Continuous Verification and Software Supply Chain Security

Written by Fed Gov Today | May 7, 2026 7:40:02 PM

Presented by Forescout & Carahsoft


Olschewske explained that zero trust is evolving from “never trust, always verify” to “never trust, continuously verify.” Organizations must constantly validate both users and devices because risk conditions can change dynamically over time.

He emphasized that users should increasingly be treated like endpoints, with organizations continuously monitoring behavior, access patterns, locations, and anomalies to identify suspicious activity. AI complicates this challenge because attackers can leverage AI-generated identities, synthetic behaviors, and automated tools to mimic legitimate users.

The conversation also highlighted the importance of software bill of materials practices. Olschewske argued that organizations must understand exactly what exists inside the software and firmware they deploy before connecting systems to operational networks. Supply chain validation is now essential because trusted vendors can still inadvertently introduce vulnerabilities or compromised components.

He used physical supply chain analogies to explain that organizations should not inherently trust delivered products without inspection and validation. The same principle applies to software, firmware, and digital infrastructure.

Key Takeaways

  • Zero trust is evolving toward continuous verification of users, devices, and behaviors.
  • AI-enabled threats make identity monitoring and behavioral analysis increasingly important.
  • Organizations must validate software and firmware integrity before deployment.