Netskope outlines zero trust for AI agents identity and guardrails
At RSA Conference 2026, a vendor blog argues that zero trust guidance for human access is being replaced by messages to “trust” AI agents, despite continued relevance for agent environments. It outlines how Anthropic’s “Zero Trust for AI Agents” and OWASP agent threat concepts translate into identity, policy, visibility, and guardrails for enterprise deployments.
Research Overview
The post frames Anthropic’s eBook “Zero Trust for AI Agents” as guidance for extending zero trust principles to agents and interactions with resources and other agents. It also references OWASP’s categorization of threats for agentic applications and positions defenses around removing adversary capabilities rather than adding friction to user workflows.
The blog presents a control-evaluation question centered on whether a mitigation makes an attack impossible or only tedious. It contrasts traditional “slow the target down” thinking with what it describes as persistent, agent-driven adversary behavior.
Key Findings
To support agent zero trust, the post says agents need identities so access decisions can be made per user-agent-resource context. It describes Anthropic’s view of using certificates for identity verification and mutual TLS for authentication, while also asserting constraints for agent traffic interception when mutual TLS is used.
It further argues that access decisions should follow “least agency,” implemented via role- and context-based controls, such as time, location, sensitivity, risk score, and application instance. The blog states that inline inspection can block agent activity that falls outside policy rules.
Technical Breakdown
The article says zero trust depends on visibility into what runs and what it does, particularly for AI environments where complete resource awareness is described as unlikely. It describes inline inspection as enabling identification of MCP servers and clients in real time, including attributes such as name, ID, URL, version, host, data source, and protocol.
It also describes applying risk scores to public MCP servers and using ongoing visibility to distinguish what happened from whether actions are normal or suspicious. For operations, it claims that observing AI traffic supports detection of shadow AI usage, prevention of unauthorized integrations via unmanaged MCP traffic, and maintaining an inventory of AI assets with risk scores, usage logs, threats encountered, and policy violations.
On monitoring, the post states that agents can be profiled to establish baseline behavior, then used to detect anomalies tied to potential compromise or malfunction. It adds that this involves detecting and monitoring traffic between MCP servers, clients, functions, hosts, and data sources, and logging MCP events such as sessions, initializations, function requests and responses, and deployments.
Operational Impact
The blog emphasizes that zero trust should include the “reason” behind agent and user actions, not only whether an action is permitted. It says intent-related filtering is required for both inputs and outputs because agents are described as unable to distinguish legitimate instructions from malicious commands and cannot detect harm or being tricked.
It also describes guardrails as a runtime defense layer that mitigates prompt injection, jailbreaking, and other attempts to override rules or exfiltrate data by analyzing traffic in real time. The post includes an additional component, describing Edamame Technologies’ platform as observing coding agents from outside the agents themselves and enforcing posture-gated access when intent diverges or when activity patterns indicate credential access or unauthorized data movement.
The post ties agent-focused guardrails, identity, context-based access controls, and visibility into a revised “five rights” framing for zero trust, expressed as ensuring the right people and agents have the right access to the right resources at the right times for the right reasons. Blog Signals brief is a fact-based summary of the vendor blog.