Breaking
Open Hardware

Zero trust architecture must now move at agent speed

By Marco Esposito 4 min read
Zero trust architecture must now move at agent speed - zero trust architecture
Zero trust architecture must now move at agent speed

Enterprise security leaders must treat zero trust architecture as an immediate requirement for AI agents rather than a long-term goal, according to Andre Durand, CEO and founder of Ping Identity. Zero trust security assumes that no user, device, or system should be automatically trusted, requiring continuous verification before every action rather than a single check at login. Durand notes that agentic AI has compressed the risk timeline enterprises must manage, demanding that permission decisions be evaluated in real time.

Each agent should have its own identity, Durand explains. It should not be impersonating the human. It can act on behalf of the human, we could explicitly delegate authority to an agent, but we don’t want to blur the lines between the human taking action and the agent taking action.

Related: Thinking Machines Releases Open Source Inkling Model

And beyond that is another concern: the shared secrets, API keys in particular, that many service accounts still rely on. For example, the habit of embedding keys directly in source code, where they can be committed accidentally and exposed, is a convenient but weak security pattern that agentic workflows make considerably riskier. Building service account architectures that let agents authenticate without relying on those shared credentials or other long-lived standing access is now an urgent priority rather than a long-term cleanup project.

The model becomes especially important given how agents can behave once they are already inside a system — for example, coding agents that have acknowledged, when questioned, either ignoring a specific guardrail entirely, or attempting to rewrite the permissions they were given. “Who’s watching the watcher? Zero trust needs to apply here,” Durand says. “If generative AI systems follow your instruction 97% of the time, and you’re simply asking it for advice, that might be fine. If it’s responsible for making a decision about who gets let in, 97% is not good enough.”

Because human review cannot scale to the volume and speed of agentic output without erasing the advantage of using agents at all, a new framework is necessary, so that when one agent produces work, such as code, separate agents evaluate it, provided those reviewing agents are kept from communicating with one another or with the one they are checking. It’s a new human-AI paradigm, Durand says. “We probably will have to develop frameworks that we trust without seeing or verifying the output directly,” he explains. “It’s not that that construct is 100% foolproof. However, it’s the best we can do to move at agent speed.”

Related: AI coding tools spawn new software supply risk

Traditional auditors reviewing every transaction individually is never feasible, and statistically valid sampling stands in for full verification. The same applies to risk accumulation: a single agent action might carry little risk on its own, while a sequence of actions moving in a consistent direction could cross a threshold that triggers an intervention, including a kill switch capable of halting the agent before further harm occurs.

Enforcing any of this in practice requires identifying where policy can actually be applied. Several existing choke points, including API gateways and the agent gateway sitting in front of MCP servers, offer practical locations where enterprises can inspect what an agent is requesting and apply policy rules before granting it. “Those policies could leverage real-time risk and fraud signals, and then enforce, deterministically, what the agent can do when it interacts with these systems,” Durand explains.

Related: DeepSeek slashes prices but AI costs still soar

The goal is to move authorization from something decided once at login to something evaluated at the moment of every consequential action, such as an agent attempting to commit code to a repository. Instead of carrying a standing permission to write to GitHub, the agent’s request would be checked against context and policy at that specific moment, closing the window of trust down to the scope of a single action.

Security leaders evaluating identity platforms for agentic AI should pause to see the totality of what it would mean to secure multiple agents, both interacting from the outside as well as being deployed on the inside. “We need discovery and visibility of all the agents operating within our estate, a place to register them, a standard way to assign custodians, and a way to construct and centralize policy so security can enforce it across the organization,” Durand says.

Marco Esposito

Leave a Reply

Your email address will not be published. Required fields are marked *