Zero Trust means “zero implied trust of devices and people.”
It is not saying employees shouldn’t be trusted, but certainly insider threats are a huge problem that could start getting worse over the next few years.
The key ideas of Zero Trust involve cryptographic identities of devices AND of people. Services are protected by a system that uses a combination of signals to decide if they’re authorized access AND if they need to reauthenticate to prove they’re still trust worthy.
A known device, and it’s history, is tied to it’s cryptographic identity. Usually this would be stored inside the device’s TPM so it would be very difficult to extract and appear as that device somewhere else.
A person can login from whatever device (in theory) using their cryptographic identity (WebAuthN probably), but a login on a trusted device is obviously more trust worthy.
An example of how zero trust can work: You receive your work laptop which has been setup with a cryptographic identity and added to the inventory of company laptops. Your account on the computer has been setup and you login to the computer. You try to access an internal company service (not via VPN). Because it’s coming from a company laptop the system allows you to try to login.