

Continuous Adaptive Risk and Trust Assessment (CARTA)

Gartner is a leading IT research and consulting firm based in Stamford, CT.

In 2017, building on their Adaptive Security Architecture, Gartner introduced their Continuous Adaptive Risk and Trust Assessment (CARTA) security model.

CARTA was positioned as an alternative to Zero Trust - that is, Forrester's Zero Trust.

According to Gartner, the flaw in the Forrester model is that there is only a one-time allow/deny gate for user authentication. This contrasts with the continuous assessment emphasized in the Gartner model.

Some analysts do see CARTA as building upon and extending Forrester's Zero Trust model. Others believe the frameworks are remarkably similar.

The CARTA model has 7 imperatives:

  • Replace one-time security gates with context-aware, adaptive and programmable security platforms

  • Continuously discover, monitor, assess and prioritize risk - proactively and reactively

  • Perform risk and trust assessments early in digital business initiatives

  • Instrument infrastructure for comprehensive, full-stack risk visibility, including sensitive data handling

  • Use analytics, AI, automation, and orchestration to speed the time to detect and respond and to scale

  • Architect security as an integrated, adaptive programmable system, not silos

  • Put continuous data-driven risk decision making and risk ownerships into BUs and product owners
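
The contrast between a one-time allow/deny gate and continuous assessment (the first imperative above) can be shown in a short sketch. This is an added example, not Gartner's or any product's code; the signal names, weights, thresholds and the sample session are assumptions made up for illustration.

```python
from dataclasses import dataclass

# Hypothetical signal weights and thresholds, chosen for illustration only.
WEIGHTS = {"new_device": 30, "geo_changed": 25,
           "sensitive_resource": 20, "bulk_download": 35}
STEP_UP_AT, DENY_AT = 35, 70

@dataclass
class Event:
    action: str
    signals: frozenset  # context observed together with this request

def one_time_gate(authenticated, events):
    """Decide once at login; every later request inherits that verdict."""
    verdict = "allow" if authenticated else "deny"
    return [verdict for _ in events]

def risk_score(signals, previous):
    """Current signal weight plus half the previous score, so risk decays
    over quiet requests instead of resetting to zero."""
    return sum(WEIGHTS.get(s, 0) for s in signals) + previous // 2

def continuous_assessment(authenticated, events):
    """Re-evaluate risk on every request and adapt the response."""
    decisions, score = [], 0
    for ev in events:
        if not authenticated:
            decisions.append("deny")
            continue
        score = risk_score(ev.signals, score)
        if score >= DENY_AT:
            decisions.append("deny")
        elif score >= STEP_UP_AT:
            decisions.append("step_up")  # e.g. require re-authentication
        else:
            decisions.append("allow")
    return decisions

# Constructed sample session: one authenticated user whose context drifts.
SESSION = [
    Event("login", frozenset()),
    Event("read_wiki", frozenset()),
    Event("open_payroll", frozenset({"sensitive_resource", "geo_changed"})),
    Event("export_all", frozenset({"sensitive_resource", "bulk_download"})),
    Event("read_wiki", frozenset()),
]

if __name__ == "__main__":
    gate = one_time_gate(True, SESSION)
    cont = continuous_assessment(True, SESSION)
    for ev, a, b in zip(SESSION, gate, cont):
        print(f"{ev.action:14} gate={a:6} continuous={b}")
```

The one-time gate allows all five requests, while the continuous evaluator steps up on the payroll access, denies the bulk export, and keeps the session at step-up afterwards because residual risk has not yet decayed.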