Federal zero trust faces challenges with AI agents

COMMENTARY | There is no realistic path where federal agencies opt out of agentic AI.

Since the establishment of Executive Order 14028, federal agencies have spent four years rebuilding their security posture around zero trust to meet the deadlines set in OMB Memorandum M-22-09. By any reasonable measure, this has been one of the most consequential federal cybersecurity efforts in a decade.

It will not survive contact with AI agents.

The problem is not that zero trust principles are wrong. “Never trust, always verify” and least-privilege access remain exactly right. The problem is that the zero trust architectures currently deployed across federal agencies were built around a specific assumption: that the entity behind a request is a human user — someone who logs in at human speed, clicks through interfaces in human ways, and holds permissions that change on human timescales. The development of agentic AI invalidates every one of those assumptions at once.

Agencies’ existing identity stacks rely on protocols and credentials designed for a different problem. PIV cards — the chip-and-PIN credentials carried by millions of federal employees — bind identity to a physical token held by a specific human. SAML — the standard behind most federal single sign-on — assumes that a human logs in once in the morning and stays logged in for hours. OAuth — the protocol behind “sign in with Google” and most modern app-level permissions — assumes a person is granting an application limited access to their data on the person’s behalf. None of it was designed for an entity that has no hand to carry a card, authenticates millions of times a day, and changes what it needs every few seconds.

That last point is not hyperbole. In a recent ATARC Identity Management Working Group analysis, Securing the Agentic State, our task group calculated that 1,000 agents operating at machine speed can generate roughly 7.4 million authentication events per day — about 148 times the volume an equivalent human population would produce. No agency’s existing identity stack was sized for that load, and more importantly, none of it carries the audit metadata needed to forensically investigate what an autonomous agent did, on whose behalf, under what authority.

The dangerous default — the one most agencies will drift toward without active leadership intervention — is to onboard agents as service accounts. It is the path of least resistance: existing tooling, familiar review boards, no new policy.

Unfortunately, service account operations and maintenance is already the place where federal zero trust commitments are most often honored in the breach. Static credentials sitting in vaults, broad standing privileges that are not periodically verified, infrequent rotation, minimal attribution of specific actions to specific causes — all of it sits in direct tension with “never trust, always verify.” Agencies have tolerated that gap because the service account population was a known, slow-growing quantity. Agents arrive into that gap in numbers that make the existing O&M model unmanageable. The real choice is not whether agents should be modeled as service accounts. It is whether to take the weakest link in the federal zero trust posture and scale it into potentially the largest non-human identity population the government has ever managed.

Agents need the opposite of what service accounts get: cryptographically verifiable identity that travels with them, narrow permissions scoped to a specific task, and credentials that expire on the order of minutes.

We recommend that three things change in the next two budget cycles.

First, cryptographic identity should be a baseline requirement for any production agent. Decentralized identifiers and verifiable credentials let an agent prove what it is, what it’s authorized to do, and who deployed it, without phoning home to a central registry on every request. The standards are mature; the obstacle is procurement language, not technology. However, we acknowledge cryptographic operations will add latency and compute overhead. Agencies will need guidance on efficient implementations.

Second, delegation chains should be auditable end-to-end. When an agent delegates work to a sub-agent, the handoff should be cryptographically recorded, permissions should narrow at each hop, and revocation should cascade in seconds. Without that, an incident response team facing a compromised agent has no way to bound the blast radius.
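A sketch of the delegation-chain check described above, as an added example rather than code from the authors or the ATARC report. It assumes hypothetical agent names (`deployer`, `agent-a`, `agent-b`), constructed demo keys, and HMAC tags standing in for the asymmetric signatures a verifiable-credential deployment would use.

```python
import hashlib, hmac, json

# Constructed demo keys. Shared HMAC secrets stand in for the per-agent
# asymmetric keys that verifiable credentials would use.
KEYS = {"deployer": b"demo-key-0", "agent-a": b"demo-key-1", "agent-b": b"demo-key-2"}
FIELDS = ("iss", "sub", "scopes", "exp")

def _tag(key, link, parent_tag):
    # Bind each link to its parent so it cannot be replayed under another chain.
    body = json.dumps(link, sort_keys=True).encode() + parent_tag.encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def delegate(chain, issuer, subject, scopes, expires):
    """Return chain plus one link signed by issuer for subject."""
    parent = chain[-1]["tag"] if chain else ""
    link = {"iss": issuer, "sub": subject, "scopes": sorted(scopes), "exp": expires}
    return chain + [dict(link, tag=_tag(KEYS[issuer], link, parent))]

def verify(chain, now, revoked=frozenset(), root="deployer"):
    """Return the effective scopes of the last holder, or raise ValueError."""
    if not chain:
        raise ValueError("empty chain")
    holder, allowed, exp, parent = root, None, float("inf"), ""
    for link in chain:
        core = {k: link[k] for k in FIELDS}
        if core["iss"] != holder or holder not in KEYS:
            raise ValueError("issuer does not hold the previous link")
        if {core["iss"], core["sub"]} & set(revoked):
            raise ValueError("revoked identity in chain")
        if not hmac.compare_digest(_tag(KEYS[holder], core, parent), link["tag"]):
            raise ValueError("bad tag")
        scopes = set(core["scopes"])
        if allowed is not None and not scopes <= allowed:
            raise ValueError("scope widened at hop")
        if core["exp"] > exp or now >= core["exp"]:
            raise ValueError("expired or lifetime extended")
        holder, allowed, exp, parent = core["sub"], scopes, core["exp"], link["tag"]
    return allowed
```

Because every link is checked against the revocation set, revoking `agent-a` also invalidates whatever it handed to `agent-b`, which is the cascade that lets a response team bound the blast radius.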

Third, the federal zero trust mandate should be formally extended to non-human autonomous identities, with OMB guidance and NIST profiles tailored to agents. The current Federal ICAM framework (and the foundations of runtime governance) treats non-person entities as service accounts and devices — a category never designed to absorb something that sets its own sub-goals.

Importantly, these three steps are doable inside 90 days: designate an executive sponsor for agent identity, stand up at least one low-risk pilot with cryptographic credentials from day one, and direct general counsel to begin work on records management for agent decisions — because agent “memory” will be a FOIA question whether agencies are ready or not.

There is no realistic path where federal agencies opt out of agentic AI. There is a path where they deploy it on identity infrastructure that was retired in concept the day the first general-purpose agent shipped. The cost gets paid in an incident none of us wants to be the postmortem subject of. The alternative is unglamorous: extend the zero trust work already underway, treat agents as their own identity class, and start the policy work before an incident starts it for you.

Jim St. Clair is an Advisor to C3HIE, one of the largest Health Information Exchanges (HIE) in Texas, and the lead author of Securing the Agentic State and leader of the Agentic IAM Task Group within the ATARC Identity Management Working Group. He has more than two decades of experience in federal health IT and identity standards across the federal government and industry.

Adam McBride is the ICAM/IdAM Program Manager for the Department of Health and Human Services (HHS) and co-chair of the ATARC Identity Management Working Group. He has over fifteen years of experience in government and is a retired Master Sergeant, US Army.