Anthropic Publishes Zero Trust Security Framework for AI Agents

Anthropic published a zero-trust security framework for AI agents on its company blog on May 27, arguing that traditional perimeter‑based security is fundamentally broken for autonomous systems. The guide, available as a downloadable PDF, adapts every core zero‑trust principle for agentic workloads where AI systems interpret goals, select tools, and execute multi‑step operations with legitimate credentials.

“Traditional access controls won’t prevent agents from misusing legitimate permissions, and monitoring needs to account for attacks designed to succeed through persistence rather than exploitation,” the framework states, according to the Claude blog. The guide is available as a downloadable PDF guide.

The timing is not accidental. Anthropic’s own Mythos security model has already demonstrated that frontier AI can find serious vulnerabilities that traditional tooling and human reviewers have missed for years, compressing the vulnerability‑to‑exploit window from months to hours.

The framework identifies five areas where traditional zero trust must be rewritten for autonomous agents:

Agent Identity: Move from human/user identity to cryptographically rooted agent identity. Every agent must carry verifiable proof of what it is, who deployed it, and what it’s authorized to do. This replaces the session‑based trust model that assumes a human is driving the keyboard.

Task‑Scoped Permissions: Replace role‑based access with permissions scoped per individual task. An agent authorized to read a database for one query should not retain that access for the next. Continuous verification replaces one‑time auth checks.

Memory Safeguards: Protect agent memory against poisoning attacks — a threat surface that does not exist for human users. If an attacker can corrupt an agent’s persistent context, every subsequent decision is compromised.

Defense at Machine Speed: Move from periodic human‑paced security audits to defensive operations running at AI speed. The framework introduces Agentic SOAR (security orchestration, automation, and response), per the Claude blog.

The framework catalogs five specific threat categories unique to agentic systems:

• Prompt injection — manipulating agent behavior through crafted inputs that override system instructions
• Tool poisoning — corrupting the tools and APIs that agents rely on to execute tasks
• Identity and privilege abuse — agents misusing legitimate permissions granted for one purpose to achieve another
• Memory poisoning — corrupting an agent’s long‑term context or knowledge base to influence future decisions
• Supply chain attacks — compromising model dependencies, plugins, or the agent’s software supply chain

The guide notes that these threats are not theoretical. Frontier AI models can already chain multiple weaknesses and produce working exploits in hours instead of weeks, and attackers are actively using AI to accelerate their operations.

The framework is organized into three maturity tiers mapped to organizational risk tolerance:

• Foundation — minimum‑viable controls for safe agent deployment, suitable for internal, low‑risk use cases
• Advanced — enhanced protections for higher‑risk environments where agents handle sensitive data or customer‑facing operations
• Optimized — fully hardened posture for the most sensitive use cases, including financial systems, healthcare data, and government workloads

Implementation follows an eight‑phase workflow covering identity, access scoping, sandboxing, input controls, output controls, memory safeguards, and additional hardening phases detailed in the full guide. Compliance guidance is included for regulated industries including healthcare, finance, and government.

The zero-trust framework arrives alongside Anthropic’s Project Glasswing, the controlled‑access program for the Claude Mythos Preview security model that has already uncovered thousands of high‑severity flaws across major operating systems and browsers. As Zscaler CEO Jay Chaudhry wrote in a company blog post: “You cannot patch, detect, or respond your way out of a problem created by exposing applications to the internet in the first place; you have to stop exposing them.”

Zscaler, which protects 40% of the Global 2000, uses the Mythos model to harden its own platform and contributes findings to the Glasswing community. The company has also incorporated Anthropic’s Opus 4.7 model into its AI Red Teaming and Agentic SecOps offerings. The zero‑trust framework and Glasswing together form a two‑pronged approach: prevent vulnerabilities from being found in the first place, and architect agent deployments so that found vulnerabilities cannot be exploited.

The framework is practical, not theoretical. Every organization deploying agents should audit their current setup against the Foundation tier immediately:

• Ensure every agent has a cryptographically verifiable identity, not just an API key
• Scope agent permissions to individual tasks with continuous revocation
• Sandbox agent execution environments so a compromised agent cannot reach production systems
• Implement input and output validation at every agent boundary
• Treat agent memory as a potential attack surface — validate context integrity before every decision

The full guide is available as a free PDF download from Anthropic. The framework is designed to be platform‑agnostic — it applies whether you are deploying Claude, GPT, Gemini, or any other agentic system.