Notifications
Clear all
Topic starter
07/06/2026 8:44 pm
TL;DR: Traditional Zero Trust frameworks were built for human users and static systems, but AI agents move across platforms, handle sensitive data in seconds, and can outpace controls that rely on identity checks alone, according to Cyera. Data-centric enforcement is now the practical boundary because access governance at human speed cannot reliably govern machine-speed behaviour.
NHIMG editorial — based on content published by Cyera: Rethinking Zero Trust in the Age of AI
Questions worth separating out
Q: How should security teams govern AI systems under Zero Trust?
A: Security teams should govern AI systems at the data layer as well as the identity layer.
Q: Why do traditional Zero Trust controls struggle with AI agents?
A: Traditional Zero Trust controls struggle because they assume access can be verified and then monitored through stable human-oriented patterns.
Q: What do teams get wrong about least privilege in AI environments?
A: Teams often focus on data access and ignore action scope.
Practitioner guidance
- Map data before you map AI access Inventory where sensitive data resides, which AI systems can reach it, and which workflows can move it across boundaries.
- Define least agency for every AI workflow Document the exact actions an AI system may take, not only the data it may see.
- Bind monitoring to data movement events Alert on unauthorized prompts, unexpected transformations, and abnormal sharing patterns instead of relying only on authentication logs.
What's in the full article
Cyera's full article covers the operational detail this post intentionally leaves for the source:
- How Cyera positions DSPM and AI-SPM together across cloud, SaaS, and hybrid environments
- The article's own walkthrough of data-layer monitoring and policy enforcement concepts for AI workflows
- Cyera's explanation of how its platform links AI activity to the data it touches
- The source article's examples of prompt, sharing, and movement controls for AI systems
👉 Read Cyera's analysis of Zero Trust for AI and data-centric enforcement →
Zero trust for AI and data-centric control - are your controls keeping up?
Explore further
08/06/2026 8:25 am
Traditional Zero Trust for people does not survive contact with AI agents. Zero Trust was built around predictable human access patterns, device trust, and policy checks that happen before or during a session. AI systems can cross platforms, re-use context, and act at speeds that make those assumptions brittle. The implication is that practitioners need a control model that governs behaviour after authentication, not just access at the edge.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- Only 44% have implemented any policies to govern AI agents, while 92% agree governing them is critical to enterprise security.
A question worth separating out:
Q: Who is accountable when an AI system moves data outside policy?
A: Accountability should sit with the team that owns the AI workflow, the data it touches, and the credentials that enable it. If governance stops at authentication, ownership becomes blurred. Clear accountability means mapping the data path, the action scope, and the approving function before deployment.
👉 Read our full editorial: Zero trust for AI fails when data becomes the trust boundary
