Zscaler announced a major expansion of its zero-trust SASE platform at Zenith Live 2026 in Las Vegas, adding AI-driven management and extending protection across unmanaged devices, business partners and multicloud workloads.
Basically, Zscaler is taking SASE out of the "remote access and branch security" box and aiming it at the actual enterprise mess: users, partners, BYOD, cloud workloads, Kubernetes, encrypted traffic, AI-driven phishing and whatever else crawled out of the architecture basement this week.
The ZAgent Framework
At the center of the update is the ZAgent Framework, an agentic AI framework that lets administrators manage configurations, troubleshooting and policies using natural-language prompts.
That matters because security teams are tired of living inside 14 different consoles like raccoons trapped in a Best Buy. The goal is to let admins ask for what they need, have the platform orchestrate the right agents, and reduce the manual stitching that normally turns operations into a group project nobody volunteered for.
One of those agents is the new Zscaler Digital Experience agent, designed to diagnose and remediate end-user issues. It helps identify whether a user problem is coming from the endpoint, Wi-Fi, internet service provider or something else in the path.
Which is huge, because every user experience issue eventually becomes "the security tool broke it," even when the real culprit is hotel Wi-Fi held together by drywall dust and sadness.
Unmanaged Devices and BYOD
Zscaler is also expanding protection for unmanaged devices with a zero-trust browser extension and a Chromium-based enterprise browser. These tools are designed to give organizations secure access controls for BYOD and unmanaged endpoints without falling back on the old security comfort food: VPNs and VDI.
And let's be honest. VPN and VDI have had a good run.
But at this point, dragging every unmanaged device through legacy remote access architecture feels like using a leaf blower to perform heart surgery. Technically there is air movement. That does not make it a plan.
Partner Access
The company also introduced zero-trust business-to-business connectivity for secure partner access. This is aimed at replacing the usual partner-access disaster: site-to-site VPNs, firewall rules, shared network exposure and a spreadsheet named "PartnerAccess_Final_FINAL2.xlsx" that everyone is afraid to open.
Cloud and Kubernetes
On the cloud side, Zscaler announced a Zero Trust Gateway for Google Cloud, expanding its ability to apply policy controls across multicloud environments. The company is also adding microsegmentation for Kubernetes, helping limit lateral movement across containers and workloads without requiring code changes.
That last piece is important. Because lateral movement in cloud and Kubernetes environments is where bad days become board slides.
The ThreatLabz Report
Meanwhile, Zscaler's ThreatLabz report added a nice little horror movie subplot. Phishing volume dropped 20%, but attack sophistication increased. Generative AI is being used to create highly convincing phishing sites, which means the "Dear customer kindly validate your password" era is giving way to phishing campaigns that look like they were produced by a marketing agency with a felony record.
The report also found that 95.2% of phishing attempts now occur within encrypted traffic.
That is the punchline nobody likes: attackers are not hiding in the dark anymore. They are walking through the front door using TLS and a clean-looking domain, wearing a lanyard like they belong there.
ThreatLabz also noted that attackers are actively probing enterprise identity and collaboration platforms. That should surprise exactly no one. Identity is the new perimeter, collaboration tools are where business happens, and attackers go where the data, access and trust already live.
Bottom Line
SASE is no longer just about connecting remote employees securely. That was the opening act. The next version has to secure unmanaged devices, third-party access, cloud workloads, Kubernetes, encrypted traffic, AI-assisted attacks and increasingly fragmented enterprise environments.
Legacy network security was built for a cleaner world.
That world is dead.
Zscaler is expanding zero-trust SASE for the one we actually have: distributed, encrypted, multicloud, AI-accelerated and held together by identity, policy and a terrifying amount of browser tabs.