Zero Trust Framework for AI Identities

A reference framework for applying Zero Trust to the non-human identities that AI adoption creates — verify explicitly, least privilege, assume breach — with the agent identity as the central control point.

Enterprise AI adoption creates non-human identities — model endpoints, copilots, agents, integration credentials — faster than most governance can track. This framework applies Zero Trust to them so adoption can be aggressive and safe at the same time.

Principle 1 — Verify explicitly

Every access decision is made on identity and context, every time, never inferred from network location.

  • AI systems authenticate and are authorized on every call to internal resources.
  • A model endpoint reachable on the internal network is not therefore safe to call unauthenticated. Network position is not identity.

Principle 2 — Least privilege

Grant the minimum access, for the minimum time.

  • Scope each AI identity’s permissions to exactly what its function requires.
  • Make credentials short-lived and task-scoped, not long-lived standing grants.
  • Eliminate the long-lived API key in an environment variable — it is the first anti-pattern to remove.

Principle 3 — Assume breach

Design as though the AI component is already compromised and limit what that yields.

  • Assume the model can be manipulated; treat its actions as not fully trusted.
  • Segment, scope, and require explicit authorization on consequential actions.

The agent identity — the central control point

Three properties define a well-designed agent identity:

  • Distinct and attributable — its own identity, never shared, so every action is traceable to a specific agent.
  • Scoped and short-lived — a workload identity exchanging its base identity for short-lived, scoped tokens per operation.
  • Acts with the user’s authority — when serving a user, authorization evaluates against that user’s permissions, closing the confused-deputy gap.

Implementation sequence

  1. Inventory the AI identities you already have.
  2. Replace long-lived shared credentials with workload identities issuing short-lived scoped tokens.
  3. Scope each identity down to its minimum; whatever breaks tells you which access was actually required.
  4. Propagate user identity through agents that act on users’ behalf.
  5. Audit AI actions as privileged activity.
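The three agent-identity properties above and steps 2 through 5 of the implementation sequence, as an added example that is not part of this framework page: a small Python model of a token service that exchanges an agent's base workload identity for a short-lived, single-operation token carrying the acting user, and a resource server that verifies that token explicitly on every call, evaluates authorization against the user's permissions rather than the agent's, and records every decision as an audit event. The agent name, users, permissions and secrets are constructed sample data, and the HMAC-signed token format is a stand-in for whatever your identity provider actually issues.

```python
"""Toy Zero Trust agent identity: per-operation short-lived scoped tokens,
authorization evaluated against the acting user, every decision audited.
All secrets, users and permissions below are constructed sample data."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data (assumptions for the example, not real credentials)
ISSUER_SECRET = b"constructed-token-service-secret"
AGENT_BASE_CREDENTIALS = {"agent-support-bot": "constructed-base-secret"}
USER_PERMISSIONS = {
    "alice": {"tickets:read", "tickets:write"},
    "bob": {"tickets:read"},
}
TOKEN_TTL_SECONDS = 60          # short-lived: minutes, not months
AUDIT_LOG = []                  # AI actions logged as privileged activity


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload: str) -> str:
    return _b64(hmac.new(ISSUER_SECRET, payload.encode(), hashlib.sha256).digest())


def issue_scoped_token(agent_id, base_secret, user, scope, now=None):
    """Token service: the agent authenticates with its own (never shared)
    base identity and receives a token bound to one user, one scope, one TTL."""
    expected = AGENT_BASE_CREDENTIALS.get(agent_id, "")
    if not hmac.compare_digest(expected, base_secret):
        raise PermissionError("agent authentication failed")
    now = time.time() if now is None else now
    claims = {"sub": agent_id, "act_for": user, "scope": scope,
              "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{payload}.{_sign(payload)}"


def _parse_token(token):
    """Verify the signature before trusting any claim in the token."""
    payload, sig = token.split(".")
    if not hmac.compare_digest(_sign(payload), sig):
        raise PermissionError("bad signature")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def authorize(token, action, now=None):
    """Resource server: verify explicitly on every call, regardless of where
    the call comes from. Returns (allowed, reason) and appends an audit event."""
    now = time.time() if now is None else now
    allowed, reason, claims = False, "", {}
    try:
        claims = _parse_token(token)
        if claims["exp"] <= now:
            reason = "token expired"
        elif claims["scope"] != action:
            reason = "token scoped to a different operation"
        elif action not in USER_PERMISSIONS.get(claims["act_for"], set()):
            # The agent may be allowed to hold this scope, but the user it
            # acts for is not: this is the confused-deputy check.
            reason = "acting user lacks permission"
        else:
            allowed, reason = True, "ok"
    except (PermissionError, ValueError, KeyError) as exc:
        reason = str(exc) or "malformed token"
    AUDIT_LOG.append({"agent": claims.get("sub"), "user": claims.get("act_for"),
                      "action": action, "allowed": allowed, "reason": reason})
    return allowed, reason


if __name__ == "__main__":
    tok = issue_scoped_token("agent-support-bot", "constructed-base-secret",
                             "alice", "tickets:write")
    print(authorize(tok, "tickets:write"))   # alice may write
    tok = issue_scoped_token("agent-support-bot", "constructed-base-secret",
                             "bob", "tickets:write")
    print(authorize(tok, "tickets:write"))   # bob may not, even via the agent
    for event in AUDIT_LOG:
        print(json.dumps(event))
```

Two design points carry the framework's weight here. The token is minted per operation and names the user it serves, so a token obtained for a read cannot be reused for a write and a token obtained on behalf of one user cannot be replayed for another. And the resource server never consults the agent's own privileges when deciding; it asks only whether the acting user may perform the action, which is what closes the confused-deputy gap.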

How to adapt it

Map each principle to the identity provider and workload-identity mechanism you already run. The framework is platform-agnostic; the value is in the discipline, not a specific vendor feature. Start with the inventory and the elimination of standing credentials — those two steps remove the largest share of risk.

Want this tailored to your stack?

I adapt these for specific environments and risk profiles as part of advisory and workshop engagements.