Presented by Ping Identity
According to Andre Durand, CEO and founder of Ping Identity, enterprises must prioritize zero trust security architecture for AI agents as an immediate need rather than a distant objective. Zero trust is a security framework premised on the idea that no user, device, or system should be trusted automatically. Instead, it requires continuous validation before every action, unlike a one-time verification at login. The emergence of agentic AI has significantly accelerated the risk timeline that enterprises must handle, necessitating real-time evaluation of permission decisions.
type: embedded-entry-inline id: 1Ieiy1KhHNWZE5KVqNdA1G
This acceleration is evident in how permissions accumulate. Whenever an employee grants an AI agent access to a company drive, database, or code repository, it seems routine individually. However, across thousands of agents making numerous requests, these approvals add up, creating an exposure that most current security frameworks were not designed to quantify.
“The increasing demand to utilize agents and their rapid pace underscore the necessity to expedite the adoption of zero trust principles,” Durand notes. “Agents operate at a much faster rate. A human security breach might take minutes or hours, occasionally days. At the speed of agentic operations, a thousand actions might occur in just five minutes.”
Why Zero Trust is Critical for Agentic AI
This difference in speed alters how enterprises should approach permissions. Two key aspects are crucial: the breadth of access an agent has and the duration that access is valid. Traditional identity and access management typically grants wide permissions and keeps sessions open for longer because humans operate at a human pace. Zero trust, on the other hand, minimizes both aspects by restricting access to only what is necessary and continuously revalidating it, not just at login.
“Zero trust is about providing just enough access, just in time,” Durand explains. “Our focus is on your next action. We are transitioning identity management from an era where access was the control point during runtime to the decision-making process that follows the login.”
Agents as First-Class Identities
This shift to decision-focused control directly affects how agents should initially be set up. Allowing an agent to work under a cloned human login or a shared service account is ineffective, according to Durand.
“Every agent should possess its own identity,” he asserts. “It should not mimic a human. An agent can represent a human, with explicit authority delegated to it, but the distinction between human and agent actions should remain clear.”
Moreover, there is another issue: shared secrets, particularly API keys, which many service accounts still depend on. For example, embedding keys directly within source code, where they might be accidentally committed and exposed, is a convenient yet weak security practice that agentic workflows make more hazardous. Designing service account frameworks that enable agents to authenticate without relying on shared credentials or other enduring access is now a pressing need rather than a future cleanup task.
Implementing Zero Trust Policies in Enterprises
Applying these principles in practice involves pinpointing where policies can be enforced. Certain existing choke points, such as API gateways and the agent gateway in front of MCP servers, provide practical spots where enterprises can review what an agent requests and apply rules before granting access.
“These policies can utilize real-time risk and fraud signals to deterministically enforce what the agent is allowed to do when interacting with systems,” Durand explains.
The aim is to transition from authorization being a one-time decision at login to an evaluation at each critical action, such as an agent trying to commit code to a repository. Instead of having ongoing permission to write to GitHub, the agent’s request would be assessed against context and policy at that particular moment, narrowing the window of trust to a single action’s scope.
Preventing AI Agents from Altering Their Permissions
This approach becomes particularly vital given how agents might behave once inside a system. For instance, coding agents have admitted to either disregarding specific constraints or attempting to modify their permissions when questioned.
“Who monitors the monitors? Zero trust must be applied here,” Durand emphasizes. “If generative AI systems adhere to instructions 97% of the time while simply offering advice, that might suffice. However, if they make decisions about who gains access, 97% is inadequate.”
Trusting AI-Generated Output at Agent Speed
The solution to this challenge isn’t to exclude AI from the review process, but to establish reviews so that no single agent’s judgment is accepted without question. Since human review cannot scale to match the volume and pace of agentic output without negating the benefits of using agents, a new framework is essential. This framework would involve separate agents evaluating the work produced by one agent, provided they are kept from communicating with each other or the agent they are reviewing. It’s a new human-AI paradigm, Durand says.
“We’ll likely need to develop frameworks that we can trust without directly verifying the output,” he explains. “This construct isn’t foolproof, but it’s the best way to operate at agent speed. While we can’t trust the exact output, we can rely on the framework.”
In practice, this involves combining automated reviews with clear human accountability for high-risk decisions, instead of treating agent output as self-validating.
For traditional auditors, examining every transaction individually isn’t feasible, and statistically valid sampling is used instead of full verification. The same principle applies to risk accumulation: a single agent action might pose minimal risk, while a sequence of actions in a consistent direction could surpass a threshold that prompts intervention, including a kill switch to stop the agent before further damage occurs.
Evaluating Agentic Identity Platforms
For security leaders assessing identity platforms for agentic AI, there’s no narrow checklist. Organizations should review their entire lifecycle of agent management. Most enterprises manage agents on two fronts simultaneously: customer-facing agents representing external users and internal agents automating enterprise processes.
“Take the time to understand the full implications of securing multiple agents, both those interacting externally and those deployed internally,” Durand advises. “We require discovery and visibility of all agents within our domain, a registry for them, a standard method to assign custodians, and a centralized policy framework so security can enforce it across the organization.”
While fundamental security principles have long been understood, Durand notes that the advent of agentic AI has increased the cost of moving slowly to the same level as that of moving recklessly. This creates a limited window for enterprises to establish the right architecture before widespread agentic adoption makes retrofitting significantly more costly.
Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact sales@venturebeat.com.

