To me, zero-trust is a mashup of the concepts of deny by default, least privilege access, and defense in depth in conjunction with regular verification that your policies (user profile capabilities and group membership, global security settings, access control settings, etc.) are regularly reviewed and verified and not assumed to be correct or still required.
That said, if you are truly implementing a pure zero-trust architecture, you’d leave those profiles with an expiring password and change them regularly. Read More