Zero trust has a dirty operational secret: the policies are brutal to write. “Least privilege” sounds clean, but specifying exactly which users and services should reach which of thousands of applications, and keeping it current, is a labor problem that defeats most deployments. Many zero-trust projects stall not on technology but on policy authoring.
Zscaler, Inc.'s US12348525B2, “Generating zero-trust policy for application access using machine learning” (issued July 1, 2025; CPC H04L 63/104 — network access control by group/role, and H04L 63/20 — security policy), describes using machine learning to generate the access policy itself. Read it at US12348525B2.
Mechanically, the system observes actual access behavior — who legitimately reaches what — and uses machine learning to propose the least-privilege rules that fit, rather than waiting for an administrator to write them from scratch. The CPC tag H04L 63/104, access control by role or group, is the target: turning observed patterns into role-shaped policy that a human can review and approve instead of author.
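As an added illustration (not code from the patent or from Zscaler), here is the role-mining step in miniature: a per-group coverage threshold stands in for the patent's ML model, and the access log, group names and threshold are constructed for the example. The point it shows is that the proposed policy comes out alongside a review queue of the observed accesses it would cut off, so an administrator approves rather than authors.

```python
"""Role-shaped least-privilege policy mined from observed access.

Added illustration, not Zscaler's method or the patent's claims: a simple
per-group coverage threshold replaces the patent's ML model. Input is a
constructed log of (user, group, application) access events.
"""
from collections import defaultdict

# Constructed sample access log: (user, group, application)
ACCESS_LOG = [
    ("alice", "finance", "erp"), ("alice", "finance", "payroll"),
    ("bob", "finance", "erp"), ("bob", "finance", "payroll"),
    ("carol", "finance", "erp"), ("carol", "finance", "wiki"),
    ("dave", "eng", "gitlab"), ("dave", "eng", "ci"),
    ("erin", "eng", "gitlab"), ("erin", "eng", "ci"),
    ("erin", "eng", "payroll"),  # one-off access outside the role's pattern
]


def mine_policy(log, min_coverage=0.6):
    """Propose allow rules: group -> apps reached by >= min_coverage of its users."""
    members = defaultdict(set)                      # group -> users seen
    reach = defaultdict(lambda: defaultdict(set))   # group -> app -> users
    for user, group, app in log:
        members[group].add(user)
        reach[group][app].add(user)
    policy = {}
    for group, apps in reach.items():
        allowed = {app for app, users in apps.items()
                   if len(users) / len(members[group]) >= min_coverage}
        policy[group] = sorted(allowed)
    return policy


def review_queue(log, policy):
    """Observed accesses the proposed policy would block; a human decides these."""
    return sorted({(user, group, app) for user, group, app in log
                   if app not in policy.get(group, [])})


if __name__ == "__main__":
    proposed = mine_policy(ACCESS_LOG)
    print("proposed policy:", proposed)
    print("needs review:", review_queue(ACCESS_LOG, proposed))
```

Lowering `min_coverage` widens the proposed roles and shrinks the review queue; raising it does the reverse, which is the least-privilege trade-off the administrator is left to judge.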
Why this is a business story: time-to-value is the metric that wins zero-trust deals, and policy authoring is the single biggest drag on it. A vendor that can generate good policy automatically shortens the path from purchase to enforcement — which directly improves the deployment and expansion economics investors watch. The long inventor list, including senior Zscaler technical leadership, signals how strategic the company considers automated policy. It is also the bridge from selling connectivity to selling autonomous security operations.
The grounded read: ML-generated zero-trust policy removes the biggest operational drag on zero trust — hand-authoring least-privilege rules — by learning them from behavior. Zscaler's 2025 grant names that capability, a time-to-value lever in the contested zero-trust market.