It's BeyondCorp done at a network layer. You have cryptographic trust that traffic from specific IP ranges are specific people, you get a flat network topology for your infra/team/etc, and it works in the most hostile network environments.

The tailscale team has gone through great lengths to handle a lot of edge cases and hacks in the infrastructure at many corporate networks.