TL;DR: Traditional Zero Trust frameworks were built for human users and static systems, but AI agents move across platforms, handle sensitive data in seconds, and can outpace controls that rely on identity checks alone, according to Cyera. Data-centric enforcement is now the practical boundary because access governance at human speed cannot reliably govern machine-speed behaviour.
At a glance
What this is: This is an analysis of why traditional Zero Trust breaks down for AI systems and agents, with the key finding that data, not identity alone, becomes the enforceable trust boundary.
Why it matters: It matters because IAM, NHI, and emerging agent governance programmes all need controls that can keep pace with machine-speed access, data movement, and action-taking.
👉 Read Cyera's analysis of Zero Trust for AI and data-centric enforcement
Context
Zero Trust for AI is the idea that access, action, and data handling by AI systems should be continuously verified rather than assumed safe after login. The article argues that identity-centric controls designed for people do not keep up when AI systems move faster, cross more boundaries, and touch sensitive data in ways human workflows rarely do.
That creates a governance gap for NHI programmes, because the control problem is no longer only who or what authenticated. It is whether the system can govern how data is discovered, transformed, shared, and acted on once an AI system is already inside the environment.
Key questions
Q: How should security teams govern AI systems under Zero Trust?
A: Security teams should govern AI systems at the data layer as well as the identity layer. That means combining least privilege with visibility into what data the system can reach, how it transforms that data, and which actions it can trigger. The goal is to control behaviour after authentication, not just approve access at login.
Q: Why do traditional Zero Trust controls struggle with AI agents?
A: Traditional Zero Trust controls struggle because they assume access can be verified and then monitored through stable human-oriented patterns. AI agents move faster, cross more platforms, and can initiate actions that outpace review cycles. The result is a trust model that sees the login but not the full runtime behaviour.
Q: What do teams get wrong about least privilege in AI environments?
A: Teams often focus on data access and ignore action scope. An AI system may have valid credentials and still perform unsafe operations such as sharing data, modifying files, or starting workflows. Least privilege for AI must include both what the system can see and what it is allowed to do with that access.
Q: Who is accountable when an AI system moves data outside policy?
A: Accountability should sit with the team that owns the AI workflow, the data it touches, and the credentials that enable it. If governance stops at authentication, ownership becomes blurred. Clear accountability means mapping the data path, the action scope, and the approving function before deployment.
Technical breakdown
Why identity-centric Zero Trust fails for AI agents
Traditional Zero Trust assumes an identity can be authenticated, bound to a device or session, and then governed through least privilege and continuous verification. AI agents break that model because they do not behave like static users. They can traverse systems, touch multiple datasets, and initiate actions faster than human review cycles or conventional monitoring can react. The issue is not only access volume, but the speed and variability of access paths. Once an AI system can decide what to do next in runtime, identity checks at the edge no longer describe the full risk surface.
Practical implication: teams must stop treating sign-in as the main control point for AI and shift to governing post-authentication behaviour.
Data-centric Zero Trust and AI security posture management
A data-centric model moves enforcement from the user boundary to the data boundary. Data Security Posture Management, or DSPM, maps where sensitive data lives, while AI Security Posture Management, or AI-SPM, tracks how AI systems access, transform, and share that data. Together they create visibility into both the asset and the actor. That matters because AI risk often emerges after access is granted, when prompts, outputs, file modifications, or workflow actions can spread sensitive information into places identity controls do not directly observe.
Practical implication: classify sensitive data first, then tie AI permissions and monitoring to the data paths it can reach.
Least agency is the control model Zero Trust now needs
OWASP’s 'excessive agency' idea captures the failure mode where AI is allowed to do more than the trust model can safely explain. For AI, least privilege is not enough if the system can also trigger emails, modify files, or initiate workflows without proportionate guardrails. Least agency extends the governance question beyond access to action. That means the control model must constrain not just what data AI can see, but what it is allowed to do with that data, and under what observable conditions.
Practical implication: define action limits for AI systems as explicitly as you define data access limits.
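To make "action limits as explicit as data access limits" concrete, here is an added example of a least-agency gate, written for this post and not code from Cyera or the NHI Mgmt Group. It assumes a hypothetical agent platform in which every proposed tool call passes through a policy check before execution; the classification levels, tool names and the "invoice-triage" workflow are constructed for illustration.

```python
"""Least-agency gate for an AI agent's tool calls.

Added example; hypothetical design, not code from Cyera or the NHI Mgmt Group.
Each proposed tool call is checked against the workflow's data scope (what it
may read) and action scope (what it may do) before anything executes.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class ActionRule:
    max_classification: Classification        # highest level this tool may touch
    requires_approval: bool = False           # human approval threshold for the action
    allowed_domains: frozenset = frozenset()  # outbound destinations (sharing tools only)


@dataclass
class WorkflowPolicy:
    name: str
    data_scope: Classification                        # highest level the workflow may read
    action_scope: dict = field(default_factory=dict)  # tool name -> ActionRule (deny by default)


@dataclass(frozen=True)
class ToolCall:
    tool: str
    classification: Classification   # classification of the data the call touches
    target_domain: str = ""          # only meaningful for sharing tools


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False


def evaluate(policy: WorkflowPolicy, call: ToolCall) -> Decision:
    """Return the gate decision for one proposed tool call."""
    # 1. Data scope: the workflow may never touch data above its read ceiling.
    if call.classification > policy.data_scope:
        return Decision(False, f"data scope exceeded: {call.classification.name}")
    # 2. Action scope: a tool must be explicitly listed; unknown tools are denied.
    rule = policy.action_scope.get(call.tool)
    if rule is None:
        return Decision(False, f"tool not in action scope: {call.tool}")
    # 3. A tool's own ceiling can be lower than the workflow's read ceiling
    #    (e.g. may read CONFIDENTIAL data but only e-mail INTERNAL data).
    if call.classification > rule.max_classification:
        return Decision(False, f"{call.tool} not permitted for {call.classification.name}")
    # 4. Outbound sharing is limited to allowlisted destinations.
    if rule.allowed_domains and call.target_domain not in rule.allowed_domains:
        return Decision(False, f"destination not allowlisted: {call.target_domain}")
    # 5. In scope, but some actions still require a human in the loop.
    if rule.requires_approval:
        return Decision(True, "allowed pending approval", needs_approval=True)
    return Decision(True, "allowed")


# Constructed policy for a hypothetical "invoice-triage" agent workflow.
INVOICE_TRIAGE = WorkflowPolicy(
    name="invoice-triage",
    data_scope=Classification.CONFIDENTIAL,
    action_scope={
        "read_document": ActionRule(Classification.CONFIDENTIAL),
        "send_email": ActionRule(Classification.INTERNAL,
                                 allowed_domains=frozenset({"example.com"})),
        "modify_file": ActionRule(Classification.CONFIDENTIAL, requires_approval=True),
    },
)


def run_samples() -> list:
    """Evaluate constructed tool calls; returns (tool, allowed, needs_approval) per call."""
    calls = [
        ToolCall("read_document", Classification.CONFIDENTIAL),
        ToolCall("read_document", Classification.RESTRICTED),
        ToolCall("send_email", Classification.INTERNAL, "example.com"),
        ToolCall("send_email", Classification.INTERNAL, "partner.example"),
        ToolCall("send_email", Classification.CONFIDENTIAL, "example.com"),
        ToolCall("modify_file", Classification.CONFIDENTIAL),
        ToolCall("start_workflow", Classification.PUBLIC),
    ]
    results = []
    for call in calls:
        decision = evaluate(INVOICE_TRIAGE, call)
        results.append((call.tool, decision.allowed, decision.needs_approval))
    return results


if __name__ == "__main__":
    for tool, allowed, approval in run_samples():
        print(f"{tool:15} allowed={allowed} needs_approval={approval}")
```

The point of the structure is that valid credentials and an in-scope dataset are not enough: the same CONFIDENTIAL document the agent may read is still blocked from leaving by e-mail, an unlisted tool is refused outright, and a file modification is permitted only once a human approves. In a real deployment the gate would sit between the model's proposed tool call and the tool runtime, and every decision would be logged with the workflow name so the owning team can be identified.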
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Traditional Zero Trust for people does not survive contact with AI agents. Zero Trust was built around predictable human access patterns, device trust, and policy checks that happen before or during a session. AI systems can cross platforms, re-use context, and act at speeds that make those assumptions brittle. The implication is that practitioners need a control model that governs behaviour after authentication, not just access at the edge.
Data is becoming the only enforceable trust boundary for AI security. When AI systems can move across cloud, SaaS, and internal tools in seconds, identity alone no longer explains risk. Data-centric enforcement gives security teams a boundary they can actually observe, classify, and govern across the lifecycle of an AI interaction. Practitioners should treat data lineage and data context as core security primitives, not supporting evidence.
Least agency is the right named concept for AI governance because privilege and action are no longer separable. The article’s core tension is that AI can have legitimate access yet still produce unsafe action sequences. That breaks the old assumption that access review and authorization alone are sufficient. The implication is that governance must move from entitlement thinking to action-scope thinking across AI systems and the NHIs they use.
AI governance and NHI governance are converging on the same problem: machine-speed decisioning. Whether the actor is an AI agent, a service account, or a workflow-connected system, the programme challenge is no longer simply credential control. It is ensuring that the system’s runtime behaviour stays within a boundary security can measure. Practitioners should unify NHI, DSPM, and AI oversight rather than treat them as separate programmes.
From our research:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
- Only 44% have implemented any policies to govern AI agents, while 92% agree governing them is critical to enterprise security.
- For a practical governance lens, see OWASP Agentic AI Top 10 for the controls most likely to matter as autonomous behaviour scales.
What this signals
The next phase of AI governance will be measured by whether teams can connect identity, data, and action in a single control plane. A data-centric approach does not replace IAM or NHI controls, but it does expose where those controls stop being sufficient once AI starts moving information faster than policy review cycles.
Least agency: the useful boundary for AI programmes is no longer just who can authenticate, but what actions the system can legitimately take after access is granted. That distinction will shape how security leaders scope monitoring, recertification, and incident response as AI usage spreads.
With 98% of companies planning to deploy more AI agents within 12 months, governance programmes that wait for perfect standards alignment will fall behind operating reality. Teams should prepare for a world where AI oversight sits alongside NHI and human identity management, not after them.
For practitioners
- Map data before you map AI access: Inventory where sensitive data resides, which AI systems can reach it, and which workflows can move it across boundaries. Use that map to decide where monitoring and blocking belong.
- Define least agency for every AI workflow: Document the exact actions an AI system may take, not only the data it may see. Include file changes, outbound sharing, workflow initiation, and approval thresholds in scope.
- Bind monitoring to data movement events: Alert on unauthorized prompts, unexpected transformations, and abnormal sharing patterns instead of relying only on authentication logs. Data-layer signals are more durable than session logs for AI governance.
- Align NHI controls with AI behaviour: Review service accounts, tokens, and API keys used by AI systems to see whether their entitlement scope exceeds the specific data paths and actions those systems actually need.
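The four practitioner steps above fit together as one monitoring loop. The following is an added example, written for this post rather than taken from Cyera or the NHI Mgmt Group, that carries them through in Python: a data map (step 1), a per-workflow least-agency baseline (step 2), detection rules run over data-movement events (step 3), and a comparison of the NHI's granted entitlements against what the workflow actually needs (step 4). The JSON-lines event schema, the dataset names, the "support-agent" workflow and the "svc-support-bot" NHI are all constructed for illustration.

```python
"""Data-movement monitoring and NHI entitlement review for an AI workflow.

Added example with a hypothetical event schema; not code from Cyera or the
NHI Mgmt Group. Runs offline on the constructed events embedded below.
"""
import json

# Step 1: data map (what DSPM would produce). Constructed inventory.
DATA_MAP = {
    "crm/customers": {"classification": "confidential", "owner": "sales-ops"},
    "hr/payroll":    {"classification": "restricted",   "owner": "people-ops"},
    "wiki/public":   {"classification": "public",       "owner": "marketing"},
}

# Step 2: least-agency baseline per workflow: the datasets, actions and
# sharing destinations the workflow legitimately needs. Constructed.
EXPECTED = {
    "support-agent": {
        "datasets": {"crm/customers", "wiki/public"},
        "actions": {"read", "summarize", "share"},
        "share_destinations": {"example.com"},
    },
}

# Step 4 input: datasets the workflow's NHI is actually entitled to. Constructed.
GRANTED = {"support-agent": {"crm/customers", "wiki/public", "hr/payroll"}}

# Constructed JSON-lines events from a hypothetical data-access proxy.
EVENTS = """\
{"ts":"2025-11-25T09:00:01Z","workflow":"support-agent","nhi":"svc-support-bot","action":"read","dataset":"crm/customers","bytes":4096}
{"ts":"2025-11-25T09:00:02Z","workflow":"support-agent","nhi":"svc-support-bot","action":"summarize","dataset":"crm/customers","bytes":512}
{"ts":"2025-11-25T09:00:03Z","workflow":"support-agent","nhi":"svc-support-bot","action":"share","dataset":"crm/customers","bytes":512,"destination":"example.com"}
{"ts":"2025-11-25T09:00:04Z","workflow":"support-agent","nhi":"svc-support-bot","action":"read","dataset":"hr/payroll","bytes":20480}
{"ts":"2025-11-25T09:00:05Z","workflow":"support-agent","nhi":"svc-support-bot","action":"share","dataset":"crm/customers","bytes":8192,"destination":"files.partner.example"}
{"ts":"2025-11-25T09:00:06Z","workflow":"support-agent","nhi":"svc-support-bot","action":"modify","dataset":"crm/customers","bytes":1024}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list, expected: dict, data_map: dict) -> list:
    """Step 3: evaluate each event against the workflow baseline.

    Returns alerts as (rule, event index, detail). Alerts carry the data
    classification so triage starts from the data, not the credential.
    """
    alerts = []
    for i, ev in enumerate(events):
        base = expected.get(ev["workflow"])
        if base is None:
            alerts.append(("unknown-workflow", i, ev["workflow"]))
            continue
        level = data_map.get(ev["dataset"], {}).get("classification", "unclassified")
        # Dataset outside the workflow's mapped data paths.
        if ev["dataset"] not in base["datasets"]:
            alerts.append(("dataset-outside-scope", i, f"{ev['dataset']} ({level})"))
        # Action outside the workflow's least-agency definition (e.g. unexpected modify).
        if ev["action"] not in base["actions"]:
            alerts.append(("action-outside-scope", i, ev["action"]))
        # Sharing to a destination the workflow was never meant to reach.
        if ev["action"] == "share":
            dest = ev.get("destination", "")
            if dest not in base["share_destinations"]:
                alerts.append(("abnormal-share-destination", i, f"{level} -> {dest}"))
    return alerts


def entitlement_gap(granted: dict, expected: dict) -> dict:
    """Step 4: datasets an NHI is entitled to beyond what its workflow needs."""
    return {wf: sorted(granted.get(wf, set()) - base["datasets"])
            for wf, base in expected.items()}


if __name__ == "__main__":
    for rule, idx, detail in detect(parse_events(EVENTS), EXPECTED, DATA_MAP):
        print(f"ALERT {rule:28} event={idx} {detail}")
    for wf, extra in entitlement_gap(GRANTED, EXPECTED).items():
        print(f"ENTITLEMENT GAP {wf}: {extra}")
```

Run against the constructed events, the detector raises three alerts: a read of the restricted payroll dataset the workflow was never mapped to, a share of confidential CRM data to a destination outside the allowlist, and a modify action the workflow's least-agency definition does not include. None of these would appear as anomalies in an authentication log, because the same service account authenticated successfully for every event. The entitlement review then shows that "svc-support-bot" is entitled to hr/payroll although the workflow baseline never needed it, which is exactly the kind of scope excess step 4 asks teams to find.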
Key takeaways
- AI systems expose a Zero Trust gap because they change the risk model from human-paced access to machine-speed behaviour.
- Data layer visibility is becoming the decisive control because identity checks alone do not capture how AI moves, reshapes, or shares sensitive information.
- Practitioners should define least agency, align NHI controls to AI workflows, and monitor data movement as a first-class security signal.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Covers excessive agency and tool/action misuse in AI systems. |
| OWASP Non-Human Identity Top 10 | NHI-03 | AI systems depend on secrets and tokens that still need lifecycle control. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access control still matter, but need data-layer enforcement here. |
Map AI entitlements to least privilege requirements and verify that controls extend beyond authentication.
Key terms
- Zero Trust for AI: A control model that applies continuous verification and least privilege to AI systems, but extends enforcement into data access and action scope. It recognises that AI risk is not limited to authentication and must include how systems move, transform, and share information.
- Data Security Posture Management: A discipline for discovering where sensitive data lives and how it is exposed across environments. In AI governance, DSPM becomes the visibility layer that shows which datasets can be reached by models, agents, and connected workflows.
- Least agency: A governance principle that limits not only what an AI system can access, but also what it can do with that access. It is a practical extension of least privilege for AI agents and other machine identities whose risk is defined by runtime action, not just entitlement.
- AI Security Posture Management: A control approach that tracks how AI systems use data, invoke tools, and create risk across workflows. It complements data discovery by focusing on the operational behaviour of AI after access is granted, which is where many governance failures begin.
Deepen your knowledge
Zero Trust for AI, least agency, and data-centric control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are extending identity governance into AI workflows, it is worth exploring.
This post draws on content published by Cyera: Rethinking Zero Trust in the Age of AI. Read the original.
Published by the NHIMG editorial team on 2025-11-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org