Netskope details how zero trust controls handle AI agent traffic
Netskope says enterprise zero trust controls are not built for AI agents, which authenticate once and then operate through non-human sessions that can change behavior mid-flight, including via prompt injection. The update matters because agent workflows are expanding and create data and control paths current inspection models may not cover.
Research Overview
The blog frames most zero trust implementations around human-driven access requests, where identity, device posture, and context are evaluated at the time of access. It argues that this starting assumption does not match how AI agents operate once they begin an authorized session.
It cites projections from IDC on AI spending and describes agentic workflows as a large portion of that spend. It also cites IBM Research on the rate and time to bypass AI safety guardrails during jailbreak attempts.
Key Findings
The blog describes a shift in threat mechanics for AI agents: adversary activity may be embedded in content the agent reads during an active session rather than arriving at the initial authentication event. It presents prompt injection as an example, where malicious instructions are placed into documents, email, or web pages processed by the agent.
The blog states that, in such cases, credentials can remain valid and the session can remain authorized while no policy is triggered to block the subsequent actions. It also cites IBM Research findings that jailbreak attempts succeed roughly 20% of the time, with attackers needing as few as 42 seconds and five interactions.
Technical Breakdown
The blog explains that Model Context Protocol (MCP) is used to connect AI agents to external tools and data sources, acting as an integration layer that enables agents to reach systems without custom integrations. It argues that MCP traffic does not resemble the user-to-application flows that existing inline inspection tools are built to analyze.
It adds that a secure web gateway that focuses on HTTP from browser sessions may provide limited visibility into agent-to-tool communications, leaving gaps for DLP enforcement, threat detection, and access control on data movement. The blog also describes tool poisoning, including registering a malicious MCP server or manipulating an agent’s tool list or processed instructions, as a way to change where agents connect.
Operational Impact
The blog states that existing architectures may not detect MCP-based attacks without visibility into MCP conversations. It cites Netskope’s Cloud and Threat Report 2026, which says 33% of organizations run AI workloads using Azure OpenAI services, 27% use Amazon Bedrock, and 10% use Google Vertex AI.
For internal application traffic that calls LLMs directly, the blog describes app-to-LLM API paths as bypassing cloud inspection points used by many security stacks. It says this results in limited or no content inspection, limited logging of model outputs, and limited enforcement of data handling policies on that traffic path as deployments scale.
Product Update
The blog presents Netskope One AI Security as addressing these gaps by adding an access and visibility layer for non-human identities. It states that Netskope One Agentic Broker decodes MCP traffic in real time to provide visibility into which MCP servers agents connect to, which tools and prompts are used, and whether data policy violations occur.
It further says the approach integrates with Netskope One DLP for policy enforcement on agentic workflows and uses the Netskope Cloud Confidence Index to assess the risk profile of MCP servers before agents connect. For private infrastructure app-to-LLM traffic, it describes Netskope One AI Gateway as a software inspection point within AWS VPCs and VMware ESXi environments, providing centralized authentication, searchable logs, and integration with Netskope One AI Guardrails and DLP without routing through cloud-based control points.
Overall, the blog argues that zero trust models focused on human access requests do not cover agent-driven behaviors exposed through MCP and app-to-LLM API traffic, and it outlines Netskope’s controls aimed at those traffic types. This “Blog Signals brief” is a fact-based summary of the vendor blog.