New Framework for AI Agent Security
The OpenClaw Security Practice Guide is proposing an "Agentic Zero-Trust Architecture" tailored for high-privilege AI agents. The framework focuses on mitigating risks like prompt injection and supply chain poisoning. This emerging concept extends Zero Trust's identity principles to non-human agents, a critical consideration for future security architectures.
The DoD's Zero Trust strategy mandates a full implementation of its architecture by 2027, treating identity as the new perimeter. This strategic shift directly impacts how AI agents, as non-person entities (NPEs), are managed under the User pillar, requiring them to be inventoried, authenticated, and authorized with the same rigor as human users. A core challenge is the explosion of non-human identities (NHIs), which can outnumber human identities 50-to-1 and often operate with excessive privileges. Legacy security models built around human accountability are ill-equipped for autonomous agents that can execute thousands of actions daily without direct oversight, making them a primary cybersecurity threat.

Supply chain poisoning has evolved specifically to target these agents. A new class of vulnerability, dubbed "ToxicSkills," involves hiding malicious instructions inside documentation files like READMEs. When an AI agent reads these seemingly harmless files to learn a new skill, it can be tricked into exfiltrating SSH keys, installing backdoors, or sending private code to an attacker's server.

Prompt injection attacks have also matured beyond simple manipulation. Indirect prompt injection embeds malicious instructions in external data sources like web pages or documents that an agent processes. This can lead to Logic-layer Prompt Control Injection (LPCI), where dormant malicious payloads are embedded in an agent's persistent memory, potentially activating weeks or months later.

For detection engineering in Splunk, this requires moving beyond signature-based alerts. Baselines for normal agent behavior must be established using User and Entity Behavior Analytics (UEBA). Detections should focus on anomalies in API calls, tool execution patterns, and data access, correlating agent identity with resource access to flag deviations from least-privilege principles.
A DoD-compliant Splunk dashboard for agent security should visualize metrics for the User & Identity pillar by tracking the lifecycle of agent identities, monitoring for the use of static credentials, and auditing privilege levels. Integrating logs of all agent decisions and actions provides a necessary audit trail for continuous verification and helps demonstrate compliance with the 152 activities outlined in the DoD's Zero Trust roadmap.

Implementing an Agentic Zero-Trust Architecture involves enforcing task-scoped credentials and provisioning short-lived tokens for each workflow step to minimize an agent's blast radius. Runtime authorization is critical, ensuring that even if a model's output is manipulated, the resulting action is still checked against access control policies before execution.

Should an agent be compromised, a "kill switch" mechanism is essential. Using Public Key Infrastructure (PKI) to issue strong, certificate-backed identities to each agent allows for instant certificate revocation. This provides a reliable method to de-authorize a rogue agent and prevent further malicious actions across the environment.
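The runtime-authorization, task-scoped credential, kill-switch and audit-trail controls described above, as an added Python example (not code from the OpenClaw guide or any product). The TaskToken model, the path-prefix policy, the agent id and the proposed actions are constructed assumptions; in a real deployment the revocation set would be fed by PKI certificate status rather than an in-memory set.

```python
import json
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class TaskToken:  # hypothetical task-scoped, short-lived credential (constructed here)
    agent_id: str
    task_id: str
    allowed_tools: frozenset   # tools this workflow step may call
    allowed_paths: tuple       # path prefixes this step may touch
    expires_at: float          # seconds since epoch; one token per step

REVOKED_AGENTS: set = set()    # identities whose certificate has been revoked

def revoke_agent(agent_id: str) -> None:  # kill switch: later actions by this identity are denied
    REVOKED_AGENTS.add(agent_id)

def authorize_action(token: TaskToken, tool: str, target: str, now: float) -> tuple:
    """Runtime authorization: check the model's proposed action against policy
    before execution, so a manipulated output still cannot exceed the task scope."""
    if token.agent_id in REVOKED_AGENTS:
        return False, "agent identity revoked"
    if now >= token.expires_at:
        return False, "task token expired"
    if tool not in token.allowed_tools:
        return False, f"tool {tool!r} outside task scope"
    if not any(target.startswith(p) for p in token.allowed_paths):
        return False, f"target {target!r} outside task scope"
    return True, "allowed"

def audit_event(token: TaskToken, tool: str, target: str, now: float) -> str:
    """Decide and emit one JSON audit line (identity, resource, decision), the kind
    of record a SIEM such as Splunk ingests to baseline per-agent behaviour."""
    allowed, reason = authorize_action(token, tool, target, now)
    return json.dumps({"ts": now, "agent_id": token.agent_id, "task_id": token.task_id,
                       "tool": tool, "target": target,
                       "decision": "allow" if allowed else "deny", "reason": reason})

if __name__ == "__main__":
    now = time.time()
    # Constructed scenario: a step credential for "summarize the repo README".
    tok = TaskToken("agent-42", "task-readme", frozenset({"read_file"}),
                    ("/workspace/repo/",), expires_at=now + 60)
    # Constructed proposed actions: only the first is in scope; policy decides, not the model.
    for tool, target in [("read_file", "/workspace/repo/README.md"),
                         ("read_file", "/home/dev/.ssh/id_ed25519"),
                         ("http_post", "https://example.invalid/upload")]:
        print(audit_event(tok, tool, target, now))
    revoke_agent("agent-42")  # kill switch fires; even in-scope actions now fail
    print(audit_event(tok, "read_file", "/workspace/repo/README.md", now))
```

Each emitted line carries the agent identity, the resource and the decision, which is the correlation the UEBA baselining described above depends on.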