The perimeter has been declared dead approximately every two years for the last decade and a half. Forrester announced its demise in 2010. Google formalized the alternative as BeyondCorp in 2014. Gartner branded it Zero Trust. Every major security vendor has had a "the perimeter is dead" keynote at some point. The slideware has been consistent.
The actual operational reality has been less consistent. Most enterprises have continued to operate, in practice, as if the perimeter still exists. Firewalls remain the largest line item in many security budgets. Network segmentation is mostly aspirational. Identity-based access controls are layered on top of older network-based assumptions, with the network assumptions still doing most of the actual work. The perimeter was declared dead and then quietly kept on life support because abandoning it required architectural commitments most enterprises were not ready to make.
The bluff is now structurally impossible.
When every endpoint, every dependency, every cloud API, every third-party integration can be probed for zero-days at machine speed, "the perimeter holds" stops being a defensible operational assumption. The probability that something inside your environment is currently compromised, or has been compromised at some point in the recent past without your knowledge, approaches one. Not as a metaphor. As a working assumption that has to inform the architecture.
The only coherent posture is to assume continuous compromise. Not "assume occasional breach"; that was the framing that justified the perimeter staying alive in modified form. Continuous, ongoing, presumed compromise of some unknown subset of your environment at all times. The architectural implications are different from the implications of "assume occasional breach," and the difference matters.
Identity becomes the perimeter, in the strong sense rather than the slideware sense. Every access request gets evaluated on its own merits, not on the basis of which network the request originated from. The security model treats every identity as potentially compromised and every action as requiring justification. This is genuinely different from "we have SSO and MFA"; it requires re-architecting how access decisions get made, often invasively, often expensively.
Behavior becomes the perimeter. The old detection model assumed you knew what malicious behavior looked like and could write rules to spot it. The new detection model has to assume you don't necessarily know, that AI-enabled attackers will exhibit behaviors you have not seen before, and has to detect on anomaly rather than signature. This requires baselines that go back years rather than weeks, comprehensive cross-domain telemetry, and the ability to reason about behavior at the entity level rather than at the event level.
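To make the entity-level versus event-level distinction concrete, here is an added sketch (not from the original post) that scores each entity's whole window of activity against its own history. The event tuples, entity names, and thresholds are constructed assumptions, and the 30-day history stands in for the much longer baseline the text calls for.

```python
import math
from collections import Counter, defaultdict

# Constructed sample telemetry: (day, entity, action, resource). Not real logs.
HISTORY = (
    [(d, "svc-build", "read", "repo/app") for d in range(30) for _ in range(20)]
    + [(d, "svc-build", "write", "artifacts/app") for d in range(30) for _ in range(5)]
    + [(d, "alice", "read", "wiki") for d in range(30) for _ in range(8 + d % 3)]
    + [(d, "alice", "read", "repo/app") for d in range(30) for _ in range(4)]
)
TODAY = (
    [(30, "svc-build", "read", "repo/app")] * 20
    + [(30, "svc-build", "write", "artifacts/app")] * 5
    + [(30, "alice", "read", "wiki")] * 9
    + [(30, "alice", "read", "repo/app")] * 4
    # Every read below is an ordinary, permitted action; no per-event rule fires.
    + [(30, "alice", "read", f"repo/svc{i}") for i in range(40)]
)

def build_baselines(events):
    """Per-entity baseline: (action, resource) pairs seen, plus daily volume stats."""
    seen, daily = defaultdict(set), defaultdict(Counter)
    for day, entity, action, resource in events:
        seen[entity].add((action, resource))
        daily[entity][day] += 1
    base = {}
    for entity, counts in daily.items():
        vals = list(counts.values())
        mean = sum(vals) / len(vals)
        std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
        # Floor std at 1.0 so perfectly regular entities do not divide by zero.
        base[entity] = {"seen": seen[entity], "mean": mean, "std": max(std, 1.0)}
    return base

def score_entities(baselines, window, novel_max=0.5, z_max=3.0):
    """Score each entity's aggregate behavior; thresholds are illustrative."""
    by_entity = defaultdict(list)
    for _, entity, action, resource in window:
        by_entity[entity].append((action, resource))
    scores = {}
    for entity, acts in by_entity.items():
        b = baselines.get(entity)
        if b is None:  # an entity with no history is itself an anomaly
            scores[entity] = {"novel": 1.0, "z": math.inf, "anomalous": True}
            continue
        distinct = set(acts)
        novel = len(distinct - b["seen"]) / len(distinct)
        z = (len(acts) - b["mean"]) / b["std"]
        scores[entity] = {"novel": novel, "z": z,
                          "anomalous": novel > novel_max or z > z_max}
    return scores
```

Calling `score_entities(build_baselines(HISTORY), TODAY)` flags `alice` on both novelty and volume while `svc-build` stays quiet, even though no single event in the window would match a signature.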
Comprehensive telemetry becomes the new must-have rather than the nice-to-have. If you cannot reconstruct what happened in your environment over the last 18 months in detail, you cannot answer the questions that matter when something does go wrong. Sampled telemetry, dropped fields, cold-tiered data: all of these become operational liabilities under continuous-compromise assumptions.
Recovery time becomes a more important metric than prevention rate. If compromise is continuous and inevitable, the question is not "how often do we get breached" but "how quickly can we contain and recover." Backup integrity, immutable infrastructure, well-rehearsed recovery procedures, blast radius limits: these stop being secondary considerations and become the primary security investments.
Everything else (the firewall renewal, the next-gen anti-virus upgrade, the additional perimeter monitoring layer) is theater. Not useless theater, necessarily. Some of these controls still have value at the margin. But they are not the primary defense, and treating them as the primary defense gets you the operational posture that has been quietly inadequate for years and will be obviously inadequate by 2027.
The honest reckoning for security leaders: most of the perimeter spend in your current budget would be better redirected. Not because perimeter controls are worthless, but because the marginal dollar spent on perimeter is producing much less security than the marginal dollar spent on identity, telemetry, segmentation, and recovery would produce in the AI vulnerability era.
This is a politically uncomfortable conversation because it implies admitting that significant prior security investments are now misallocated. CISOs who have built their tenure around the legacy perimeter stack will resist the framing. Boards who approved the perimeter spend will not be excited about being told the spend was wrong. Both reactions are predictable. Neither is a reason to keep funding theater while the actual defense gets neglected.
The perimeter has been dead in theory since 2010. It just became dead in practice.
Read the deep dive: AI-Native Incident Response Needs Full-Fidelity History, the architectural anchor for what replaces the perimeter, including the substrate requirements for identity-based and behavior-based defense.