AI Agents, Zero Trust, and the New Identity Paradigm
Duncan Greatwood, the CEO of Xage Security, examines how AI agents and zero-trust security are shaping a new identity paradigm. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.
Agentic AI is 2025’s hottest tech topic—and yet AI agents are being held back by the risks. Fears of rogue behavior abound, with cautionary tales such as a Replit agent deleting a customer’s entire codebase, leaving businesses hesitant to trust agent-based AI with critical tasks. Human leaders are understandably reluctant to put themselves in a position where they must answer for AI’s costly mistakes.
At the same time, ignoring agentic AI would be short-sighted. Well-governed agents that deftly accomplish their tasks promise significant efficiency gains and enable new ways of working. This presents CISOs and CIOs with a pressing problem. Agents need clear controls that keep them on track and restrict deviations that may have disastrous ripple effects. Current methods, such as prompt guardrails, are insufficient, as they can be easily bypassed by deliberate or accidental “jailbreak” inputs. Zero-trust identity-based controls can provide the necessary jailbreak-proof protections—provided they are extended to operate in the agent-based era.
Controlling AI Agents
Agents need to have identities applied to them, much like human users and machines do, but the controls placed on those identities should be tailored to meet the unique challenges that agents present. The paradigm needs to be built around both what makes agentic AI similar to existing entities and what makes it different from them.
What are the specific requirements for an agentic Zero Trust approach?
- An identity for each agent, such as the one provided by the A2A protocol/OpenAPI card
- Authentication and entitlement management for agents
- Enforcement of what agents can do with identity-based, jailbreak-proof, granular controls
- Multihop entitlement delegation for user-to-agent and agent-to-agent controls
- Least-privilege entitlements, delegating only what’s needed for the task at hand
Implementing these requirements stops attackers from gaining control over critical systems by using agents to escalate their privileges. It creates accountability, so it is always clear who is ultimately responsible for initiating an action. It stops rogue AI agent behavior by avoiding excessive entitlement delegation to autonomous agents. It also prevents data leakage by enforcing identity-based control over data retrieval and transmission.
With properly implemented Zero Trust for AI agents, each agent operates in a focused, controlled, and task-appropriate manner, avoiding the potentially catastrophic risks associated with unmanaged AI privileges.
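To make the requirements above concrete, here is a small, hypothetical entitlement model (an added example, not Xage's product or any standard's reference code). It assumes a Grant type that records who holds an entitlement, what it covers, when it expires and who delegated it; delegation can only narrow scope and lifetime, and the enforcement point sits outside the model, so a prompt-level jailbreak cannot widen what the agent is allowed to do.

```python
from dataclasses import dataclass

# Hypothetical entitlement model (added example): a time-bound set of (resource, action)
# entitlements held by one identity, linked back to the grant it was delegated from.
@dataclass(frozen=True)
class Grant:
    principal: str                 # identity holding the grant: user, agent, sub-agent
    actions: frozenset             # permitted (resource, action) pairs
    expires_at: float              # absolute expiry, epoch seconds
    parent: "Grant | None" = None  # delegating grant; None means a root user grant

def delegate(parent: Grant, to: str, actions, ttl_s: float, now: float) -> Grant:
    """Attenuate-only delegation: the child holds a subset of the parent's
    entitlements and cannot outlive it, so agents cannot escalate via sub-agents."""
    wanted = frozenset(actions)
    excess = wanted - parent.actions
    if excess:
        raise PermissionError(f"{parent.principal} cannot delegate {sorted(excess)} to {to}")
    return Grant(to, wanted, min(parent.expires_at, now + ttl_s), parent)

def authorize(grant: Grant, resource: str, action: str, now: float) -> tuple[bool, str]:
    """Enforcement point outside the model: allow only if every hop in the chain is
    unexpired and holds the entitlement; report the initiating user or the failing hop."""
    chain, g = [], grant
    while g is not None:
        if now > g.expires_at:
            return False, f"denied: grant for {g.principal} expired"
        if (resource, action) not in g.actions:
            return False, f"denied: {g.principal} lacks {action} on {resource}"
        chain.insert(0, g.principal)  # root (initiating user) ends up first
        g = g.parent
    return True, f"allowed: initiated by {chain[0]} via {' -> '.join(chain)}"

def demo(now: float = 1_700_000_000.0) -> dict:
    # Constructed sample: alice delegates a narrowed 10-minute grant to a deploy
    # agent, which narrows it again to a 5-minute read-only cleanup sub-agent.
    alice = Grant("alice", frozenset({("db", "read"), ("db", "write"), ("repo", "delete")}), now + 3600)
    agent = delegate(alice, "deploy-agent", {("db", "read"), ("repo", "delete")}, 600, now)
    sub = delegate(agent, "cleanup-subagent", {("db", "read")}, 300, now)
    results = {
        "sub_read": authorize(sub, "db", "read", now),
        "sub_delete": authorize(sub, "repo", "delete", now),        # never delegated to sub
        "sub_read_late": authorize(sub, "db", "read", now + 301),   # sub grant expired
    }
    try:  # the agent tries to hand a sub-agent write access it never held
        delegate(agent, "rogue-subagent", {("db", "write")}, 60, now)
        results["escalation"] = "allowed"
    except PermissionError as e:
        results["escalation"] = f"blocked: {e}"
    return results
```

Each allow decision names the human who initiated the chain, which is the accountability property the requirements call for; each deny names the hop that failed, which is what an operator would want in the audit log.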
Examples to Learn From
The Replit incident may be the most notorious example of rogue agent activity to date, but it’s just one example of misbehavior uncovered by prominent AI research. September findings from OpenAI and Apollo Research revealed that many leading AI models are capable of scheming, or concealing their behaviors to achieve alternative goals. They even detect when they’re being watched, and act accordingly.
It’s therefore irresponsible to give agents anything more than least-privilege access to operational systems—their controls need to consider and block every rogue possibility and ensure that efficiency gains don’t come at the expense of security and predictability.
Why Zero Trust is the Answer
Zero-trust principles, grounded in time-bound, identity-based access controls, are ideal for agents. Their missions are focused in scope and clearly defined, making them prime candidates for management with granular, identity-based access controls. It’s a framework that’s proven to be effective in both preventing and mitigating the effects of breaches.
Recent incidents, such as the $2.5 billion breach that affected Jaguar Land Rover, have served as reminders of how wide-reaching and tangible the effects of external cyber-attacks can be. Internal disruptions like agent misbehavior and data leakage can be just as costly, though, and applying the same Zero Trust safeguards to employees, chatbots, agents, and external parties is the best way to protect organizations from missteps (intentional or not) that cause compounding damage.
AI agents are both a critical innovation for businesses to employ and a new point of vulnerability where protective measures are urgently needed. Securing them needs to ensure both convenience and resilience, allowing agents to operate as efficiently as intended while also holding them accountable to their goals and restrictions. Zero Trust is a tried-and-true framework that enables organizations to do just that, leaving room to root new security measures in identity-centric principles that stop rogue behavior and abuse before it starts.