> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cast.digitalfinancehq.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Zero-trust operations

> Trust is not a control.

Network security abandoned the trusted perimeter a decade ago. Every request is authenticated, every action is verified, nothing is trusted by virtue of its location. Commercial payments never made that shift. CAST is zero-trust architecture applied to the movement of value.

## The implicit-trust perimeter still exists in finance

Most payment controls assume that an instruction originating *inside* the organization — from a known email, an approved user, a familiar vendor record — is trustworthy. That is the perimeter model. Business Email Compromise is simply an attacker crossing the perimeter once and inheriting all the trust inside it.

<Note>
  Never trust, always verify — extended from packets to payments. No covered payment is trusted because of who submitted it. It is trusted only after the counterparty independently co-authors the terms through a cryptographically bound channel.
</Note>

## Three zero-trust properties CAST inherits

<CardGroup cols={2}>
  <Card title="Identity-bound action" icon="fingerprint">
    WebAuthn ties each confirmation to a hardware-backed key — not a password, not an inbox an attacker can capture.
  </Card>

  <Card title="Least-privilege verification" icon="eye-slash">
    The vendor sees only their own confirmation record. Buyer GL codes, budgets, and other vendors are never exposed across the counterparty surface.
  </Card>

  <Card title="Continuous validation" icon="rotate">
    A bank-account change re-triggers the gate. Trust is not granted once and inherited forever — it is re-established at every covered event.
  </Card>

  <Card title="Separation of decision and execution" icon="code-branch">
    The actor that proposes a payment is never the sole authority that releases it.
  </Card>
</CardGroup>

## What the gap costs

Business Email Compromise alone accounts for roughly **\$2.9 billion** in annual U.S. losses. The attack works by inserting a fraudulent instruction into a process that was never designed to verify the other party before payment. Zero-trust closes that exact gap: the bilateral confirmation is the verification step the payment perimeter never had.
