When organizations ask how to secure their AI adoption, they are usually expecting a conversation about models. The more useful conversation is about identity. Every AI system you deploy — a copilot, an agent, a model endpoint, an automation — is a new actor in your environment that needs to authenticate, be authorized, and be audited. AI adoption at enterprise scale is, structurally, the fastest creation of new privileged identities most organizations have ever experienced. And most are doing it without noticing.

Zero Trust is the security model built for exactly this situation: many identities, no trusted perimeter, every access decision made explicitly. This piece connects the two.

AI adoption is an identity event

Consider what actually gets created when a team “adds AI” to a workflow:

  • a model endpoint that holds credentials to be called,
  • a copilot or assistant that acts on behalf of users and needs access to their data,
  • an agent that calls tools and APIs under some identity,
  • integration credentials connecting all of the above to internal systems.

Each of these is a non-human identity with real privilege. Multiply across every team adopting AI, and you have an identity sprawl problem developing faster than your governance can track it. The systems acting in your environment increasingly are not people, and the security model has to account for that.

The organizations that handle AI security well are, almost without exception, the ones that already took identity seriously. The ones that struggle are the ones still operating on perimeter assumptions — trusting things because of where they sit in the network rather than what they have proven about who they are.

The three Zero Trust principles, applied to AI

Zero Trust is often over-complicated. At its core it is three commitments. Each maps cleanly onto AI systems.

Verify explicitly

Every access decision is made based on all available signals — identity, device, context — every time, not inferred from network location. For AI systems this means: an agent calling an internal API authenticates and is authorized on that call, with no implicit trust granted because it runs inside the corporate network. A model endpoint reachable on an internal network is not therefore safe to call without authentication. Network position is not identity.

Use least-privilege access

Grant the minimum access required, for the minimum time. This is the principle AI systems violate most often, because it is inconvenient during development. An agent gets broad database access “to keep things simple.” A copilot is granted access to an entire data store when it needs three tables. Every excess grant becomes capability available to an attacker who compromises or manipulates that system.

For AI, least privilege has a temporal dimension that matters enormously: credentials should be short-lived and scoped to the task, not long-lived standing grants. An agent should receive a narrowly-scoped, short-lived token for the operation in front of it, not a permanent key to everything it might ever need.

Assume breach

Design as though any given component is already compromised, and limit what that compromise yields. For AI systems this is the assumption that the model can be manipulated — through prompt injection or otherwise — and that its actions therefore cannot be fully trusted. Assume-breach thinking is what leads you to segment, to scope, and to require explicit authorization on consequential actions, rather than trusting an AI system simply because it is yours.

The agent identity is the control point

If there is one place to concentrate effort, it is the identity that an agent uses to act. Get this right and most other controls have something solid to attach to. Get it wrong and nothing downstream can compensate.

Three properties define a well-designed agent identity.

Distinct and attributable

Each agent has its own identity. Not a shared service account, not an engineer’s personal credentials, not an ambient platform key. When an action happens, you can attribute it to a specific agent. Shared identities destroy auditability and make least privilege impossible, because the shared credential accumulates the union of everyone’s needs.

Scoped and short-lived

The agent’s identity carries only the permissions its function requires, via credentials that expire quickly. The mechanism here is the same one mature organizations already use for workloads: a workload identity that exchanges its base identity for short-lived, scoped tokens per operation. The long-lived API key sitting in an environment variable is the anti-pattern to eliminate first.

Acts with the user’s authority, not its own

This is the subtle and important one. When an agent does something for a user, the authorization decision should be evaluated against that user’s permissions, not the agent’s broader ambient privilege. Otherwise you have built a confused deputy — a system an attacker can induce to perform actions the requesting user could never authorize on their own. Identity propagation, where the user’s authority flows through to the action, closes this gap.

A practical sequence

Translating this into action, in priority order:

  1. Inventory the AI identities you already have. Find the model endpoints, agents, and integration credentials in use. Most organizations are surprised by how many exist and how broadly they are scoped.
  2. Eliminate long-lived shared credentials. Replace standing API keys with workload identities issuing short-lived, scoped tokens. This single change removes a large class of risk.
  3. Scope down. Take each AI identity’s permissions to the minimum its function requires. Expect resistance; expect to break a few things that were quietly relying on excess privilege. That breakage is information.
  4. Propagate user identity through agents. Where agents act for users, make authorization evaluate against the user, not the agent.
  5. Audit AI actions as privileged activity. Treat the logs of what your AI systems did with the same seriousness as any other privileged-access audit trail.

The shift in thinking

The instinct with AI security is to look at the model — to ask about its training, its guardrails, its outputs. Those questions matter, but they are not where enterprise risk concentrates. Risk concentrates in what your AI systems are allowed to do and who they can act as. That is an identity question, and Zero Trust is the discipline for answering it.

An organization that treats every AI system as a non-human identity subject to verify-explicitly, least-privilege, assume-breach discipline can adopt AI aggressively and safely. One that treats AI as a special case exempt from its identity model is building privilege sprawl faster than it can see it — and will eventually find out the hard way that the model was never the risky part.

Related reading

5 min read

AI Security Governance in the Enterprise: A Working Model

Most enterprise AI governance stalls because it is written as policy and never wired into engineering. Here is a model that treats governance as a control plane — owned, measurable, and enforced where AI actually runs.

AI Security Governance Enterprise Architecture
5 min read

Securing AI Agents and Agentic Workflows

Agents turn a model from something that answers into something that acts. That single shift breaks most of the assumptions behind traditional application security. Here is a concrete threat model and a control set for agentic systems.

AI Security AI Agents Zero Trust

Discussion

Comments are powered by Giscus / GitHub Discussions. They appear here once configured — see Configure Giscus in the project README and update GISCUS in src/consts.ts.