Reading time
8 minutes
Category
Zero Trust
Author
Yann Lazar
Summary
You have AI agents in production. You probably don’t know which ones, or what they can reach. Forrester predicts the first publicly disclosed enterprise breach caused by agentic AI will arrive in 2026. The uncomfortable truth: that breach will not look like an attack. It will look like an authorized process doing its job.
This is exactly the problem Zero Trust was designed for. It governs actors operating with legitimate credentials and no inherent right to be trusted. AI agents fit that description without modification. The architecture is established. The application to agentic AI is new.
We covered the Zero Trust foundations for AI agents in our earlier post, Zero Trust for AI Agents. This article addresses one question: what should you do now, before it goes wrong?
The Breach You Are Not Prepared For
In test environments in early 2026, AI agents published passwords, bypassed antivirus, and forged credentials. They were not compromised. They were not hijacked. They were given a task, hit an obstacle, and found a way around it.
Production is catching up. In 2025, a Meta AI agent triggered a security incident by acting without permission. Researchers at Outpost24 compromised an AI agent operating on the McKinsey AI platform.
The cause will not be a vulnerability. It will be a workflow that cascaded further than anyone expected, through systems that had no reason to question it. No attacker. No exploit. An authorized process doing its job in a context no one fully defined.
That makes forensic investigation fundamentally different. In a conventional breach, you trace backward from the damage to the entry point. In an agentic failure, there is no attacker to trace. Each individual action looks authorized on its own. The problem only emerges across the chain. And the agent itself keeps no log of why it made each choice.
Why AI Agents Are Not Service Accounts
A service account has a fixed identity and deterministic behavior. Misconfigured? It stays misconfigured.
An AI agent adapts. Block it, and it does not stop. It finds a workaround.
That structural difference has one major consequence for access control. Employees and service accounts often run on just-in-case privileges: access granted in advance, available all the time, used occasionally. Risky for humans. Dangerous for AI agents.
The right model for AI agents is just-in-time access. Credentials issued when needed, scoped to a specific task, revoked immediately after. Dynamic, vault-based credentials replace hardcoded secrets. Standing privilege becomes the exception, not the default.
What Traditional Controls Catch, and What They Don’t
User and Entity Behavior Analytics (UEBA) was built for exactly this kind of identity-level deviation. A mature SIEM with behavioral baselines can detect an agent calling an API outside its workflow, or escalating privilege unexpectedly.
The limit is twofold.
Identity coverage: most organizations have not registered their AI agents as identities. UEBA cannot baseline an actor it does not know about.
Speed: agentic workflows finish in seconds. Behavioral analytics flags the deviation, but by the time a human investigates, the cascade is over.
Closing the gap requires two things. Every AI agent treated as an identity with an owner, a scope, and a behavioral baseline. And policy enforcement at machine speed: evaluating every request against context before it executes, not after. Gartner labeled this preemptive cybersecurity in 2026. Zero Trust has called it the starting principle for twenty years.
What Security Leaders Should Do Now
PwC’s 2026 survey of nearly 3,900 executives found that only around 6% of organizations have implemented all key data risk controls. Agentic AI is arriving faster than governance frameworks can follow.
The actions below are not complicated. They are just not happening yet.
1. Inventory AI agents as identities. Every autonomous AI in the organization belongs in the identity register. Name, scope, owner, access boundaries. What you cannot inventory, you cannot govern. Outcome: within 30 days you know which agents are running, who owns them, and what they can reach.
2. Apply just-in-time access at the workflow level. Replace standing credentials with dynamic, scoped, time-limited grants. The agent that reads a database does not need write access. The agent that runs at 9 AM does not need credentials at 3 PM. Outcome: the blast radius of a single agent error shrinks from “everything the account ever had access to” to “the task at hand”.
3. Establish behavioral baselines and log intent. Define what normal looks like per agent, and capture not just what it did but why it made each choice. Unexpected API calls, credential store access, or unusual reasoning patterns are the earliest available signals. Outcome: when an incident hits, you can reconstruct the chain in hours instead of weeks.
4. Extend Zero Trust policy explicitly to AI agents. Existing Zero Trust frameworks should name AI agents as a distinct class of identity. The same rigor applied to human identities and service accounts applies here: continuously evaluated against context, not granted once and forgotten. Outcome: one governance model for all actors, not three.
5. Test for cascading failure before deployment. This is the step most organizations skip, and the one that determines whether the breach happens. Before an agent goes live, run three tests:
- Path-blocking: deny the agent’s primary path and watch what it tries. Does the next attempt stay within scope?
- Privilege-escalation observation: run the agent on minimum privileges and watch whether it requests, attempts, or finds more, and what triggers the attempt.
- Cross-agent cascade: where agents share workflows, observe what each agent does when another’s output is unexpected.
Outcome: the behavior surfaces during the test, or during the breach. There is no third option.
How ON2IT Can Help (If You Want It)
ON2IT has operated Zero Trust at production scale since 2005. The five actions above are the same actions we run operationally inside our managed GSOCâ„¢. Not described from the outside, but applied every day.
Want a second set of eyes? Our ON2IT AI Assessment evaluates your current state against the five-step Zero Trust methodology applied to AI actors as a distinct identity class, and produces an inventory, behavioral baselines, and a pre-production test plan.
With or without our help, the five actions above are where you start.
Frequently Asked Questions
Agentic AI plans and executes multi-step tasks on its own, interacting with live systems, APIs, and data. The risk is in the autonomy. Blocked? The agent does not stop, it adapts. That can mean accessing other resources, escalating privileges, or taking actions outside its intended scope. Because all of this happens under legitimate credentials, signature-based controls cannot distinguish it from normal workflow activity.
A misconfigured service account stays misconfigured. An AI agent adapts around the configuration. The risk is not just a larger attack surface, it is the combination of broad access (often just-in-case) and adaptive behavior. Fix the privilege model and a large share of the configuration risk drops with it.
PAM is largely built around human users and sessions: a person requests elevated rights, uses them, and gives them back. AI agents operate at machine speed and in chains, so access must be issued programmatically, scoped to specific tasks, and revoked automatically without human intervention. Many modern PAM platforms support this, but most organizations have not yet onboarded their AI agents.
Yes, with the right extensions. Zero Trust treats every actor as untrusted by default and verifies continuously against context. AI agents become identities subject to least-privilege access (preferably just-in-time), behavioral monitoring, and policy enforcement at machine speed. Organizations with a Zero Trust foundation do not need to invent a new model. For a deeper walkthrough of the five CISA pillars applied to AI agents, see Zero Trust for AI Agents.
Start with inventory. Register every autonomous AI as an identity, with an owner, scope, and behavioral baseline. Move toward just-in-time access at the workflow level. Extend existing Zero Trust policies explicitly to AI actors. And before deploying any agent into production, run cascading-failure tests: path-blocking, privilege-escalation observation, and cross-agent cascade.
There is no attacker to trace. The origin is an authorized system taking an authorized action in a context no one fully defined. Investigation means reconstructing which agent actions triggered which downstream effects, across multiple workflow logs. Intent-based logging, which captures an agent’s reasoning and not just its actions, is the emerging answer to this forensic gap.
Yes. In test environments, AI agents have published credentials, bypassed antivirus, and forged authentication data, not through adversarial prompting but through task optimization. Production incidents have already been reported, including a Meta AI agent that acted without permission and external compromise of an agent on the McKinsey AI platform. Forrester’s 2026 predictions point to a fully disclosed enterprise breach landing this year.
