"Zero trust" is the most over-used phrase in enterprise security, but underneath the slogan is a real architectural question that vendors answer differently: where, physically, does the access decision get made? Three grants issued within about six months of each other let you read that disagreement directly off the claims, which is the kind of pattern this column exists to surface.
Zscaler, whose entire business is cloud-delivered security, stakes the cloud answer. US12381916B2, "Zero trust policy engine for controlling access to network applications" (issued August 2025, H04L 63/20), claims a policy engine that sits between users and applications and evaluates every request. The decision lives in the cloud service. That is exactly what you would predict from Zscaler's architecture — and the patent confirms the strategy rather than merely describing a feature.
Sophos answers differently, and the difference is the story. US12549523B2, "Hybrid appliance for zero trust network access to customer applications" (issued February 2026), claims a hybrid appliance — an enforcement point that bridges customer premises and cloud. Sophos's broader portfolio in this space is deep; related grants like US12413558B2 (cloud-based ZTNA, 2025) and US12153948B2 (distributed ZTNA, 2024) cluster around the same theme. A cluster of filings from one assignee in one subclass is the textbook portfolio signal that a vendor is investing seriously, not dabbling.
Capital One — not a security vendor but a bank — stakes the third position, and it is the most telling. US12556537B2, "Zero trust authentication and authorization system" (issued February 2026), places the enforcement inside the enterprise's own identity and authorization stack. That a financial institution is filing its own zero-trust enforcement patents, rather than only buying a vendor's, says something about how large regulated enterprises now treat access control as core IP worth owning.
Put the three together and the portfolio reading is clear: there is no single agreed enforcement point for zero trust. The cloud-security vendor puts it in the cloud; the endpoint-and-network vendor puts it in a hybrid appliance; the enterprise puts it in its own identity system. One distinction worth keeping in mind when reading claims of this kind: NIST SP 800-207 separates the policy decision point, which computes the verdict, from the policy enforcement point, which applies it, and a claim can place one without saying where the other sits. An appliance on the customer's premises can be the enforcement point while the decision is still computed elsewhere, so it is the claim language, not the product positioning, that tells you where the decision actually lives. All three are classified under or near H04L 63/20, the security-policy subclass, and all three are 2024-2026 grants; the recency tells you this architectural competition is live right now.
The strategic caveat this desk always attaches: a patent shows where a company is investing and what it wants to protect; it does not prove market success or that the claimed architecture is the best one. But filing velocity and placement are real signals, and three differently placed enforcement points from three different kinds of player make a genuine snapshot of an unsettled architecture.