A question to my colleagues who are Zero Trust experts: are there standards that have emerged to help guide Zero Trust deployments to implement consistent architecture choices or designs that meet specific levels of risk mitigation? 

For example, I was recently asked what set of controls should a company, which is looking to embrace Zero Trust architecture and solution frameworks, seek to achieve when it comes to specifically securing highly sensitive data-in-transit communications? I provided a list that complements the typical Zero Trust user authentication/authorization, but was thinking that there should already some generally accepted standard or best-practices defined for different tiers of desired risk mitigation. 

Given the open flexibility of Zero Trust implementations, it makes sense that some standardized criteria would eventually emerge to help with design, investment, and risk mitigation decisions. But I haven't seen any such standards. Anyone know of any? Or perhaps we have not yet reached that level of maturity?

Any insights would be appreciated.