Zero Trust Architecture for AI Systems: Beyond Network Perimeters

Zero trust has become the gold standard for enterprise IT security, but most implementations were designed for human users accessing applications through web browsers and VPN clients. AI agents present fundamentally different identity, authentication, and authorisation challenges that require zero trust principles to be reinterpreted and extended. An AI agent doesn't have a username and password. It doesn't use multi-factor authentication. It doesn't have a device posture that can be evaluated. Instead, it has a system prompt that defines its identity, a set of tool permissions that define its capabilities, a conversation context that changes with every message, and a model that can be manipulated through adversarial inputs. Extending zero trust to AI systems means rethinking identity verification for non-human actors, redefining trust boundaries to account for the fluid nature of agent contexts, implementing continuous verification mechanisms that work at the speed of tool invocations, and building policy enforcement infrastructure that can evaluate hundreds of access decisions per second. This article provides a comprehensive framework for building zero trust architecture that encompasses traditional IT infrastructure and AI systems in a unified security model.

Redefining Identity for AI Agents

In traditional zero trust, identity is the foundation: every access request must come from a verified identity. For human users, this means username plus password plus MFA device plus device posture check. For AI agents, identity must be constructed differently. An agent's identity is a composite of its deployment context including which orchestration platform launched it, its configuration including system prompt and tool permissions, its session metadata including originating user and conversation ID, and cryptographic attestation of the code that's running. A robust AI identity framework issues short-lived identity tokens that bind all of these attributes together, creating a verifiable identity claim that can be evaluated by every tool and service the agent interacts with. The token should be scoped to a single session and automatically revoked when the session ends, preventing token replay attacks. Every tool invocation should present this identity token, and the receiving service should verify not just the token's signature but also the agent's authorised scope for the specific tool being invoked. This approach transforms agent identity from a static configuration property into a dynamic, continuously verified attribute that adapts to the context of each interaction.

Continuous Verification at Tool Invocation Speed

Traditional zero trust systems evaluate access decisions on the order of seconds, typically during authentication flows or periodic re-verification. AI agents operate on a fundamentally different timescale—a single conversation can generate dozens of tool invocations within seconds, each of which crosses a trust boundary and requires an access decision. Building a policy enforcement engine that can handle this throughput requires careful architectural design. The policy engine should run as a sidecar process co-located with the MCP transport layer, evaluating each tool invocation against a cached policy set without making network calls for every decision. Policies should be expressed in a declarative language that supports conditions based on the agent's identity, the tool being invoked, the parameters being passed, the current time, the session's accumulated risk score, and the agent's behavioural profile. The engine should support both synchronous blocking enforcement for high-risk decisions and asynchronous monitoring mode for low-risk operations where adding latency would degrade the user experience. Critically, the policy engine must be hardened against tampering—it should run in its own security domain with its own credentials, and policy updates should require multi-party approval and cryptographic signing. An attacker who can modify the policy engine effectively owns the entire zero trust architecture.

Adaptive Trust Scoring for Agent Sessions

Static access control policies cannot capture the nuanced risk landscape of AI agent behaviour. A tool invocation that is perfectly normal in one context may be highly suspicious in another. Adaptive trust scoring adds a dynamic layer to the zero trust model by maintaining a running risk score for each agent session based on its accumulated behaviour. The score starts at a baseline determined by the agent's role and the sensitivity of the tools it has access to, then adjusts upward or downward based on observed behaviour. Accessing a table the agent has never accessed before increases the score. Issuing queries at an unusual rate increases the score. Attempting to access tools outside the agent's normal working set increases the score significantly. Conversely, behaviour that matches established baselines decreases the score. When the score crosses configurable thresholds, the system can take graduated responses: at a moderate threshold, it might require additional verification for the next tool call; at a high threshold, it might restrict the agent to a read-only subset of tools; at a critical threshold, it automatically suspends the session and alerts the security team. This adaptive approach provides security that scales with the actual risk of each interaction rather than applying blanket restrictions that would make agents unusable.

Unifying Human and AI Zero Trust

The most effective zero trust architectures for AI don't treat AI agents as a separate security domain but integrate them into a unified trust model alongside human users. When a human user triggers an AI agent through a chat interface or workflow automation, the agent inherits a trust context from the initiating user—including their role, their clearance level, and their access permissions. This inherited context bounds what the agent can do on behalf of that user, ensuring that agents can never exceed the permissions of the humans who deploy them. The unified model also enables end-to-end auditability: you can trace a data access event from the human who initiated the request through the agent that processed it to the specific tool invocation that retrieved the data. This traceability is essential for compliance with regulations that require demonstrable control over who accesses sensitive data, even when access is mediated through AI systems. Building a unified model requires a shared identity platform that can issue and verify tokens for both human and agent identities, a centralised policy engine that evaluates both types of access requests, and an integrated audit log that correlates agent actions with the human sessions that triggered them.