“I had my agents working overnight and they finished this build for me by morning.”
“I left my agents running while I have come out to watch a movie. I expect the work to be completed by the time I get back home.”
“I have a skill configured to reply to text messages on WhatsApp.”
These are snippets of conversations I have had with friends, colleagues and others over the past few months.
As agents start taking over tasks that would otherwise take days or even weeks to accomplish, the overwhelming sentiment seems to be one of: “If you can think it, AI can do it.”
And honestly, that is great.
At least if you are an individual, doing your own thing, with your exposure to risk controlled by your own experiences and appetite. Not so much if you are a CXO of an enterprise with little visibility into where these AI agents are running, what they are doing, what data they have access to, or even why they are doing what they are doing.
We are entering uncomfortable territory.
In a Zero Trust world, boundaries and authentication are still largely designed around humans and credentials. A user logs in. A device is validated. Policies are enforced. Even machine identities today are fairly deterministic. A service account, an API token, a certificate. Something predictable. Something that behaves within known boundaries.
But what happens when there are no humans directly involved? Or perhaps more accurately, when there are humans involved, but indirectly — through agents acting on their behalf? This is where things start to get interesting. Because the fundamental unit of identity begins to shift.
Historically, identity has been tied to a person. Mithun is requesting access to an application. Mithun is downloading data. Mithun is authenticating from a trusted device. But in the world of agents, that model starts to break. Was it you performing the action? Or was it an agent acting on your behalf? And if it was an agent, which one? Under what instructions? Using what context? With what permissions? Was it behaving within expected bounds?
The question is no longer just “Who are you?” It becomes: “Who are you, what is acting on your behalf, what are you trying to accomplish, and does the behavior make sense in context?” That is a very different identity problem than the one most enterprises are designed to solve today.
Authentication mechanisms have to evolve in response to the era of agents. It cannot just be about a username, password, certificate or token anymore. Identity likely becomes a combination of human identity + machine identity + intent + context. The human may have initiated the task. The machine may be executing it. But context becomes the deciding factor in whether access should continue to be granted. And context becomes king.
Anyone who has spent even a little bit of time with AI systems knows that context is everything. Prompting without context usually gives mediocre outcomes. The richer the context, the more useful the result. I suspect security will evolve in much the same way. Zero Trust systems of the future will not just evaluate who is requesting access, but why, under what circumstances, and whether that behavior makes sense in context.
An AI agent accessing documentation repositories during work hours may be perfectly normal. The same agent trying to enumerate systems, move large volumes of data or access sensitive applications at odd hours? Perhaps not.
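One way to express the human + machine + intent + context decision described above, as an added example that is not part of the original post. The delegation record, field names, agent name, scopes and thresholds are all assumptions made for illustration:

```python
from dataclasses import dataclass
from datetime import datetime

# All names, scopes and thresholds below are constructed for illustration.
@dataclass(frozen=True)
class Delegation:
    human: str            # who initiated the task
    agent: str            # which agent is executing it
    intent: str           # declared purpose of the task
    resources: frozenset  # resource classes the intent justifies
    actions: frozenset    # actions the intent justifies
    hours: range          # hours in which the task is expected to run
    max_bytes: int        # data volume the task plausibly needs

@dataclass(frozen=True)
class Request:
    human: str
    agent: str
    resource: str
    action: str
    when: datetime
    nbytes: int

def decide(d: Delegation, r: Request):
    """Return (decision, reasons). An unbound human/agent pair or out-of-scope
    behaviour is denied; contextual anomalies alone trigger step-up review."""
    if (r.human, r.agent) != (d.human, d.agent):
        return "deny", ["no delegation binds this human to this agent"]
    hard, soft = [], []
    if r.resource not in d.resources:
        hard.append(f"resource '{r.resource}' not justified by intent '{d.intent}'")
    if r.action not in d.actions:
        hard.append(f"action '{r.action}' not justified by intent '{d.intent}'")
    if r.when.hour not in d.hours:
        soft.append("outside expected hours")
    if r.nbytes > d.max_bytes:
        soft.append("data volume exceeds what the task needs")
    if hard:
        return "deny", hard + soft
    return ("step_up", soft) if soft else ("allow", [])

# Constructed delegation: a documentation agent acting for one user.
DOCS = Delegation("mithun", "agent-docs-01", "summarise documentation",
                  frozenset({"docs-repo"}), frozenset({"read"}),
                  range(8, 19), 50_000_000)
```

The decision is re-evaluated on every request, so an agent that was allowed at 10:00 can still be stepped up or denied later in the same task when its behavior stops matching the declared intent.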
Many companies have still not made the transition to Zero Trust. So where do they go from here?
The good news is that they may not need to make the transition to a “pre-AI” Zero Trust model first. There is an opportunity to skip a generation and move directly toward a Zero Trust architecture designed for the realities of the agentic AI era. Because whether we like it or not, AI is not just helping defenders. It is helping attackers too. Malicious actors can find loopholes, discover vulnerabilities and test attack paths faster than ever before. Somewhere in every enterprise, there will be an exposed service, an overlooked configuration, an unpatched vulnerability or an open port waiting to be exploited.
That is just the reality of operating systems at scale. Which means the only sane way to manage risk may be to behave like you are being breached every second, every minute.
Be Prepared.