Zero Trust for Carolinas businesses on the Microsoft stack: what AI threats are changing

AI is making phishing, credential theft, and lateral movement faster and harder to detect. Here is what Zero Trust looks like in practice on the Microsoft stack for North and South Carolina businesses in 2026.

By Devsoft Solutions

Zero Trust started as a network security concept: stop assuming that anything inside your perimeter is safe. A decade ago, implementing it meant expensive third-party tooling and a multi-year architecture project most mid-market businesses could not justify. In 2026, the calculus has shifted on both sides of that equation. The threats are worse, and the tools to address them are already inside most Microsoft 365 subscriptions.

We work with businesses across North and South Carolina on Microsoft 365 and Azure security. The Zero Trust conversation is no longer optional for most of them. Here is what is driving that shift, and what Zero Trust actually looks like on the Microsoft stack for a 50 to 500 person Carolina business.

Why AI has made the old perimeter model untenable

The perimeter model assumed attackers would have to do hard things: find a vulnerability, get past the firewall, brute-force a password. AI has made several of those hard things cheap and scalable.

Phishing at scale and at quality. Phishing emails used to be identifiable by tone, grammar, and generic greetings. AI-generated phishing can impersonate the CFO’s writing style, reference last week’s board meeting (scraped from LinkedIn), and target a specific individual with specific context. The volume of high-quality targeted attacks has increased sharply in the last eighteen months. Charlotte financial services firms, Research Triangle biotech companies, and Greenville manufacturers are all seeing this in their security logs.

Credential stuffing, faster. AI accelerates the speed at which stolen credential lists from unrelated breaches get tested against Microsoft 365 and Azure portals. A list of 100,000 stolen username and password combinations from a retail breach gets tested against your tenant in minutes. If your employees reuse passwords, this works.

Social engineering that is harder to detect. AI-generated voice and video can simulate a known contact requesting an urgent funds transfer or credential reset. The executive impersonation attacks that used to require a skilled human actor now run with less skill and at higher volume.

The result is that the old model of “trust everyone inside the network, block everything outside” has collapsed. Remote work finished the network perimeter as a meaningful security boundary. AI finished the belief that a strong password and perimeter firewall constitute adequate security.

Zero Trust replaces the perimeter assumption with a different one: trust nothing by default, verify every access request explicitly, and limit the damage when something does get through.

What Zero Trust means on the Microsoft stack

Zero Trust is a framework, not a product. On the Microsoft stack, it maps to a set of specific controls across identity, devices, and data. Most of these controls are available in Microsoft 365 Business Premium, E3, and E5. The question is whether they are configured.

Identity: Entra ID and Conditional Access

The identity plane is where most Zero Trust implementations start and where the return is highest per hour of work.

Entra ID (formerly Azure Active Directory) is the identity provider for the Microsoft stack. Conditional Access is the policy engine that sits in front of it. Together they enforce the Zero Trust principle of “verify explicitly” at every sign-in.

The baseline configuration:

  • Multifactor authentication for every user on every sign-in, with no exceptions for location or device. Password plus second factor is the floor. Phishing-resistant authentication (FIDO2 keys, certificate-based authentication) is the target for privileged accounts and high-risk roles.
  • Block legacy authentication protocols (IMAP, POP, SMTP AUTH, older Outlook clients) that cannot satisfy MFA. These protocols are the entry point for the majority of credential-based attacks against Microsoft 365 tenants.
  • Entra ID Identity Protection (available in P2 licenses, included in E5 and Business Premium) to score every sign-in for risk using signals such as impossible travel, anonymous IP addresses, atypical locations, and leaked credentials. High-risk sign-ins force a password change and MFA before the session continues.
  • Privileged Identity Management to put admin roles in time-limited elevation rather than permanent assignment. An administrator should not be a Global Admin at 2 AM on a weekend by default.

For Carolinas businesses in regulated industries, Charlotte banking and insurance especially, the Conditional Access audit log becomes a material artifact for regulatory examinations. Every policy decision is logged. Auditors can see what was enforced, when, and for whom.

Devices: Intune and Microsoft Defender for Endpoint

Zero Trust requires knowing the state of the device that is making the access request. An Entra ID sign-in from a corporate-managed, fully patched device is a different risk profile than the same sign-in from an unmanaged personal laptop.

Intune is the device management plane. The Zero Trust configuration:

  • Enroll all corporate devices (Windows, macOS, iOS, Android) in Intune and define a compliance baseline. What constitutes a compliant device: minimum OS version, disk encryption enabled, antivirus up to date, screen lock configured.
  • Use Conditional Access policies that require device compliance for access to sensitive applications. SharePoint, Teams, Exchange, and any line-of-business applications that hold regulated data should require a compliant device.
  • For BYOD scenarios where employees use personal phones for email, use Intune App Protection Policies (MAM without MDM). These enforce encryption and cut-and-paste restrictions at the application level without taking full management of the personal device. This is the right balance for most Carolinas mid-market businesses.
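The identity baseline above and the device-compliance requirement from this list are both Conditional Access policies, so one script covers them. This is an added example, not the article's or Microsoft's own tooling; it assumes the Microsoft Graph PowerShell SDK is installed, that you sign in as a Conditional Access Administrator, and that the break-glass account ID is replaced with your own. Policies are created in report-only mode, matching the "report-only, then enforce" sequencing described later in the article.

```powershell
# Added example: create the Zero Trust Conditional Access baseline in report-only mode.
# Assumes Install-Module Microsoft.Graph has been run. Not the article's own script.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# PLACEHOLDER: object ID of your break-glass account. Excluding it keeps you from
# locking every admin out if a policy misbehaves.
$breakGlass = @("00000000-0000-0000-0000-000000000000")

# Common user scope: everyone except the break-glass account.
$allUsersExceptBreakGlass = @{ includeUsers = @("All"); excludeUsers = $breakGlass }

$policies = @(
    @{
        displayName   = "ZT-01 Block legacy authentication"
        state         = "enabledForReportingButNotEnforced"   # report-only first, enforce later
        conditions    = @{
            users          = $allUsersExceptBreakGlass
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("exchangeActiveSync", "other")  # legacy clients that cannot do MFA
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{
        displayName   = "ZT-02 Require MFA for all users"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = $allUsersExceptBreakGlass
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{
        displayName   = "ZT-03 Require compliant device for Office 365"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = $allUsersExceptBreakGlass
            applications   = @{ includeApplications = @("Office365") }  # Exchange, SharePoint, Teams
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
    }
)

foreach ($p in $policies) {
    # Skip policies that already exist so the script is safe to re-run.
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'"
    if ($existing) { Write-Host "Exists: $($p.displayName)"; continue }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created '$($created.DisplayName)' in state $($created.State)"
}
```

Review the report-only results in the Entra sign-in logs for a week or two before switching each policy's state to "enabled"; ZT-03 will show impact only once devices are enrolled in Intune and a compliance policy is assigned.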

Microsoft Defender for Endpoint (included in Business Premium, E5, and available as an add-on) extends visibility to what is happening on the device itself, not just whether it passed a compliance check at sign-in. It detects malware behavior, lateral movement, and attacker tooling.

For Upstate South Carolina manufacturing firms dealing with OT/IT convergence, the device management boundary is more complex. Production equipment cannot always run Intune. The Zero Trust approach there is network segmentation and tighter controls on the office-side devices that do have access to cloud resources, with monitoring on the network boundary between OT and IT environments.

Data: Microsoft Purview and Information Protection

Verifying identity and device state reduces the risk of unauthorized access. Information protection limits what attackers can do if they get through anyway.

Microsoft Purview (included in E3 and E5, available as an add-on) provides sensitivity labels that travel with documents. A document labeled Confidential, where that label is configured to apply encryption, is encrypted by the label itself. Even if an attacker exfiltrates the file, they cannot open it without a valid Entra ID credential in the tenant.

For Carolinas businesses in healthcare, the sensitivity label approach maps directly to HIPAA obligations around PHI. For defense contractors in the region working toward CMMC Level 2, the same label infrastructure provides part of the documentation trail for controlled unclassified information handling.

The practical starting point is not a comprehensive labeling taxonomy. It is identifying the two or three document types that would cause the most damage if exfiltrated: client contracts, employee PII, financial records, intellectual property. Label those first, enforce the policy for those document types, and expand from there.

The AI-specific additions in 2026

Beyond the foundational Zero Trust controls above, two AI-specific configurations are worth implementing for Carolinas businesses that are deploying Microsoft 365 Copilot.

Oversharing risk from Copilot. Copilot surfaces content from across the Microsoft 365 tenant based on the signed-in user’s permissions. If SharePoint permissions are overly permissive, Copilot will surface content the user technically has access to but was never intended to see. This is not a Copilot bug. It is a permissions problem that Copilot makes visible. Before deploying Copilot broadly, run a SharePoint permissions audit. The Microsoft 365 admin center and Purview data map can identify sites and libraries with overly broad sharing.

Copilot interaction data governance. Microsoft 365 Copilot interaction logs are stored in Exchange Online and surfaced through Purview eDiscovery and Audit. For regulated industries, these logs are subject to the same retention and litigation hold requirements as email. Establish a retention policy for Copilot interaction data before deployment, not after a regulatory inquiry.

A Zero Trust maturity sequence for Carolina businesses

The full Zero Trust architecture is not a single project. It is a sequence of increasing maturity. A practical sequence for a 100-person Carolinas business:

Phase one (weeks one through four): Identity baseline. MFA for all users. Block legacy auth. Break-glass accounts. Conditional Access report-only mode, then enforce. This stops the majority of credential-based attacks.

Phase two (months two and three): Device management. Enroll corporate devices in Intune. Define compliance policies. Require compliant device for high-risk application access. Defender for Endpoint on managed devices.

Phase three (months three through six): Data governance. Sensitivity labels for the highest-risk document categories. SharePoint permissions audit. Retention policies aligned to compliance requirements. Purview audit log review cadence established.

Phase four (ongoing): Threat monitoring. Microsoft Sentinel or Defender XDR for correlation across logs. Incident response runbooks. Quarterly review of Conditional Access policy effectiveness.

Each phase has measurable security outcomes. Each phase is also a legitimate stopping point if budget or internal capacity requires it. Phase one alone, done well, eliminates the most common attack vectors we see compromising Carolinas Microsoft 365 tenants.

What Zero Trust does not solve

A few things worth naming:

Zero Trust does not replace security awareness training. A well-configured Conditional Access policy still allows a user who has authenticated to click a malicious link or approve a fraudulent payment. Human judgment remains in the chain.

Zero Trust does not fix application vulnerabilities. If a line-of-business web application has SQL injection vulnerabilities, Zero Trust controls at the identity and device layer do not protect the application’s data.

Zero Trust does not eliminate the need for backup and recovery. Ransomware that runs under a legitimately authenticated user session is not stopped by identity controls. Immutable backup, tested recovery, and incident response planning are separate requirements.

What Zero Trust does: it dramatically reduces the attack surface available to an adversary who has stolen a credential or compromised a device. In the AI-accelerated threat environment of 2026, reducing that attack surface is not a best practice. It is the baseline.

Devsoft Solutions works with businesses across North and South Carolina on Microsoft 365 security, Entra ID configuration, and Zero Trust implementation. If you are evaluating your current security posture or building a Zero Trust roadmap, get in touch.