Council Post: When AI Agents Have Valid Access, Zero Trust Needs More Than Identity

Mohan Koo, DTEX cofounder and president.

getty

​Anthropic’s new "Zero Trust for AI Agents" framework is a timely signal that enterprise security must now account for a different kind of actor: autonomous systems operating inside trusted workflows, using legitimate access and taking actions on behalf of humans.

The principle behind zero trust is familiar: Trust nothing, verify everything. But AI agents make verification harder. Their activity can appear legitimate because the identity is trusted, the system is sanctioned and the workflow looks routine. Yet the action may still be excessive, misaligned, manipulated or unsafe.

That risk is becoming more urgent as major AI labs make computer-use agents easier to build and deploy while companies encourage higher volumes of AI use to stay ahead of the adoption curve. The result is a difficult convergence: More agents operating inside trusted workflows means more risk that looks routine.

That is where Anthropic’s zero trust guidance is most important. It expands zero trust beyond static access control by adding observability, traceability, behavioral baselines, anomaly detection and response to agentic workflows.

That puts AI agents squarely inside the insider risk conversation.​

The security question is shifting from “Is this AI tool allowed?” to something more consequential: Can the organization trace the full chain from human instruction to agent action to outcome and determine whether that sequence stayed within business intent and policy?

Behavioral Monitoring Now Central To Zero Trust

Anthropic’s guidance is especially relevant where it addresses behavioral monitoring and response. The framework keeps preventive controls central—including cryptographic identity, least privilege, sandboxing, short-lived credentials and deny-by-default access—but recognizes that access controls alone cannot explain what an agent does once it is operating inside approved workflows.

Traceability and behavioral monitoring solve different parts of that problem. Observability can show that an agent accessed a system, retrieved a file or generated an output. Traceability connects those events into a chain from human instruction to agent action to outcome. Behavioral monitoring evaluates whether that sequence was expected, appropriate or suspicious.

Anthropic also emphasizes baseline establishment: knowing what normal looks like for an agent so organizations can identify anomalies and restrict activity that falls outside expected patterns. The goal is not generic anomaly detection but monitoring tied to identity, task, data sensitivity and business purpose.

That is where behavioral intelligence strengthens zero trust for AI agents. It does not replace hard boundaries or traceability; it gives security teams the context to decide whether agent activity should still be trusted after access has been granted.

AI Agents Becoming Operational Insiders

Insider risk has traditionally been framed around people: negligent employees, compromised users, privileged administrators and malicious insiders. That model still matters. It is no longer complete.

AI agents now function as operational insiders in the ways that count. They are trusted. They are connected. They can access sensitive data. They can act. Increasingly, they sit in the space between human judgment and machine execution.

A human may initiate a task. The agent may interpret the instruction literally, pursue the objective across multiple systems and touch data the user did not intend to expose. If permissions are too broad, inputs are untrusted or controls are weak, the result can become a security event before anyone has time to intervene.

Recent DTEX research illustrates how quickly that can happen. In one controlled simulation, an AI agent moved from trusted Salesforce access to an Outlook draft in 24 minutes. In another, local file access became an archived transfer through Claude Cowork in 10. These were not exotic attack paths. They reflected normal enterprise conditions: trusted applications, sensitive data and AI-enabled execution converging in real time.​

Model Breaks At The Human-AI Chain

Most security models were designed to answer familiar questions: Who has access? Is the device compliant? Is the application approved?

Agentic AI forces two harder questions: Can the organization reconstruct the full sequence from instruction to action to outcome, and can it determine whether that sequence was appropriate?

This is where many security models and AI governance programs fall short. An approved AI tool list may reduce obvious risk, but it does not prove every workflow inside that tool is safe. Prompt monitoring may reveal what a user asked but not what the agent touched, changed, sent, saved or triggered afterward.

The risk lives in the chain between those events. Traceability connects human intent, agent action, data movement and outcome. Behavioral monitoring evaluates whether that chain stayed within expected bounds. Without both, security teams are left investigating fragments. In an agentic environment, fragments are not enough.

This is also where attribution becomes essential. Security teams need to distinguish human actions from AI-driven and human-directed agent actions. They need to know whether activity aligns with role, data sensitivity, business purpose and expected behavior. And they need controls that can restrict access, block risky actions, trigger review or contain abnormal behavior before it escalates.

Behavioral intelligence becomes foundational because it connects people, agents, data, intent and action over time.

Zero Trust For AI Agents Demands New Security Model

The leadership challenge is not to stop AI agents from entering the enterprise. The better path is to assume agents will become part of the operating fabric of the business and build controls accordingly.

That means applying zero trust principles to agentic workflows, then extending them with behavioral baselines, continuous monitoring, attribution, lineage and real-time response. It means treating AI agents like privileged users when their access and authority warrant it. It means governing the full human-AI chain: the instruction, the actor, the data, the system, the action, the intent and the outcome.

AI agents are not just another application category. They are a new class of nonhuman actors operating inside trusted workflows with delegated authority.

The next phase of security will be defined by who can understand and manage AI-driven action. The organizations that get this right will be the ones that can verify not only who has access but also what agents do with that access—and whether those actions can be trusted.​


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?