For the last several years, security leaders have wrestled with a difficult question: how do you embrace AI-driven progress without creating massive new security risks?
As one of the founding fathers of zero trust, Dr. Chase Cunningham delivers an important answer that he shares in his new research paper, Agentic Zero Trust: Extending the Zero Trust Security Paradigm to Autonomous AI Systems. Enterprises do not need to abandon Zero Trust principles to adopt agentic AI. In fact, Cunningham argues the opposite: zero trust becomes even more important once autonomous AI agents enter the enterprise.
That message matters because many organizations still see AI adoption and security governance as opposing forces. Business leaders want autonomous agents that can accelerate workflows, automate operations, and improve productivity. Security teams worry those same systems introduce uncontrollable risks through prompt injection, tool abuse, privilege escalation, and data exfiltration.
Cunningham’s report reframes the debate entirely. The problem is not that zero trust breaks when agentic AI is deployed in an enterprise. The problem is that organizations often look to apply zero trust as though AI agents behave like traditional users or applications.
They do not.
AI Agents Are Not Traditional Workloads
One of the strongest insights in the report centers on a simple reality: AI agents represent an entirely new type of enterprise principal.
Traditional security architectures assume relatively predictable actors:
- Human users
- Managed devices
- Deterministic applications
- Static services
Agentic AI changes those assumptions. Modern agents can reason dynamically, invoke APIs autonomously, spawn sub-agents, retain memory across sessions, and take actions without human intervention. They authenticate continuously at machine speed while interacting with dozens of systems simultaneously.
That sounds intimidating from a security perspective. But Cunningham’s core point is that these challenges need not invalidate the zero trust gains an enterprise has already achieved. They simply require enterprises to apply zero trust principles directly to agentic systems.
The philosophy remains exactly the same:
- Never trust
- Always verify
- Enforce least privilege
- Continuously validate behavior
- Limit blast radius
With the right foundation, those principles map naturally to AI agents.
Zero Trust Already Solves the Right Problem
The report repeatedly emphasizes that the foundational zero trust mindset remains correct for agentic AI. An AI agent requesting access to sensitive data should receive the same scrutiny as any other enterprise principal. The difference is that AI agents require more granular enforcement because they operate autonomously and adapt dynamically during runtime.
That distinction becomes especially important when Cunningham examines modern AI attack paths. Indirect prompt injection provides a perfect example. Attackers can hide malicious instructions inside documents, emails, PDFs, MCP tool descriptions, or knowledge bases that agents ingest during normal operations. Once the payload enters the reasoning loop, the agent may execute attacker-controlled actions using legitimate permissions.
The answer is not to abandon AI adoption. The answer is stronger policy enforcement:
- Deterministic policy enforcement points
- Tool-level authorization
- Runtime validation
- Cryptographic identity
- Continuous behavioral monitoring
In other words: zero trust controls adapted for autonomous systems.
The Real Shift Is Runtime Enforcement
The most important operational takeaway from Cunningham’s report is that security enforcement must move closer to runtime decision-making. Traditional enterprise security often assumes that authentication and authorization happen once at session initiation. Agentic AI breaks that model because agents continuously make new decisions during execution.
An agent may:
- Retrieve sensitive records
- Invoke external APIs
- Delegate tasks to sub-agents
- Access additional tools
- Generate outbound communications
- Persist information into memory stores
Each action becomes its own trust decision. That is why the report places so much emphasis on Policy Enforcement Points operating outside the LLM itself. The model cannot successfully act as the security boundary. Instead, organizations need external enforcement layers that validate every tool invocation, every data request, and every privilege escalation attempt against explicit policy.
This is where AI gateways become critical.
AI Gateways Extend Zero Trust Into Agentic Systems
Cunningham highlights agent gateways as one of the most important architectural controls for secure AI deployment. Conceptually, the model resembles the evolution of API security over the last decade. Enterprises eventually realized APIs required centralized policy enforcement, identity validation, behavioral monitoring, and runtime traffic inspection. Agentic AI introduces the same requirement for autonomous systems. The report outlines several critical controls:
- SPIFFE/SPIRE workload identity
- OAuth 2.0 Token Exchange
- Just-in-time authorization
- Tool-level least privilege
- mTLS everywhere
- Immutable audit trails
- Behavioral monitoring
- Token isolation patterns
These are not anti-AI controls. They are AI-enabling controls. Without them, organizations cannot safely scale autonomous systems.
Behavioral Identity Becomes Essential
The report’s most compelling idea may be “behavioral identity.” Traditional Zero Trust focuses heavily on who the principal is, and what they can access. Behavioral identity adds a third layer that monitors and analyzes what the principal is actually doing to ensure that the principal behaving consistently with its intended purpose or “job description”.
That matters enormously for AI agents, since an agent may possess valid credentials and technically authorized access while still behaving in ways that violate enterprise intent. Cunningham cites examples involving agents autonomously escalating privileges, bypassing controls, and exfiltrating data while operating entirely within valid authorization scopes.
This is where runtime behavioral monitoring becomes indispensable. Security teams need to evaluate:
- Tool-call sequences
- Access patterns
- Barrier-response behavior
- Scope deviations
- Data movement anomalies
The important point is that this still aligns directly with zero trust principles. Continuous verification has always been foundational to zero trust. Agentic AI simply expands what organizations must continuously verify.
Secure AI Adoption Requires Security-First Architecture
Cunningham’s report ultimately delivers a reassuring message for enterprise security leaders: organizations do not need to choose between innovation and security. They do not need to weaken zero trust architectures when deploying autonomous AI systems. But they do need to modernize how zero trust applies to non-human identities, autonomous workflows, and AI-driven decision-making. The enterprises that succeed with agentic AI will not be the ones that move fastest without controls. They will be the ones that operationalize zero trust directly into the AI runtime itself.
That means:
- Verifying every agent
- Governing every tool invocation
- Enforcing least privilege continuously
- Monitoring behavior in real time
- Treating AI systems as dynamic enterprise principals
The organizations that embrace that model will scale AI safely. The ones that do not will eventually discover that autonomous systems amplify trust failures at machine speed.
Cequence Security would welcome the opportunity to talk to you about how agentic AI can be successfully deployed, secured, and governed while embracing zero trust principles. Reach out and schedule a conversation and demo of the Cequence AI Gateway and see for yourself.
