Default Deny as Ground State, and the Ethics of the Access Request
There is a question that the first four parts of this series have been quietly circling, and it is time to ask it directly.
When we say a Zero Trust system defaults to Deny, are we describing a policy choice — or are we describing something more fundamental?
The answer matters. Because if Default Deny is merely a design decision, then it is one option among many, a parameter that a sufficiently persuasive architect might configure otherwise. But if Default Deny is the system’s natural state — the condition that obtains in the absence of perturbation — then the entire ethics of access changes.
This essay argues the latter. And it argues that this understanding was never absent from the oldest frameworks we have for thinking about consciousness, action, and return.
The Ground State Is Not Hostile
We have built our organizational cultures around a fundamental misreading. We experience the denial of access as resistance — as a system that is, by default, against us. The firewall is an adversary. The MFA prompt is an imposition. The session timeout is a punishment.
But consider what Default Deny actually is, mechanically: it is the state the system occupies when nothing is happening. No tokens issued. No sessions active. No permissions flowing. It is not a locked door. It is an unlocked room in which nothing has yet arrived.
Silence is not the absence of sound. It is the ground from which sound arises and to which it returns. Default Deny is the silence of the system — not hostile, not incomplete, but prior. Prior to the request. Prior to the grant. Prior to the action.
Every access grant is a temporary departure from this ground. Every expiry, every revocation, every session termination is a return — not a loss, but a restoration of the natural state.
When we build systems that resist this return — systems that accumulate standing privileges, that never expire tokens, that allow access to outlive its justification — we are not building more capable systems. We are building systems that have forgotten how to be still.
Spanda: The Sacred Urge
The Kashmiri Shaivite tradition offers us a concept that the IAM industry has, unknowingly, been trying to engineer for decades: Spanda.
Spanda is the primordial pulse — the first vibration by which Shiva, in absolute stillness, moves toward manifestation. It is not a disruption of the ground state. It is the ground state’s own impulse, arising from within, purposive, and carrying within itself the inevitability of return.
The access request is Spanda.
When a principal requests access, something genuine is happening — a perturbation of ground state arising from the need of the present moment. The request carries intent. It carries context. It carries temporal truth. It says: right now, in this instant, this action is required.
This is not a transgression. Perturbation is how reality manifests. Without Spanda, Shiva remains in pure, undifferentiated stillness — and nothing is created. Without access requests, the system is inert. Purposive perturbation is legitimate. It is necessary.
But Spanda has a quality that our legacy access models have never honored: it pulses back. The vibration expands outward into manifestation, and then — inherently, naturally, without external compulsion — it returns to ground. The pulse does not stay at its outermost point. The system breathes.
This is what Just-In-Time access is trying to recover. Not a restriction on the principal’s freedom, but an honest expression of the rhythm that was always present in legitimate action: request, grant, act, release, return.
Vasana: What Privilege Creep Really Is
Patanjali’s Yoga Sutras describe a concept that every security architect should study: Vasana — the latent impressions left by past experience, accumulated over time into patterns of compulsive behavior that the actor is no longer even aware of.
Vasanas are not decisions. They are residues. The person who reaches for a cigarette out of habit is not choosing — they are obeying an impression that has calcified into reflex. The same is true of the organization that has forgotten to deprovision.
Privilege creep is systemic Vasana accumulation.
The engineer who was granted database access for a migration project three years ago still has that access — not because anyone decided it should persist, but because nobody decided it should not. The role that was created for a temporary integration still exists in the directory. The service account with broad permissions continues to authenticate, long after the service it served was decommissioned.
These are not security misconfigurations in any shallow sense. They are the system’s unresolved impressions — access that was once justified by a particular moment of truth, lingering past the dissolution of that truth, binding the system to a past state of reality.
The Zero Trust Invariant established in Part I is precise about this: Trust(t) ⇔ Align(I(t), A(t), T(t)). The T(t) — the system truth — has moved. The access has not. The invariant is broken. But no alert fires, because the system has mistaken Vasana for policy.
Access reviews, then, are not compliance theater. They are Vasana-clearing — a deliberate, periodic examination of what the system is still holding, and whether that holding reflects present truth or merely the residue of past action. They are the system sitting in deliberate stillness and asking: what am I carrying that no longer belongs to this moment?
Pratyahara: The Architecture of Withdrawal
Patanjali’s Ashtanga Yoga describes eight limbs of practice, and the fifth — Pratyahara — is the most architecturally interesting. It is the withdrawal of the senses from external objects back toward the source. Not suppression. Not denial. A deliberate, disciplined return.
The senses do not cease to function in Pratyahara. The ear still hears. The eye still sees. But the attention stops being dragged outward by every stimulus. It learns to rest at the center while remaining capable of full engagement.
Privileged Identity Management is Pratyahara for access systems.
PIM does not eliminate privilege. It withdraws it to its resting state — inactive, unexpressed, available but not standing — and re-activates it only when the present moment of truth justifies deployment. The privilege exists. It simply does not stand. It does not flow outward unless called.
The organization that has implemented mature PIM has taught its systems Pratyahara. Elevated access is available, but it no longer flows automatically. It must be deliberately called forward, justified by context, activated by request, and it returns to ground when the justification expires.
This is not a security control. It is a posture. It is the system learning to rest.
Nishkama Karma: The Ethics of the Mature Operator
Part III introduced the concept that the Zero Trust system’s friction dissolves for the operator who no longer desires to act continuously — who has released the ego of action. But we must be careful here. The conclusion is not passivity. The Gita does not counsel inaction.
What Krishna counsels in the Bhagavad Gita is Nishkama Karma — action without attachment to its fruit. The warrior acts. The archer releases the arrow. The operator provisions the resource. But none of them cling to the outcome, and none of them mistake the temporary holding of access for a permanent right.
The mature operator, in the Zero Trust model, embodies this exactly.
They do not request standing privilege because they fear they might need it later. They request JIT access because the present action is required, and they request precisely what is required. They exercise the access with focus. They do not accumulate more than the action demands. And when the session ends, they do not mourn the revocation, because they were never attached to the access as an extension of themselves.
This is not merely an ethical posture. It is the posture that makes the entire architecture function as designed.
The system was built on the assumption that access is temporary, purposive, and returnable. When the human treats it as permanent, personal, and irreversible, the system bends under the weight of that misalignment. Privilege creep is not a technical failure alone — it is a failure of relationship between the human and the system’s fundamental rhythm.
Nishkama Karma is the human’s half of the contract.
The Formal Extension
Part I gave us the Zero Trust Invariant:
Trust(t) ⇔ Align(I(t), A(t), T(t))
Part V proposes its natural extension — the Perturbation Model that describes the full lifecycle, not just the moment of evaluation:
GroundState(S) = Deny
Perturbation = Request(I, intent, t) ← Spanda
Evaluation = Align(I(t), A(t), T(t)) ← The Invariant
Grant = Temporary departure from GroundState
Action = Purposive exercise of Grant
Return = Expiry | Revocation → GroundState restored
The system is always moving between these states. The Grant is never the destination. It is a phase — a necessary, legitimate, temporary perturbation — between two instances of ground.
A Zero Trust architecture that honors this model does not merely check access at each moment. It understands that access is, by its nature, a deviation from the resting state, and that its design must actively support the return. Not because return is punitive, but because return is natural.
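The Perturbation Model above, as an added example that is not part of the original essay: a small Python model in which Deny is the resting state, a request is granted only when its (principal, resource, intent) triple is in a constructed system truth T(t), and the grant returns to ground by expiry or revocation. Its review() function is the access review described under Vasana: it flags live grants whose justifying truth has moved, and grants issued without an expiry (standing privilege). The class, its method names and the sample values are assumptions, not any product's API.

```python
from dataclasses import dataclass, field
from typing import Optional

GROUND = "DENY"  # GroundState(S): the state when no grant is in force


@dataclass
class Grant:
    principal: str
    resource: str
    intent: str                 # the intent carried by the Request
    issued_at: int
    expires_at: Optional[int]   # None = standing privilege; never returns on its own
    revoked: bool = False


@dataclass
class AccessPlane:
    # T(t): constructed system truth, the (principal, resource, intent) triples justified right now
    truth: set
    grants: dict = field(default_factory=dict)

    def state(self, principal: str, resource: str, now: int) -> str:
        # Ground unless a live Grant exists; expiry or revocation restores ground
        g = self.grants.get((principal, resource))
        if g is None or g.revoked or (g.expires_at is not None and now >= g.expires_at):
            return GROUND
        return "GRANT"

    def request(self, principal: str, resource: str, intent: str, now: int, ttl: Optional[int]) -> bool:
        # Perturbation: Evaluation = Align(I(t), A(t), T(t)); no grant unless the triple is in truth
        if (principal, resource, intent) not in self.truth:
            return False  # evaluation failed, ground state untouched
        expires = None if ttl is None else now + ttl
        self.grants[(principal, resource)] = Grant(principal, resource, intent, now, expires)
        return True

    def act(self, principal: str, resource: str, now: int) -> bool:
        # Action is only the purposive exercise of a live Grant
        return self.state(principal, resource, now) == "GRANT"

    def revoke(self, principal: str, resource: str) -> None:
        # Return by revocation rather than by expiry
        g = self.grants.get((principal, resource))
        if g is not None:
            g.revoked = True

    def review(self, now: int) -> list:
        # Vasana-clearing: live grants whose truth has moved, or that were never bounded by an expiry
        findings = []
        for key, g in self.grants.items():
            if self.state(*key, now) != "GRANT":
                continue  # already returned to ground; nothing is being held
            if (g.principal, g.resource, g.intent) not in self.truth:
                findings.append((key, "truth moved"))
            elif g.expires_at is None:
                findings.append((key, "standing privilege"))
        return findings
```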
The System That Breathes
We began this series with a question about trust — what it is, how it is maintained, why it cannot be assumed to persist. We established that trust is momentary correctness, not lasting belief. We followed that insight through the mechanics of impermanence, the mindfulness of friction, and the relief of surrendering the ego of administration.
What we arrive at, finally, is this:
A mature Zero Trust architecture does not merely defend. It breathes. Access expands from ground when truth justifies it. It contracts back to ground when truth no longer does. The expansion is Spanda — purposive, aligned, temporary. The contraction is Pratyahara — natural, disciplined, restorative. The action taken in between is Nishkama Karma — precise, detached, accountable.
The human who understands this does not fight the system. They move with it. They request what the present moment requires. They act with focus. They release without grief. They rest in Default Deny not as a limitation, but as the ground from which the next legitimate action will arise.
And the system, for its part, does not distrust its users. It simply remembers what they sometimes forget — that stillness was here first. That every grant is a gift from a momentary alignment of truth. That access, to be legitimate, must always know how to end.
This is the Zero Trust Invariant, completed. Not a formula for control — a formula for right relationship between the human and the system. Between the perturbation and the ground. Between the pulse and the silence from which it came.