Zero Trust Revisited: Applying NIST SP 800-207 to AI Systems

Introduction

Zero Trust has become the dominant security paradigm for modern systems. Defined by NIST SP 800-207, it replaces implicit trust with continuous verification and enforces access decisions based on identity, context, and policy.

In enterprise environments, this shift has been transformative. Network perimeters have dissolved, identities have become the new control plane, and least-privilege access has become the standard.

However, a new class of systems is emerging — AI systems, particularly those driven by large language models (LLMs) and autonomous agents — that fundamentally challenge the assumptions behind Zero Trust.

Zero Trust was built for users and services. It now must evolve to secure autonomous decision-making systems.

The Original Promise of Zero Trust

Zero Trust introduced a simple but powerful model:

• Never trust, always verify
• Assume breach
• Enforce least privilege continuously

Instead of granting access based on network location or static roles, systems evaluate who is making the request, what resource is being accessed, and under what context.

This model works well for human users, service-to-service communication, and API-driven architectures — because in these systems, identity is well-defined, requests are deterministic, and boundaries are clear.

AI systems break all three.

Where Zero Trust Breaks in AI Systems

Identity Is No Longer Singular

In AI-driven environments, actions are no longer performed directly by users. A user initiates a request, an AI agent interprets it, and the agent executes multiple actions across systems. This raises a fundamental question:

Who is the true actor — the user who initiated the request, the agent making decisions, or the system orchestrating execution?

Traditional identity models do not account for this layered delegation.

Requests Become Non-Deterministic

In traditional systems, a request maps predictably to an action. In AI systems, a single prompt can result in multiple possible execution paths. Two identical inputs may trigger different tool usage, access different data sources, and produce different outputs. This makes static access control insufficient.

System Boundaries Collapse

AI agents operate dynamically across APIs, databases, and external services — composing workflows without predefined paths. There is no longer a fixed boundary to defend.

A New Threat Model for AI

AI systems introduce attack surfaces that Zero Trust does not explicitly address.

Prompt Injection

Attackers manipulate inputs to alter system behavior, bypassing intended controls entirely.

Data Exfiltration

Sensitive data may leak through prompts, context windows, or generated outputs — channels that traditional DLP tools do not monitor.

Tool Abuse

Agents may call unintended APIs, execute privileged operations, or chain actions in unsafe ways without any human awareness.

Autonomous Execution Risk

Agents can execute multi-step workflows without human review, amplifying the impact of a single failure or compromise.

Extending Zero Trust: Toward Agent-Centric Security

To secure AI systems, Zero Trust must evolve from identity-based access control to action-based, context-aware enforcement.

1. Agents Must Have First-Class Identity

Agents are not extensions of users — they are autonomous actors. Each agent must have a unique identity, scoped permissions, and fully traceable actions.

2. Every Action Must Be Evaluated in Context

Access decisions must consider who initiated the request, which agent is executing, what action is being performed, what data is involved, and what the current risk context is.

3. Policy Must Be Enforced at Runtime

Static access control is insufficient. Policies must evaluate inputs, intermediate steps, outputs, and tool usage — in real time, on every invocation.

4. Data Must Be Treated as a First-Class Security Boundary

In healthcare and regulated systems, data sensitivity — particularly PHI — must actively drive enforcement decisions. Controls must include data minimization, masking, and contextual access restrictions.

5. Observability Is Non-Negotiable

Every AI action must be logged, explainable, and auditable. This is not just a security requirement — it is a regulatory necessity under HIPAA, SOC 2, and emerging AI frameworks like ISO 42001.

Reference Architecture: Zero Trust for AI Agents

A practical architecture for securing AI systems in regulated environments includes five layers:

• Identity Layer — user identity, agent identity, service identity
• Policy Layer — central policy engine (e.g., Open Policy Agent), context-aware decisioning
• Execution Layer — controlled agent runtime, tool access gating
• Data Layer — secure access to sensitive data, PHI-aware controls
• Audit Layer — full trace of every decision and action, append-only

Why This Matters for Healthcare

Healthcare systems operate under strict regulatory constraints. PHI must be protected at all times, access must be auditable, and systems must demonstrate compliance to regulators and auditors.

AI introduces powerful capabilities — but also unacceptable risks if not properly controlled. Zero Trust alone is not enough. It must be extended with policy enforcement and AI-specific governance to meet the bar that healthcare demands.

Closing Thoughts

Zero Trust remains the correct foundation for modern security. But in the era of autonomous AI agents:

Security must evolve from identity-based access control to policy-driven, context-aware control of autonomous actions.

This is the direction we are building toward at Endear AI — through systems such as the Aether Secure Agent Hub, which enforces OPA policies on every agent tool call, logs every decision to an immutable audit trail, and escalates high-risk actions to human reviewers before they execute.

If you are deploying AI agents in a regulated environment and want to understand how to apply these principles in practice, we would love to talk.