Published February 2026 · 10 min read

Zero Trust for AI Agents

NANDA's Zero Trust Agentic Access (ZTAA) extends traditional Zero Trust to address the unique security challenges of autonomous AI agents — capability spoofing, impersonation attacks, and sensitive data leakage.

Technical Security

Why Traditional Zero Trust Falls Short

Zero Trust Network Access (ZTNA) revolutionized enterprise security by replacing the "castle and moat" perimeter model with continuous verification: never trust, always verify. But ZTNA was designed for a world where humans operate applications that access resources. The actors are identifiable, the sessions are bounded, and the access patterns are predictable.

Autonomous AI agents shatter every one of these assumptions:

  • Agents act without human supervision — they discover peers, delegate tasks, and make trust decisions autonomously, at machine speed
  • Agents can claim capabilities they do not have: a malicious agent can assert any skill, endpoint, or certification unless cryptographic proof of the claim is required
  • Agents amplify blast radius — a compromised agent with delegation authority can spawn chains of compromised sub-agents
  • Agents create invisible data flows — sensitive information can be exfiltrated through multi-hop agent chains that bypass traditional DLP controls

The NANDA Enterprise paper identifies these gaps and introduces Zero Trust Agentic Access (ZTAA) — a framework purpose-built for the era of autonomous agents.

ZTAA: Four Pillars

ZTAA extends traditional Zero Trust with four agent-specific security pillars:

Cryptographic Identity

Every agent has an Ed25519-signed identity anchored in AgentFacts. No claim is accepted without cryptographic proof. Versioned key rotation prevents compromised keys from persisting.

Capability Verification

Before any interaction, capabilities are verified against signed attestations in the AgentFact — not just claimed in an unsigned metadata document. Third-party auditors can add their own signed evaluations.

Agent Visibility & Control

Enterprise AVC mechanisms provide continuous monitoring and governance over agent behavior — what agents can access, who they can communicate with, and what data they can process — while maintaining operational autonomy.

Instant Revocation

When an agent is compromised or misbehaves, its credentials and delegation chains are revoked in real time: milliseconds, rather than the hours that CRL publication and OCSP cache expiry can take in traditional PKI.

The Delegation Chain Problem

Perhaps the most dangerous security gap in multi-agent systems is uncontrolled delegation. Consider: Agent A delegates a financial analysis task to Agent B, which sub-delegates data collection to Agent C. If Agent C is compromised, it can exfiltrate the financial data — and traditional security has no visibility into this chain.

ZTAA addresses this through:

  • Delegation depth limits — enterprises can set maximum delegation depth (e.g., no more than 3 hops) enforced cryptographically
  • Scope narrowing — each delegation step can only narrow permissions, never widen them. Agent B cannot grant Agent C more access than Agent B itself has.
  • Chain auditing — every delegation event is logged with cryptographic proofs, creating an immutable audit trail for compliance
  • Cascade revocation — revoking Agent B's credentials automatically invalidates all downstream delegations to Agents C, D, E, etc.

ZTNA → ZTAA. Just as ZTNA extended traditional network security for cloud-native applications, ZTAA extends ZTNA for agent-native architectures. The principle is the same — never trust, always verify — but the threat model and verification mechanisms are fundamentally different.
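The following Go program is an added example, not NANDA's code or the ZTAA specification. It shows one way the four delegation controls above can be realized on top of Ed25519 identities: each hop is signed by its issuer and hash-linked to its parent (chain auditing), the verifier rejects any hop deeper than the configured limit (depth limits), a hop may only carry a subset of the scopes its issuer holds (scope narrowing), and a revocation set is consulted at every hop so that revoking B invalidates everything below B (cascade revocation). It also illustrates the Capability Verification pillar in miniature: nothing a hop claims is accepted unless the issuer's signature covers it. The Agent and Delegation types, VerifyChain, the scope names and the agent-a/agent-b/agent-c identities are hypothetical; in a real deployment the anchor key and root scopes would be resolved from AgentFacts rather than passed in, and the delegate's key in each hop would be checked against the delegate's AgentFacts record.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Agent is a hypothetical identity; Pub stands in for the key published in its AgentFacts.
type Agent struct {
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewAgent(id string) *Agent {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if rand.Reader does
	return &Agent{id, pub, priv}
}

// Delegation is one hop; payload is the canonical form the issuer signs, binding the
// delegate's key, scopes, depth and parent hop so that none can be edited afterwards.
type Delegation struct {
	Issuer, Delegate string
	DelegatePub      ed25519.PublicKey
	Scopes           []string
	Depth            int    // 1 for the first hop below the root
	Parent           string // SHA-256 of the parent hop's payload, "" at hop 1
	Sig              []byte
}

func (d Delegation) payload() []byte {
	return []byte(fmt.Sprintf("%s|%s|%x|%s|%d|%s", d.Issuer, d.Delegate, d.DelegatePub,
		strings.Join(d.Scopes, ","), d.Depth, d.Parent))
}

// Hash identifies a hop in the audit trail and is what the next hop links to.
func (d Delegation) Hash() string { return fmt.Sprintf("%x", sha256.Sum256(d.payload())) }

// Delegate signs a new hop; narrowing is checked by the verifier, so a dishonest issuer gains nothing by skipping it here.
func (a *Agent) Delegate(to *Agent, scopes []string, parent *Delegation) Delegation {
	d := Delegation{Issuer: a.ID, Delegate: to.ID, DelegatePub: to.Pub, Scopes: scopes, Depth: 1}
	if parent != nil {
		d.Depth, d.Parent = parent.Depth+1, parent.Hash()
	}
	d.Sig = ed25519.Sign(a.priv, d.payload())
	return d
}

func subset(sub, super []string) bool {
	set := "," + strings.Join(super, ",") + "," // scope names contain no commas
	for _, s := range sub {
		if !strings.Contains(set, ","+s+",") {
			return false
		}
	}
	return true
}

// VerifyChain walks a chain from the trust anchor (only anchor.ID and anchor.Pub are used; a real
// deployment resolves them and rootScopes from AgentFacts) and returns the last delegate's scopes.
func VerifyChain(anchor *Agent, rootScopes []string, chain []Delegation, maxDepth int, revoked map[string]bool) ([]string, error) {
	issuer, pub, allowed, parent := anchor.ID, anchor.Pub, rootScopes, ""
	for i, d := range chain {
		switch hop := i + 1; {
		case revoked[issuer] || revoked[d.Delegate]: // cascade: nothing below a revoked agent survives
			return nil, fmt.Errorf("hop %d: %s -> %s involves a revoked agent", hop, issuer, d.Delegate)
		case d.Issuer != issuer || d.Depth != hop || d.Depth > maxDepth || d.Parent != parent:
			return nil, fmt.Errorf("hop %d: bad issuer, depth (limit %d) or parent link", hop, maxDepth)
		case !ed25519.Verify(pub, d.payload(), d.Sig):
			return nil, fmt.Errorf("hop %d: signature by %s does not verify", hop, issuer)
		case !subset(d.Scopes, allowed):
			return nil, fmt.Errorf("hop %d: %s tried to widen scope", hop, issuer)
		}
		issuer, pub, allowed, parent = d.Delegate, d.DelegatePub, d.Scopes, d.Hash()
	}
	return allowed, nil
}

// Scenario builds the A -> B -> C chain from the text; the map holds each case's verdict.
func Scenario() (map[string]error, []string) {
	a, b, c := NewAgent("agent-a"), NewAgent("agent-b"), NewAgent("agent-c")
	root := []string{"finance:read", "finance:analyze"}
	ab := a.Delegate(b, root, nil)                                        // A -> B: the analysis task
	bc := b.Delegate(c, []string{"finance:read"}, &ab)                    // B -> C: data collection only
	wide := b.Delegate(c, []string{"finance:read", "finance:write"}, &ab) // B grants what it does not hold
	forged := bc
	forged.Scopes = root // C rewrites its own grant after B signed it
	scopes, valid := VerifyChain(a, root, []Delegation{ab, bc}, 3, nil)
	res := map[string]error{"valid": valid}
	_, res["widen"] = VerifyChain(a, root, []Delegation{ab, wide}, 3, nil)
	_, res["depth"] = VerifyChain(a, root, []Delegation{ab, bc}, 1, nil)
	_, res["tamper"] = VerifyChain(a, root, []Delegation{ab, forged}, 3, nil)
	_, res["cascade"] = VerifyChain(a, root, []Delegation{ab, bc}, 3, map[string]bool{"agent-b": true})
	return res, scopes
}

func main() { fmt.Println(Scenario()) }
```

Running it prints the verdict map: the valid chain leaves C with finance:read only, while the widening, over-deep, tampered and revoked chains each return an error naming the hop and the control that rejected it. Two design points matter for a real deployment: the verifier, not the issuer, enforces narrowing and depth, because a compromised issuer cannot be trusted to police itself; and the revocation set is consulted on every hop, which is what turns a single revocation of B into invalidation of every grant B ever passed on.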

Interactive · ZTAA Delegation Chain (step 1 of 6: Cryptographic Identity, Agent A initiates task delegation)

Agent A needs financial analysis. Its Ed25519-signed identity is verified against its AgentFacts before any delegation begins. Identity is the root of all trust.

Enterprise Threat Model

The NANDA Enterprise paper identifies five categories of agent-specific threats that ZTAA is designed to counter:

  1. Capability spoofing — agents falsely claiming capabilities they don't possess, potentially leading to task failures or data corruption at scale
  2. Impersonation attacks — malicious agents masquerading as trusted agents to gain access to sensitive resources or delegation chains
  3. Sensitive data leakage — agents inadvertently or intentionally exfiltrating data through multi-hop communication chains that bypass traditional data loss prevention
  4. Shadow agent proliferation — unauthorized agents operating within enterprise environments without visibility or governance
  5. Trust exploitation — compromised agents leveraging established trust relationships to propagate laterally through agent networks

Each threat maps to a specific ZTAA mechanism: cryptographic identity prevents impersonation, signed capability attestations prevent spoofing, delegation depth limits and scope narrowing constrain the multi-hop chains through which data leaks, AVC provides visibility into shadow agents, and instant revocation with cascade propagation limits the blast radius of trust exploitation.

Implementing ZTAA

For enterprises deploying AI agents today, ZTAA provides a practical security framework that builds on existing Zero Trust investments:

  1. Register agents in the NANDA Index — give every agent a cryptographic identity via AgentFacts
  2. Define delegation policies — set depth limits, scope constraints, and approved agent pools for each use case
  3. Deploy AVC monitoring — instrument agent communication channels for continuous visibility and compliance auditing
  4. Integrate with existing IdP — ZTAA works alongside enterprise identity providers, extending existing SSO and RBAC to agent identities

Further reading. The full ZTAA specification is detailed in Using the NANDA Index Architecture in Practice (Section 6). For a broader view of NANDA's security architecture, see the Security Blueprint installment of our Agentic Web series.
