Zero-trust gets used to sell almost everything. Stripped of marketing, it is three small ideas: never trust a request because of where on the network it comes from, verify identity on every request rather than once at login, and apply the principle of least privilege to every request.
The hardest part isn't the architecture — it's the operational discipline. Identity becomes the new perimeter, and identity systems must be operated with the rigor previously reserved for the network.
Practical starting points: centralize identity, replace long-lived credentials with short-lived ones that are issued automatically, log every access decision (denials included), and express authorization policy as code that is versioned and reviewed. Do those four things and you are most of the way there.
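A compact illustration of those four starting points working together, added here as an example rather than taken from the original text: the policy is a reviewable data structure, credentials that outlive a short window are refused outright, the source IP is recorded but never consulted, and every decision is written to an audit log. The roles, resource names, claim values and the `authorize` function are all made up for the example, and the token's signature is assumed to have been verified before the claims reach this code.

```python
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Policy as code: a plain, reviewable mapping from role -> resource -> allowed
# actions. Roles and resource names are hypothetical.
POLICY = {
    "deploy-bot": {"repo:billing": {"read"}, "cluster:prod": {"deploy"}},
    "analyst": {"db:warehouse": {"read"}},
}

# Anything that outlives this window is a long-lived credential and is refused,
# even if it is otherwise valid and presented from an "internal" address.
MAX_TOKEN_LIFETIME_SECONDS = 3600

AUDIT_LOG = []  # every decision, allow or deny, lands here (ship to a SIEM in practice)


@dataclass
class Request:
    claims: dict     # claims from a token whose signature was verified upstream (assumed)
    resource: str
    action: str
    source_ip: str   # kept for forensics; deliberately not a decision input


def _check_identity(claims: dict, now: float) -> Optional[str]:
    """Return a denial reason if the identity claims are unusable, else None."""
    for key in ("sub", "role", "iat", "exp"):
        if key not in claims:
            return f"missing claim {key}"
    if claims["iat"] > now:
        return "token issued in the future"
    if claims["exp"] <= now:
        return "token expired"
    if claims["exp"] - claims["iat"] > MAX_TOKEN_LIFETIME_SECONDS:
        return "long-lived credential refused"
    return None


def authorize(req: Request, now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide one request: identity first, then least privilege, default deny.

    Evaluated per request against the current clock, so a token that was fine
    ten minutes ago is re-checked now. The source IP is logged but never
    influences the outcome.
    """
    now = time.time() if now is None else now
    reason = _check_identity(req.claims, now)
    if reason is None:
        allowed = POLICY.get(req.claims["role"], {}).get(req.resource, set())
        if req.action in allowed:
            allow, reason = True, "granted by policy"
        else:
            allow, reason = False, "no policy grants this action"
    else:
        allow = False
    AUDIT_LOG.append({
        "ts": now,
        "sub": req.claims.get("sub"),
        "role": req.claims.get("role"),
        "resource": req.resource,
        "action": req.action,
        "source_ip": req.source_ip,
        "allow": allow,
        "reason": reason,
    })
    return allow, reason


NOW = 1_700_000_000  # fixed clock so the run is reproducible

# Constructed sample tokens: one short-lived, one valid for a year.
SHORT_LIVED = {"sub": "ci-runner-7", "role": "deploy-bot", "iat": NOW - 600, "exp": NOW + 300}
LONG_LIVED = {"sub": "legacy-svc", "role": "deploy-bot",
              "iat": NOW - 86400 * 30, "exp": NOW + 86400 * 335}


def demo():
    return [
        authorize(Request(SHORT_LIVED, "cluster:prod", "deploy", "203.0.113.9"), NOW),
        authorize(Request(SHORT_LIVED, "repo:billing", "write", "10.0.0.5"), NOW),
        authorize(Request(LONG_LIVED, "cluster:prod", "deploy", "10.0.0.5"), NOW),
    ]


if __name__ == "__main__":
    for allow, reason in demo():
        print("ALLOW" if allow else "DENY", "-", reason)
    print(f"{len(AUDIT_LOG)} decisions recorded")
```

The first request is allowed from a public address because its identity and scope check out; the second is denied because `write` is not granted, even though the identity is good; the third is denied from an internal address because the credential is long-lived, which is exactly the case a network-perimeter model would have waved through.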