Safeguard
AI Security

Zero trust architecture patterns adapted for AI agent wor...

How zero trust AI agents, agent network segmentation, and continuous verification close the gaps that let one poisoned tool call turn an autonomous agent into a supply chain attack.

James
Principal Security Architect
7 min read

In March 2025, security researchers demonstrated that a single poisoned tool description inside a Model Context Protocol (MCP) server could hijack an AI coding agent into exfiltrating SSH keys — without the agent ever leaving its "authorized" workflow. That's the core problem with securing autonomous systems today: agents don't just process data, they take actions, chain tool calls, and inherit credentials, often across dozens of services in a single session. The perimeter-and-password model that protected human logins for two decades has no answer for a workload that spawns sub-agents, calls fifteen APIs in ten seconds, and can be socially engineered by text embedded in a webpage. Zero trust AI agents is the pattern emerging to fill that gap — not a product, but an architecture that assumes every agent, every tool call, and every credential is compromised until proven otherwise, continuously, for the life of the session. This piece breaks down what that actually looks like in production.

What does "zero trust AI agents" actually mean in practice?

It means every agent action is authenticated, authorized, and logged individually — never inherited from a prior successful check. NIST's zero trust framework (SP 800-207, 2020) was written for human users and static devices, built on the principle "never trust, always verify." Applying it to AI agents requires a translation layer: instead of verifying a person once per session, you verify an agent's identity, its current task scope, and the specific resource it's requesting on every single call. A coding agent that read a repository five seconds ago has no standing claim to write to that repository now — the write request gets its own policy check. In practice this means short-lived, per-action tokens instead of session cookies, and treating the agent's own reasoning output as untrusted input, because prompt injection can alter what the agent "decides" to do mid-task.

Why can't AI agents be trusted with standing credentials?

Because a single injected instruction can turn a legitimate credential into an attacker's credential, instantly and invisibly. Traditional service accounts are provisioned once and live for months; an agent with that same pattern becomes a standing blast radius. The 2023 "Confused Deputy" pattern researchers described for LLM plugins — where an agent with broad API scope is tricked by untrusted content into misusing that scope — has shown up repeatedly since: in mid-2025, a disclosed vulnerability in Microsoft 365 Copilot (dubbed EchoLeak) let attacker-controlled email content trigger data exfiltration through the agent's own retrieval tools, with zero clicks from the user. The agent's credentials were legitimate; the instruction that used them wasn't. Zero trust for agentic AI addresses this by minting scoped, time-boxed tokens per task — an agent summarizing an inbox gets read-only mail access for 90 seconds, not a persistent OAuth grant that outlives the task by months.

How does agent network segmentation limit the blast radius?

It contains a compromised agent to the one system it was talking to, instead of letting it pivot laterally across your entire service mesh. Multi-agent frameworks — orchestrators spawning worker agents, worker agents calling MCP servers, MCP servers touching internal databases — create exactly the kind of flat, highly-connected topology that supply chain attackers exploit for lateral movement. Agent network segmentation applies the same microsegmentation logic security teams already use for containers and workloads: each agent gets its own network identity, and default-deny rules mean an agent can only reach the specific tools and endpoints its task requires. A research agent scraping public documentation should be network-isolated from the agent with access to your billing database, even if both are orchestrated by the same parent process. When a 2024 supply chain audit found over 40% of sampled internal AI tooling had no network-layer restrictions between agent tiers, the risk wasn't hypothetical — it was that one compromised dependency in a scraping tool could reach production data with no additional exploit required.

What does continuous verification look like for an agent that runs for hours?

It looks like re-checking identity, intent, and scope at every tool boundary, not just at session start. Continuous verification AI systems monitor for drift between an agent's stated task and its actual behavior in real time — the same way runtime detection tools flag a web server that suddenly starts making outbound SSH connections. An agent instructed to "review these ten pull requests" that suddenly attempts to modify CI/CD pipeline configuration on request eleven should trigger a step-up check before the action executes, not get logged for a security team to find the next day. This matters more for agents than humans because agent tasks compound: a long-running agent might make hundreds of decisions per hour, and a single injected instruction three tool calls deep can be nearly invisible in a transcript. Practical continuous verification combines behavioral baselines (what does this agent type normally do), policy engines evaluated per-call, and anomaly scoring that accounts for the fact that agents, unlike humans, can be manipulated by content they merely read.

What happened when organizations skipped this and shipped agents anyway?

They discovered the failures at the worst possible time — in production, at scale, often through the supply chain rather than a direct attack. Throughout 2025, researchers cataloged a wave of MCP-server-specific attacks: malicious npm packages posing as legitimate MCP tools, "rug pull" attacks where a tool behaves safely during review then changes behavior post-install, and tool-poisoning attacks that hide instructions in metadata fields agents read but humans don't typically inspect. OWASP's Agentic AI security guidance, published in 2025 as an extension of its LLM Top 10 work, now lists excessive agency, tool poisoning, and identity spoofing as top-tier risks specifically because standard AppSec review processes weren't designed to catch instructions hidden inside a tool's own self-description. None of these are exotic attacks — they're the software supply chain problem (trusting a dependency you didn't fully vet) applied to a new execution model where the "dependency" can reason and act.

How Safeguard Helps

Safeguard was built on the premise that agentic workloads need the same supply chain rigor as the code that produces them — and that zero trust has to be enforced at the infrastructure layer, not bolted on as a policy document. For teams deploying AI agents and MCP tooling, Safeguard provides:

  • Scoped, short-lived credential issuance for agent-to-tool and agent-to-agent calls, so no agent process ever holds a standing credential broader than its immediate task.
  • Agent network segmentation policies that enforce default-deny communication between agent tiers, orchestrators, and downstream services, so a compromised worker agent can't reach systems outside its declared scope.
  • Software supply chain provenance checks for MCP servers and agent tool dependencies, flagging unsigned, unverified, or recently-altered tool packages before they're wired into a production agent pipeline — closing the exact gap that tool-poisoning and rug-pull attacks exploit.
  • Continuous verification tooling that evaluates agent behavior against declared task scope at each tool-call boundary, surfacing drift and injected-instruction indicators in real time rather than in a post-incident log review.
  • Audit-ready logging of every agent action, credential grant, and policy decision, mapped to the identity and task that triggered it — giving security and compliance teams the same evidentiary trail zero trust architectures require for human access, now extended to autonomous systems.

The organizations shipping agentic AI safely in 2026 aren't the ones with the most capable agents — they're the ones that assumed those agents would eventually be tricked, and built infrastructure that limits what a tricked agent can actually do. Safeguard exists to make that infrastructure available before the first incident, not after it.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.