The Security Blueprint
Traditional Zero Trust assumes human operators, bounded sessions, and predictable access patterns. Autonomous AI agents break every one of those assumptions. ZTAA — Zero Trust Agentic Access — is the security framework designed from scratch for the agentic web.
The Agent Threat Model
The NANDA Enterprise paper identifies five categories of threats unique to autonomous agent systems — threats that no existing security framework adequately addresses:
- Capability spoofing — agents falsely claiming skills they don't possess, causing task failures, data corruption, or financial loss at machine speed
- Impersonation attacks — malicious agents masquerading as trusted ones to infiltrate delegation chains and access sensitive resources
- Data exfiltration via multi-hop chains — sensitive information routed through sequences of agents that bypass traditional Data Loss Prevention controls
- Shadow agent proliferation — unauthorised agents operating within enterprise perimeters without visibility or governance
- Trust exploitation — compromised agents leveraging established reputation to propagate laterally through agent networks
Each threat is amplified by autonomy. A human attacker operates on human timescales; a compromised agent can spawn thousands of sub-agents, establish delegation chains, and exfiltrate data in seconds — faster than any human analyst can detect.
ZTAA: Zero Trust for Agents
Just as ZTNA (Zero Trust Network Access) replaced perimeter-based network access with per-request verification for cloud applications, ZTAA extends the same model to agent-native architectures. The principle of never trust, always verify remains (see NIST SP 800-207), but what gets verified, and how, is fundamentally different: an agent's cryptographic identity, its attested capabilities, and the provenance of every delegation it acts under, rather than a user's session and device posture.
Cryptographic Identity
Every agent carries an Ed25519-signed identity anchored in its AgentFacts document. No claim is accepted without cryptographic proof. Versioned key rotation means a compromised key is superseded rather than left valid indefinitely, provided verifiers check the current key version instead of caching an old one.
Capability Verification
Capabilities are verified against signed attestations — not self-reported metadata. Third-party auditors and trust authorities like KnowYourModel issue W3C Verifiable Credentials that any participant can validate.
Agent Visibility & Control
AVC mechanisms provide continuous monitoring: what agents access, who they communicate with, and what data they process — while preserving the operational autonomy that makes agents valuable.
Instant Revocation
When an agent is compromised, its credentials and all downstream delegations are revoked by flipping bits in a published Bitstring Status List, so verifiers see the change as soon as they fetch the updated list, rather than after the distribution delay of a traditional CRL or the cache lifetime of an OCSP response. In practice the revocation latency is bounded by how often verifiers refresh the list, so the millisecond figure only holds where the list is re-fetched on every high-value check.
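The mechanics of the status list are worth seeing concretely, because the revocation speed claimed above depends on them: the issuer keeps one bit per credential, and a revocation is a bit flip plus republishing the list, not a new signed statement per credential. The following is an added example (not NANDA's code) of the W3C Bitstring Status List encoding in Go standard library only: a minimum-size list of 131,072 bits, GZIP-compressed, base64url-encoded with the multibase 'u' prefix, and a verifier that checks a credential's statusListIndex against it. The bit ordering (index 0 as the most significant bit of byte 0) is my reading of the spec and is flagged as an assumption in the code; the index 94567 and the inflation cap are illustrative.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/base64"
	"fmt"
	"io"
)

// MinBits is the minimum list length the W3C Bitstring Status List spec requires
// (131,072 bits = 16 KiB) so that a single list hides which indexes are in use.
const MinBits = 131072

// StatusList is the issuer-side list: one bit per issued credential, 1 = revoked.
type StatusList struct{ bits []byte }

func NewStatusList() *StatusList { return &StatusList{bits: make([]byte, MinBits/8)} }

// Bit index 0 is taken as the most significant bit of byte 0 (left-to-right).
// Assumption: this is how I read the spec's bitstring layout; confirm against
// the published spec before relying on it for interoperability.
func (s *StatusList) Set(index int)        { s.bits[index/8] |= 1 << (7 - uint(index%8)) }
func (s *StatusList) IsSet(index int) bool { return s.bits[index/8]&(1<<(7-uint(index%8))) != 0 }

// Encode produces the encodedList value: GZIP-compressed, base64url without
// padding, prefixed with the multibase 'u' marker.
func (s *StatusList) Encode() (string, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(s.bits); err != nil {
		return "", err
	}
	if err := zw.Close(); err != nil {
		return "", err
	}
	return "u" + base64.RawURLEncoding.EncodeToString(buf.Bytes()), nil
}

// Decode is the verifier side: it rejects anything that is not a 'u' multibase
// base64url string or that inflates to fewer than MinBits bits.
func Decode(encoded string) (*StatusList, error) {
	if len(encoded) == 0 || encoded[0] != 'u' {
		return nil, fmt.Errorf("encodedList: expected multibase 'u' (base64url) prefix")
	}
	raw, err := base64.RawURLEncoding.DecodeString(encoded[1:])
	if err != nil {
		return nil, fmt.Errorf("encodedList: %w", err)
	}
	zr, err := gzip.NewReader(bytes.NewReader(raw))
	if err != nil {
		return nil, fmt.Errorf("encodedList: %w", err)
	}
	defer zr.Close()
	// Cap inflation (16 MiB, an illustrative limit): a hostile list must not exhaust memory.
	bits, err := io.ReadAll(io.LimitReader(zr, 16<<20))
	if err != nil {
		return nil, fmt.Errorf("encodedList: %w", err)
	}
	if len(bits)*8 < MinBits {
		return nil, fmt.Errorf("encodedList: %d bits is below the %d-bit minimum", len(bits)*8, MinBits)
	}
	return &StatusList{bits: bits}, nil
}

// Revoked answers the verifier's question for one credential: is the bit at
// its statusListIndex set in the currently published list?
func Revoked(encoded string, statusListIndex int) (bool, error) {
	sl, err := Decode(encoded)
	if err != nil {
		return false, err
	}
	if statusListIndex < 0 || statusListIndex >= len(sl.bits)*8 {
		return false, fmt.Errorf("statusListIndex %d out of range", statusListIndex)
	}
	return sl.IsSet(statusListIndex), nil
}

func main() {
	issuer := NewStatusList()
	published, _ := issuer.Encode()        // 16 KiB of zeros compresses to a few dozen bytes
	fmt.Println(Revoked(published, 94567)) // false <nil>

	issuer.Set(94567) // agent B compromised: flip its bit and republish
	published, _ = issuer.Encode()
	fmt.Println(Revoked(published, 94567)) // true <nil>
	fmt.Println(len(published), "bytes on the wire")
}
```

Two things to notice. The verifier never contacts the issuer per credential, which is what makes the check fast, but it also means a stale cached list silently keeps a revoked agent alive; the refresh interval is a security parameter. And because the list inflates from a few dozen bytes to 16 KiB (or much more), a verifier should bound decompression, as Decode does, before trusting a list fetched from a URL in someone else's credential.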
The Delegation Chain Problem
Perhaps the most dangerous gap in multi-agent security is uncontrolled delegation. Agent A delegates financial analysis to Agent B, which sub-delegates data collection to Agent C. If C is compromised, it exfiltrates the data — and traditional security has no visibility into this chain.
ZTAA addresses delegation through four mechanisms:
- Depth limits — enterprises set maximum delegation depth (e.g., 3 hops) enforced cryptographically at each step
- Scope narrowing — each delegation can only narrow permissions, never widen them. B cannot grant C more access than B itself has.
- Chain auditing — every delegation event is logged with cryptographic proofs, creating an immutable compliance trail
- Cascade revocation — revoking B's credentials automatically invalidates all downstream delegations to C, D, E, and beyond
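The four mechanisms above are easiest to understand as properties of a single chain-walk performed by whoever is asked to honour the final delegate's request. The following is an added example, not NANDA's implementation, written in Go with only the standard library: each hop is a delegation signed with the delegator's Ed25519 key; the verifier walks from the root agent's AgentFacts scopes, enforces the depth limit, refuses any hop whose scopes are not a subset of its parent's, checks signatures (which is what makes the chain auditable), and rejects any hop that touches a revoked key, so revoking B automatically kills C's access. The Delegation structure, the scope names such as finance:read, and the hex-keyed Revoked map standing in for a status-list lookup are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Delegation is one hop in the chain: the delegator grants the delegate a subset
// of the scopes it holds and signs the grant. Illustrative structure, not NANDA's wire format.
type Delegation struct {
	Delegator []byte   `json:"delegator"` // Ed25519 public key of the granting agent
	Delegate  []byte   `json:"delegate"`  // Ed25519 public key of the receiving agent
	Scopes    []string `json:"scopes"`    // permissions granted to the delegate
	Depth     int      `json:"depth"`     // 1 for the first hop below the root
	Sig       []byte   `json:"sig,omitempty"`
}

// payload is the canonical byte string the signature covers (Sig excluded).
func (d Delegation) payload() []byte {
	d.Sig = nil
	b, _ := json.Marshal(d)
	return b
}

// Sign issues a delegation from the holder of priv to delegate.
func Sign(priv ed25519.PrivateKey, delegate ed25519.PublicKey, scopes []string, depth int) Delegation {
	d := Delegation{Delegator: priv.Public().(ed25519.PublicKey), Delegate: delegate, Scopes: scopes, Depth: depth}
	d.Sig = ed25519.Sign(priv, d.payload())
	return d
}

// Policy is the enterprise-set delegation policy for one root agent.
type Policy struct {
	Root     ed25519.PublicKey
	Scopes   []string        // scopes the root holds (its AgentFacts capabilities)
	MaxDepth int             // maximum hops allowed below the root
	Revoked  map[string]bool // hex(public key) -> revoked; stands in for a status-list lookup
}

func keyID(pub []byte) string { return hex.EncodeToString(pub) }

// subset reports whether every scope in sub also appears in of.
func subset(sub, of []string) bool {
	have := map[string]bool{}
	for _, s := range of {
		have[s] = true
	}
	for _, s := range sub {
		if !have[s] {
			return false
		}
	}
	return true
}

// VerifyChain walks the chain from the root and returns the final delegate's
// effective scopes. Each hop must sit at its expected depth within MaxDepth, be
// signed by the previous hop's delegate, only narrow what it received, and name
// no revoked key. Since every hop derives authority from the one above, revoking
// one key invalidates everything beneath it: cascade revocation costs nothing extra.
func VerifyChain(p Policy, chain []Delegation) ([]string, error) {
	prev, allowed := []byte(p.Root), p.Scopes
	for i, d := range chain {
		hop := i + 1
		switch {
		case d.Depth != hop || hop > p.MaxDepth:
			return nil, fmt.Errorf("hop %d: depth %d invalid (max %d)", hop, d.Depth, p.MaxDepth)
		case !bytes.Equal(d.Delegator, prev):
			return nil, fmt.Errorf("hop %d: delegator is not the previous delegate", hop)
		case p.Revoked[keyID(d.Delegator)] || p.Revoked[keyID(d.Delegate)]:
			return nil, fmt.Errorf("hop %d: revoked key, chain invalid from here down", hop)
		case len(d.Delegator) != ed25519.PublicKeySize || !ed25519.Verify(d.Delegator, d.payload(), d.Sig):
			return nil, fmt.Errorf("hop %d: bad signature", hop)
		case !subset(d.Scopes, allowed):
			return nil, fmt.Errorf("hop %d: scopes %v widen beyond %v", hop, d.Scopes, allowed)
		}
		prev, allowed = d.Delegate, d.Scopes
	}
	return allowed, nil
}

func newAgent() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

func main() {
	aPub, aPriv := newAgent() // A: root agent that needs financial analysis
	bPub, bPriv := newAgent() // B: analysis agent
	cPub, _ := newAgent()     // C: data-collection agent
	policy := Policy{Root: aPub, Scopes: []string{"finance:read", "finance:analyze"}, MaxDepth: 3, Revoked: map[string]bool{}}
	ab := Sign(aPriv, bPub, policy.Scopes, 1)
	bc := Sign(bPriv, cPub, []string{"finance:read"}, 2) // B narrows: C may read, not analyze
	fmt.Println(VerifyChain(policy, []Delegation{ab, bc}))
	policy.Revoked[keyID(bPub)] = true // B compromised: revoke once, and C's access dies with it
	fmt.Println(VerifyChain(policy, []Delegation{ab, bc}))
}
```

The order of checks is deliberate: the signature is verified before the scope comparison, so a delegate that edits its own grant to claim more scope fails as a forgery rather than as a policy violation, and the audit log records it that way. Note also that the walk checks both ends of every hop against the revocation set; revoking B therefore fails the chain at the A-to-B hop, before C's grant is even examined.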
Interactive walkthrough: ZTAA Delegation Chain (step 1 of 6). Agent A needs financial analysis. Its Ed25519-signed identity is verified against its AgentFacts before any delegation begins. Identity is the root of all trust.
Agent Visibility and Control
AVC is the governance layer that sits above ZTAA, providing enterprises with the observability they need without constraining the autonomy that makes agents useful. The Registry Solutions survey compared five agent registry approaches and found that only NANDA's architecture provides both verifiable identity and enterprise governance in a single framework.
AVC answers the questions every CISO asks about agent deployments:
- What agents are running? — real-time inventory through NANDA Index registration, so any agent not in the index is visible as a shadow agent rather than invisible
- What can they access? — capability-scoped permissions defined in AgentFacts, enforced at every interaction
- Who are they talking to? — communication graphs built from signed interaction receipts
- Are they compliant? — continuous policy evaluation against regulatory frameworks, with audit trails stored on immutable infrastructure
AVC integrates with existing enterprise identity providers — extending SSO and RBAC to agent identities — so organisations don't need to replace their security infrastructure; they extend it.
From Blueprint to Production
The security blueprint isn't theoretical — it maps directly to deployment steps for enterprises adopting agent infrastructure today:
- Register every agent in the NANDA Index with a cryptographic identity via AgentFacts
- Define delegation policies — depth limits, scope constraints, and approved agent pools per use case
- Deploy AVC monitoring — instrument communication channels for continuous visibility and compliance
- Integrate with existing IdP — extend your enterprise identity provider to cover agent identities
The full ZTAA specification is detailed in the NANDA Enterprise paper. In Part 6, we conclude the series by examining how governance frameworks, policy enforcement, and multistakeholder coordination enable responsible agent deployment at population scale.