
I've been thinking about this a lot lately. We've spent years building Zero Trust architectures — verifying every identity, validating every request, assuming breach at every layer. It's good security thinking. For humans logging into systems, it works well. But agentic AI doesn't log in. It acts. And that's a fundamentally different problem.

What Zero Trust Was Built For

Zero Trust's core premise is simple: don't trust anything by default, verify everything explicitly, and assume that any part of your network might already be compromised. In practice, this means: authenticate the user, authorize the request, monitor the session, and revoke access when done. The threat model is centered on identity — a person or a service trying to access something they may or may not be allowed to access.

That model works well when the actor is a human making a deliberate request. A developer pulling a database record. An employee accessing a payroll system. A service account hitting an API. The security question is: should this identity be allowed to see this data?

Agentic AI changes the question entirely.

What Agentic AI Actually Does

An agentic AI system doesn't just retrieve data — it reasons, plans, and executes sequences of actions autonomously. It might:

- Read a customer record, assess a credit profile, structure a financing deal, and submit it to a lender — all without a human in the loop
- Detect an anomaly in system logs, identify the probable root cause, execute a remediation script, and notify stakeholders
- Browse internal documentation, synthesize a response, draft a communication, and send it

Each of those steps involves tool calls, API invocations, data reads and writes, and real-world consequences. The agent isn't just accessing a resource — it's doing things with compounding effects. The security question shifts from should this identity see this data? to should this agent be allowed to take this action, right now, in this context, with these downstream effects?
Zero Trust doesn't answer that question. It wasn't designed to.

The New Attack Surface

When you deploy agentic AI in production, you inherit a set of attack vectors that most security playbooks don't yet address.

Prompt Injection

This is the agentic equivalent of SQL injection. A malicious actor embeds instructions in data that the agent will process — a document, an email, a web page — and those instructions redirect the agent's behavior. The agent isn't compromised at the identity layer. It's compromised at the reasoning layer.

Zero Trust has no concept of a reasoning layer. It can't verify that the instructions an agent is following are legitimate. That's a gap.

Tool Misuse and Scope Creep

Agentic systems are given tools — the ability to call APIs, write to databases, send messages, execute code. In a well-designed system, an agent uses the tools appropriate to its task. But agents can chain tool calls in ways their designers didn't anticipate. A customer service agent that can read account data and send emails might — under the right conditions — do things that neither capability was individually authorized for.

The principle of least privilege applies to agents as much as to humans. But most implementations treat agent tool access as binary — the agent either has the tool or it doesn't. The context in which a tool should or shouldn't be used is rarely enforced at the security layer.

Privilege Escalation Through Chaining

In multi-agent systems — where one agent orchestrates others — permissions can compound in unexpected ways. Agent A has read access to financial records. Agent B has write access to external communications. If Agent A can invoke Agent B, the combined permission set is broader than either agent was individually granted.

This isn't a theoretical concern. In production multi-agent architectures, the interaction surface between agents creates emergent permission combinations that no individual access control list anticipated.
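The permission compounding described in this section, as an added example that is not from the original post: a small Python check that computes each agent's effective capability set by following its invoke edges and flags risky combinations that no single agent was granted directly. The agent names, capabilities and the risky pair are constructed assumptions.

```python
from collections import deque

# Constructed sample (hypothetical names, not from the post): each agent's
# directly granted capabilities and the agents it is allowed to invoke.
GRANTS = {
    "orchestrator": {"caps": set(), "invokes": {"agent_a", "agent_c"}},
    "agent_a": {"caps": {"read:financial_records"}, "invokes": {"agent_b"}},
    "agent_b": {"caps": {"write:external_comms"}, "invokes": set()},
    "agent_c": {"caps": {"read:docs"}, "invokes": set()},
}

# Capability pairs whose combination is riskier than either alone; the pair
# below is the Agent A / Agent B scenario from the text, stated as a rule.
RISKY_PAIRS = {frozenset({"read:financial_records", "write:external_comms"})}

def effective_capabilities(agent, grants):
    """Transitive closure over invoke edges: everything `agent` can do
    directly or through any agent it can reach. Cycles are handled."""
    seen, queue, caps = set(), deque([agent]), set()
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        entry = grants.get(cur, {"caps": set(), "invokes": set()})
        caps |= entry["caps"]
        queue.extend(entry["invokes"])
    return caps

def emergent_risks(agent, grants, risky_pairs=RISKY_PAIRS):
    """Risky pairs that `agent` can assemble by chaining even though no
    single agent in the system holds the whole pair directly."""
    effective = effective_capabilities(agent, grants)
    direct = [g["caps"] for g in grants.values()]
    return [pair for pair in risky_pairs
            if pair <= effective and not any(pair <= d for d in direct)]
```

Running `emergent_risks` over every agent at deployment time surfaces the combined permission sets an individual ACL review would miss.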
Audit Trail Gaps

When a human takes an action, there's a clear accountability chain. When an agent takes an action — especially one that emerged from a long reasoning chain involving multiple tool calls and intermediate decisions — who is accountable? What was the exact chain of reasoning that led to this outcome? Can you reproduce it?

Most logging infrastructure captures what happened. Very little captures why the agent decided to do it. For compliance, incident response, and regulatory accountability — especially in financial and automotive contexts — that's a serious gap.

What a Real Agentic Security Playbook Looks Like

I don't think we need to throw out Zero Trust. We need to extend it for the agentic context.

1. Least Privilege for Actions, Not Just Data

The standard implementation of least privilege restricts what data an identity can access. For agentic AI, least privilege needs to extend to actions — what the agent is allowed to do, not just see.

An agent handling customer inquiries should be able to read account records. Should it be able to initiate refunds? Update contact information? Send external communications? Each of those is a separate action with different risk profiles, and each should be explicitly scoped.

2. Contextual Action Boundaries

Static permissions aren't enough. An agent that is authorized to submit a credit application should probably not be authorized to submit fifty of them in sixty seconds. An agent that normally reads from a customer record table has no reason to enumerate all records with a single-character prefix. The same logic that WAF and IDOR protections apply to human-initiated requests needs to apply to agent-initiated requests — with real-time enforcement, not just logging.

3. Reasoning Transparency and Audit Chains

For high-stakes agentic actions, the audit trail needs to capture not just the action but the reasoning chain that produced it. What was the agent's goal? What data did it process?
What intermediate decisions did it make? What tools did it call and in what order?

This is harder to implement than standard logging, but it's essential for incident response, compliance, and the ability to understand — and explain — why an agent did what it did.

4. Human-in-the-Loop Checkpoints for High-Stakes Decisions

Not every agent action needs human approval. But some do. The threshold should be defined explicitly: actions above a certain financial value, actions that affect external communications, actions that modify configurations in production systems.

Agentic AI that can act fully autonomously is powerful. Agentic AI that knows when to pause and ask is trustworthy. Building the checkpoint logic into the security architecture — not just as a product feature — is the right approach.

5. Agent Identity Is Not Enough — Behavioral Baselines Matter

Zero Trust verifies identity. But an agent's identity doesn't tell you whether it's behaving normally. Behavioral baselines — what does this agent typically do, how many tool calls does it typically make, what data does it typically touch — provide the signal for detecting when something has gone wrong, whether through compromise, misconfiguration, or unexpected emergent behavior.

The Stakes in Automotive AI

I build agentic AI systems for automotive financial technology. The stakes make this concrete.

An agentic system touching a credit application pipeline has access to customer financial data, lender APIs, compliance rule sets, and deal submission workflows. A compromised or misbehaving agent in that context doesn't just read sensitive data — it can submit fraudulent applications, manipulate deal terms, or exfiltrate financial records at scale, all through actions that look like normal system behavior.

Zero Trust would verify that the agent has credentials to call the lender API.
It would not catch an agent that — due to prompt injection or misconfigured tool scope — is calling that API with manipulated parameters on behalf of a malicious actor. That's the gap. And in financial services, automotive retail, healthcare, or any domain where agentic AI is taking consequential real-world actions, that gap is not theoretical.

The Bottom Line

Zero Trust gave us a powerful mental model for securing access to data. The agentic era requires extending that model to secure the actions that follow access. The new questions security teams need to be asking:

- What is this agent authorized to do, not just see?
- Under what conditions should this action be blocked, flagged, or escalated?
- Can we reproduce the reasoning chain that led to this outcome?
- Where are the human checkpoints for high-consequence decisions?
- What does normal behavior look like for this agent — and how do we detect deviation?

We're still early. Most agentic deployments in production today are running with security models built for a pre-agentic world. That won't hold. The teams that build agentic security thinking into their architecture now — rather than retrofitting it after the first incident — will be in a much better position.

Zero Trust secures the door. We still need to secure what happens after the agent walks through it.

I work in automotive AI and software engineering, and write about what I'm actually seeing in production — not what the pitch decks say. If this resonated or you're thinking about these problems differently, I'd love to hear it in the comments.
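The five playbook items and the closing questions above, turned into one added Python example (not code from the post): a gate that decides each tool call by action-level scope, a per-window limit, and a value threshold that escalates to a human, records the agent's stated reasoning next to the decision, and compares call volume against a baseline. The agent name, actions, limits and thresholds are constructed assumptions.

```python
import time
from collections import defaultdict, deque
# Constructed policy for a hypothetical "support_agent" (names and numbers are
# assumptions): actions scoped one by one (item 1), a per-window limit (item 2),
# a value threshold routed to a human (item 4), a typical call volume (item 5).
POLICY = {
    "support_agent": {
        "allowed": {"read_account", "update_contact", "issue_refund"},
        "limits": {"issue_refund": (3, 60)},       # at most 3 per 60 s
        "approval_over": {"issue_refund": 500.0},  # amount needing approval
        "baseline_calls_per_hour": 40,
    }
}

class ActionGate:
    def __init__(self, policy):
        self.policy = policy
        self.recent = defaultdict(deque)  # (agent, action) -> allowed call times
        self.audit = []                   # item 3: action plus reasoning chain

    def evaluate(self, agent, action, params, reasoning, now=None):
        now = time.time() if now is None else now
        p = self.policy.get(agent)
        if p is None or action not in p["allowed"]:
            decision = "deny:unauthorized_action"
        else:
            decision = "allow"
            limit, secs = p["limits"].get(action, (None, None))
            window = self.recent[(agent, action)]
            if limit is not None:
                while window and now - window[0] > secs:
                    window.popleft()            # drop calls outside the window
                if len(window) >= limit:
                    decision = "deny:rate_limit"
            threshold = p["approval_over"].get(action)
            if decision == "allow" and threshold is not None \
                    and params.get("amount", 0) > threshold:
                decision = "escalate:human_approval"
        if decision == "allow":
            self.recent[(agent, action)].append(now)
        self.audit.append({"ts": now, "agent": agent, "action": action,
                           "params": params, "reasoning": reasoning,
                           "decision": decision})
        return decision

    def volume_vs_baseline(self, agent, now, secs=3600):
        """Attempted calls in the window over the baseline; well above 1.0 is the deviation signal of item 5."""
        calls = sum(1 for r in self.audit
                    if r["agent"] == agent and now - r["ts"] <= secs)
        return calls / self.policy[agent]["baseline_calls_per_hour"]
```

Every decision, including denials and escalations, lands in the audit list with the reasoning the agent supplied, which is what an incident responder needs to reconstruct why an action was attempted.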