Patricia Alfheim
July 17, 2026

Extending zero trust for agentic AI

Extending zero trust for agentic AI

Zero Trust has become one of the most influential security models in the enterprise. At its core, it is built on simple principles: trust is earned continuously, decisions are evaluated dynamically, and access is limited to what is required at that moment.

Although Zero Trust is often discussed in terms of identity and authentication, its broader objective is control. Organizations adopted Zero Trust because static assumptions could not keep pace with increasingly dynamic systems. Every decision needed to reflect the current context, the requested action, and the policies governing that interaction.

Agentic AI raises that challenge to an entirely new level. Autonomous systems retrieve information, invoke tools, coordinate with other agents, and perform work across multiple platforms, often without human intervention. As Anthropic highlights in its recent paper on Zero Trust for agentic AI, the principles of Zero Trust remain applicable, but the way they are applied must evolve to match increasingly autonomous systems.

This requires important extensions of the traditional zero trust framework, looking beyond individual decisions to effectively control the agentic actions throughout workflows.

Extending decisions to the entire workflow

Agentic workflows behave differently from conventional software interactions. A single user request can result in multiple actions occurring across agents, tools, models, and data sources before a response is returned.

Achieving zero trust in agentic workflows therefore depends on maintaining control across every interaction rather than only at the point of entry.

One of the mechanisms that creates this complexity is delegation. Users delegate work to agents, and agents delegate work to other agents. Each handoff creates a new opportunity to verify authority, confirm intent, and ensure actions remain aligned with the task being performed.

As a result, policy enforcement may occur at multiple points across the transaction. Controls can be applied in front of agents, MCP servers, external models, or directly inside tools and data resources. The placement of these controls determines both the visibility available to the authorization system and the level of granularity that can be achieved.

Maintaining visibility into the chain of delegation preserves accountability throughout the transaction. Every action should remain attributable both to the entity currently performing the work and to the original requester on whose behalf that work is being executed.

Extending control with context

Each of these authorization decisions depends on the context in which it is made.

This creates a challenge as context can change while AI agents continuously create, consume, and act, which means the authorization decision may also need to change. The same action may be acceptable in one situation and inappropriate in another. User relationships, data sensitivity, provenance information, previous workflow activity, historical decisions, business policies, and environmental conditions all influence whether an action should proceed.

Agentic systems amplify the importance of context because decisions are distributed across multiple components and evolve dynamically.

Context effectively becomes both operational memory for agents and a security signal for authorization systems. Maintaining that context allows organizations to apply Zero Trust principles consistently as workflows unfold.

Extending authorization with runtime enforcement

Enforcing dynamic authorization as conditions change requires a new enforcement approach. Authorizing an agent once at the beginning of a workflow does not guarantee that every subsequent action should be permitted.

Runtime enforcement addresses this challenge by evaluating actions as they occur, using the current context, delegated authority, and the intent of the transaction. Authorization remains aligned with the workflow as it evolves.

Authority also remains bound to the task at hand. As agents discover new information, invoke additional tools, and delegate work to other agents, every action is evaluated against the current state of the transaction. This preserves governance, accountability, and policy compliance across the entire workflow, regardless of how many systems or agents participate.

Taken together, continuous policy evaluation, delegated authorization, contextual signals, and runtime enforcement extend Zero Trust from a single access decision to continuous control across autonomous workflows. That evolution allows organizations to deploy AI agents with confidence, ensuring every action remains governed, traceable, and aligned with enterprise policy throughout the lifecycle of the transaction.

Learn more - download the Whitepaper Zero Trust for AI agents.

Keep updated