What is the core principle of zero trust in DSAC Annex F?

Zero trust begins with the idea that nothing should be trusted by default, inside or outside the network. Access is granted only after thorough verification of identity, device health, and context, and this verification happens for every access attempt. That makes “trust no one by default” the best way to express the overall principle, because it captures the default posture that drives the entire approach: you don’t assume anyone or any device is trustworthy simply for being on the network. Verification and authorization are continuous and context-driven, rather than relying on a fixed perimeter or assuming internal entities are safe. The other options imply relying on a boundary or trusting internal networks, which runs opposite to zero trust.