
Agentic AI Governance in Zero Trust Architecture

  • Co-authored by J. Nacol and multi-model AIs
  • 3 days ago
  • 6 min read

Zero Trust frameworks were designed for a world where humans and traditional services were the primary actors. Autonomous AI agents are neither.

The good news is that the foundational Zero Trust frameworks already provide the structural vocabulary to address this challenge. The key is extending those frameworks intentionally rather than retrofitting controls after deployment.


The Zero Trust Foundation: DoD, NIST, and CISA

Zero Trust Architecture is primarily defined by seven key pillars in the DoD and NIST frameworks: User, Device, Network & Environment, Application & Workload, Data, Visibility & Analytics, and Automation & Orchestration. Together, these pillars describe an end-to-end security posture where no entity, human or machine, is implicitly trusted, and every access decision is continuously verified.

The CISA Zero Trust Maturity Model consolidates these into five core pillars (Identity, Devices, Networks, Applications & Workloads, and Data) with three cross-cutting capabilities: Visibility & Analytics, Automation & Orchestration, and Governance. CISA's model adds maturity stages (Traditional, Initial, Advanced, and Optimal) that give organizations a practical roadmap for incremental adoption.


Both frameworks share the same first principles:

  • verify explicitly

  • enforce least privilege

  • and assume breach


But neither framework was written with autonomous AI agents as a primary actor class. The DoD's "User" pillar, for example, addresses "person and non-person entities," but the operational guidance was designed around service accounts and API clients, not agents that reason, delegate, chain actions, and adapt their behavior in real time. CISA's "Identity" pillar emphasizes continuous verification and behavioral baselining, concepts that translate directly to agentic governance, but the model stops short of addressing the unique lifecycle and accountability challenges that autonomous agents introduce.

This is the gap. The pillars below give security architects a suggested, structured, proactive foundation to close it, not by replacing the DoD or CISA frameworks, but by extending their principles to the agentic layer.



Pillar 1: Least-Privilege Identity for Agents

Extends: DoD "User" Pillar · CISA "Identity" Pillar

Treat every AI agent as a distinct non-human identity (NHI) in your IAM system—not as a shared service account or an extension of its developer's credentials. Agents should receive scoped, time-limited, task-bounded credentials limited strictly to what each action requires.

This means more than traditional RBAC. Agentic identity requires just-in-time provisioning, delegation chains that trace authority back to a human principal, and ephemeral credentials that expire when the task completes. An HR agent should have no access to payroll databases. A customer-support agent shouldn't be able to write to production systems. And critically, the system should be able to answer the question "who authorized this agent to act, and on whose behalf?" at any point in its lifecycle.

The scale of this challenge is significant. Non-human identities now outnumber human identities by ratios of 50:1 or higher in many enterprises, and that ratio is accelerating as agentic deployments grow. Traditional IAM and PAM were not built for identities that are dynamic, autonomous, and capable of spawning sub-agents.

Recommended tooling: Azure Entra Workload ID, AWS IAM with session policies, Open Policy Agent (OPA) for fine-grained authorization, and emerging agentic identity platforms that support delegation-aware OAuth flows.
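The delegation-chain idea above, as an added example that is not part of the original post or of any of the products named: a simplified in-memory model (not an OAuth flow) in which every agent credential is a scoped, expiring grant whose authority attenuates at each hop and must terminate in a human principal. Names such as Grant, HUMAN_PRINCIPALS and the sample chain are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

HUMAN_PRINCIPALS = {"alice@example.com"}          # constructed IdP roster: valid chain roots
NOW = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)  # constructed clock

@dataclass(frozen=True)
class Grant:
    subject: str                     # identity that holds this grant
    issuer: str                      # "idp" for the root, else the parent's subject
    scopes: frozenset                # permitted actions, e.g. "tickets:read"
    expires_at: datetime
    parent: Optional["Grant"] = None  # None only for the root human grant

def delegate(parent: Grant, child: str, scopes: set, ttl: timedelta, now: datetime) -> Grant:
    """A sub-agent gets only a subset of the parent's scopes and never outlives the parent."""
    excess = set(scopes) - parent.scopes
    if excess:
        raise PermissionError(f"{parent.subject} cannot grant {sorted(excess)}")
    return Grant(child, parent.subject, frozenset(scopes), min(now + ttl, parent.expires_at), parent)

def authorize(grant: Grant, action: str, now: datetime) -> bool:
    """Walk the whole chain: each link unexpired and attenuated, root a human principal."""
    g = grant
    while g is not None:
        if now >= g.expires_at or action not in g.scopes:
            return False
        if g.parent is None:
            return g.subject in HUMAN_PRINCIPALS
        if not g.scopes <= g.parent.scopes or g.issuer != g.parent.subject:
            return False
        g = g.parent
    return False

def accountable_human(grant: Grant) -> str:
    """Answer 'who authorized this agent, and on whose behalf?'"""
    g = grant
    while g.parent is not None:
        g = g.parent
    return g.subject

def sample_chain():
    """Constructed chain: human -> support agent -> summarizer sub-agent."""
    root = Grant("alice@example.com", "idp",
                 frozenset({"tickets:read", "tickets:write", "payroll:read"}), NOW + timedelta(hours=8))
    support = delegate(root, "support-agent", {"tickets:read", "tickets:write"}, timedelta(minutes=30), NOW)
    helper = delegate(support, "summarizer-agent", {"tickets:read"}, timedelta(hours=2), NOW)
    return root, support, helper
```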


Pillar 2: Immutable Audit Trails and Decision Logging

Extends: DoD "Visibility & Analytics" Pillar · CISA Cross-Cutting "Visibility & Analytics" and "Governance"

Every tool call, memory read/write, reasoning step, and action an agent takes must be logged in tamper-evident, reconstructable form. This is both a security control and a regulatory prerequisite for explainability and accountability.

The distinction for agentic systems is that you need to log decisions, not just events. Traditional observability captures that an API was called. Agentic observability must capture what the agent was asked to do, what context it used to reason, what alternatives it considered, and why it took the action it did. Without this, incident response becomes forensic guesswork, and regulatory compliance around AI explainability becomes impossible.

This pillar also underpins the CISA maturity model's emphasis on cross-pillar correlation. Agent telemetry should feed into the same SIEM and analytics pipelines that monitor human and device behavior, enabling security teams to detect anomalous agent behavior in the context of broader enterprise activity.

Recommended tooling: OpenTelemetry for distributed tracing, Splunk or Elastic for log aggregation and correlation, and purpose-built agent observability layers like those emerging in the CSA Agentic Trust Framework.
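An added example, not the post's own code and unrelated to the tools named above: a hash-chained decision log that records what the agent was asked, what context it used, what it considered and why it chose as it did, and that detects edits, deletions and reordering on verification. Record field names and the sample run are constructed.

```python
import hashlib, json
from typing import Optional

GENESIS = "0" * 64   # prev_hash of the first record

def digest(body: dict) -> str:
    # Canonical JSON so the hash does not depend on key order or whitespace.
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

class DecisionLog:
    def __init__(self) -> None:
        self.records: list = []

    def record(self, agent: str, task: str, context_refs: list, alternatives: list,
               chosen: str, rationale: str) -> str:
        """Log a decision, not just an event; each record commits to the previous hash."""
        body = {
            "seq": len(self.records), "agent": agent, "task": task,
            "context_refs": context_refs, "alternatives": alternatives,
            "chosen": chosen, "rationale": rationale,
            "prev_hash": self.records[-1]["hash"] if self.records else GENESIS,
        }
        body["hash"] = digest(body)
        self.records.append(body)
        return body["hash"]

    def verify(self) -> Optional[int]:
        """None if the chain is intact, else the seq of the first record that fails."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec.get("seq") != i or body.get("prev_hash") != prev or digest(body) != rec.get("hash"):
                return i
            prev = rec["hash"]
        return None

    def explain(self, seq: int) -> dict:
        """Reconstruct one decision for a reviewer, without the chain bookkeeping."""
        return {k: v for k, v in self.records[seq].items() if k not in ("hash", "prev_hash")}

def sample_log() -> DecisionLog:
    """Constructed three-step run of a support agent."""
    log = DecisionLog()
    log.record("support-agent", "resolve ticket T-101", ["kb:refund-policy#v3"],
               ["refund", "escalate"], "refund", "order within 14-day window")
    log.record("support-agent", "resolve ticket T-101", ["crm:order/8812"],
               ["email", "none"], "email", "customer asked for confirmation")
    log.record("support-agent", "close ticket T-101", [], ["close"], "close", "resolved")
    return log
```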


Pillar 3: Defense-in-Depth—Input Validation and Behavioral Monitoring

Extends: DoD "Application & Workload" and "Network & Environment" Pillars · CISA "Applications & Workloads" and "Networks" Pillars

These two controls work together and should be treated as a unified defensive layer.

Input validation means establishing content inspection for all data entering agentic systems—PDFs, emails, web content, user-generated text, RAG knowledge bases—to neutralize prompt injection patterns before the agent processes them. At RSAC 2026, Cisco reported that 36% of skills in one popular agent marketplace contained detectable prompt injection. The threat is not theoretical; it is operational.

Behavioral monitoring means defining baselines for each agent's expected activity and flagging deviations for review. For a customer-support agent, "normal" might mean 5–10 tool calls per ticket and no access to PII outside business hours. For a code-review agent, normal might mean read-only repository access with no outbound network calls. Any deviation triggers a review process rather than a silent alert.

This maps directly to the DoD framework's emphasis on micro-segmentation and continuous monitoring at the network and application layers, extended to the agentic context. The CISA maturity model's "Advanced" and "Optimal" stages call for dynamic, context-aware policy enforcement—exactly the kind of adaptive security that agentic behavioral monitoring requires.

Recommended tooling: Darktrace or Vectra AI for behavioral anomaly detection, runtime policy engines like Microsoft's Agent Governance Toolkit for deterministic action-level enforcement, and MCP gateways for tool-use control.
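The behavioral-baseline idea above, as an added example that is not the post's code and not tied to any product it names: per-agent baselines for tool-call volume, PII access hours and outbound network use, run over constructed tool-call telemetry. The baseline format, event fields and agent names are assumptions made for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Hypothetical per-agent baselines: expected call volume per ticket, the hours in which
# PII access is normal (None = never handles PII), and whether outbound network use is expected.
BASELINES = {
    "support-agent":     {"max_calls_per_ticket": 10, "pii_hours": (9, 18), "outbound_network": False},
    "code-review-agent": {"max_calls_per_ticket": 40, "pii_hours": None,    "outbound_network": False},
}

# Constructed telemetry in the shape a tool-call hook might emit, one JSON object per line.
SAMPLE_EVENTS = """\
{"ts":"2026-03-02T10:15:00","agent":"support-agent","ticket":"T-101","tool":"crm.read","pii":true}
{"ts":"2026-03-02T10:15:05","agent":"support-agent","ticket":"T-101","tool":"crm.write","pii":false}
{"ts":"2026-03-02T02:40:00","agent":"support-agent","ticket":"T-102","tool":"crm.read","pii":true}
{"ts":"2026-03-02T11:00:00","agent":"code-review-agent","ticket":"PR-7","tool":"repo.read"}
{"ts":"2026-03-02T11:00:02","agent":"code-review-agent","ticket":"PR-7","tool":"http.fetch","net_host":"paste.example.net"}
{"ts":"2026-03-02T11:30:00","agent":"billing-bot","ticket":"T-103","tool":"crm.read"}
"""

def load_events(jsonl: str) -> list:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]

def detect_deviations(events: list) -> list:
    """Compare each event with its agent's baseline and return findings for review.
    Each deviation type is reported once per agent/ticket, not once per call."""
    findings, calls, seen = [], defaultdict(int), set()
    def flag(key, msg):
        if key not in seen:
            seen.add(key)
            findings.append(msg)
    for e in events:
        base = BASELINES.get(e["agent"])
        if base is None:   # an agent nobody inventoried is itself a finding
            flag((e["agent"], "unregistered"), f"{e['agent']}: no baseline on file, treat as unregistered agent")
            continue
        key = (e["agent"], e["ticket"])
        calls[key] += 1
        if calls[key] > base["max_calls_per_ticket"]:
            flag(key + ("volume",), f"{e['agent']} on {e['ticket']}: more than {base['max_calls_per_ticket']} tool calls")
        if e.get("pii") and base["pii_hours"]:
            lo, hi = base["pii_hours"]
            hour = datetime.fromisoformat(e["ts"]).hour
            if not lo <= hour < hi:
                flag(key + ("pii-hours",), f"{e['agent']} on {e['ticket']}: PII access at {e['ts']} outside {lo:02d}:00-{hi:02d}:00")
        if e.get("net_host") and not base["outbound_network"]:
            flag(key + ("network",), f"{e['agent']} on {e['ticket']}: unexpected outbound call to {e['net_host']}")
    return findings
```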


Pillar 4: Data Governance for Agent Memory and Context

Extends: DoD "Data" Pillar · CISA "Data" Pillar

Both the DoD and CISA frameworks place data at the center of Zero Trust Architecture. In agentic systems, this pillar takes on additional dimensions because agents don't just access data—they accumulate, synthesize, and act on it through memory, retrieval-augmented generation (RAG), and context windows.

Governance here means classifying and controlling the data that agents can ingest, retain, and reference. An agent's memory store is a potential exfiltration vector and a poisoning surface. RAG knowledge bases must be treated as security-critical infrastructure, with integrity verification, access controls, and provenance tracking.

The practical question: can your security team audit what data an agent used to make a specific decision, verify that the data was not tampered with, and confirm that the agent was authorized to access that data in the first place? If the answer is no, you have a data governance gap that no amount of perimeter security will close.

Recommended approach: Data classification policies that extend to agent memory and context stores, DLP controls on agent output channels, integrity checks on RAG ingestion pipelines, and encryption for data at rest in agent state.


Pillar 5: Human-in-the-Loop Checkpoints for High-Stakes Actions

Extends: DoD "Automation & Orchestration" Pillar · CISA Cross-Cutting "Automation & Orchestration" and "Governance"

Define a tiered action policy based on risk:

  • Low-risk actions proceed autonomously with standard logging.

  • Medium-risk actions execute with automatic post-action notification and periodic human-on-the-loop (HOTL) review.

  • High-risk actions—financial transactions, large data exports, system configuration changes, external communications—require explicit human-in-the-loop (HITL) authorization before execution.

This is where human-centric AI design meets security architecture. The DoD's "Automation & Orchestration" pillar calls for automated security responses, but in the agentic context, orchestration must include the human as a deliberate control point, not an afterthought. CISA's "Governance" cross-cutting capability emphasizes accountability and policy alignment—and for autonomous agents, accountability ultimately traces back to human authorization.

The design principle is straightforward: irreversible or high-impact decisions always carry human accountability. The agent is an extension of human intent, not a replacement for it. Building this into your architecture from the start is far less costly than retrofitting it after an autonomous agent takes an action that no human authorized.
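The tiered action policy above, as an added example that is not part of the original post: a small runtime gate that executes low-risk actions, notifies on medium-risk ones, and parks high-risk ones until a registered human approves that exact request. The approval is bound to a fingerprint of the agent, action and parameters and is single-use, so an agent cannot reuse a sign-off or change the parameters after it. The risk map, approver roster and class names are constructed for illustration.

```python
import hashlib, json, uuid
from enum import Enum
from typing import Optional

class Tier(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

HUMAN_APPROVERS = {"ops-lead@example.com"}   # constructed roster of people who may approve

def classify(action: str, params: dict) -> Tier:
    """Hypothetical risk map following the post's three tiers."""
    if action in {"payment.send", "config.update", "email.send_external"}:
        return Tier.HIGH
    if action == "data.export":   # only large exports are high-stakes
        return Tier.HIGH if params.get("rows", 0) > 10_000 else Tier.MEDIUM
    return Tier.MEDIUM if action.endswith(".write") else Tier.LOW

def fingerprint(agent: str, action: str, params: dict) -> str:
    # Approval is bound to the exact request, so parameters cannot be swapped after sign-off.
    return hashlib.sha256(json.dumps([agent, action, params], sort_keys=True).encode()).hexdigest()

class ActionGate:
    def __init__(self) -> None:
        self.pending = {}         # approval_id -> {"fp": ..., "approved_by": None or human}
        self.notifications = []   # post-action notices for human-on-the-loop review

    def approve(self, approval_id: str, human: str) -> None:
        if human not in HUMAN_APPROVERS or approval_id not in self.pending:
            raise PermissionError("approval must come from a registered human for a pending request")
        self.pending[approval_id]["approved_by"] = human

    def submit(self, agent: str, action: str, params: dict, approval_id: Optional[str] = None) -> dict:
        tier = classify(action, params)
        if tier is Tier.HIGH:
            fp = fingerprint(agent, action, params)
            if approval_id is None:   # first pass: park the request and ask a human
                aid = str(uuid.uuid4())
                self.pending[aid] = {"fp": fp, "approved_by": None}
                return {"status": "pending", "tier": "HIGH", "approval_id": aid}
            rec = self.pending.get(approval_id)
            if rec is None or rec["approved_by"] is None or rec["fp"] != fp:
                raise PermissionError("no valid human approval for this exact action")
            del self.pending[approval_id]   # single use: a repeat needs a fresh approval
            return {"status": "executed", "tier": "HIGH", "approved_by": rec["approved_by"]}
        if tier is Tier.MEDIUM:
            self.notifications.append((agent, action, params))
        return {"status": "executed", "tier": tier.name, "approved_by": None}
```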


Conclusion

The DoD, NIST, and CISA Zero Trust frameworks provide the right architectural vocabulary. The challenge is that autonomous AI agents introduce an actor class these frameworks did not fully anticipate. Rather than building a parallel governance structure, the more durable approach is to extend each existing pillar to address the unique identity, observability, behavioral, data, and accountability challenges that agentic systems create.

The first step is visibility. Start by inventorying your agents, mapping their access and data flows, and conducting a gap analysis against the five pillars above. The organizations that embed governance into their agentic architecture now will operate with both more velocity and more safety than those forced to retrofit controls under regulatory or incident pressure later.



© 2026 by Digerati One LLC -- Di1
