Zero Trust Was Built for Users. Agentic AI Breaks the Model.

Zero trust rests on a clean conceptual model: every request comes from an identity, that identity is verified continuously, and access is granted narrowly based on who is asking and in what context.^[1] The federal zero-trust push has spent years operationalizing that model around two kinds of actors — human users and the services they run. Agentic AI introduces a third kind of actor that fits neither category cleanly, and the architecture has no settled way to reason about it. An agent is not a user; it has no person behind it making a judgment call at the moment of access. It is not a conventional service either; it does not execute a fixed, auditable code path. It decides, at runtime, what to do next. That single property — runtime autonomy — is what breaks the assumptions zero trust was built on.

The actor the architecture forgot

Zero-trust access decisions are designed around predictable behavior. A user's access pattern is shaped by their role; a service's by its code. Both are knowable in advance, which is what lets an access engine reason about whether a given request is normal. An agent's behavior is shaped by a model interpreting a goal, which means its access pattern is emergent rather than specified. The same agent, given a slightly different prompt or a different state of the world, will reach for different systems and different data. The access engine cannot pre-reason about a request it could not have predicted.

This is not a theoretical concern. It is the reason agentic deployments quietly accumulate broad permissions. Because the agent might legitimately need to touch many systems to accomplish its goals, the path of least resistance is to grant it access to all of them. The agent ends up with a standing privilege footprint that no human in the organization holds — and that footprint is exactly what zero trust was created to eliminate.

"An agent given broad access to 'be useful' becomes the single most over-privileged identity in the agency — and the one least able to explain, at the moment of access, why it needs what it is reaching for."

The standing-privilege trap

The core tension is between capability and least privilege. An agent is valuable in proportion to what it can reach and act on. Zero trust is protective in proportion to how tightly that reach is constrained. Every agentic deployment lives on this trade-off, and most resolve it in the wrong direction because the wrong direction is easier to build.

The pattern repeats across federal agentic pilots. A workforce-systems agent is given write access to the systems of record so it can complete tasks end to end. A case-management agent is granted read access across the full case store so it never lacks context. A data agent is wired into every source it might conceivably need. Each decision is locally reasonable. The aggregate is an identity with more standing access than any team in the building — and a behavior pattern no access engine can predict. The federal integration seam between agents and the systems of record is precisely where this concentration of privilege accumulates, which is why it has to be designed deliberately rather than granted incrementally.

Non-human identity becomes the main event

For most of the zero-trust era, non-human identity — service accounts, machine credentials, API keys — was a secondary concern, managed adequately but rarely the headline. Agentic AI inverts that. The number of non-human identities in an agency running agents at scale will exceed the number of human identities, and the non-human ones will be the more privileged, more dynamic, and harder to govern. The identity program that was built primarily for people now has to treat machine and agent identity as a first-class problem, not a footnote.

• Lifecycle. Human identities have hire and offboard events that drive provisioning. Agents are spun up and retired far more fluidly, and the credentials they hold can outlive the task that needed them. Orphaned agent credentials are the new orphaned service account.
• Attribution. When an agent acts, the audit log needs to capture not just which agent, but on whose behalf and under what goal. Conventional identity logging captures the actor, not the intent — and intent is what an investigator will need.
• Delegation. Agents that invoke other agents create chains of delegated authority. Zero trust has no native concept for an identity acting on behalf of another identity acting on behalf of a user. That chain has to be made explicit or it becomes unauditable.

Designing zero trust for agents

The answer is not to abandon zero trust — its principles are more relevant to agents, not less. The answer is to extend the model so it can reason about an actor whose behavior is emergent. Several design moves are proving durable in federal agentic work.

• Just-in-time over standing access. Replace the agent's broad permission footprint with narrowly-scoped, time-boxed grants issued per task. The agent requests access to what the current task needs and the access expires when the task ends. This restores least privilege to an actor that cannot have its needs specified in advance.
• Goal-scoped credentials. Bind the agent's authority to the specific goal it was instantiated to pursue, so an agent tasked with one objective cannot quietly use its credentials for another. The credential carries the scope, not just the identity.
• Mediated access through a control point. Route agent access to systems of record through a policy-enforcing intermediary rather than granting the agent direct credentials. The intermediary applies least privilege, logs intent, and gives the agency one place to govern what every agent can reach.
• Human-in-the-loop as an access control. For high-consequence actions, require a human approval step as part of the access decision itself, not as an after-the-fact review. The approval becomes the verification zero trust demands at the moment that matters most.

The control-plane decision

Underneath all of this is a single architectural decision: where does the agency put the control point that governs agent access? Agencies that leave it implicit — that grant agents direct credentials and hope least privilege holds — will discover that their most powerful identities are the ones they understand least. Agencies that make identity and access the deliberate control plane for agentic AI keep the zero-trust property they spent years building, and extend it to the actor that needs it most. The mandate did not anticipate the agent. The architecture can still accommodate it — but only if the control plane is designed in, not bolted on after the agents are already loose in the environment.^[2]