Majority of engineers bypass security controls to do their job – as zero trust ambitions aren't being met
Legacy VPNs and an overreliance on manual processes are leaving internal systems open to access by former employees


The vast majority of engineers are bypassing security controls just to get their job done – and most even retain access after leaving.
This is according to a new survey commissioned by Tailscale, which found 83% of IT and engineering professionals admitted to actively bypassing security controls in order to get their work done.
Drawn from the responses of 1,000 IT, security, and engineering professionals across North America, the survey also found that 99% of companies want to redesign their access and networking setup from the ground up.
Two-thirds said their organization's IT and security policies actively block or misunderstand their workflows and almost half (49%) said their access infrastructure cannot be scaled.
For example, 68% of organizations are still reliant on manual processes to manage network access, using tools such as static firewalls and permissions based on user IP rather than software-defined access.
The findings made clear that this is not where leaders want to be. Though respondents pointed to zero trust network access (ZTNA) as something they aspire to adopt, just 29% said they use identity-based access as their primary model.
The report underscored the shortcomings of relying on manual systems by revealing as many as 68% of respondents retained access to internal systems after leaving their previous employer.
While just under a third (32%) reported having access revoked immediately, 27% said they still had access for several weeks and 13% for a few months. In a small but not insignificant number of cases (6%), former employees could still access internal systems for a year or more.
The report also highlighted virtual private networks (VPNs) as a particular problem, with companies heavily reliant on them nearly twice as likely to report broken access or security workarounds compared to those using modern tools. Only 10% of respondents said their current VPN setup works well, with no major issues, while 90% reported limitations such as security risks, latency, or operational overhead.
“Security and productivity shouldn’t be at odds,” said Avery Pennarun, CEO at Tailscale.
“When developers, engineers, and IT all say the current system is broken — and worse, start working around it — that’s a sign the tools need to change, not the people. Zero trust can solve this, but only if it’s actually implemented as a strategy, not just used as a buzzword.”
Tailscale said it expects security-minded organizations to retire or phase out their legacy VPNs by the end of 2026, making way for more flexible, composable solutions.
Over the next two years, it said, there will be a big move towards unified, cloud-native secure access platforms, sometimes referred to as universal ZTNA.
"Nearly every organization says they’re on a Zero Trust journey, which is a polite way of saying they aren’t done, and maybe never will be," the researchers said.
Meanwhile, many companies are juggling too many point solutions, with 92% using multiple tools for network security, and nearly a third using four or more.
Nearly half, though, are actively trying to consolidate their toolsets, and early adopters are moving to identity-first architectures and just-in-time access models that offer better security and a smoother user experience.
And at the same time, AI and automation are on the rise, not just for detecting threats, but also adjusting access dynamically in response to context.
But, the report found, 55% of respondents were sceptical or said they didn’t know where to look for better solutions.
"That knowledge gap is one of the biggest barriers to progress," the researchers said. "Education around adaptive access, AI-enhanced threat detection, and modern zero trust architectures will be critical over the next two years."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.