The Guide to Agentic AI Connectivity & Security

These models were built on the assumption that activity is user-driven, predictable, and follows deterministic workflows. Identity, access, and network controls were designed to enforce boundaries and monitor behavior within known patterns.

AI agents break these assumptions.

Already embedded across enterprise environments, AI agents execute tasks autonomously, interact with systems and APIs, and make decisions in real time. They operate at machine speed, often without direct human oversight, and frequently span multiple systems and environments. As a result, they introduce a new category of risk that traditional security architectures weren’t designed to address.

However, this new breed of risk isn’t just an AI problem—it’s also an identity, access, and execution problem.

AI agents act as non-human identities (NHIs) with privileges but often without clear ownership, attribution, or behavioral constraints. They expand the enterprise attack surface through dynamic interactions across systems, while decentralized adoption leads to “shadow AI” that lacks visibility and governance.

At the same time, emerging threats, such as automated goal hijacking, demonstrate that prompt-level defenses are insufficient. The real risk lies in how agents execute actions across systems.

To address agentic AI security risks, organizations must evolve their security models.

Zero Trust remains the foundation, but it must extend beyond access control to include execution control. This requires treating AI agents as first-class identities, continuously validating their behavior, and enforcing real-time controls at the network and session layers.

Organizations that adopt this approach can scale AI securely. Those that don’t will face increasing visibility gaps and unmanaged risk as agentic systems become core to enterprise operations.

In these models, tools and controls focus on keeping attackers out and monitoring user-initiated actions and predictable application behavior. Identity, access, and network security tools were built to support this model, creating layered defenses based on a core assumption: Activity has clear ownership, and actions follow deterministic paths.

That assumption no longer holds.

AI agents are already operating inside enterprise environments, executing tasks across systems, invoking APIs, and interacting with both internal and external services—often without direct human oversight. They don’t follow fixed workflows or predictable patterns that traditional security controls are designed to monitor. Instead, they make decisions in real time and move across systems at machine speed.

This shift fundamentally changes what system interactions look like—and how risk is introduced—inside the enterprise.

For organizations that haven’t yet begun adapting their security models to this new pace and autonomy of business, the gap is already widening. AI agents aren’t just disrupting business operations—they’re also redefining the assumptions that modern cybersecurity was built on.

The Shift Is Already Underway

No matter the organization's scope or scale, AI agents are already working hard to automate workflows, ease decision-making, and accelerate tasks across the operational spectrum. However, these systems aren’t just simple scripts or tools embedded in other applications; they’re autonomous actors able to execute functions across systems, perform data calls, invoke APIs, interact with other services, and connect to external platforms during execution.

AI agents already have broad access to systems and data, from administrators using AI agents for document development and engineers leveraging them to accelerate development to network operations teams automating infrastructure changes and business units turning to AI-driven workflows for customer-facing work.

But with that breadth and access comes a fundamental change in how activity occurs and how security risk is measured within an enterprise.

This is because agents don’t simply respond to user input; they make decisions in real time and can execute sequences of actions spanning multiple systems. They also operate at a rapid pace, often without direct human oversight, and frequently across environments without explicit governance from traditional identity or security controls.

Unmanaged agentic AI use is introducing a new level of risk exposure.

Why It Isn’t Just an AI Problem

These new risks aren’t just limited to the AI models themselves, where concerns about prompt injection or model accuracy typically focus. Instead, AI agent security goes further, introducing access, identity, and workflow problems that now span identity systems, application logic, and network infrastructure.

AI agents move across these layers and can authenticate to other resources using existing credentials, execute workflows across systems, and interact with resources in ways that traditional security tools weren’t designed to protect. Adding further complications, AI agents don’t just have access privileges. They also frequently lack clear singular ownership and can take actions outside of predictable boundaries.

This new dynamic risk environment creates a sizable security gap that traditional tools and architectures aren’t designed to address.

The Evolution of Zero Trust

The Zero Trust principles that have brought new levels of protection to today’s dynamic, hybrid environments—explicit verification, least-privilege access controls, and the assumption of breach—are still relevant for organizations running AI agents. However, they must evolve.

Instead of focusing solely on what users can access, organizations must now extend Zero Trust principles to govern what autonomous AI agents can do.

This resource is designed to show how organizations can confront this emerging operational reality and shift how they approach identity, control, and policy enforcement.

Human- and application-led behaviors are mostly deterministic and predictable, following well-worn digital paths, predefined logic, and established boundaries. Security tools and the policies that guide them are built around this predictability, enforcing access controls and monitoring behaviors that follow these known patterns.

AI agents don’t follow this model.

AI agents are autonomous, goal-driven systems that are capable of making multiple decisions in the span of milliseconds. They can also take broad objectives, interpret them differently each time, and define their own path toward achieving them across different systems. AI agents can invoke tools, call application APIs, query data services, interact with often external large language models (LLMs), and more as part of a single workflow.

A New Operational Reality

The breadth and scope of their execution paths also evolve dynamically based on the context, follow-on decisions or calculations, and other inputs. An AI agent may take different actions each time it performs a task, even when given similar objectives or prompts.

From a cybersecurity perspective, this breaks many of the key assumptions traditional security tools are designed to monitor.

The New Security Problem

AI agents effectively operate as insiders—entities with legitimate access and the ability to interact with internal digital resources but without the governance and accountability controls typically applied to human users.

This insider-like level of access is a new kind of security problem.

Instead of focusing solely on who can access a system, organizations must now understand and control how AI agents access resources and how those permissions are used over time. In other words, the security challenge is no longer just access control but also execution control.

Historically, NHIs included service accounts, automation scripts, and system processes. These accounts, despite having elevated permissions, are relatively predictable, tightly scoped, and easier to manage within existing identity and access management (IAM) and privileged access management (PAM) frameworks.

How AI Agents Change the Security Dynamics

AI agents, however, operate independently. They make decisions. They interact with multiple systems and can initiate actions that affect data, infrastructure, and workflows.

When they do, AI agents become powerful, active participants in the enterprise environment rather than passive components or accounts that humans use.

More specifically, IAM solutions authenticate users and assign roles, while PAM solutions control privileged access sessions. Both assume that identities are either humans or systems with well-defined behavior.

They often operate using shared credentials or inherited permissions, making it difficult to identify and track their actions uniquely. When an action occurs, organizations may know which system was accessed but not which agent initiated the action, the connection, or the reason.

The New Security Governance Gap

This inability to clearly link activity to AI agent behavior creates a new, pressing governance gap.

However, NHI governance addresses this risk by treating agents as privileged accounts and identities. In practice, this means each agent will be assigned a unique, verifiable identity tied to its origin, purpose, and ownership. This agent identity will be tracked using existing identity providers and managed using PAM tools to maintain consistent control across the environment.

However, identity management alone won’t be enough.

Because agents operate dynamically, this new level of governance must also include continuous validation of behavior and monitoring of agent activity; it’s no longer enough to authenticate their initial access request. Every action that an AI agent performs must also be traceable, enabling organizations to investigate incidents, understand system interactions, and meet compliance requirements.

At the same time, the permissions granted to AI agents must also be more precise and scoped to the context and actions they need to perform. This level of specificity ensures that, even as agents execute complex workflows, their behavior remains within defined boundaries.

Ultimately, NHI governance delivers the visibility, accountability, and control that enterprises need in a rapidly changing digital environment where AI agents can operate alongside their most critical assets.

This new dimension of the attack surface isn’t limited to endpoints or applications that security teams are used to managing. Instead, it’s defined by interactions—how agents connect to systems, invoke tools, access data, and interact with internal and external services. All of these represent a new type of potential risk pathway.

Adding further complications, unlike the traditional attack surface, which is better understood, the AI agentic attack surface is dynamic. Each agent can create new interaction pathways as it executes tasks, and each of these pathways can span internal systems, cross organizational boundaries, and evolve as agents chain together workflows. The number of possible interactions—and the cybersecurity risks they bring—increases significantly.

How AI Adoption Methods Compound Security Risks

The above attack surface could describe just one AI agent. This new level of risk complexity is only compounded by the number of AI agents adopted and the way they’re deployed.

In most organizations, AI adoption is decentralized. Teams—each with their own controls, access, and rules to solve specific problems—deploy AI agents independently. While developers integrate LLM capabilities into applications, business units experiment with automation tools. Over time, organizations experience what is known as shadow AI.

Shadow AI refers to agents and AI-driven workflows that operate outside formal governance structures. They can be created quickly, deployed informally, and integrated into production environments without a comprehensive security review.

As a result, many organizations lack visibility into:

• Which AI agents—both sanctioned and informal—are running in the network
• What systems these AI agents access, and why
• Which users created and maintained the identified AI agents
• If the AI agents interact with external services, such as LLMs

This lack of visibility runs counter to the fact that effective cybersecurity depends on understanding the environment. Without the visibility needed to understand agent activity, organizations can’t assess risk, enforce policies, or detect anomalous behavior, especially at the speeds at which AI agents perform.

A single agent can perform hundreds of interactions in just a few seconds, interacting with systems, spanning networks, and accessing data before traditional controls can respond. For example, just one AI agent used for development might:

• Access source code repositories.
• Query internal documentation or code libraries.
• Call external APIs for additional content.
• Generate code changes.
• Commit updates back into production pipelines for release.

If the AI agent is misconfigured or compromised and operates without controls, it can propagate errors or malicious actions across systems, introducing instability or exposing sensitive systems.

This new type of instability is why securing agentic environments begins with a foundational requirement: knowing where agents are, how they operate, and what systems they interact with.

More advanced threats involve cyberattackers manipulating agent behavior at a deeper level. These attacks, known as automated goal hijacking, occur when an agent’s objectives are subtly redirected or manipulated so that, instead of executing its intended task, the AI agent is shifted to take actions that could enable a larger attack. For example, an attacker may:

• Introduce malicious instructions into data sources that the agent processes.
• Manipulate intermediate outputs to alter downstream execution.
• Exploit tool integrations or API responses that the agent trusts to shift agent behavior.

After one or several of these attacks, an AI agent will continue to operate, but its actions will begin to extend beyond its intended purpose to access unauthorized data, initiate unintended workflows, or interact with systems in harmful ways. Without proper introspection and control, these AI agent actions may appear legitimate because they occur within expected workflows, leaving malicious code, data leaks, or misconfigurations to be found later.

Prompt-Level Defenses Aren’t Enough

Techniques such as input filtering and validation focus only on preventing malicious instructions or prompts from being interpreted by the model. Put another way, these controls and checks only operate at the interface between user input and model output.

However, they don’t control what happens after execution begins. Once an agent starts interacting with systems, it operates at the application and network layers, making decisions, invoking tools, and accessing resources beyond the reach of traditional security controls—and well outside the scope of prompt-level controls.

The Real Risks Lie in AI Agent Execution

In the face of these risks, security teams must strengthen their defenses to enforce controls at the layers where agentic AI operates. These layers include:

• Network-level enforcement
• Session-level monitoring
• Real-time policy application

At a granular level, organizations must define what agents are allowed to do and ensure those constraints are continuously enforced. Once in place, these security controls will limit the impact of manipulation so that, even if an AI agent’s reasoning is influenced, its actions will remain constrained within defined boundaries. Together, these permissions will prevent unauthorized access, limit lateral movement, and reduce the risk of data exfiltration.

Ultimately, when managing agentic environments, security teams can no longer rely solely on controlling inputs. They must also have the tools and controls in place to manage outcomes.

These same principles can apply in the context of agentic AI. However, they must be extended beyond access control to include execution control.

Traditional Zero Trust implementations focus on user-to-application or user-to-database access. Zero Trust tools verify identity at the point of entry to the asset and then continuously enforce access policies based on their defined roles and permissions.

Agentic AI environments need the Zero Trust model to be broadened to include NHI considerations—not only asking whether an identity should be allowed to connect to an asset but also to enable organizations to continuously evaluate what an AI agent is doing during runtime, keeping up as it moves at machine speed.

The New Governance Framework

To grow and adapt their Zero Trust security models to incorporate NHI to address agentic AI security, organizations can use a structured governance framework to strengthen their security posture. This framework could include the following steps, which can be reviewed iteratively over time:

Visibility

Organizations should begin by identifying and inventorying agents across their environment. This includes documenting where agents are deployed, what systems they interact with, the accesses they require, and how they’re used in workflows.

Identity

Organizations should assign each AI agent a unique, verifiable identity. This identity should then be used with existing identity management tools to ensure consistent authentication, auditing, and access attribution.

Risk

Organizations should organize AI agents by risk, including evaluating their access rights, behavior, and how their execution affects other digital assets. Agents identified as high-risk will include those with broad access rights or who perform critical functions, and they will require stricter controls.

Policy

Organizations—supported by a comprehensive inventory and risk evaluation—can then define clear rules governing what agents are allowed to do. These rules should include specific boundaries for system access, data interaction, and workflow execution.

Enforcement

Organizations should then leverage Zero Trust tools to apply these controls at the network and session layers. This level of control will ensure that AI agent behavior is verified in real time, preventing unauthorized actions if an agent is misconfigured or compromised.

Audit

Organizations must implement continuous activity logging. Without it, security teams won’t be able to evaluate whether the current policies provide the level of protection each AI agent requires. And in the event of an incident, this data will provide a digital trail to support investigations, demonstrate compliance, and refine policies and access controls as agent use and the network environment evolve.

Lifecycle Management

Organizations must govern how agents work and the resources they interact with throughout their lifecycle because they will continually change. This governance includes guidelines on how they’re created and trained, deployed across the enterprise, modified, and decommissioned. This structure helps to ensure that active agents will always align with organizational standards for use and security.

As AI agents become more deeply embedded into business processes, their access, autonomy, and impact—and their associated risks—will continue to expand.

Organizations that fail to adapt their security models to this new digital world will face growing visibility gaps, powered by AI agents that introduce risks that are difficult to detect, contain, or remediate. Over time, this erodes trust in the systems that organizations depend on to operate and innovate.

Fortunately, we believe that those security teams that act early won’t only better protect their operations but also help to define the next evolution of the Zero Trust security model.

We see this being accomplished by extending Zero Trust principles to govern autonomous systems and implementing strong NHI governance. When done, organizations can move from reactive defense to proactive control of their agentic AI resources, enabling them to scale AI safely, maintain visibility across dynamic environments, and enforce security at the speed at which modern systems operate.

Agentic AI security isn’t a trend, fad, or niche concern. It’s now a foundational requirement for the next generation of security professionals to understand and harness.