A zero-trust patent is a patent or published application directed to a mechanism that enforces zero-trust security. Zero trust is not a product and not a single technology; it is an architectural principle, and the authoritative definition comes from the National Institute of Standards and Technology. Because the principle is public and conceptual, a zero-trust patent cannot claim "zero trust" itself. What it claims is a concrete enforcement mechanism — a policy engine that decides each access, a broker that mediates every connection, a system that re-authenticates continuously, or an access-control architecture that evaluates each request against policy rather than trusting a device because of where it sits on the network. To understand what a zero-trust patent covers, you start from the architecture NIST defines and then read the claim to find which piece of it the patent implements.
NIST's Special Publication 800-207, "Zero Trust Architecture," is the reference definition the industry and the U.S. government build on. It states the core premise plainly.
Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. ... Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location ... or based on asset ownership ... Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.
— NIST SP 800-207, Zero Trust Architecture
Two ideas in that definition do the work that zero-trust patents implement. The first is "no implicit trust ... based solely on ... physical or network location" — the rejection of the old perimeter model in which being inside the corporate network conferred trust. The second is that "authentication and authorization ... are discrete functions performed before a session ... is established" — every access is evaluated, every time, against policy. SP 800-207 also describes the logical components that carry this out: a policy decision point (a policy engine plus a policy administrator) that decides whether to grant access, and a policy enforcement point that actually opens or closes the connection. Most zero-trust patents claim some realization of these components — how the decision is made, what signals feed it, how the enforcement point brokers the connection — because that machinery is where the inventive engineering sits.
What a real zero-trust patent claims
The granted patent US10728252B2, "Client application based access control in cloud security systems for mobile devices," assigned to Zscaler, Inc., with a January 29, 2016 priority date and a July 28, 2020 grant, is a clear example of zero-trust enforcement reduced to specific claim limitations. Independent claim 1 is directed to "A cloud-based security system for controlling access to network resources, the cloud-based security system comprising: a plurality of processing nodes ... and one or more authority nodes ... configured to store policy data regarding security policies of the enterprise network ... and to distribute the policy data to each of the plurality of processing nodes; wherein a first processing node ... is configured to control communication between the user device and the enterprise network, wherein the first processing node is configured to authenticate the user and provide the user device of the authenticated user access to the enterprise network; wherein the first processing node is further configured to receive an access request performed by an application on the user device of the authenticated user ... [and] to evaluate the access request to identify the application that performed the access request." Map that onto SP 800-207 and the correspondence is direct: the authority nodes holding and distributing policy data are the policy-administration layer; the processing node that authenticates the user and evaluates each access request before granting access to a resource is the policy decision and enforcement point. The claim even narrows the evaluation to the specific application making the request — application-level, not just device-level, access control.
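The following is an added illustration of the machinery both passages above describe, the SP 800-207 components (policy administrator, policy engine, policy enforcement point) and the claim's arrangement of authority nodes that distribute policy to a processing node that authenticates the user and evaluates each application's access request. It is not code from NIST, Zscaler or the patent; the class names, the session tokens, the device inventory and the policies are all constructed for the example. The point it makes that the prose cannot show is the decision loop itself: network location is carried only for audit, every request is re-evaluated against the current policy, and the requesting application is checked separately from the user.

```python
"""Toy SP 800-207 decision/enforcement loop (added example, not NIST's or Zscaler's code).
All identities, devices, tokens and policies below are constructed for illustration."""

from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for an identity provider and a device inventory.
SESSION_TOKENS = {"tok-alice-1": "alice", "tok-bob-7": "bob"}
MANAGED_DEVICES = {"dev-laptop-01": True, "dev-byod-99": False}


@dataclass(frozen=True)
class Policy:
    resource: str
    allowed_users: frozenset
    allowed_apps: frozenset        # application-level limitation, as in claim 1
    managed_device_only: bool = True


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    app: str                       # client application that performed the request
    resource: str
    source_ip: str                 # kept for audit; never consulted for trust
    session_token: Optional[str]   # None means no authenticated session


class PolicyAdministrator:
    """Authority node: stores policy data and distributes it to every processing node."""

    def __init__(self):
        self._policies = {}
        self._nodes = []

    def register(self, node):
        self._nodes.append(node)
        node.load(dict(self._policies))

    def publish(self, policy):
        self._policies[policy.resource] = policy
        for node in self._nodes:
            node.load(dict(self._policies))


class ProcessingNode:
    """Policy engine plus enforcement point: authenticates and decides on each request."""

    def __init__(self):
        self._policies = {}

    def load(self, policies):
        self._policies = policies

    def decide(self, req):
        """Return (allowed, reason). Default deny; every check runs on every call."""
        # 1. Authenticate the subject. A 10.0.0.0/8 source address is not a credential.
        user = SESSION_TOKENS.get(req.session_token or "")
        if user is None or user != req.user:
            return False, "unauthenticated subject"
        # 2. Look up policy for the resource; no policy means no access.
        policy = self._policies.get(req.resource)
        if policy is None:
            return False, "no policy for resource"
        # 3. Device posture is an explicit signal, not inferred from location.
        if policy.managed_device_only and not MANAGED_DEVICES.get(req.device_id, False):
            return False, "unmanaged device"
        # 4. Subject authorization.
        if user not in policy.allowed_users:
            return False, "user not authorized"
        # 5. Identify the requesting application and authorize it separately.
        if req.app not in policy.allowed_apps:
            return False, f"application {req.app} not permitted"
        return True, "allowed"


def demo():
    """Run a handful of constructed requests and return {name: allowed}."""
    pa = PolicyAdministrator()
    pep = ProcessingNode()
    pa.register(pep)
    pa.publish(Policy("crm", frozenset({"alice"}), frozenset({"crm-mobile"})))

    inside_no_auth = AccessRequest("alice", "dev-laptop-01", "crm-mobile", "crm", "10.0.0.5", None)
    outside_good = AccessRequest("alice", "dev-laptop-01", "crm-mobile", "crm", "203.0.113.9", "tok-alice-1")
    wrong_app = AccessRequest("alice", "dev-laptop-01", "browser", "crm", "203.0.113.9", "tok-alice-1")
    byod = AccessRequest("alice", "dev-byod-99", "crm-mobile", "crm", "10.0.0.5", "tok-alice-1")

    results = {
        "inside_no_auth": pep.decide(inside_no_auth)[0],
        "outside_good": pep.decide(outside_good)[0],
        "wrong_app": pep.decide(wrong_app)[0],
        "byod": pep.decide(byod)[0],
    }
    # The authority node changes policy; the next request on the same session is re-evaluated.
    pa.publish(Policy("crm", frozenset({"alice"}), frozenset({"crm-desktop"})))
    results["after_policy_change"] = pep.decide(outside_good)[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'}")
```

Reading the five results against the claim language: the request from an internal address with no session is denied, the request from the internet with a valid session, a managed device and a permitted application is allowed, and changing which application is permitted at the authority node changes the next decision at the processing node without any change to the user's session. That is the application-level limitation of claim 1 and the "no implicit trust from location" premise of SP 800-207, as executable logic rather than as claim prose.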
The CPC placement reflects what the claim does. US10728252B2 is classified under H04L 63/02, "Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls," with H04L 63/0272 ("Virtual private networks") and H04L 63/20 ("managing network security; network security policies in general") — the H04L 63 family for network-security architectures, distinct from the H04L 9 cryptography group. That is consistent with the subject matter: this is a patent about the architecture and policy machinery that decides and enforces access, not about a cryptographic primitive. Zero-trust enforcement patents commonly sit in H04L 63 for this reason, while the authentication primitives they rely on may sit in G06F 21 or H04L 9.
The reading discipline for any "zero-trust patent" claim is therefore consistent. The architecture is a public NIST concept, so the patent is claiming a mechanism that realizes it: identify the policy decision point, the policy enforcement point, and the signals that drive the access decision, and check the independent claim to see which of those the patent actually covers and how narrowly. Note whether the record is a granted patent or a pending application, and note the priority date, since the zero-trust patent landscape spans filings from before the term was common to filings made after SP 800-207 fixed the vocabulary in 2020. The concept is shared and defined by NIST; what a given patent owns is the specific enforcement machinery its claims recite.