A security control used to ensure that your vendor’s access to privileged networks and sensitive information is limited to the minimum requirements needed to perform normal operations. A contract may not mention a zero-trust model by name; however, it must have information regarding the vendor’s security controls and how they effectively protect your information.