Agent security: zero‑trust designs arrive

New reporting highlights two zero‑trust agent architectures that aim to keep agent credentials from living next to untrusted code, reducing the blast radius if an agent is compromised. The pieces argue that credential isolation and scoped, inspectable autonomy are becoming core product requirements as agents gain real‑world powers such as logging in or transacting. That reframes security from a compliance checkbox into a platform differentiator for marketplaces that let third‑party agents act on users' behalf. (venturebeat.com)

An artificial intelligence agent stops being “just software” the moment it can log in, read your mail, or move money. At that point, the dangerous thing is not only the model’s answer, but where the password or access token is stored while the agent works. (venturebeat.com)

The old pattern put the brain and the keys in the same room. If untrusted code, a malicious tool, or a prompt injection got into that room, it could often reach the same credentials the agent needed to act. (cheatsheetseries.owasp.org)

Prompt injection is the simplest version of the problem. A hidden instruction inside a document, web page, code repository, or tool response can push a model to call the wrong tool or leak data through a perfectly normal-looking action. (developer.nvidia.com)

That is why “zero trust” is showing up in agent design. Zero trust means the system assumes every component could be compromised and checks identity, permissions, and behavior at each step instead of granting blanket trust after one login. (cisco.com)

One of the architectures in this week’s reporting uses the Model Context Protocol, which Anthropic introduced in November 2024 as a standard way for assistants to connect to outside tools and data. Think of it like a universal plug shape for agent tools, so the security rules can sit at the connection point instead of being reinvented for every app. (anthropic.com) (modelcontextprotocol.io) The key change is that the protocol’s remote authorization flow is built around OAuth 2.1, the same family of standards used for delegated access on the web. In that setup, the Model Context Protocol client gets an access token for a specific server on behalf of a user, instead of handing broad credentials directly to arbitrary tool code. (modelcontextprotocol.io)

Security guidance around the protocol is getting blunt about the rule: use scoped, per-server credentials and never share tokens across servers. That shrinks the blast radius, because a compromised calendar tool should not quietly inherit the same access as a payments tool. (cheatsheetseries.owasp.org)

The other side of this story is NVIDIA’s guardrail stack, which treats the agent more like a worker inside a monitored factory. NeMo Guardrails sits between the model and the outside world, intercepts inputs and outputs, and applies programmable checks before actions go through. (docs.nvidia.com 1) (docs.nvidia.com 2) NVIDIA’s own security guidance says the safest pattern is to limit autonomy, require human approval for sensitive commands, and isolate fully autonomous agents from sensitive tools or information. That is a different answer from protocol-level credential separation, but it aims at the same problem: keep one bad model decision from turning into a full account takeover. (developer.nvidia.com)

You can see the industry converging on the same basic idea from different directions. Anthropic’s connector docs expose per-server authentication and tool allowlists, while OpenAI’s current Model Context Protocol docs push developers toward read-only search and fetch tools for data apps instead of broad write access. (platform.claude.com) (developers.openai.com)

That changes what buyers will ask for. A marketplace that lets third-party agents act for users now has to prove where credentials live, what each tool can do, which actions are logged, and where a human can step in before an irreversible action happens. (venturebeat.com) (cloudsecurityalliance.org)

In other words, agent security is moving from “we added a safety filter” to “show me the walls, the locks, and the audit trail.” Once agents can spend money, send messages, or touch customer records, the product with the smaller blast radius starts to look like the safer platform to build on. (venturebeat.com) (cisco.com)
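The two patterns above, per-server scoped tokens kept away from tool code and a human-approval gate in front of sensitive actions, can be sketched as one small credential broker. This is an added illustration, not code from any of the products or protocols named; the server names, tool names, scopes and `fake_transport` are constructed stand-ins, and `issue` fakes the OAuth 2.1 token exchange rather than performing it.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class ScopedToken:
    server: str         # the one server this token is valid for (its audience)
    scopes: frozenset   # what it may do there, e.g. {"calendar:read"}
    value: str          # opaque bearer secret; never handed to the model or tool code
    expires_at: float

class CredentialBroker:
    """Holds per-server tokens outside the agent loop, checks allowlist, scope and
    human approval, attaches the matching token itself, and logs every decision."""
    def __init__(self, allowlist, needs_approval):
        self._tokens = {}                      # server -> ScopedToken
        self._allowlist = allowlist            # server -> set of permitted tool names
        self._needs_approval = needs_approval  # (server, tool) pairs a human must approve
        self.audit = []                        # one record per decision, allowed or not

    def issue(self, server, scopes, ttl_seconds=900):
        # Constructed stand-in for the OAuth 2.1 exchange: one token per server,
        # narrow scopes, short lifetime, nothing shared across servers.
        self._tokens[server] = ScopedToken(
            server, frozenset(scopes), secrets.token_urlsafe(32), time.time() + ttl_seconds)

    def _decide(self, server, tool, scope, approved):
        tok = self._tokens.get(server)
        if tok is None or tok.expires_at <= time.time():
            return False, "no valid token for this server"
        if tool not in self._allowlist.get(server, set()):
            return False, "tool not on allowlist for this server"
        if scope not in tok.scopes:
            return False, "token lacks required scope"
        if (server, tool) in self._needs_approval and not approved:
            return False, "human approval required"
        return True, "ok"

    def call(self, server, tool, scope, transport, approved=False):
        ok, reason = self._decide(server, tool, scope, approved)
        self.audit.append({"server": server, "tool": tool, "allowed": ok, "reason": reason})
        if not ok:
            return {"allowed": False, "reason": reason}
        # Only the broker builds the Authorization header, and only from this server's own token.
        return transport(server, tool, {"Authorization": f"Bearer {self._tokens[server].value}"})

def fake_transport(server, tool, headers):
    # Constructed stand-in for a server call; echoes what it received so it can be checked.
    return {"allowed": True, "server": server, "tool": tool, "token": headers["Authorization"][7:]}
```

The audit list is what a marketplace reviewer would inspect: every denial, including a tool asking for another server's scope, is recorded with its reason.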


Shared from Scout - Be the smartest in the room.