Zero Trust, Zero Citations
Anthropic's new Agentic AI security paper gets the engineering right and the history embarrassingly wrong without a single source to back any of it up.
A white paper with no authors and no sources isn't a white paper. It's a commercial. Anthropic just published a glossy one.
Anthropic released a white paper recently called Zero Trust for AI Agents (see Sources below). I’m interested because Zero Trust, as a first-principle cybersecurity strategy, is something I have been thinking and writing about for over a decade. It features prominently in my book.
But with all the Fear, Uncertainty, and Doubt (FUD) floating around the AI and cybersecurity communities about how AI Agents represent an existential threat to “Life, the Universe, and Everything” (with a nod to you Hitchhiker’s Guide to the Galaxy fans), I wanted to see what one of the most successful AI companies in the world (Anthropic) says about that strategy.
What does the U.S. Government’s Zero Trust Architect Think?
Sean Connelly is the self-proclaimed Architect of the U.S. Government’s Zero Trust Initiative. He co-authored NIST SP 800-207 (Zero Trust Architecture) and the CISA Zero Trust Maturity Model; so, if anybody’s the architect, Sean is. He said in a recent LinkedIn essay that Agentic AI is the next emerging problem for a Zero Trust strategy to tackle.
I agree with him. If Zero Trust is indeed an essential cybersecurity strategy derived from first principles, then we don’t need a different strategy just because a new technology emerges. According to Sean, the basic Zero Trust tactics still apply: verify every identity and credential, confirm each action is legitimate, and never, ever assume trust. In the Zero Trust biz, we call all of that “Least Privilege:”
Least Privilege: Give each network entity (people, devices, and software) only the permissions it needs to do its job, and not a smidge more.
But Connelly recommended the Anthropic paper because it supports an emerging idea called “Least Agency;” a concept that OWASP (the Open Worldwide Application Security Project) has been promoting of late. OWASP recommends enhancing the “Least Privilege” concept.
Least Agency: Once an AI agent gets in, constrain what it can do and how closely a human watches it.
It’s a logical progression of two Zero Trust tactics:
Privileged Identity Management (PIM)
Privileged Access Management (PAM)
We have used PIM and PAM traditionally to handle system administrator tasks. AI Agents are new. They sit somewhere on the user spectrum between sometimes performing normal everyday employee tasks and sometimes performing administrator tasks. It makes sense that, as a community, we unify PIM and PAM into something with more capability. Least Agency might be the front runner.
Connelly flags one more important idea from the paper. It’s a design test for the deployment of Zero Trust tactics:
“Does this make the attack impossible, or just tedious?”
Stopping an attack outright is one thing. Slowing it down is another. Before Agentic AI, adding friction might have been enough to deter a serious adversary from manually finding a way around the friction. Connelly is saying that a software robot like Agentic AI has all the time in the world to get around friction. If the Zero Trust tactic doesn’t stop the adversary, then your tactic isn’t that good.
I’m not sure if that’s totally true. As we are all learning, token spend is not free. As I play around with my own Claude Code experiments, I routinely run into token limits and then Anthropic asks for more money to continue. My point is that even bad guy AI Agents don’t have unlimited budgets for token spend. But for now, in these early days, it’s probably true enough.
The Anthropic white paper is a mix of competence and AI slop.
I've always been skeptical of vendor white papers (long before AI), especially the ones with no named authors and no references. Strip those away and it's not a white paper; it's a commercial. This paper is a case in point: the security content is competent, but the historical and compliance framing is sloppy and wrong.
Example: The first line in the Paper is wrong:
“Perimeter-based cybersecurity defenses can’t keep up with modern threats, and the threats themselves are accelerating.”
We haven’t had perimeter defense as the primary enterprise security strategy for over 15 years; since cloud computing became acceptable in the late 2000s and early 2010s. Some organizations still rely on legacy perimeter-like controls, but security leaders gradually demoted perimeter defense’s importance in favor of more modern strategies like Threat-Led Defense (Intrusion Kill Chain Prevention), Zero Trust, and Resilience.
Example: The Authors attribute “Zero Trust” to the Wrong Person and Completely Ignore the Heritage Timeline.
The authors say “Zero Trust has roots stretching back to 1994, when Stephen Paul Marsh first formalized the concept in his doctoral thesis at the University of Stirling.” The paper then says that the next Zero Trust milestone was the publication of NIST’s SP 800-207 in 2020, with nothing in between. That’s just wrong.
Marsh maybe belongs in a footnote about computational trust, but not in the origin story of Zero Trust architecture. Zero Trust started 20 years before that when Jerome Saltzer and Michael Schroeder formalized Least Privilege in 1975 in “The Protection of Information in Computer Systems,” as one of their eight foundational design principles.
But, the modern Zero Trust doctrine grew out of the early-2000s de-perimeterization movement, especially the Jericho Forum’s argument that enterprise security could no longer depend on a perimeter defense. John Kindervag then coined and popularized the Zero Trust model when he was at Forrester. In 2010, he published “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security.” That same year, after a successful Chinese government cyber attack (Operation Aurora), Google redesigned their own global network along the lines of the Zero Trust strategy. Somewhere around 2015, every vendor on the planet said they could offer Zero Trust services because it was the fad of the day. Finally, in 2020, NIST published NIST SP 800-207 to formalize these ideas into a vendor-neutral reference architecture for the U.S. Government.
That’s the timeline. That’s the heritage.
Example: The Authors Conflate and Overstate U.S. Government Zero Trust Mandates
The paper claims that the U.S. Government requires all federal agencies to adopt Zero Trust by 2027. That is an oversimplification. For civilian agencies, the Office of Management and Budget (OMB) mandated some initial objectives to be met by 2024 (Memorandum M-22-09), but even OMB says those objectives were a starting point, not a mature Zero Trust deployment. The military’s mandate is similar in spirit but more demanding. The Department of Defense (DoD) requires its components to implement 91 specific Zero Trust activities by 2027 (2022 DoD Zero Trust Strategy, Appendix B), and more robust objectives by 2032. Neither mandate amounts to a mature Zero Trust deployment. Both define initial or baseline objectives, with full maturity still years off. There was never a single 2027 all-agency deadline.
Example: “Part IV: Agent implementation workflow” is a Regurgitation of Zero Trust Ideas with no Citations
By Part IV, my eyes had glazed over. The “Agent implementation workflow” marches through one well-established security practice after another (unique identities, least agency, just-in-time access, ABAC, input sanitization, credential isolation) without a single citation to the people and standards that actually developed them. Each gets a “Pro-tip: Claude Code…” note bolted on, which is at least honest about where the product fits. But the underlying practices are handed to the reader as if they had no provenance at all. For a document calling itself a white paper, restating decades of other people’s work with no attribution isn’t analysis. It’s filler with a sales pitch attached.
Recommended Practices
Remember when I said that a vendor paper without authors and sources is just a commercial? Well, here is what Anthropic claims it can do to support the Zero Trust strategy:
Provides MCP-server-allow-lists for source control review and rollback that enforce organization-wide policies that individual employees can’t override.
Allows administrators to enforce centralized security policies organization-wide.
Allows contributors to host MCP servers locally before production on an immutable platform. Once satisfied with the code, the contributor can cryptographically sign it and introduce it into the production system.
Assigns a unique session.id to each session, with user.account_uuid and organization.id attribution.
Supports granular access control, which can be configured with global and project-level settings and environment variables.
Limits agent access by breaking complicated tasks into smaller agents with dedicated tasks that need less permission, similar to the Unix daemon system.
Supports explicit tool-based permission control at the agent level, which can be configured with global and project-level settings and environment variables.
Supports agent-side validation of parameters before they are sent to other network entities.
Supports inserting human approval requirements and pre- and post-tool calling actions.
Supports OAuth 2.0 authentication with automatic token refresh for MCP server connections and stores API credentials in the OS credential store rather than configuration files.
Supports Just in Time (JIT) access.
Supports Attribute Based Access Control (ABAC).
Enforces session isolation by default.
So, this is a feature list with no help provided to the reader about how to actually use the features. That would have been useful.
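To make three of the listed controls concrete (per-agent tool permissions, parameter validation before a call leaves the agent, and human approval), here is an added example of a deny-by-default gate. It is not from Anthropic's paper or from Claude Code, and every name in it (ToolRule, AgentPolicy, decide, the two agents and their tools) is hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass(frozen=True)
class ToolRule:
    validate: Callable[[dict], bool]  # parameter check run before the call leaves the agent
    needs_human: bool = False         # True: a named person must approve every call

@dataclass(frozen=True)
class AgentPolicy:
    agent_id: str
    tools: dict = field(default_factory=dict)  # allow-list: tool name -> ToolRule

def decide(policy: AgentPolicy, tool: str, params: dict,
           approved_by: Optional[str] = None) -> tuple:
    """Deny by default. The result depends only on policy and input, so
    retrying a denied call any number of times cannot change the answer."""
    rule = policy.tools.get(tool)
    if rule is None:
        return ("deny", "tool not on this agent's allow-list")
    if not rule.validate(params):
        return ("deny", "parameters failed validation")
    if rule.needs_human and not approved_by:
        return ("hold", "waiting for human approval")
    return ("allow", "ok")

def ticket_ok(p: dict) -> bool:
    # ASCII digits only; str.isdigit() would also accept characters such as "²"
    return isinstance(p.get("ticket_id"), str) and bool(re.fullmatch(r"[0-9]{1,10}", p["ticket_id"]))

def refund_ok(p: dict) -> bool:
    # type(...) is int rejects True/False, which isinstance(..., int) would accept
    return ticket_ok(p) and type(p.get("amount")) is int and 0 < p["amount"] <= 100

# Constructed policies: one task split into two narrow agents with separate permissions.
TRIAGE = AgentPolicy("triage-agent", {"read_ticket": ToolRule(ticket_ok)})
REFUND = AgentPolicy("refund-agent", {"issue_refund": ToolRule(refund_ok, needs_human=True)})

if __name__ == "__main__":
    calls = [  # constructed sample tool calls
        (TRIAGE, "read_ticket", {"ticket_id": "4821"}, None),
        (TRIAGE, "issue_refund", {"ticket_id": "4821", "amount": 40}, None),
        (REFUND, "issue_refund", {"ticket_id": "4821", "amount": 40}, None),
        (REFUND, "issue_refund", {"ticket_id": "4821", "amount": 40}, "alice"),
        (REFUND, "issue_refund", {"ticket_id": "4821", "amount": 5000}, "alice"),
    ]
    for policy, tool, params, who in calls:
        print(policy.agent_id, tool, params, decide(policy, tool, params, who))
```

The gate keeps no attempt counter or delay: a denied call stays denied however often an agent retries it, which is the "impossible" side of the design test rather than the "tedious" one.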
Takeaways
Zero Trust didn't need a rewrite for Agentic AI. A strategy built from first principles absorbs new technology; it doesn't get replaced by it. The one genuinely new wrinkle, Least Agency, isn't a break from Zero Trust at all. It's Least Privilege extended into a world where the thing holding the permissions can act on its own.
The paper is really two documents stapled together. The security content (the threat taxonomy and the tiered controls) is competent and reflects real work. The history and compliance framing wrapped around it is sloppy and, in places, flatly wrong. In a paper that cites no sources, that matters more than it sounds: the errors you can catch are the only evidence you have about the quality of the parts you can’t.
Without named authors or a single reference, this reads less like a white paper than a commercial. The Claude Code material is a feature list, not guidance. It tells you what the product does, never how to deploy it. The most useful thing in the whole document is the "impossible, not tedious" design test, and that's a principle worth carrying forward. Most of the rest you've seen before, just without the citations.
Source
Staff, 2026. Zero Trust for AI Agents [Report]. Anthropic, URL: https://cdn.prod.website-files.com/6889473510b50328dbb70ae6/6a1611a04085d7cd3dadc924_Claude-eBook-Zero-Trust-for-AI-Agents-05182026.pdf
References
Douglas Adams, 1979. The Hitchhiker’s Guide to the Galaxy [Book]. Goodreads, URL: https://www.goodreads.com/book/show/11.The_Hitchhiker_s_Guide_to_the_Galaxy
Jerome H. Saltzer, Michael D. Schroeder, 1975. The Protection of Information in Computer Systems [Journal Article]. Proceedings of the IEEE, vol. 63, no. 9, pp. 1278–1308. URL: https://www.cs.virginia.edu/~evans/cs551/saltzer/
John Kindervag, 2010. No More Chewy Centers: Introducing The Zero Trust Model Of Information Security [White Paper]. Forrester - Palo Alto Networks. URL: https://media.paloaltonetworks.com/documents/Forrester-No-More-Chewy-Centers.pdf
John Sherman, 2022. DoD Zero Trust Strategy [Strategy]. Department of Defense, Office of the Chief Information Officer, URL: https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf
John Sotiropoulos, Keren Katz, Ron F. Del Rosario, 2025. OWASP Top 10 For Agentic Applications 2026 [Report]. OWASP Gen AI Security Project, URL: https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/
Staff, 2025. OWASP AIBOM Generator [Tool]. OWASP GenAI Security Project. URL: https://genai.owasp.org/resource/owasp-aibom-generator/
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [2026 Canon Hall of Fame Book]. CyberCanon, URL: https://cybercanon.org/cybersecurity-first-principles-a-reboot-of-strategy-and-tactics/
Scott Rose, Oliver Borchert, Stu Mitchell, Sean Connelly, 2020. Zero Trust Architecture - NIST SP 800-207 [Final Report]. National Institute of Standards and Technology, URL: https://csrc.nist.gov/pubs/sp/800/207/final
Sean Connelly, 2026. Zero Trust for AI Agents [Analysis]. LinkedIn, URL: https://www.linkedin.com/posts/seanconnellydc_zero-trust-for-ai-agents-anthropic-just-share-7466525723877416960-LFll
Shalanda Young, 2022. Moving the U.S. Government Toward Zero Trust Cybersecurity Principles [Memorandum]. Executive Office of the President, Office of Management and Budget, URL: https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf
Staff, 2026. Zero Trust for AI agents [Announcement Blog]. Claude, URL: https://claude.com/blog/zero-trust-for-ai-agents
Staff, 2026. Zero Trust for AI Agents: A security framework for deploying autonomous AI agents in the enterprise [Vendor White Paper]. Claude, URL: https://cdn.prod.website-files.com/6889473510b50328dbb70ae6/6a1611a04085d7cd3dadc924_Claude-eBook-Zero-Trust-for-AI-Agents-05182026.pdf
Staff, 2023. Zero Trust Maturity Model v2.0 [Report]. Cybersecurity and Infrastructure Security Agency (CISA), URL: https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf



