Design a Zero Trust implementation roadmap for a large financial institution that currently relies on a perimeter-based VPN model. The plan must be phased over 18 months. Address the following critical components: 1) Identity and Access Management (IAM) migration towards phishing-resistant MFA (FIDO2). 2) Micro-segmentation strategy for lateral movement prevention in a hybrid cloud environment. 3) Continuous monitoring and verification algorithms for trust scoring. 4) Policy enforcement points (PEP) placement. Discuss how to handle legacy applications that cannot support modern authentication headers.