Zero Trust for AI Agents at ATARC ZT4
I had the privilege of speaking at the ATARC Zero Trust Virtual Learning Exchange on a topic that has been keeping a lot of security architects up at night: how do you apply Zero Trust to AI agents that act on behalf of users, autonomously, across systems they were never explicitly granted access to?
The problem with treating agents like traditional workloads
For most of the last decade, our identity programs had two clean buckets: users (humans with credentials and MFA) and workloads (services with managed identities or service principals). Zero Trust strategies were built around those two shapes.
Agents do not fit either bucket cleanly. They act like a user (initiating actions, making decisions, holding context), but they scale like a workload (spun up programmatically, ephemeral, fanning out across resources). Trying to model them with one set of controls or the other leaves gaps.
What Zero Trust looks like for agents
In the session I walked through three pillars that practitioners can start applying today:
Identity verification. Agents need first-class identities that are distinct from the humans they serve. Inheriting a user’s token end-to-end is the path to over-permissioned automation. Frameworks like Microsoft Entra Agent ID give you a real construct for an agent identity with its own lifecycle.
Access control. Standing privileges age badly when the entity holding them can fan out to thousands of operations per minute. Just-in-time access, scoped tokens, and policy-based authorization (think OAuth 2.0 with proper audience binding, plus emerging standards like MCP and A2A) are the difference between a useful agent and a confused deputy waiting to happen.
Behavioral monitoring. Agent activity is the new audit log. The volume is high and the patterns are unfamiliar, so you need behavioral baselines, anomaly detection, and human-in-the-loop review on the edges. Logs that group activity by agent identity (not by the upstream user) are essential for any meaningful investigation.
If you missed it, slides and reference material are available at Zero Trust for AI Agents.
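To make the three pillars concrete, here is an added example (not from the talk or from any Microsoft code) of a resource-side check on an agent's token, with an audit trail keyed by agent identity. It assumes the claims are already signature-verified and that delegation is expressed with the RFC 8693 `act` claim; the audience URL, scope names, identities and the 10-minute lifetime policy are hypothetical.

```python
from collections import Counter

RESOURCE_AUDIENCE = "https://tickets.example.internal"  # hypothetical API identifier
MAX_TOKEN_LIFETIME_S = 600  # assumed policy: just-in-time tokens live <= 10 minutes

def authorize(claims, required_scope, now):
    """Decide on already signature-verified claims; return (allowed, audit_record)."""
    actor = (claims.get("act") or {}).get("sub")  # RFC 8693 actor claim: the agent
    user = claims.get("sub")                       # the human being served
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    scopes = claims.get("scope", "").split()
    iat, exp = claims.get("iat", 0), claims.get("exp", 0)
    if not actor or actor == user:
        reason = "no_distinct_agent_identity"  # user token passed through end-to-end
    elif RESOURCE_AUDIENCE not in audiences:
        reason = "audience_mismatch"           # token was minted for another resource
    elif required_scope not in scopes:
        reason = "scope_missing"
    elif now >= exp:
        reason = "expired"
    elif exp - iat > MAX_TOKEN_LIFETIME_S:
        reason = "standing_privilege"          # lifetime too long to be just-in-time
    else:
        reason = "ok"
    record = {"agent": actor or "unknown", "on_behalf_of": user,
              "scope": required_scope, "decision": reason, "ts": now}
    return reason == "ok", record

def denials_by_agent(records):
    """Group the audit trail by agent identity, not by the upstream user."""
    return Counter(r["agent"] for r in records if r["decision"] != "ok")

# Constructed sample claims (not real tokens)
NOW = 1_700_000_000
BASE = {"sub": "user:alice", "act": {"sub": "agent:triage-bot"},
        "aud": RESOURCE_AUDIENCE, "scope": "tickets.read",
        "iat": NOW - 60, "exp": NOW + 240}
SAMPLES = [
    (BASE, "tickets.read"),                                                # allowed
    (BASE, "tickets.delete"),                                              # outside scope
    ({**BASE, "aud": "https://payroll.example.internal"}, "tickets.read"),  # wrong audience
    ({**BASE, "act": None}, "tickets.read"),                               # bare user token
    ({**BASE, "exp": NOW + 86_400}, "tickets.read"),                       # day-long token
]
AUDIT = [authorize(claims, scope, NOW)[1] for claims, scope in SAMPLES]

if __name__ == "__main__":
    for rec in AUDIT:
        print(rec)
    print(denials_by_agent(AUDIT))
```

Counting denials per agent rather than per user is what turns this log into a behavioral baseline: a single agent accumulating audience or scope denials stands out even when it serves many users.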
Why this matters now
Boards are asking about AI risk. CISOs are being asked to approve agentic deployments. The teams shipping these agents are moving faster than the policy frameworks can catch up. Zero Trust gives us a vocabulary and a set of controls that already exist, and the work is in extending them, not inventing new ones.
If you want the deeper coverage, the agenda and replay are linked from ATARC’s event page.
Thanks to the ATARC team and everyone who joined live. Good questions, great discussion, and a clear signal that this conversation is moving from theory to production fast.