Address Abuse Reporting and Reputation Database. Marathon Studios Inc. https://www.abuseipdb.com/</mixed-citation>
          <element-citation publication-type="web">
            <year>2024</year>
            <article-title>Community-Driven IP Address Abuse Reporting and Reputation Database</article-title>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B36">
        <label>36.</label>
        <citation-alternatives>
          <mixed-citation publication-type="web">The Spamhaus Project (2024) Don’t Route or Peer (DROP) and Extended DROP (EDROP) Lists. The Spamhaus Project. https://www.spamhaus.org/drop/</mixed-citation>
          <element-citation publication-type="web">
            <year>2024</year>
            <article-title>Don’t Route or Peer (DROP) and Extended DROP (EDROP) Lists</article-title>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B37">
        <label>37.</label>
        <citation-alternatives>
          <mixed-citation publication-type="confproc">Husari, G., Al-Shaer, E., Ahmed, M., Chu, B. and Niu, X. (2017) TTPDrill: Automatic and Accurate Extraction of Threat Actions from Unstructured Text of CTI Sources. <italic>Proceedings</italic><italic>of</italic><italic>the</italic> 33 <italic>rd</italic><italic>Annual</italic><italic>Computer</italic><italic>Security</italic><italic>Applications</italic><italic>Conference</italic>, Orlando, 4-8 December 2017, 103-115. https://doi.org/10.1145/3134600.3134646 <pub-id pub-id-type="doi">10.1145/3134600.3134646</pub-id><ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1145/3134600.3134646">https://doi.org/10.1145/3134600.3134646</ext-link></mixed-citation>
          <element-citation publication-type="confproc">
            <person-group person-group-type="author">
              <string-name>Husari, G.</string-name>
              <string-name>Al-Shaer, E.</string-name>
              <string-name>Ahmed, M.</string-name>
              <string-name>Chu, B.</string-name>
              <string-name>Niu, X.</string-name>
              <string-name>Conference, O</string-name>
            </person-group>
            <year>2017</year>
            <article-title>TTPDrill: Automatic and Accurate Extraction of Threat Actions from Unstructured Text of CTI Sources</article-title>
            <source>Proceedings of the 33rd Annual Computer Security Applications Conference</source>
            <volume>4</volume>
            <pub-id pub-id-type="doi">10.1145/3134600.3134646</pub-id>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B38">
        <label>38.</label>
        <citation-alternatives>
          <mixed-citation publication-type="journal">Papernot, N., McDaniel, P., Sinha, A. and Wellman, M. (2016) Towards the Science of Security and Privacy in Machine Learning. arXiv: 1611.03814.</mixed-citation>
          <element-citation publication-type="journal">
            <person-group person-group-type="author">
              <string-name>Papernot, N.</string-name>
              <string-name>McDaniel, P.</string-name>
              <string-name>Sinha, A.</string-name>
              <string-name>Wellman, M.</string-name>
            </person-group>
            <year>2016</year>
            <article-title>Towards the Science of Security and Privacy in Machine Learning</article-title>
            <fpage>1611</fpage>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B39">
        <label>39.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Ferrag, M.A., Battah, A., Tihanyi, N., Debbah, M., Lestable, T. and Nzume, L.C. (2025) Revolutionizing Cyber Threat Detection with Large Language Models: A Privacy-Preserving AdaBoost-Based LLM Approach. <italic>IEEE</italic><italic>Access</italic>, 13, 1-19.</mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Ferrag, M.A.</string-name>
              <string-name>Battah, A.</string-name>
              <string-name>Tihanyi, N.</string-name>
              <string-name>Debbah, M.</string-name>
              <string-name>Lestable, T.</string-name>
              <string-name>Nzume, L.C.</string-name>
            </person-group>
            <year>2025</year>
            <article-title>Revolutionizing Cyber Threat Detection with Large Language Models: A Privacy-Preserving AdaBoost-Based LLM Approach</article-title>
            <source>IEEE Access</source>
            <volume>13</volume>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B40">
        <label>40.</label>
        <citation-alternatives>
          <mixed-citation publication-type="journal">Motlagh, F.H., Uhm, M., Chu, B., Niu, X. and Al-Shaer, E. (2024) Large Language Models in Cybersecurity: State-of-the-Art. arXiv: 2402.00891.</mixed-citation>
          <element-citation publication-type="journal">
            <person-group person-group-type="author">
              <string-name>Motlagh, F.H.</string-name>
              <string-name>Uhm, M.</string-name>
              <string-name>Chu, B.</string-name>
              <string-name>Niu, X.</string-name>
              <string-name>Al-Shaer, E.</string-name>
            </person-group>
            <year>2024</year>
            <article-title>Large Language Models in Cybersecurity: State-of-the-Art</article-title>
            <fpage>2402</fpage>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B41">
        <label>41.</label>
        <citation-alternatives>
          <mixed-citation publication-type="confproc">Weidinger, L., Uesato, J., Rauh, M., Griffin, C., Huang, P., Mellor, J., et al. (2022) Taxonomy of Risks Posed by Language Models. 2022 <italic>ACM</italic><italic>Conference</italic><italic>on</italic><italic>Fairness</italic><italic>Accountability</italic><italic>and</italic><italic>Transparency</italic>, Seoul, 21-24 June 2022, 214-229. https://doi.org/10.1145/3531146.3533088 <pub-id pub-id-type="doi">10.1145/3531146.3533088</pub-id><ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1145/3531146.3533088">https://doi.org/10.1145/3531146.3533088</ext-link></mixed-citation>
          <element-citation publication-type="confproc">
            <person-group person-group-type="author">
              <string-name>Weidinger, L.</string-name>
              <string-name>Uesato, J.</string-name>
              <string-name>Rauh, M.</string-name>
              <string-name>Griffin, C.</string-name>
              <string-name>Huang, P.</string-name>
              <string-name>Mellor, J.</string-name>
              <string-name>Transparency, S</string-name>
            </person-group>
            <year>2022</year>
            <article-title>Taxonomy of Risks Posed by Language Models</article-title>
            <source>2022 ACM Conference on Fairness Accountability and Transparency</source>
            <volume>21</volume>
            <pub-id pub-id-type="doi">10.1145/3531146.3533088</pub-id>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B42">
        <label>42.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Scarfone, K. and Mell, P. (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). NIST Special Publication 800-94, National Institute of Standards and Technology.</mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Scarfone, K.</string-name>
              <string-name>Mell, P.</string-name>
            </person-group>
            <year>2007</year>
            <article-title>Guide to Intrusion Detection and Prevention Systems (IDPS)</article-title>
            <source>NIST Special Publication 800-94</source>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B43">
        <label>43.</label>
        <citation-alternatives>
          <mixed-citation publication-type="report">National Institute of Standards and Technology (2024) The NIST Cybersecurity Framework 2.0. Technical Report, National Institute of Standards and Technology.</mixed-citation>
          <element-citation publication-type="report">
            <person-group person-group-type="author">
              <string-name>Report, N</string-name>
            </person-group>
            <year>2024</year>
            <article-title>The NIST Cybersecurity Framework 2</article-title>
            <source>0. Technical Report</source>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B44">
        <label>44.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Athena Security Group (2026) Athena Core. Athena Security Group.</mixed-citation>
          <element-citation publication-type="other">
            <year>2026</year>
            <article-title>Athena Core</article-title>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B45">
        <label>45.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Athena Security Group (2026) Athena AI Analyst (Pallas). Athena Security Group.</mixed-citation>
          <element-citation publication-type="other">
            <year>2026</year>
            <article-title>Athena AI Analyst (Pallas)</article-title>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B46">
        <label>46.</label>
        <citation-alternatives>
          <mixed-citation publication-type="confproc">Hassan, W.U., Noureddine, M.A., Datta, P. and Bates, A. (2020) OmegaLog: High-Fidelity Attack Investigation via Transparent Multi-Layer Log Analysis. <italic>Proceedings</italic> 2020 <italic>Network</italic><italic>and</italic><italic>Distributed</italic><italic>System</italic><italic>Security</italic><italic>Symposium</italic>, San Diego, 23-26 February 2020, 1-8. https://doi.org/10.14722/ndss.2020.24270 <pub-id pub-id-type="doi">10.14722/ndss.2020.24270</pub-id><ext-link ext-link-type="uri" xlink:href="https://doi.org/10.14722/ndss.2020.24270">https://doi.org/10.14722/ndss.2020.24270</ext-link></mixed-citation>
          <element-citation publication-type="confproc">
            <person-group person-group-type="author">
              <string-name>Hassan, W.U.</string-name>
              <string-name>Noureddine, M.A.</string-name>
              <string-name>Datta, P.</string-name>
              <string-name>Bates, A.</string-name>
              <string-name>Symposium, S</string-name>
            </person-group>
            <year>2020</year>
            <article-title>OmegaLog: High-Fidelity Attack Investigation via Transparent Multi-Layer Log Analysis</article-title>
            <source>Proceedings 2020 Network and Distributed System Security Symposium</source>
            <volume>23</volume>
            <pub-id pub-id-type="doi">10.14722/ndss.2020.24270</pub-id>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B47">
        <label>47.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">Wolsey, L.A. (1998) Integer Programming. Wiley.</mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>Wolsey, L.A.</string-name>
            </person-group>
            <year>1998</year>
            <article-title>Integer Programming</article-title>
          </element-citation>
        </citation-alternatives>
      </ref>
      <ref id="B48">
        <label>48.</label>
        <citation-alternatives>
          <mixed-citation publication-type="other">McGregor, A. (2014) Graph Stream Algorithms: A Survey. <italic>ACM</italic><italic>SIGMOD</italic><italic>Record</italic>, 43, 9-20. https://doi.org/10.1145/2627692.2627694 <pub-id pub-id-type="doi">10.1145/2627692.2627694</pub-id><ext-link ext-link-type="uri" xlink:href="https://doi.org/10.1145/2627692.2627694">https://doi.org/10.1145/2627692.2627694</ext-link></mixed-citation>
          <element-citation publication-type="other">
            <person-group person-group-type="author">
              <string-name>McGregor, A.</string-name>
            </person-group>
            <year>2014</year>
            <article-title>Graph Stream Algorithms: A Survey</article-title>
            <source>ACM SIGMOD Record</source>
            <volume>43</volume>
            <pub-id pub-id-type="doi">10.1145/2627692.2627694</pub-id>
          </element-citation>
        </citation-alternatives>
      </ref>
    </ref-list>
  </back>
</article>