For many organisations, zero trust has been a principle longer than it has been a daily practice.
The framework is approved, and some foundations are already in place, such as multi-factor authentication and conditional access for key applications, but the journey has stalled somewhere between the plan and the finished model.
AI makes that harder to put off. When AI agents can access data, use tools and take actions across systems, organisations need greater confidence in who, or what, is requesting access, what they’re allowed to do, and whether that activity makes sense in the context. Identity, verification and least-privilege access move from good practice to essential controls.
This blog looks at why AI makes zero trust more urgent, why identity becomes the main control point, and what organisations can do to govern human and non-human identities before things get lively.
From principle to pressure
Zero trust is built on a simple idea: no user, device, workload or agent is trusted automatically. Access is granted based on verification, context and need, not assumptions.
For many organisations, that has been easier to agree with than to fully implement. Many environments could still operate with a degree of implicit trust, so zero trust often remained a work in progress rather than an urgent priority. AI is changing that.
Generative AI tools depend on access to business data, and if identity controls are loose, people may be able to surface, summarise or share information they should not have access to in the first place. The AI may be new, but the access problem is familiar enough.
Agents raise the stakes again. They do not just respond to prompts; they can use tools, move between systems and take action on a user’s behalf. That makes identity even more important, because organisations need to know not only who is asking, but what is acting, what it can reach and whether it should be allowed to continue.
Why implicit trust no longer works
Implicit trust is what happens when access is allowed because a user, device or workload is already known, already inside the network, or already approved for something else. That may have been manageable when most actions were taken by people, at human speed. With generative AI and agents, it becomes much harder to defend.
Traditional security has often relied on three assumptions.
First, network boundaries helped define where trust began and ended. AI doesn’t fit neatly inside those boundaries. It works across systems, services and data sources.
Second, persistent access was manageable because a person could only do so much with it. Give the same standing access to an autonomous agent and it can be used continuously, in ways that may not have been expected.
Third, intent could often be inferred from human behaviour. An agent does what it is instructed, or manipulated, to do. It does not stop to wonder whether that is wise.
In an AI-driven environment, implicit trust is not just weakened, it becomes difficult to defend. Microsoft makes a similar point in its zero trust guidance for AI. As AI connects users, agents, models, data and automated decisions, it creates new places where trust has to be checked. That is where the core zero trust principles become practical: verify explicitly, apply least privilege and assume breach. In plain English, know who or what is acting, limit what it can do, and design controls on the basis that something may go wrong.
From access to action
Traditional identity and access management was built around a clear question: Who can access what?
AI adds a tougher one: What can act, when, how, and on whose behalf?
That’s where many organisations are still catching up. Steven Parker, practice lead for secure identity at CWSI, describes today’s AI agent deployment as “the Wild West”. CEOs are pushing adoption. Staff have Copilot and Copilot Studio licences. Teams are being encouraged to experiment. But in many cases, the governance has not caught up.
Few organisations have a clear view of how agents are created, whether their permissions are appropriate, who owns them, or how access changes when an agent moves from development into production.
Steven calls this the ‘governance illusion’: the belief that existing identity controls are enough, when many were not designed for autonomous, non-human identities making real-time decisions across live systems.
Once the question moves from access to action, identity is no longer just a directory. It becomes the place where governance either holds or starts to fray.
Identity becomes the control point
Identity matters because it is the one control point that spans every actor in an AI environment. That includes people, service accounts, API keys, workloads and AI agents.
Applications differ. Data stores differ. Networks differ. Identity is the common layer through which actions can be authorised, limited and traced. That makes it the natural place to enforce zero trust in practice, rather than simply describing it in policy.
Microsoft’s zero trust model for AI rests on three familiar principles:
Verify explicitly: Continuously check the identity and behaviour of users, workloads and agents.
Apply least privilege: Give access only to the models, data, prompts and tools needed for the task.
Assume breach: Design controls so that a compromised or manipulated agent cannot move freely.
Each of those decisions depends on identity, not as a side issue, but as the control point.
What this means in practice
The model is simple to describe. As ever, it’s the running of it that takes discipline.
Every identity needs to be known, scoped and governed. Whether human or non-human, it should have an owner, a purpose, a managed lifecycle and the least privilege needed to do its job.
Every action needs to be authorised, context-aware and traceable. Access should be granted for a specific task and removed when that task ends. The level of verification should match the sensitivity of what is being accessed.
Governance needs to be continuous, not occasional. A quarterly access review cannot keep pace with identities that act in seconds. Controls need to work at the point of action, so issues can be prevented rather than found later in a log.
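The three requirements above (known and scoped identities, task-bound authorisation, checks at the point of action) can be expressed as one decision function. This is an added illustration, not code from the original post or from Microsoft; the tier names, record fields and sample agent are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical tiers: verification strength must be >= data sensitivity.
VERIFICATION = {"token": 1, "attested_workload": 2, "human_approved": 3}
SENSITIVITY = {"public": 1, "internal": 2, "restricted": 3}

@dataclass(frozen=True)
class Identity:            # human or non-human, same record shape
    name: str
    owner: Optional[str]   # accountable person or team
    purpose: str
    expires: datetime      # end of the managed lifecycle
    scopes: frozenset      # least-privilege allow-list of "action:resource"

@dataclass(frozen=True)
class TaskGrant:           # access issued for one task, with an end time
    identity: str
    scope: str
    not_after: datetime

AUDIT = []                 # every decision is recorded, allow or deny

def authorise(ident, grant, action, resource, sensitivity, verification, now):
    """Decide at the point of action; return (allowed, reason)."""
    scope = f"{action}:{resource}"
    live = (grant is not None and grant.identity == ident.name
            and grant.scope == scope and now < grant.not_after)
    checks = [
        (ident.owner is not None, "no accountable owner"),
        (now < ident.expires, "identity past lifecycle end"),
        (scope in ident.scopes, "outside least-privilege scope"),
        (live, "no live task grant"),
        (VERIFICATION[verification] >= SENSITIVITY[sensitivity],
         "verification too weak for sensitivity"),
    ]
    reason = next((msg for ok, msg in checks if not ok), "allowed")
    AUDIT.append({"at": now.isoformat(), "identity": ident.name,
                  "owner": ident.owner, "scope": scope, "decision": reason})
    return reason == "allowed", reason

# Constructed sample data, not taken from any real environment.
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
AGENT = Identity("invoice-agent", "finance-ops", "match invoices to purchase orders",
                 NOW + timedelta(days=30), frozenset({"read:invoices"}))
GRANT = TaskGrant("invoice-agent", "read:invoices", NOW + timedelta(minutes=10))
ORPHAN = Identity("test-bot", None, "unknown", AGENT.expires, AGENT.scopes)
LATER = NOW + timedelta(minutes=11)   # one minute after the grant lapses
```

The same agent that is allowed to read invoices during its task is refused once the grant lapses, refused for any resource outside its scope, and refused outright if nobody owns it; each refusal lands in `AUDIT` with a reason.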
“Never trust, always verify” still stands. AI simply changes the speed at which it must work.
The cost of weak governance
The risks are no longer theoretical. Recent AI-related incidents show a familiar pattern: overprivileged identities, limited visibility and controls that were not enforced when it mattered.
In the Salesloft breach, stolen OAuth tokens linked to a third-party AI chat agent gave attackers access to data across more than 700 Salesforce environments. The access existed but the governance around it did not keep pace.
In a separate Meta incident, an AI agent exposed sensitive data to staff who were not authorised to see it. The harder question afterwards was accountability. If nobody clearly owns the agent, responsibility becomes slippery.
The lesson is consistent. AI doesn’t create the identity problem on its own; it exposes it, accelerates it and makes it harder to manage manually.
Microsoft reports that only 9% of organisations feel prepared for AI-era risks such as prompt injection and shadow AI. That suggests many teams know there is work to do. Which, in fairness, is usually where good security starts.
Zero trust becomes real
Zero trust has always been about two things: never trust and always verify. For years, organisations could treat that as a direction of travel. AI makes it more immediate. When actions happen without a human in the loop, at machine speed, across systems a perimeter cannot contain, trust by default is no longer a safe operating model.
Zero trust is not just something to mature towards. In an AI-driven world, it becomes the basic working model. Identity is how it is enforced.
The organisations that get this right will be better placed to use AI with confidence. Not because every risk disappears, but because they can see what agents are doing, control what they can reach and act before small gaps become larger problems.
Get your identity foundations ready
AI makes identity governance harder to leave for later. As organisations introduce AI agents alongside human users, understanding who has access to what, and whether those permissions are still appropriate, becomes increasingly important.
Through our Zero Trust security services, we help organisations assess their current identity controls, identify gaps, and build a practical roadmap for secure AI adoption. The aim is not to start again, but to strengthen the foundations already in place so AI can be introduced with confidence.