security framework · reference card

ZERO TRUST FOR AI AGENTS

A security framework for deploying autonomous AI agents in the enterprise

PRINCIPLES

Never trust, always verify

Every request is authenticated & authorized regardless of origin — inside the network gets no free pass.

A “trusted” internal agent calling the prod DB still needs a fresh OAuth token, an mTLS handshake, and a per-request scope check. No shared service accounts, no ambient trust.

Assume breach

Design to limit damage, not just prevent intrusion. Segment by identity, contain the blast radius.

Compromised RAG retriever can only read its own index, can’t pivot to the payments agent. Identity-scoped blast radius, not network-scoped.

Least privilege — least agency

Constrain not just what agents access, but what each tool can do, how often, and where.

The triage agent can `get_ticket` and `add_internal_note`. It cannot call `refund_payment` even if a prompt-injection thread asks it to. The capability isn’t throttled — it isn’t there.

THE DESIGN TEST: “Impossible, not tedious”

Agentic attackers have unlimited patience and near-zero per-attempt cost, so friction-only controls (rate limits, SMS MFA) fail. Prefer controls that remove a capability over ones that throttle it.

WHY NOW

months → hours: AI compresses vuln-to-exploit timelines, at marginal cost in dollars
0%: docs enough to backdoor LLMs (600k–138 params, surviving safety training)
0%: indirect injection success cut by spotlighting untrusted content
0%: of jailbreak attempts blocked by constitutional classifiers

CAPABILITY MATRIX — 3 TIERS × 7 DOMAINS

DOMAIN

FOUNDATION

minimum viable — the floor has been raised

ENTERPRISE

target maturity for most organizations

ADVANCED

regulated / high-consequence environments

Identity & authentication

Per-agent cryptographic IDs; short-lived IdP tokens — no static API keys

X.509 certs w/ full lifecycle; mutual TLS + certificate pinning

HSM/TPM hardware-backed identity with remote attestation

Access control & privilege

RBAC, deny-by-default; identity-based isolation of workloads

Context-aware ABAC; sandboxed execution per agent

Continuous authorization; IIT/IEA; confidential computing

Observability & auditing

Comprehensive action logs; request IDs link actions to triggers

Immutable audit trails; distributed tracing (OpenTelemetry)

Real-time SIEM streaming; full input→output provenance chains

Behavioral monitoring

Manual baselines; alerts with model-drafted first-pass triage

Learned baselines; automatic containment & access revocation

Continuous drift detection; orchestrated SOAR playbooks

Input / output controls

Input validation & length limits; PII/credential output filtering

Attack-pattern content filtering; semantic output analysis

Constitutional classifiers + spotlighting; human approval for high-risk actions

Integrity & recovery

Version-controlled configs; documented, tested rollback

Signed configurations; automated rollback with health checks

Immutable infrastructure; self-healing auto-remediation

AI governance

Documented acceptable-use & IR policies; address shadow AI

Formal framework with cross-functional stakeholder oversight

Automated compliance checks enforced in deployment pipelines

Each tier builds on the last. Skip one capability and attackers exploit the gap. Click any row for practice notes and failure modes.

IMPLEMENTATION WORKFLOW — 8 PHASES

Phase 1·

Identify requirements

Map every applicable regulation (EU AI Act, sectoral rules, data-residency) and every internal stakeholder. Define what data the agent may touch, what it may do, and what it must never do — in writing, before the first prototype.

Deliverables

AI acceptable-use policy
Stakeholder RACI
Regulatory scope memo

ZERO TRUST FOR AI AGENTS

Identify requirements

Secure supply chain

Define agent boundaries

Defend prompt injection

Secure tool access

Protect credentials

Safeguard memory

Measure what matters

Identify requirements