"There are many trust models to choose from with GPG"
And all of them imply you trust them - aka some kind of "authority" which is trusted by default, or because you choose to trust it - where's the difference from a CA?
Good, inside your company, but outside of it? If you have to communicate, say, place an order with a company for the first time? Do you go through "old school notarised documents on paper" to ensure their website is actually theirs? Or when you book a room in an hotel in a city you never been before?
All the authentication model work or on mutual trust, on relying on a third party "authority" trusted by both parties.