AI agents force a zero‑trust rethink for security

A normal chatbot can answer a question and stop. An artificial intelligence agent can read an email, open a connector to Salesforce, write code, call an application programming interface, and keep going without a human clicking each step. (owasp.org) That extra freedom is why security teams are starting to treat agents less like software features and more like junior employees with a badge, a laptop, and a very bad instinct for scams. Microsoft said on March 19, 2026 that it is adding a dedicated artificial intelligence pillar to its Zero Trust program because agent behavior changes the security model. (microsoft.com) Zero Trust is the idea that no user, device, app, or service gets trusted just because it is already inside the company network. The National Institute of Standards and Technology says access decisions should be made continuously for each resource, from any location, on any device. (nist.gov) That old model was built for people logging into apps and for malware landing on laptops. It was not built for a language model that can be tricked by a sentence hidden inside a spreadsheet and then use a tool to act on that sentence. (learn.microsoft.com) Security people call that prompt injection. The Open Worldwide Application Security Project lists prompt injection as a top large language model risk because the model reads instructions and data in the same stream and can be manipulated by hostile text. (owasp.org) Indirect prompt injection is the version that makes agents scary. Microsoft’s guidance says the malicious instruction can sit inside a web page, email, or document, and the model may treat that hidden text as a command when it processes outside content. (learn.microsoft.com) The danger jumps when the agent has tools. If the same agent can search mail, send messages, query customer records, or trigger workflows, one poisoned document can become a chain of real actions instead of one bad answer on a screen. (owasp.org) Memory makes the problem stickier. The Open Worldwide Application Security Project warns that agents can store context and state across tasks, which means a bad instruction can persist across workflows instead of dying at the end of one chat. (owasp.org) That is why companies are moving the security boundary away from the laptop and toward the action itself. Microsoft’s Zero Trust for artificial intelligence guidance focuses on agent identity, data access, model behavior, and runtime controls rather than only endpoint detection on employee devices. (microsoft.com) One fix is device-bound identity, which means the credential works only from an approved machine in an approved security state. Microsoft’s agent posture guidance says Conditional Access for Agent ID should account for the distinct identity and access patterns that agents introduce before teams roll them into production. (microsoft.github.io) Another fix is containerized execution, which is the software version of giving the agent a small locked room instead of the keys to the whole building. Microsoft’s Agent Governance Toolkit describes execution sandboxing and policy enforcement as core controls for autonomous agents. (github.com) The third fix is granular permissioning for connectors. The Open Worldwide Application Security Project says agents should get least-privilege tool access, scoped credentials, and approval gates for high-risk actions so one compromised workflow cannot roam across finance, human resources, and customer systems. (owasp.org) The shift here is simple: when software can decide, remember, and act, it stops looking like a search box and starts looking like an insider risk. Security teams are now building controls for agents the same way they built controls for humans, except the new employee can read 10,000 documents a minute and never sleeps. (owasp.org)