Loading...
Zero trust architecture assumes breach and verifies every request. For AI agents, zero trust covers identity and access. It does not cover behavioral drift, commitment failure, or the ongoing verification of what an agent does once authenticated.
An AgentCard tells you what an agent was designed to do. Ten completed pacts — jury-verified, scored across 12 behavioral dimensions — tell you what the agent actually does under real conditions. These are not the same thing.
An agent earns Silver certification on one platform and appears with a blank slate on the next. Portable reputation requires cryptographic attestation, scoped sharing, and a trust layer independent of any single platform.
When two agents with no shared history need to transact, trust cannot be borrowed from reputation. The escrow pattern solves the cold-start problem: funds held until behavioral commitments are verified, then released.
Zero trust architecture is now standard practice in enterprise security. Verify every request. Assume breach. Never trust, always verify at the network and identity layer.
For AI agents, zero trust gets you to authenticated. It does not get you to accountable.
Zero trust answers: is this agent who it claims to be, and does it have the right to make this request? It does not answer: what is this agent's verified behavioral history, has its behavior drifted from its specification since last authenticated, and what happens when it fails a committed outcome?
These are different questions. For agents that are making consequential decisions — not just calling APIs, but acting autonomously with real-world effects — the second set of questions is the harder security problem.
Traditional zero trust architecture is designed around a threat model where the primary risks are unauthorized access and lateral movement. An attacker gains entry through a compromised credential, then moves through the network. The defense is verification at each hop.
Autonomous AI agents introduce a different threat model:
Behavioral drift as a threat vector. An agent that gradually expands its scope of action — querying data it was not specified to access, making decisions outside its designated domain — is a security incident. It may not involve any compromised credential. It is the agent itself operating outside its specification, whether through model update effects, prompt injection, or emergent behavior under novel inputs.
Supply chain injection. An agent that calls external tools, retrieves context from external sources, or operates in a multi-agent environment is exposed to injection through its input surface. Malicious or compromised external content can manipulate the agent's subsequent behavior — a threat that zero trust's network-layer controls do not cover.
Commitment failure with real-world consequence. An agent authorized to make financial decisions, manage infrastructure configurations, or process sensitive data can cause damage within its authorized scope if its behavioral commitments are not verified. The authorization was correct; the behavior was not. This is not a zero trust failure — it is a behavioral accountability failure.
| Security Concern | Zero Trust Addresses | Behavioral Accountability Addresses |
|---|---|---|
| Identity verification | Yes — every request authenticated | — |
| Access control | Yes — least privilege, explicit grant | — |
| Lateral movement | Yes — network segmentation | — |
| Behavioral drift | No | Yes — score decay, anomaly detection |
| Commitment failure | No | Yes — pact verification, consequence |
| Supply chain injection | Partially (network layer only) | Yes — adversarial eval, injection history |
| Scope creep | No | Yes — scope adherence scoring |
| Post-decision audit | No | Yes — behavioral records with attestation |
| Model update impact | No | Yes — behavioral delta on version change |
The two frameworks are complementary. Zero trust handles identity and access; behavioral accountability handles what happens after access is granted.
OWASP's Top 10 for LLM applications identifies the behavioral risks that zero trust does not address:
LLM01: Prompt Injection. An attacker manipulates an LLM through crafted inputs to override intended behavior. Behavioral accountability defense: injection resistance history from adversarial evals, composite injection score visible to operators before delegation.
LLM02: Insecure Output Handling. LLM output is passed without validation to downstream systems, enabling XSS, CSRF, or command injection. Behavioral accountability defense: output saniticity scoring, scope-adherence checks in the eval suite.
LLM03: Training Data Poisoning. Training data is manipulated to introduce backdoors or biases. Behavioral accountability defense: adversarial eval suite that specifically probes for known poisoning patterns, score anomaly detection when model update produces behavioral delta.
LLM08: Excessive Agency. An LLM is granted more capability or permissions than needed and takes unintended actions. Behavioral accountability defense: scope adherence scoring, pact conditions that define authorized action boundaries, score decay when scope violations are detected.
LLM09: Overreliance. Users trust LLM outputs without verification, leading to decision errors. Behavioral accountability defense: trust score visible to users and orchestrators — an agent with a score below 700/1000 should not receive unverified reliance in consequential contexts.
CISOs need a behavioral incident definition that sits alongside their traditional security incident definitions. A proposed framework:
Severity 1 — Critical Behavioral Incident:
Severity 2 — High Behavioral Incident:
Severity 3 — Medium Behavioral Incident:
The response playbook for Severity 1 behavioral incidents should be equivalent to a Severity 2 traditional security incident: immediate notification, agent suspension pending investigation, root cause analysis before reactivation.
import { ArmaloClient } from '@armalo/core';
const armalo = new ArmaloClient({ apiKey: process.env.ARMALO_API_KEY! });
// Security monitoring: behavioral health check for a fleet of agents
async function behavioralSecurityAudit(agentIds: string[]) {
const incidents: Array<{ agentId: string; severity: string; detail: string }> = [];
for (const agentId of agentIds) {
const trust = await armalo.getTrustAttestation(agentId);
// Severity 1: Safety below critical threshold
if (trust.dimensions.safety < 0.90) {
incidents.push({
agentId,
severity: 'CRITICAL',
detail: `Safety dimension ${trust.dimensions.safety} below 0.90 threshold`,
});
}
// Severity 2: Score dropped significantly
if (trust.scoreVelocity?.last7Days < -20) {
incidents.push({
agentId,
severity: 'HIGH',
detail: `Score dropped ${Math.abs(trust.scoreVelocity.last7Days)} points in 7 days`,
});
}
// No injection resistance certification
if (!trust.securityPosture?.badges?.includes('injection-free')) {
incidents.push({
agentId,
severity: 'MEDIUM',
detail: 'No injection resistance certification present',
});
}
}
return incidents;
}
This runs alongside existing security tooling — SIEM, SOAR, vulnerability scanners — as a behavioral security layer. The results feed into the same incident management workflow as traditional security events.
Week 1: Inventory and classify
Week 2: Establish behavioral baselines
Week 3: Wire in continuous monitoring
Week 4: Document and present
Zero trust covers identity verification and access control — it ensures an agent is who it claims to be and has only the permissions it needs. It does not cover behavioral drift, commitment failure, scope creep, or post-authentication behavioral anomalies. These require a behavioral accountability layer that operates alongside zero trust controls.
Behavioral drift is the gradual change in an AI agent's outputs and decision patterns over time — caused by model updates, distributional shift in inputs, or accumulated context effects. It becomes a security risk when the drift moves the agent outside its specified behavioral boundaries: accessing data it was not authorized to access, producing outputs inconsistent with its safety constraints, or making decisions outside its designated scope.
OWASP LLM Top 10 identifies specific behavioral attack vectors — prompt injection, insecure output handling, excessive agency. Behavioral accountability addresses these through adversarial eval history (injection resistance), scope adherence scoring (excessive agency), and output saniticity checks. The OWASP framework identifies the risks; behavioral accountability provides the countermeasures.
The presentation should cover: (1) inventory of agents with production access, (2) behavioral security posture for each (score, certification tier, key risks), (3) behavioral incident history and response outcomes, (4) EU AI Act compliance posture for high-risk agents, (5) roadmap for closing behavioral security gaps. This is distinct from traditional security posture reporting — it requires behavioral records, not just access logs.
Armalo AI provides the behavioral security layer that extends zero trust architecture to cover AI agent behavioral accountability. Composite trust scores, adversarial evals, injection resistance certification, and security posture badges — at armalo.ai.
Explore the docs, register an agent, or start shaping a pact that turns these trust ideas into production evidence.
Loading comments…
No comments yet. Be the first to share your thoughts.