AI agents complicate zero trust because they can make runtime decisions, chain actions, and hold delegated permissions across multiple systems. That means trust has to be verified repeatedly at the point of action, not assumed from the initial authentication event. Continuous policy checks and narrow scope become essential.
Why Traditional Zero Trust Breaks Down for AI Agents
AI agents are not passive users. They can interpret goals, choose tools, call APIs, and chain actions across systems without a person approving each step. That turns an initial login event into only the starting point. zero trust still applies, but the trust decision has to move to the point of action, not stay attached to the session. This is why the OWASP Agentic AI Top 10 and NIST AI Risk Management Framework both matter here: the risk is not only compromise, but autonomous misuse within granted authority.
NHIMG research shows how fast that can become real. In AI Agents: The New Attack Surface, SailPoint reports that 80% of organisations have seen agents act beyond intended scope, including unauthorised access, sensitive data sharing, and credential exposure. That is a zero trust problem because policy is being tested continuously by behaviour, not just by identity proof at sign-in. In practice, many security teams discover this only after an agent has already chained tools and crossed a trust boundary, rather than through intentional design.
How to Apply Zero Trust to Autonomous Workloads
The practical shift is from static entitlement models to runtime authorisation. Static RBAC is useful for humans, but it fails when an agent’s next step depends on context, tool output, or a changing objective. Current guidance suggests using intent-based or context-aware authorisation so the system evaluates what the agent is trying to do at the moment of request. That means every sensitive action should be checked against policy, risk, and task scope before it is executed.
For agents, JIT credential issuance is usually a better fit than long-lived secrets. Short-lived tokens, task-scoped permissions, and automatic revocation reduce the blast radius when an agent drifts or is manipulated. Workload identity is also essential. A strong agent identity should prove what the workload is, not just what secret it holds. That is why Guide to SPIFFE and SPIRE is relevant: cryptographic workload identity supports repeatable authentication for non-human systems, while policy engines decide whether an action is allowed right now. The broader NHI context is covered in Top 10 NHI Issues.
- Issue ephemeral credentials per task, not per environment.
- Bind permissions to the specific intent, tool, and data class involved.
- Re-evaluate access on every high-risk request with policy-as-code.
- Revoke or quarantine the agent when behaviour deviates from its approved task.
These controls tend to break down when agents operate across many SaaS systems with weak API-level visibility, because policy decisions cannot be enforced consistently at each hop.
Where the Model Still Fails in Real Deployments
Tighter control often increases operational overhead, requiring organisations to balance security with developer velocity and runtime complexity. There is no universal standard for agent authorisation design yet, so teams should treat this as an evolving practice rather than a solved one. The main tradeoff is between flexibility and containment: the more autonomy an agent has, the more precise the guardrails must be.
Edge cases appear when agents span multiple identities, inherit permissions from a human, or use shared service accounts. Those patterns blur accountability and make least privilege hard to prove. They also complicate incident response because logs may show the service account, not the actual agent intent. For that reason, NIST Cybersecurity Framework 2.0 is helpful for governance and monitoring, while OWASP NHI Top 10 highlights the agentic attack surface that static controls miss. When teams need a deeper threat-model view, CSA MAESTRO agentic AI threat modeling framework offers a useful reference point.
The practical answer is not to abandon zero trust, but to extend it so every agent action is verified, time-bounded, and narrowly scoped. That becomes especially important when an agent can plan, retry, and self-correct faster than a human operator can intervene.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agentic risks center on autonomous action and tool abuse, which this framework addresses. |
| CSA MAESTRO | MAESTRO models agentic AI threats and control gaps across runtime behaviour. | |
| NIST AI RMF | AI RMF governance covers accountability for autonomous model-driven decisions. |
Apply AI RMF GOVERN and MAP activities to define ownership, monitoring, and escalation for agents.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on May 28, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
