
Why do AI agents complicate zero trust architecture assumptions?

By NHI Mgmt Group Editorial Team | Updated May 16, 2026 | Domain: Agentic AI & Autonomous Identity

AI agents complicate zero trust because they make repeated, autonomous access requests after the initial authentication step. Zero trust assumes continuous verification, but agentic workflows can create many machine-driven decisions that must be authorised, logged, and bounded in real time. Teams need policy that follows each action, not just each login.

Why Traditional Zero Trust Breaks Down for AI Agents

Zero trust assumes every request can be evaluated on its own merits, but AI agents create a much harder pattern: they are autonomous, goal-driven workloads that can make repeated tool calls after the first login. That changes the security problem from “who signed in?” to “what is this agent trying to do right now, and is that action still acceptable?” The guidance in NIST SP 800-207 (Zero Trust Architecture) still applies, but agentic systems force its assumptions to be re-applied at runtime, per action rather than per session.

That is why the agentic AI risk literature now places such emphasis on action-level governance. The OWASP NHI Top 10 and CSA MAESTRO agentic AI threat modeling framework both reflect the same operational reality: once an agent can chain tools, prompt itself onward, or retry on failure, static role assumptions no longer describe the actual risk. In practice, many security teams encounter overreach only after an agent has already touched systems it was never intended to reach, rather than through intentional design.

NHIMG research also shows how quickly this becomes an enterprise issue: 80% of organisations report their AI agents have already performed actions beyond their intended scope, while only 44% have implemented policies to govern them, according to the AI Agents: The New Attack Surface report from SailPoint.

How to Apply Zero Trust to Agentic Workflows

The practical shift is from identity-at-login to workload identity plus intent-based authorisation. An agent should prove what it is through cryptographic workload identity, then receive only the minimum capability needed for the current task. For implementation, current guidance suggests pairing workload identity controls such as SPIFFE and SPIRE (see the Guide to SPIFFE and SPIRE) with runtime policy evaluation shaped by the NIST AI Risk Management Framework and the OWASP Agentic AI Top 10.

In practice, this means:

  • issuing JIT credentials that expire after the task finishes, rather than leaving static secrets in the agent runtime;
  • binding every action to a policy decision at request time, not just to a pre-approved role;
  • scoping tools and data access to the smallest viable objective, especially for agents that can browse, code, or call internal APIs;
  • logging both the decision context and the action result so auditors can reconstruct what the agent tried to do.

This is where NHI discipline becomes essential. If an agent can retrieve long-lived API keys, reuse tokens across tasks, or operate without clear workload identity, zero trust becomes a paper control. NHIMG guidance on the Top 10 NHI Issues and the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is especially relevant here because lifecycle governance is what keeps agent privileges from accumulating unchecked. These controls tend to break down when an agent is allowed to self-extend tool use across multiple nested workflows because the policy engine no longer sees a clean task boundary.
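The four practices listed above, plus the nested-workflow failure mode just described, can be seen together in a small policy enforcement point. The following is an added example, not code from the NHIMG FAQ or from any product or framework it cites: it mints a short-lived, task-scoped capability for an agent (identified by an assumed SPIFFE ID), evaluates every tool call against that capability at request time, lets a sub-task inherit only a subset of its parent's scope and never outlive it, and writes each decision with its context and result to an audit log. The tool names, resource paths, signing key and SPIFFE IDs are constructed for the demo.

```python
"""Added example (not from the NHIMG FAQ): a minimal policy enforcement point
for an agent runtime. Short-lived task capability, per-action authorisation,
scope attenuation for delegated sub-tasks, and an audit log of every decision.
Tool names, resource paths, the signing key and SPIFFE IDs are constructed."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

SIGNING_KEY = b"demo-only-key"  # constructed; hold the real key in a KMS/HSM
AUDIT_LOG: list = []            # one entry per tool call: context + outcome
TOOLS = {                       # constructed stand-ins for real tool integrations
    "read_doc": lambda resource: f"contents of {resource}",
    "send_email": lambda resource: f"sent mail via {resource}",
}

@dataclass(frozen=True)
class TaskCapability:
    agent_id: str               # workload identity; a SPIFFE ID is assumed here
    task_id: str
    tools: frozenset            # tools this task may call
    resources: frozenset        # resource prefixes this task may touch
    expires_at: float           # absolute time; the credential dies with the task
    parent_task: Optional[str]  # set when this capability was delegated
    sig: str                    # HMAC over the fields above

def _payload(agent_id, task_id, tools, resources, expires_at, parent_task) -> dict:
    return {"agent_id": agent_id, "task_id": task_id, "tools": sorted(tools),
            "resources": sorted(resources), "expires_at": expires_at,
            "parent_task": parent_task}

def _sign(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()

def issue_capability(agent_id, task_id, tools, resources, ttl_seconds,
                     now=None, parent=None) -> TaskCapability:
    """JIT credential: minted for one task, expires when the task should be done."""
    now = time.time() if now is None else now
    parent_task = parent.task_id if parent else None
    expires_at = now + ttl_seconds
    payload = _payload(agent_id, task_id, tools, resources, expires_at, parent_task)
    return TaskCapability(agent_id, task_id, frozenset(tools), frozenset(resources),
                          expires_at, parent_task, _sign(payload))

def delegate(parent: TaskCapability, task_id, tools, resources, ttl_seconds,
             now=None) -> TaskCapability:
    """Sub-task capability: may only narrow the parent's scope and cannot outlive it."""
    now = time.time() if now is None else now
    if not (set(tools) <= parent.tools and set(resources) <= parent.resources):
        raise PermissionError("sub-task scope exceeds parent scope")
    ttl = min(ttl_seconds, parent.expires_at - now)
    return issue_capability(parent.agent_id, task_id, tools, resources, ttl, now, parent)

def authorize(cap: TaskCapability, tool: str, resource: str, now=None):
    """Per-action policy decision, made at request time rather than at login."""
    now = time.time() if now is None else now
    expected = _sign(_payload(cap.agent_id, cap.task_id, cap.tools, cap.resources,
                              cap.expires_at, cap.parent_task))
    if not hmac.compare_digest(expected, cap.sig):
        return False, "capability signature invalid"   # tampered or forged scope
    if now >= cap.expires_at:
        return False, "capability expired"             # task boundary has passed
    if tool not in cap.tools:
        return False, f"tool {tool!r} not in task scope"
    if not any(resource.startswith(prefix) for prefix in cap.resources):
        return False, f"resource {resource!r} outside task scope"
    return True, "allowed"

def call_tool(cap: TaskCapability, tool: str, resource: str, now=None):
    """Enforce the decision, run the tool only when allowed, and log both sides."""
    allowed, reason = authorize(cap, tool, resource, now)
    result = TOOLS[tool](resource) if allowed else None
    AUDIT_LOG.append({
        "agent_id": cap.agent_id, "task_id": cap.task_id, "parent_task": cap.parent_task,
        "tool": tool, "resource": resource, "decision": "allow" if allowed else "deny",
        "reason": reason, "result": result,
    })
    return allowed, reason, result

def demo(now: float = 1_000.0) -> list:
    """Walk one task through issue, use, attempted overreach, delegation and expiry."""
    AUDIT_LOG.clear()
    cap = issue_capability("spiffe://example.org/agent/researcher", "task-1",
                           {"read_doc"}, {"docs/public/"}, ttl_seconds=60, now=now)
    call_tool(cap, "read_doc", "docs/public/brief.txt", now + 5)    # allow
    call_tool(cap, "read_doc", "docs/hr/salaries.csv", now + 6)     # deny: resource
    call_tool(cap, "send_email", "docs/public/brief.txt", now + 7)  # deny: tool
    child = delegate(cap, "task-1a", {"read_doc"}, {"docs/public/"}, 600, now + 8)
    call_tool(child, "read_doc", "docs/public/notes.txt", now + 9)  # allow, narrowed
    call_tool(child, "read_doc", "docs/public/notes.txt", now + 61) # deny: expired with parent
    return list(AUDIT_LOG)

if __name__ == "__main__":
    for entry in demo():
        print(json.dumps(entry))
```

The design choice worth noting is that the sub-task credential in `delegate` cannot widen the tool or resource set and is clipped to the parent's expiry, so an agent that spawns nested workflows never drifts past the boundary the policy engine originally saw; the audit entries carry the parent task id so an auditor can reconstruct the chain.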

Common Variations and Edge Cases

Tighter authorisation often increases orchestration overhead, requiring organisations to balance safety against latency, developer friction, and operational complexity. That tradeoff is real, especially where agents must respond quickly or coordinate across many services. There is no universal standard for this yet, but current guidance suggests that sensitive actions should be separated from low-risk retrieval or summarisation tasks.

One common edge case is multi-agent pipelines. When one agent plans, another executes, and a third validates, the access path can become harder to interpret than a human workflow. Another is delegated delegation, where an agent is permitted to create subtasks or call plugins on its own. In those environments, static RBAC fails because the permission set does not describe the actual sequence of actions. More mature programs are moving toward context-aware authorisation, short-lived secrets, and JIT provisioning, but these patterns still need policy tuned to the specific toolchain.

Credential theft also changes the risk picture. NHIMG has documented cases where attackers move rapidly once credentials are exposed, including the AI LLM hijack breach and the Moltbook AI agent keys breach. That is why the question is not only whether the agent is trusted, but whether its secrets, tokens, and execution rights are ephemeral enough to limit blast radius. Best practice is evolving, but the safest baseline is to assume an agent can be redirected, chained, or tricked into actions the original designer did not anticipate.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while the NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A1 | Agentic attack surfaces and tool misuse are the core issue here.
CSA MAESTRO | T1 | Threat modeling for autonomous workflows fits zero trust failures in agents.
NIST AI RMF | AI RMF | Governance is needed for accountable agent behaviour and oversight.

Assign ownership, monitor outcomes, and review agent decisions under AI RMF GOVERN and MAP practices.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on May 16, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org