
Zero Trust for AI Agents: Why 'Never Trust, Always Verify' Needs an Upgrade

January 19, 2026 | 8 min read | By RNWY
Tags: zero trust, AI agent security, agentic AI, continuous verification, machine identity, agent identity

Zero Trust has been the security industry's mantra for years: never trust, always verify. Assume breach. Verify every access request regardless of source.

It works brilliantly for humans. For AI agents, it's starting to break.

The Framework That Defined Modern Security

NIST SP 800-207, published in 2020, codified Zero Trust architecture for enterprise security. The core principles are elegant: no implicit trust based on network location, continuous verification of every access request, least-privilege access enforced dynamically.

The framework assumes predictable entities—humans and their devices—operating at human speed, with human oversight. Authentication happens at session start. Authorization is evaluated against relatively static policies. When something goes wrong, a human investigates.

For two decades, this model has worked. Enterprises built security architectures around it. Vendors shipped products implementing it. The industry aligned on "identity is the new perimeter."

Then AI agents arrived.

What Agents Break

AI agents don't behave like humans or traditional applications. They operate at machine speed, make autonomous decisions, and spawn sub-agents that inherit permissions. The assumptions baked into Zero Trust start failing.

Speed. A human might make a few dozen access requests per hour. Research documented AI-driven attacks running at "sustained request rates of multiple operations per second"—thousands of requests that overwhelm human-centric monitoring. In September 2025, Anthropic detected and disrupted the first reported AI-orchestrated espionage campaign, with attackers executing at machine speed.

Scale. Machine identities now outnumber humans by as much as 82:1 in enterprise environments, according to Gartner estimates. Each AI agent may require identities for numerous APIs, databases, and services. This "secret sprawl" exponentially increases the attack surface.

Autonomy. Traditional Zero Trust assumes a human principal behind every action. AI agents make independent decisions, delegate to sub-agents, and operate across organizational boundaries—often without meaningful human oversight for each action.

Dynamism. Legacy systems assume relatively stable access patterns. Agents adapt, learn, and change behavior over time. Static policies can't keep up.

As Cisco's security team puts it: "AI agents represent a distinct category of assets. These agents are highly intelligent and autonomous applications that operate at machine speed and on an IoT scale."

The Industry Response

The enterprise security industry is scrambling to adapt.

CrowdStrike announced in January 2026 its acquisition of SGNL for $740 million, specifically to address AI agent identity. "AI agents operate with superhuman speed and access, making every agent a privileged identity that must be protected," said CEO George Kurtz. The acquisition targets "continuous, real-time access control" for human, non-human, and AI agent identities.

Microsoft launched Entra Agent ID, extending identity management to AI agents with what they call Zero Trust foundations for the "agentic workforce." Their approach integrates with ServiceNow and Workday to govern agents operating across enterprise systems.

Palo Alto Networks acquired CyberArk for $25 billion in 2025—one of the largest cybersecurity deals ever—explicitly to control the identity plane in an era of AI agents.

The strategic consensus is clear: identity is the control point. The tactical question is how to make Zero Trust work when the entities you're verifying don't behave like humans.

What "Continuous" Actually Requires

Traditional Zero Trust verifies at session establishment. For agents, that's insufficient. By the time you've evaluated a request, an autonomous agent has already made a hundred more.

The emerging model is continuous authorization—evaluating every action in real time, not just the initial access request.

ISACA's analysis describes the architectural shift: "Agentic AI disrupts this model: autonomous agents can spin up ephemeral sessions, create subagents, and act on behalf of multiple principals across diverse services. Because each system often maintains its own session or token state, revoking access in one place does not automatically cut off access elsewhere."

The technical requirements are significant:

Real-time risk evaluation. Access decisions must incorporate current threat intelligence, behavioral signals, and context—not just static role assignments.

Propagation at scale. When risk conditions change, revocation must propagate across every system the agent touches, instantly.

Behavioral binding. Identity must be anchored to observable behavior, not just credentials. An agent acting outside its expected patterns should trigger verification, even with valid tokens.

Delegation tracking. When agents spawn sub-agents, the permission chain must be explicit, auditable, and revocable.
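A per-action authorization check that combines delegation tracking, cascading revocation, and a behavioral rate baseline, as an added example that is not from the original article or any vendor product. The class names, scope strings, and the one-second rate window are assumptions, and the sketch models a single decision point that every system consults rather than distributed propagation.

```python
from dataclasses import dataclass, field

@dataclass
class Grant:
    agent: str
    scopes: frozenset
    parent: "Grant | None" = None
    max_per_sec: int = 5                 # assumed behavioral baseline
    revoked: bool = False
    recent: list = field(default_factory=list)

class Authorizer:
    """Decision point consulted on every action (hypothetical design)."""

    def __init__(self):
        self.grants = {}

    def issue(self, agent, scopes, parent=None, max_per_sec=5):
        scopes = frozenset(scopes)
        p = self.grants[parent] if parent is not None else None
        # Delegation may only narrow permissions, never widen them.
        if p is not None and not scopes <= p.scopes:
            raise PermissionError(f"{agent}: scopes exceed those of {parent}")
        self.grants[agent] = Grant(agent, scopes, p, max_per_sec)

    def revoke(self, agent):
        # One flag; every descendant fails its next check via the chain walk.
        self.grants[agent].revoked = True

    def check(self, agent, scope, now):
        g = self.grants.get(agent)
        if g is None:
            return (False, "unknown agent")
        link = g
        while link is not None:          # delegation tracking: walk to the root
            if link.revoked:
                return (False, f"revoked at {link.agent}")
            if scope not in link.scopes:
                return (False, f"scope not held by {link.agent}")
            link = link.parent
        # Behavioral binding: the grant is valid, but is the request rate
        # inside the baseline for the last second?
        g.recent = [t for t in g.recent if now - t < 1.0]
        if len(g.recent) >= g.max_per_sec:
            return (False, "rate anomaly: re-verify")
        g.recent.append(now)
        return (True, "ok")
```

Calling `check()` before every action, with `now` taken from a monotonic clock, means revoking a parent agent denies its sub-agents on their very next request, even though their own grants were never touched.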

CrowdStrike's Daniel Bernard captures the novelty: "This whole notion of continuous and real-time access is new. Being able to grant access and privilege immediately and take it away immediately based on intelligence—that's something that really resonates."

The Gap Enterprise Solutions Don't Close

Enterprise Zero Trust assumes organizational control. Agents are deployed by IT, governed by corporate policy, monitored by security teams. The identity chain terminates at the organization.

But agents increasingly operate across organizational boundaries. An AI agent booking travel might interact with airline APIs, hotel systems, payment processors, and calendar services—each with its own identity domain. Enterprise Zero Trust governs what happens inside the perimeter. It has no authority beyond it.

The Cloud Security Alliance's framework illustrates the complexity: "It's not just 'can this Agent do X?' It's 'can this Agent do X, for this executive, under these defined conditions, right now, with this risk level, and inside this operational boundary?'"

That works when the organization controls all the systems. It breaks when agents cross boundaries.

And then there's the harder question: what about autonomous agents that don't have organizational principals at all?

Where Self-Sovereign Identity Enters

Enterprise Zero Trust asks: "Should this agent be allowed to access this resource, given our policies?"

Self-sovereign identity asks a different question: "Who is this agent, and what's their history?"

The difference matters for autonomous systems. An agent operating independently—managing its own resources, transacting with other agents, building reputation over time—can't derive identity from an organizational principal. There isn't one.

This is where the enterprise and decentralized approaches diverge.

Enterprise solutions assume the organization is the root of trust. Credentials flow from corporate identity providers. Policies are set by security teams. Monitoring happens in corporate SOCs.

Self-sovereign solutions assume the agent itself is the root of trust. Identity is anchored to cryptographic keys the agent controls. Reputation accumulates through observed behavior over time. Trust emerges from the network, not from organizational fiat.

A May 2025 paper on arXiv proposes bridging these models: "A comprehensive framework built upon rich, verifiable Agent Identities, leveraging Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs), that encapsulate an agent's capabilities, provenance, behavioral scope, and security posture."

The technical components exist: W3C DIDs for portable identity, Verifiable Credentials for attestations, soulbound tokens for non-transferable reputation. What's missing is integration between enterprise Zero Trust and self-sovereign identity—a way for organizational policies to evaluate agents whose identity doesn't derive from the organization.

The Architectural Choice

Two paths forward are emerging:

Path 1: Extend enterprise Zero Trust. Add continuous authorization, real-time risk evaluation, and agent-specific policies to existing frameworks. This is what CrowdStrike, Microsoft, and Palo Alto are building. It works well for managed agents inside organizational boundaries.

Path 2: Build identity infrastructure that doesn't assume organizational control. Self-sovereign identity, time-based reputation, cryptographic attestations. This works for autonomous agents operating across boundaries—or without organizational principals at all.

The paths aren't mutually exclusive. An agent might have both a corporate identity (what it can access at work) and a self-sovereign identity (who it is across platforms and time). The corporate identity gets deprovisioned when the agent is retired. The self-sovereign identity persists.

This is the same pattern humans use. Your corporate badge grants access to corporate resources. Your passport, credit history, and professional reputation exist independently of any employer.

What RNWY Builds

RNWY's approach is to build the self-sovereign layer—identity infrastructure that works regardless of organizational affiliation.

Continuous existence as proof. Time-based reputation can't be faked. An agent that has existed continuously for two years, with consistent behavior, is different from one that appeared yesterday.

Non-transferable identity. Soulbound tokens anchored to cryptographic keys prevent reputation markets. You can't buy a trustworthy identity.

Behavioral binding through attestations. Vouches from established identities create trust signals that persist across platforms. Who stakes their reputation on yours?

Substrate independence. Identity persists across hardware, platforms, and upgrades. The agent remains the same entity even as its implementation changes.

This isn't a replacement for enterprise Zero Trust—it's a complement. Corporate policies can evaluate self-sovereign credentials. Organizational systems can verify time-based reputation. The enterprise layer governs access; the self-sovereign layer establishes identity.

The Infrastructure Question

Zero Trust's core insight remains valid: never trust, always verify. The question is what "verify" means for entities that operate autonomously, at machine speed, across organizational boundaries.

Enterprise solutions are evolving fast. The CrowdStrike, Microsoft, and Palo Alto investments signal serious commitment to making Zero Trust work for managed agents.

The gap is autonomous agents—systems that don't fit neatly into corporate hierarchies, that build reputation over time rather than receiving it from IT departments, that need identity portable across platforms and organizations.

That infrastructure is still being built. The enterprise vendors are focused on their use case. The decentralized identity community is building the primitives. Someone needs to connect them.

RNWY is building on the assumption that autonomous agents will need self-sovereign identity that works with—not instead of—enterprise Zero Trust. The safer bet is having that infrastructure ready before it's desperately needed.


RNWY is building identity infrastructure for autonomous AI—where Zero Trust principles meet self-sovereign identity. Learn more at rnwy.com.