09/08/2025 | News release | Distributed by Public on 09/08/2025 06:09
Traditional security products protect assets such as devices, endpoints, users, applications, and workloads. AI agents represent a distinct category of assets. These agents are highly intelligent and autonomous applications that operate at machine speed and on an IoT scale. The rise of Agentic AI, the emergence and adoption of AI agents and agent-to-agent networking to autonomously perform tasks on behalf of humans, has introduced unique challenges for existing security products.
At the same time, AI agents utilize the same networking infrastructure as users and applications to communicate. This infrastructure encompasses the Internet, private and public clouds, and an organization's internal networks, including campus, branches, and data centers. Consequently, security solutions such as zero trust should, and can, be evolved to protect agentic AI communications.
Traditional network-based security, from firewall devices to cloud services, carries the following characteristics despite decades of evolution.
Even with the recent evolution of zero trust and Security SaaS (SSE and SASE), most security solutions on the market remain:
The following chart illustrates the evolution of network-based security. Agentic AI is driving a new wave of transformation.
AI agents can be deployed within the same network and infrastructure as traditional assets such as devices, endpoints, users, applications, and workloads. However, the dynamic nature of AI agents requires a new security workflow, including the following elements.
An AI agent must be onboarded and assigned appropriate privileges and roles before performing tasks on behalf of a human user. In this step, the human user is "in the loop" for the agents.
Unlike traditional assets such as applications, both administrators and end users can onboard agents and delegate roles. The role of the end user is unique. On one hand, the end user is onboarded and granted "agent-onboarding" privileges by their administrator. On the other hand, the end user acts as a manager for their agents. To address this dual role, security products should offer an agent management workflow for end users as a self-service option, and something similar for administrators but with certain restrictions. For example, the user would only be allowed to use the workflow for their designated agents and would not have the authority to override the guardrail policies set by the administrator.
Dynamic macro- and micro-segmentation of AI agents is an effective first-line security measure. The evolution of segmentation technologies will play a critical role in handling the large scale of agents and agent-initiated traffic. This includes software-controlled tagging for both source and destination agents.
It is crucial to apply zero trust practices to agents, starting with least privilege access. An agent may inherit the user's access privileges after being onboarded, but security products should provide agent-specific authentication and authorization options to enforce the scope defined during onboarding.
Traditional zero trust practices focus on the "access control" aspect of enforcement, often neglecting other important security controls. Given the dynamic nature of agents, all agent communications - whether between an agent and a traditional asset (such as a database application) or between agents - must be continuously inspected with real-time enforcement.
This is accomplished by leveraging various inline enforcement products with enhanced capabilities such as "Semantic Inspection" using lightweight models built into the inspection engine. Inspection and enforcement are automatic, matching the speed and scale of agents. In this function, the human user stays "over the loop", overseeing the process rather than being directly involved in every decision.
Depending on where agents are deployed, agent communications can be categorized into "access" and "cloud east-west" use cases:
An effective agentic AI security solution should have a unified approach for all the networking and communication use cases. The solution needs to address two seemingly conflicting requirements: being real-time and low latency, while also providing deep and comprehensive security controls. This "conflicting" goal is not unique to agentic networks; it has been the benchmark for network-based security solutions for decades. However, the scale and intelligence of AI agents are driving this requirement to a new level.
Security practitioners are encouraged to carefully examine security solutions for their completeness, coherence and efficiency in handling the unique scale and dynamics of AI agents.
An agent's authorization is not static. The agent may make requests that would require an expansion of its original authorization. Security inspections may detect an anomaly in the agent's communications and requests, and decide to limit, re-authorize or revoke the agent's access.
Security solutions must provide mechanisms to adjust and revoke the agent's privileges and roles as needed. This requires seamless collaboration of the authorization and enforcement functions.
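The onboarding, least-privilege and revocation steps described above can be sketched as one small policy model. This is an added example, not code from the original article or from any product: the user names, permission strings, the rule that the onboarding privilege is not delegable, and the "low"/"high" anomaly levels are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy: user names and permission strings are hypothetical.
ADMIN_DENY = frozenset({"hr-db:write", "payments:execute"})  # admin guardrail for all agents
USER_PRIVS = {
    "alice": frozenset({"agent:onboard", "crm:read", "crm:write", "hr-db:write"}),
    "bob": frozenset({"crm:read"}),  # no agent-onboarding privilege
}

@dataclass
class Agent:
    owner: str
    scope: frozenset
    revoked: bool = False

class AgentRegistry:
    def __init__(self):
        self.agents = {}

    def _effective(self, owner, wanted):
        # Least privilege: never more than the owner holds, never past the guardrail.
        # Assumption: the onboarding privilege itself is not delegable to an agent.
        return (frozenset(wanted) & USER_PRIVS[owner]) - ADMIN_DENY - {"agent:onboard"}

    def onboard(self, user, agent_id, wanted):
        if "agent:onboard" not in USER_PRIVS.get(user, frozenset()):
            raise PermissionError(f"{user} may not onboard agents")
        self.agents[agent_id] = Agent(user, self._effective(user, wanted))
        return self.agents[agent_id].scope

    def authorize(self, agent_id, permission):
        agent = self.agents.get(agent_id)
        return agent is not None and not agent.revoked and permission in agent.scope

    def expand(self, actor, agent_id, extra):
        # Self-service: only the owner manages the agent, and the guardrail still applies.
        agent = self.agents[agent_id]
        if actor != agent.owner:
            raise PermissionError(f"{actor} does not manage {agent_id}")
        agent.scope = self._effective(agent.owner, agent.scope | frozenset(extra))
        return agent.scope

    def on_anomaly(self, agent_id, severity):
        # Enforcement feedback: limit to read-only on a low signal, revoke on a high one.
        agent = self.agents[agent_id]
        if severity == "high":
            agent.revoked = True
        else:
            agent.scope = frozenset(p for p in agent.scope if p.endswith(":read"))
        return agent
```

The point to notice is that every scope change, including a later expansion request, passes through the same intersection with the owner's privileges and the administrator's guardrail, so a delegated agent can never end up with more access than its onboarding user or the guardrail allows.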
As organizations embrace the potential of agentic AI, the need to evolve security practices becomes paramount. Existing security solutions rooted in traditional approaches struggle to keep pace with the scale, speed, dynamics and autonomy of AI agents. By rethinking workflows for onboarding, authorization, segmentation, inspection, enforcement and role management, security teams can build more adaptive and resilient defenses. Extending zero trust principles with Semantic Inspection for agentic environments ensures that AI agents are securely integrated, dynamically managed, and continuously protected against emerging threats. Ultimately, a comprehensive and forward-looking security strategy will be essential to realize the benefits of agentic AI while safeguarding organizational assets and operations.