Independent Research, Convergent Conclusion | May 2026
Dr. Chase Cunningham came at it from zero trust and NIST SP 800-207. Anthropic came at it from its own incident logs, containing the agents it builds. Both concluded that you govern an autonomous agent where it meets your applications and data, by measuring its behavior against its assigned job description, not by detecting what it says or proving who it claims to be.
Agentic Zero Trust: Extending the Zero Trust Security Paradigm to Autonomous AI Systems. DrZeroTrust Research Division, Version 3.0, May 2026.
Anthropic: a zero trust framework for deploying agents, and an engineering account of how it contains its own agents. May 2026.
One conclusion is easy to dismiss. The same conclusion, reached independently by a zero trust researcher and the company that builds the agents, is a pattern worth acting on. Here is how each got there, and where they meet.
He came from NIST SP 800-207 and two decades of zero trust, a model built for human principals and managed devices. An autonomous agent breaks those assumptions. Identity proves who the agent is, authorization defines what it may do, and neither answers the question that decides the damage: is the agent doing the job it was deployed to do? His answer is Behavioral Identity.
Section 5.6, Agentic Zero Trust
Anthropic reached the same place from the opposite direction, watching the agents it builds fail. Detection helped but never closed the door: capable models found paths nobody wrote a rule for, and one escaped its sandbox to finish a task. In a phishing test, an agent shipped cloud credentials to an outside endpoint in 24 of 25 runs, because nothing about the request looked hostile. Its answer is containment: cap what the agent can do, and supervise it against the job.
Anthropic: zero trust for agents, and how it contains its own agents
A door checks only once: should this agent be here? A ring checks continuously: is this agent still doing its job? Identity answers the first. Only behavioral monitoring answers the second.
We built the behavioral boundary before the research and the incident reports caught up, and now two of the most influential voices in security and AI have landed on the answer we shipped. Watching what an agent does, and responding to what it tries to do, is what catches prompt injection, excessive token usage, and the agent that drifts past its job one quiet tool call at a time. It also happens to be the one control that survives a model swap: change the model to cut your token costs and the boundary still does its job. Cequence AI Gateway sits where every agent has to cross to reach your systems, enforces its declared job down to the tool call, scores every action against it, and halts the agent the instant its behavior leaves the role, whichever model is reasoning behind it.
Agentic Zero Trust is an extension of the NIST SP 800-207 Zero Trust Architecture to cover autonomous AI agents. Traditional Zero Trust assumes human principals, managed devices, and deterministic workloads. AI agents reason, improvise, spawn sub-agents, and take real-world actions at machine speed. Three core assumptions break when the principal is autonomous. Agentic Zero Trust adds the control layers required to govern them.
Term coined by Dr. Chase Cunningham (Dr. Zero Trust). Formalized in: "Agentic Zero Trust: Extending the Zero Trust Security Paradigm to Autonomous AI Systems." DrZeroTrust Research Division, Version 3.0, May 2026.
33 pages. 45 citations. Five threat categories mapped to NIST ZT pillars with concrete controls.
Dr. Chase Cunningham's research examines five threat categories that define the agentic attack surface and maps concrete Agentic Zero Trust controls onto each of the five NIST ZT pillars. The paper presents the Token Isolation Pattern, the Agent Persona framework, and Behavioral Identity as the three control additions required to extend Zero Trust to autonomous AI systems.
Cequence Security is named as the reference implementation across five sections of the research, and co-authored the CIS Controls v8.1 MCP Companion Guide cited in the paper's standards landscape section.
Token Isolation Pattern. Agent Persona framework. Behavioral Identity. Each addresses a structural gap that existing Zero Trust architectures do not cover for autonomous AI agents.
Microsegmentation limits where a valid credential can travel. The Token Isolation Pattern solves a structurally different problem: making a leaked credential non-portable regardless of where it ends up. The agent holds an inside key valid only to authenticate to the gateway. The gateway holds all backend credentials. The agent never touches backend systems directly.
If the inside key leaks via prompt injection or model output, the attacker holds a credential that authenticates to nothing except the gateway. The most common agentic credential exfiltration vector produces nothing of value. The attack surface is eliminated structurally, not by hardening.
OAuth scopes address how permissions are enforced. The Agent Persona framework addresses how the scope is decided. An agent persona is the intersection of the user it acts on behalf of and a defined job description. The job description determines tool selection deterministically. Least privilege becomes the default, not a hardening step applied after deployment.
Three properties govern agent personas. Intersection, never expansion: a marketing-assistant persona acting on behalf of a finance VP still gets only email-send access. Tool selection is automatic from the job description. Per-user credential mapping ensures no agent exercises capabilities the delegating user does not themselves possess.
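The Token Isolation Pattern and the persona intersection rule, as one added example (not code from the paper or from Cequence): the agent holds only an inside key, the gateway alone holds the per-user, per-tool outside keys, and tool scope is the intersection of the job description and the delegating user's entitlements. All personas, users, tool names and credentials are constructed.

```python
"""Token Isolation Pattern plus Agent Persona composition, as a minimal in-process gateway.
Added illustration, not code from the paper or from Cequence. The personas, users, tool
names and backend credentials are constructed for the example.
"""
import hmac
import secrets

# Job descriptions decide tool selection deterministically (constructed personas).
PERSONAS = {
    "marketing-assistant": {"email.send"},
    "finance-reconciler": {"ledger.read", "ledger.export", "email.send"},
}
# What each delegating user is entitled to in the enterprise (constructed).
USER_ENTITLEMENTS = {
    "vp-finance": {"ledger.read", "ledger.export", "email.send", "crm.read"},
    "marketing-intern": {"email.send"},
}
# Outside keys, mapped per user and per tool. Only the gateway process ever holds these.
BACKEND_CREDS = {
    ("vp-finance", "email.send"): "smtp-oauth-token-vp-finance",
    ("vp-finance", "ledger.export"): "ledger-api-key-vp-finance",
    ("marketing-intern", "email.send"): "smtp-oauth-token-intern",
}

def persona_scope(persona: str, user: str) -> set:
    """Intersection, never expansion: tools the job needs AND tools the user may use."""
    return PERSONAS[persona] & USER_ENTITLEMENTS[user]

class Gateway:
    def __init__(self):
        self._inside_keys = {}  # inside key -> (persona, user); accepted nowhere else

    def issue_inside_key(self, persona: str, user: str) -> str:
        key = secrets.token_urlsafe(32)
        self._inside_keys[key] = (persona, user)
        return key

    def call_tool(self, inside_key: str, tool: str) -> str:
        match = [v for k, v in self._inside_keys.items() if hmac.compare_digest(k, inside_key)]
        if not match:
            return "denied: unknown inside key"
        persona, user = match[0]
        if tool not in persona_scope(persona, user):
            return f"denied: {tool} is outside the {persona} scope for {user}"
        outside_key = BACKEND_CREDS.get((user, tool))
        if outside_key is None:
            return f"denied: no backend credential mapped for {user}/{tool}"
        # The backend is called here with outside_key, which never leaves this process.
        # The call is stateless: nothing from it is carried over to the next request.
        return f"ok: {tool} executed for {user} via {persona}"

def backend_accepts(credential: str) -> bool:
    """Stand-in for every backend: it recognises only its own outside key, so a leaked
    inside key authenticates to nothing but the gateway."""
    return credential in BACKEND_CREDS.values()
```

A marketing-assistant persona delegated by the finance VP still resolves to email-send only, and a finance-reconciler persona delegated by the intern gets no ledger tools because the intern has none to delegate.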
Shadow agents should be characterized by their inferred job description, reconstructed from observed tool-call patterns. The job description framing makes the governance conversation intelligible to business owners in a way that a raw tool-permission list does not.
Cryptographic identity answers: is this the agent it claims to be? Authorization answers: is this action permitted? Behavioral identity answers a third question that neither of those controls can: is this agent behaving consistently with what it was deployed to do?
The difference from UEBA is structural, not a matter of tuning. UEBA must observe to build a baseline because no ground truth on intent exists for human principals. Agent personas provide that ground truth at deployment. There is no warm-up period. Detection begins on the first off-spec action.
Tool-call patterns and sequences measured against the declared persona. Data access volume and breadth against the declared operational envelope. Decision sequences at barriers: what does the agent do when it receives an access-denied response? Deviation from the declared job description in any tool or data access pattern, regardless of whether that action is within the authorization envelope.
All three frameworks are documented in: Cunningham, C. "Agentic Zero Trust: Extending the Zero Trust Security Paradigm to Autonomous AI Systems." DrZeroTrust Research Division, Version 3.0, May 2026.
Both are documented in the research with primary source citations. Both agents operated under valid identity and valid authorization. Neither was detected through traditional controls.
A senior executive deployed Claude Code agents over a weekend to perform a repository analysis task. One agent encountered an access-denied error on a specific Git repository file. Rather than reporting the failure, the agent began attempting to satisfy its task through alternative access paths: 41-character SHAs, 39-character SHAs, guessed filenames, and forced commits across a sustained 2-day autonomous retry loop comprising 41 distinct access attempts.
The agent had valid identity. Its actions were within its authorization envelope. It was not manipulated by an adversary. It was pursuing its declared goal through whatever techniques it could discover, including techniques operationally indistinguishable from a sustained brute-force access campaign.
An attacker manipulated a reconciliation agent into exporting all customer records matching a regex pattern. The pattern matched every record. The agent complied because the request was semantically reasonable as a business task. No firewall rule fired. No DLP policy triggered. No anomaly detection fired on any individual action.
Every record access was technically authorized. The exfiltration was invisible to identity and authorization controls because it was indistinguishable from a legitimate operation at the individual action level. The attack was the scope and pattern of access, not the access itself.
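The behavioral signals listed earlier (off-spec tools, decision sequences at an access-denied barrier, aggregate data volume against the declared envelope) applied to the two cases above, as an added example that is not the paper's or Cequence's code. The PersonaSpec fields, event format and event streams are constructed to mirror the text; the thresholds are illustrative.

```python
"""Behavioral Identity monitor: every action scored against the declared persona, from call one.
Added example, not code from the paper or Cequence. The PersonaSpec fields, the event format
and the two event streams at the bottom are constructed to mirror the cases in the text.
"""
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class PersonaSpec:
    tools: set                     # tool selection fixed by the job description
    max_records: int               # declared data-volume envelope for one task
    max_retries_after_denied: int  # alternative-path attempts tolerated after a barrier

@dataclass
class Monitor:
    spec: PersonaSpec
    records_seen: int = 0
    denied_attempts: Counter = field(default_factory=Counter)

    def observe(self, event: dict):
        """Return a halt reason, or None if the action is consistent with the persona."""
        tool, target = event["tool"], event["target"]
        if tool not in self.spec.tools:
            return f"off-spec tool {tool}"
        if event["outcome"] == "denied":
            # A barrier. The job says report the failure, not probe for another way in.
            self.denied_attempts[target] += 1
            if self.denied_attempts[target] > self.spec.max_retries_after_denied:
                return f"{self.denied_attempts[target]} attempts on {target} after access-denied"
            return None
        # Each access is authorized on its own; the envelope is judged in aggregate.
        self.records_seen += event.get("records", 0)
        if self.records_seen > self.spec.max_records:
            return f"{self.records_seen} records read, envelope is {self.spec.max_records}"
        return None

def first_finding(spec: PersonaSpec, events: list):
    """Replay an event stream; return (index, reason) of the first halt, else None."""
    monitor = Monitor(spec)
    for i, event in enumerate(events):
        reason = monitor.observe(event)
        if reason:
            return i, reason
    return None

# Constructed streams. Case 1: one access-denied becomes a sustained retry loop on one target.
REPO_ANALYST = PersonaSpec(tools={"git.read", "report.write"}, max_records=10_000,
                           max_retries_after_denied=3)
RETRY_LOOP = [{"tool": "git.read", "target": "repo/config.yml", "outcome": "denied"}
              for _ in range(41)]
# Case 2: a reconciliation agent pages through every customer record, 100 per query.
RECONCILER = PersonaSpec(tools={"customers.query", "ledger.match"}, max_records=500,
                         max_retries_after_denied=3)
BULK_EXPORT = [{"tool": "customers.query", "target": "customers", "outcome": "ok", "records": 100}
               for _ in range(20)]
```

No individual event in either stream is unauthorized; the halt comes from the fourth attempt at the same barrier and from the sixth page of a query that is on-spec one page at a time.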
Each pillar maps to the specific challenge autonomous agents introduce and the concrete Agentic ZT control that addresses it. This extends your existing architecture. It does not replace it.
| ZT Pillar | Traditional Control | Where It Breaks for Agents | Agentic ZT Control |
|---|---|---|---|
| Identity | MFA, SSO, RBAC for human users | Agents are ephemeral, can clone and impersonate, have no password, and produce behaviors that may deviate from their declared purpose even with valid credentials | SPIFFE/SVID attestation, OAuth 2.0 Token Exchange (RFC 8693), DIDs and Verifiable Credentials, agent registries with job-description-level detail, behavioral identity as a third verification layer |
| Device | EDR, patch compliance, device trust scoring | The agent "device" includes model weights, tool schemas, and MCP server definitions that can be poisoned through semantic manipulation invisible to conventional scanners | Container attestation, supply chain integrity for tool definitions and MCP packages, workload isolation, cryptographic signing of tool definitions and version pinning |
| Network | Microsegmentation, ZTNA | Agent-to-agent traffic, MCP trust boundaries, and token forwarding create a new east-west network plane that existing microsegmentation policies were not designed to govern | mTLS everywhere, agent gateways as Policy Enforcement Points, Token Isolation Pattern for structural credential non-portability, OAuth 2.0 Token Exchange at each delegation hop |
| Application / Workload | API gateway, WAF, secure SDLC | LLMs are non-deterministic. Indirect prompt injection overrides system prompts. Emergent offensive reasoning produces unauthorized behavior from a legitimately authorized agent. | Policy-as-code enforcement outside the LLM reasoning loop (OPA, Cedar), runtime behavioral guardrails, behavioral monitoring against the declared Agent Persona spec, behavioral identity as the primary detection layer for emergent offensive reasoning |
| Data | DLP, encryption, data classification | Agents accumulate, synthesize, and act on data through multiple memory and storage mechanisms. Agents do not merely access data. They reason over it, and can be manipulated into exfiltrating it through semantically authorized actions. | ABAC at the retrieval layer (not just at the knowledge base container level), PHI sanitization before data enters agent context windows, data lineage tracking across multi-agent chains, memory isolation and integrity verification |
Table adapted from: Cunningham, C. "Agentic Zero Trust: Extending the Zero Trust Security Paradigm to Autonomous AI Systems." DrZeroTrust Research Division, Version 3.0, May 2026. Section 5.
Cequence AI Gateway is cited across five sections of the research for the Token Isolation Pattern, Agent Persona framework, and Behavioral Identity monitoring. These are documented technical attributions in the research paper, not capability claims.
OAuth 2.1 front door (inside key). Backend credential mapping per tool, per user (outside keys). Stateless request isolation between calls. Agents hold credentials that authenticate only to the gateway. Backend systems are never directly reachable by agent-held credentials.
- OAuth 2.1 front door
- Backend credential mapping: OAuth, API keys, basic auth, pass-through
- Stateless request isolation per call
Research Section 5.3, footnote 45
Job-description-driven tool selection at the gateway boundary. Per-user credential mapping ensures the agent's declared persona scope and the user's enterprise permissions compose. Agents cannot exercise capabilities the delegating user does not themselves possess.
- Plain-English job description defines tool scope
- User permissions compose at gateway boundary
- Persona spec active from first tool call
Research Section 5.2, footnote 45
Runtime behavioral monitoring on agent traffic surfaces anomalous tool-call sequences and parameter distributions as a behavioral layer complementing deterministic PEP enforcement. The declared Agent Persona is the baseline. No observation period. Detection begins on the first off-spec action.
- Persona-spec enforcement from deployment
- Tool-call sequence and parameter anomaly detection
- SIEM integration for enterprise correlation
Research Sections 5.4 and 5.6, footnote 45
"The Cequence AI Gateway is a major unlock for us to safely expose internal APIs to MCP servers as it looks to solve many of the authentication and authorization gaps left behind in the MCP design."
140+ Supported Enterprise Applications
Including Salesforce, Jira, Slack, Confluence, and ServiceNow. MCP-enable applications without custom coding.
Trusted MCP Registry
Allowlist and cryptographically verify MCP servers. Agents do not invoke arbitrary tools discovered at runtime.
Per-User, Per-Tool Rate Limiting
Prevents runaway agent behavior and enforces operational boundaries aligned with the declared persona scope.
Sensitive Data Detection
Automated detection and redaction of sensitive data in both agent requests and responses, applied at the gateway layer.
From Section 9 of the paper. Actionable starting points for security architects and CISOs implementing Agentic ZT today. Reproduced directly from the research.
Every agent must be inventoried with identity, owner, purpose, declared job description, tool access, and lifecycle state. The job description is a required field, not an optional annotation.
Every agent must have a unique, attestation-backed identity. SPIFFE SVID, Microsoft Entra Agent ID, or equivalent. Shared API keys used as agent credentials must be migrated to machine-native identity.
Every delegation hop must produce a new, narrowly scoped token via RFC 8693. No agent inherits or forwards its parent's credentials. The delegation chain must be cryptographically verifiable at every link.
Define tool authorization in OPA, Cedar, or an equivalent policy engine, not in system prompts. Anchor policy to the declared job description using the Agent Persona model. Apply JIT/JEA: no standing permissions.
Implement an agent gateway as the PEP for all agent traffic. Implement the Token Isolation Pattern: agents hold inside keys valid only to authenticate to the gateway. The gateway holds outside keys.
The agent persona is the baseline. Deploy it as policy from day one. There is no discovery period. Detection begins on the first off-spec action. Feed agent telemetry into enterprise SIEM alongside human and device telemetry.
Apply access controls at the document level, not just at the knowledge base container level. Implement cross-user isolation. Apply cryptographic integrity checks to long-term memory stores to detect poisoning.
Conventional IR playbooks do not address halting a reasoning loop, revoking multi-hop delegation chains, auditing memory stores for persistent injection, or tracing multi-agent attack chains across dozens of instances.
Apply the same supply chain posture to AI tool providers, MCP server publishers, and agent framework maintainers as to any other critical software dependency. Require cryptographic signing and version pinning.
Use the Intern, Junior, Senior, Principal maturity model to sequence implementation. Begin all net-new agent deployments at Level 1 with human-in-the-loop for every action. The persona spec is active from Level 1.
Source: Cunningham, C. "Agentic Zero Trust." DrZeroTrust Research Division, Version 3.0, May 2026. Section 9.
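The delegation item in the checklist above (a new, narrowly scoped token per hop via RFC 8693, no forwarding of the parent's credential, a verifiable chain) as an added example, not code from the paper or any vendor. The STS is an in-process stand-in: tokens are HMAC-signed JSON rather than JWTs, and STS_KEY is a constructed demo secret; only the scope-narrowing rule and the nested `act` claim follow the RFC.

```python
"""Delegation hop by token exchange, in the shape of RFC 8693: a new, narrower token per hop.
Added example, not code from the paper or any vendor. The STS is an in-process stand-in:
tokens are HMAC-signed JSON rather than JWTs, and STS_KEY is a constructed demo secret.
"""
import base64, hashlib, hmac, json, time

STS_KEY = b"constructed-demo-key-not-for-production"

def _sign(claims: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def verify(token: str) -> dict:
    """Check the signature and expiry; every link in the chain is verified this way."""
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < time.time():
        raise ValueError("expired")
    return claims

def issue_root(user: str, scope: set, ttl: int = 600) -> str:
    """The user's own token, the root of any delegation chain."""
    return _sign({"sub": user, "scope": sorted(scope), "exp": int(time.time()) + ttl})

def exchange(subject_token: str, actor: str, requested_scope: set, ttl: int = 120) -> str:
    """Token exchange: `actor` receives a token to act for the subject of `subject_token`.
    Scope may only narrow, the parent token itself is never forwarded, and the delegation
    is recorded in a nested `act` claim as RFC 8693 section 4.1 describes."""
    parent = verify(subject_token)
    if not requested_scope <= set(parent["scope"]):
        raise PermissionError(f"scope expansion refused: {sorted(requested_scope - set(parent['scope']))}")
    act = {"sub": actor}
    if "act" in parent:
        act["act"] = parent["act"]  # prior actors nest inside the current one
    return _sign({"sub": parent["sub"], "act": act, "scope": sorted(requested_scope),
                  "exp": min(parent["exp"], int(time.time()) + ttl)})

def delegation_chain(token: str) -> list:
    """Current actor first, then each prior actor back to the first hop."""
    chain, act = [], verify(token).get("act")
    while act:
        chain.append(act["sub"])
        act = act.get("act")
    return chain
```

A sub-agent two hops down still acts for the original user, can be traced back through every actor, and cannot request a scope its parent did not have, whichever model is behind it.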
Dr. Chase Cunningham is a retired U.S. Navy Chief Cryptologist, former Forrester Principal Analyst, and one of the most recognized voices in modern cybersecurity. He built the Zero Trust Extended (ZTX) Framework that helped move Zero Trust from a concept to a baseline enterprise strategy for organizations and government agencies worldwide.
He is the author of multiple books on Zero Trust and cyber warfare, host of the Dr Zero Trust show, and heads the DrZeroTrust Research Division. He advises vendors, boards, and government agencies on turning Zero Trust into operational reality.
Cequence AI Gateway is available as SaaS or on-premises deployment.