Security teams would create rules that attempted to predict how an employee would use a particular system, how the data they manipulated should flow, and how systems and applications should act. As systems became more complex and the number of applications and amount of data grew, it became an exercise in futility. Today, there are infinite combinations of potential scenarios that must be accounted for. It's just too complicated to predict every possible combination for rules to function effectively. The sheer volume of alerts the rules generate and the errors they produce overwhelm security analysts and IT managers.
Source: https://threatpost.com/rules-based-policy-zero-trust/146301/