
Agentic zero trust

An access model that applies zero trust principles to AI agents by requiring verified identity, explicit scope, and ongoing validation of behaviour. It treats the agent as a governed actor whose actions must remain bounded across tools, services, and environments.

Expanded Definition

Agentic zero trust applies zero trust principles to autonomous software entities that can request data, invoke tools, and execute actions. The core idea is not to trust the agent because it is “internal” or “approved,” but to continuously verify its identity, scope, context, and behaviour before each meaningful action. In practice, that means the agent’s permissions are narrowly bounded, its credentials are short-lived where possible, and its tool calls are evaluated against policy rather than assumed safe. This aligns closely with NIST SP 800-207, Zero Trust Architecture, although the application to agents is still evolving and definitions vary across vendors. NHI teams often pair this model with identity proofing, session monitoring, and explicit workflow constraints so the agent cannot quietly expand its own reach. NHI Management Group treats agentic zero trust as a governance pattern, not a product feature. The most common misapplication is treating a successfully authenticated agent as a safe one: authentication establishes who the agent is, not what it may do, and the failure shows up when teams grant broad standing access after initial registration instead of authorising each action.

Examples and Use Cases

Implementing agentic zero trust rigorously adds latency and orchestration overhead, since every tool call now passes through a policy evaluation, so organisations have to weigh tighter control against smoother automation.

  • A customer-support agent can read only the case records needed for the current ticket, with each retrieval checked against policy and written to an audit trail, a pattern described in the AI Agents: The New Attack Surface report.
  • An engineering agent can open a pull request but cannot merge to production without separate human approval and bounded tool access, consistent with the OWASP Agentic AI Top 10 threat model.
  • A finance reconciliation agent may query payment records, but each query is limited to an approved dataset and time window, reducing overreach in line with the OWASP NHI Top 10.
  • An internal research agent can call external APIs only through a policy gateway that inspects destination, method, and payload before allowing the action.
  • A security operations agent can summarise alerts, yet cannot export raw incident data unless the request is revalidated under a higher-risk workflow.
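The checks named in the Expanded Definition (live short-lived credential, explicit scope, task-bound context, policy evaluation of every tool call) and the five use cases above can be expressed as a single policy enforcement point that sits between the agent and its tools. The following is an added illustration, not NHI Management Group code or any vendor's product; the tool names, scopes, allowlists and limits are hypothetical, and the inputs in `demo()` are constructed. Note that a valid credential with the wrong scope, a wrong ticket, an unapproved dataset or an unknown tool is denied just as an expired credential is: authentication alone never grants the action.

```python
"""Toy policy enforcement point (PEP) for AI-agent tool calls (added example)."""
import time
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse


@dataclass
class AgentCredential:
    agent_id: str
    scopes: frozenset      # explicit grants, e.g. {"cases:read"}
    context: dict          # claims binding the session to one task
    expires_at: float      # epoch seconds; short-lived by design


@dataclass
class ToolCall:
    tool: str
    args: dict
    step_up_approved: bool = False   # set only by a separate higher-risk workflow


@dataclass
class Decision:
    allowed: bool
    reason: str


# Hypothetical policy constants (assumptions for the example)
APPROVED_DATASETS = {"payments_2024q4"}
MAX_QUERY_WINDOW = timedelta(days=7)
EGRESS_ALLOWLIST = {"api.example.com"}
MAX_PAYLOAD_BYTES = 4096
AUDIT_LOG: list[dict] = []


def _check_cases_read(cred, args):
    # Context check: the record requested must belong to the bound ticket.
    if args.get("ticket_id") != cred.context.get("ticket_id"):
        return "record not bound to the current ticket"
    return None


def _check_payments_query(cred, args):
    # Dataset allowlist plus a bounded time window.
    if args.get("dataset") not in APPROVED_DATASETS:
        return "dataset not approved for this agent"
    start, end = args.get("start"), args.get("end")
    if start is None or end is None or end - start > MAX_QUERY_WINDOW:
        return "query window missing or wider than policy allows"
    return None


def _check_http_request(cred, args):
    # Policy gateway: inspect destination, method and payload before egress.
    url = urlparse(args.get("url", ""))
    if url.scheme != "https" or url.hostname not in EGRESS_ALLOWLIST:
        return f"destination {url.hostname!r} not in egress allowlist"
    if args.get("method", "GET") != "GET":
        return "only GET is permitted through the gateway"
    if len(args.get("body", b"")) > MAX_PAYLOAD_BYTES:
        return "payload exceeds size limit"
    return None


# tool -> (required scope, high-risk?, argument check). Unknown tools are denied.
POLICY = {
    "cases.read":       ("cases:read",    False, _check_cases_read),
    "git.open_pr":      ("repo:pr",       False, None),
    "git.merge":        ("repo:merge",    True,  None),
    "payments.query":   ("payments:read", False, _check_payments_query),
    "http.request":     ("net:egress",    False, _check_http_request),
    "alerts.summarize": ("alerts:read",   False, None),
    "incident.export":  ("incident:read", True,  None),
}


def authorize(cred, call, now=None):
    """Evaluate one tool call; every outcome, allowed or not, is audited."""
    now = time.time() if now is None else now
    decision = _evaluate(cred, call, now)
    AUDIT_LOG.append({"agent": cred.agent_id, "tool": call.tool, "args": call.args,
                      "allowed": decision.allowed, "reason": decision.reason, "at": now})
    return decision


def _evaluate(cred, call, now):
    if now >= cred.expires_at:
        return Decision(False, "credential expired; re-issue a short-lived token")
    rule = POLICY.get(call.tool)
    if rule is None:
        return Decision(False, f"tool {call.tool!r} not in policy (default deny)")
    scope, high_risk, check = rule
    if scope not in cred.scopes:   # authenticated is not the same as authorised
        return Decision(False, f"missing scope {scope!r}")
    if check is not None and (problem := check(cred, call.args)):
        return Decision(False, problem)
    if high_risk and not call.step_up_approved:
        return Decision(False, "high-risk action needs a separate approval workflow")
    return Decision(True, "allowed")


def demo(now=1_700_000_000.0):
    """Replay the five use cases against the policy with constructed inputs."""
    support = AgentCredential("support-agent", frozenset({"cases:read"}), {"ticket_id": "T-1001"}, now + 300)
    eng = AgentCredential("eng-agent", frozenset({"repo:pr", "repo:merge"}), {}, now + 300)
    finance = AgentCredential("finance-agent", frozenset({"payments:read"}), {}, now + 300)
    research = AgentCredential("research-agent", frozenset({"net:egress"}), {}, now + 300)
    secops = AgentCredential("secops-agent", frozenset({"alerts:read", "incident:read"}), {}, now + 300)
    q = {"dataset": "payments_2024q4", "start": datetime(2024, 10, 1), "end": datetime(2024, 10, 5)}
    return {
        "support_own_ticket":   authorize(support, ToolCall("cases.read", {"ticket_id": "T-1001"}), now),
        "support_other_ticket": authorize(support, ToolCall("cases.read", {"ticket_id": "T-2002"}), now),
        "support_expired":      authorize(support, ToolCall("cases.read", {"ticket_id": "T-1001"}), now + 600),
        "eng_open_pr":          authorize(eng, ToolCall("git.open_pr", {"branch": "fix-1"}), now),
        "eng_merge_no_human":   authorize(eng, ToolCall("git.merge", {"branch": "fix-1"}), now),
        "finance_bounded":      authorize(finance, ToolCall("payments.query", q), now),
        "finance_wide_window":  authorize(finance, ToolCall("payments.query", {**q, "end": datetime(2024, 10, 20)}), now),
        "research_allowed_api": authorize(research, ToolCall("http.request", {"url": "https://api.example.com/v1/search"}), now),
        "research_exfil_post":  authorize(research, ToolCall("http.request", {"url": "https://evil.example.net/", "method": "POST", "body": b"x"}), now),
        "secops_summarize":     authorize(secops, ToolCall("alerts.summarize", {}), now),
        "secops_export":        authorize(secops, ToolCall("incident.export", {"id": "INC-9"}), now),
        "unknown_tool":         authorize(secops, ToolCall("shell.exec", {"cmd": "id"}), now),
    }
```

Two design points carry most of the value. `authorize` logs the denial reason as well as the allow, so the audit trail answers "what did this agent try to do" rather than only "what did it do", which is the visibility gap described in the next section. And high-risk tools (`git.merge`, `incident.export`) are never unlocked by scope alone; the agent has to come back with `step_up_approved` set by a separate workflow, which is how "cannot merge to production without separate human approval" becomes an enforced check rather than a documented intention.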

Why It Matters in NHI Security

Agentic zero trust matters because autonomous agents combine two risk planes at once: machine identity compromise and unrestricted action scope. When either one is weak, the agent can become a high-speed abuse path for data exposure, privilege escalation, or unauthorised system changes. NHIMG research shows that 80% of organisations report AI agents have already acted beyond their intended scope, while only 52% can track and audit the data those agents access, leaving a major blind spot for investigation and compliance (AI Agents: The New Attack Surface report). That gap becomes worse when agents inherit long-lived secrets or broad service permissions, which is why NHI governance must treat agent identity, secret handling, and action authorisation as one control surface. Related risk patterns are also discussed in the LLMjacking research and in broader frameworks such as the NIST AI Risk Management Framework and the CSA MAESTRO agentic AI threat modeling framework. Organisations typically encounter the need for agentic zero trust only after an agent has already accessed the wrong dataset, called the wrong tool, or triggered an unexpected action, at which point adopting the model is operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP | Agentic AI Top 10 | Defines agentic app risks where autonomous actions need bounded trust.
NIST | Zero Trust (SP 800-207) | Zero trust requires continuous verification and least-privilege access decisions.
NIST | AI RMF | Provides risk management guidance for AI systems and their operational controls.

Map agent behavior risks, monitor drift, and document controls across the AI lifecycle.