Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Narrator (00:01):
Welcome to the Practical AI Podcast, where we break down the real world applications of artificial intelligence and how it's shaping the way we live, work, and create. Our goal is to help make AI technology practical, productive, and accessible to everyone. Whether you're a developer, business leader, or just curious about the tech
(00:22):
behind the buzz, you're in the right place. Be sure to connect with us on LinkedIn, X, or Bluesky to stay up to date with episode drops, behind the scenes content, and AI insights. You can learn more at practicalai.fm.
Now onto the show.
Daniel (00:41):
Welcome to another Practical AI podcast episode. This time, it's just Chris and I, my cohost. In these episodes where it's just the two of us, we try to take something that's in the AI news or a topic for a deep dive, something that will help all of us level up our AI and machine learning game. I am
(01:01):
Daniel Whitenack. I'm CEO at Prediction Guard, and I'm joined as always by my cohost, Chris Benson, who is a principal AI and autonomy research engineer. How are you doing, Chris?
Chris (01:12):
Hey. Doing great. Lots of cool stuff out there. Looking forward to today's conversation.
Daniel (01:17):
Yes. Yeah. For sure. There's no shortage of things to talk about, but I don't know if you remember this passing comment, Chris, but I think it was in our episode where we were talking about MCP on top of Kubernetes. The guest mentioned that, hey, when Anthropic kind of
(01:40):
drops one of these white papers or research topics or blog posts, often that's a window into something that's significant and something to pay attention to and review in detail.
And it just so happens that they, on May, I think, twenty seventh of this year, 2026, released this, I guess it's an
(02:03):
ebook, white paper, blog post, however you wanna frame it, framework around zero trust. Yeah. Zero trust for AI agents. It says: "Zero trust for AI agents. We share a security framework for deploying autonomous AI agents in the enterprise, covering the new threat landscape, a tiered zero
(02:24):
trust architecture, and defensive operations built for AI accelerated attacks." So that's a lot of words.
Now I think first off, Chris, it's probably worth recognizing that Anthropic obviously has a horse in this race, especially with things like Claude Code or Claude, yeah, Coworker, all the Claude things. These are autonomous agents that
(02:47):
can operate in your enterprise environment. So obviously, I think probably there are things that are happening and things where their customers or people using these tools are obviously thinking about the security implications of that. They also recently released Claude Security, which is more on the
(03:08):
AI for security side, not so much the security for AI side, which is mostly what we'll talk about today in relation to this article or ebook.
But, yeah, I think that's worth acknowledging. Obviously, if people have a secure way of deploying autonomous agents, I'm sure they are hoping that many of those are built on
(03:31):
Anthropic technologies.
Chris (03:32):
I'm sure they do. And, you know, just to keep in the back of our mind, this is the same organization that has Mythos out there and is working with, I believe the latest number is 150 organizations, that's the latest thing I saw published on their website, trying to go through and do security audits and such as that. And with the timing of this, I would guess,
(03:56):
I don't know, but just making a guess, that some of the leveling up that Mythos has enabled is probably driving some of their zero trust and other security concerns going forward. So looking forward to this.
Daniel (04:12):
Yeah. Yeah. I guess that's a good place to start with the kind of premise of this. I think there's a few things to frame here maybe. One is there is probably a segment of the market and of our audience that is already using autonomous agents for something, even if that's just like Claude Code or something like that for development purposes where
Chris (04:35):
Yep.
Daniel (04:36):
By autonomous, I mean it's making actions on your behalf to do some things. And I think generally in terms of where we're seeing the market going on the positive side, organizations are going to need to more and more adopt these autonomous agents within their organization for value creation
(04:57):
or new revenue or, you know, saving on operational efficiency. So that's, you know, premise one, that that's the way the market's going. I think the other kind of background to this though is, like you were saying, there's a bit of a forcing function here because AI or, how
(05:20):
should I say, attackers, so malicious parties, hackers, etcetera, have equal access to these agentic coding and development capabilities themselves. Right?
Meaning that the pace at which people are about to be or are already being attacked and exposed to threats in their
(05:41):
infrastructure is just, like, expanding exponentially, which means you cannot keep up with that level of attack using human only approaches, meaning that the forcing function that I'm talking about is you're necessarily going to have to adopt autonomous agents at least to help you manage the threats
(06:02):
associated with the offensive use of this AI technology. So I think there's the positive side of this, obviously, which is there's a future where autonomous agents are doing very positive things, and you have this kind of digital workforce of agents within your organization, but maybe part of the forcing function behind
(06:23):
this discussion is that people actually need to adopt autonomous agents because of this offensive threat to their infrastructure.
Chris (06:32):
Yeah. I agree, and I think that'll put quite a strain on a lot of the humans involved in this because, you know, there's a certain amount of leveling up from a human standpoint to understand what different harnesses are and what the different capabilities are that are now becoming available, understanding different vendors versus open source and such as that. So to actually get to the
(06:57):
point where you can start implementing these is a bit of a lift, and I think that that's going to be something that we observe, is that I think there'll be a spread across organizations where you'll have some, you know, on one extreme end, you have the Anthropics that are leading the way and producing these capabilities and stuff like that, but then there's a lot of mom and pop organizations,
(07:21):
or maybe not that small, but you know, mid sized and stuff like that, that are gonna struggle to level up just a little bit. And so I think we have some interesting, I think the security landscape will be very interesting, a little bit Wild West in the days ahead, as people, even if tools are available, they have to get to where they can uptake those, and
(07:43):
get productive with them, so, it's Yeah.
Daniel (07:46):
Yeah, so I agree, and I think maybe a way to get into this discussion is that if we frame the background with an assumption, and I'm sure there are arguments against this assumption, but let's assume that your organization is and will adopt autonomous agents for, you know,
(08:07):
positive things like I talked about, operational efficiencies, new revenue, whatever that is, and or cybersecurity purposes. If we assume that, then you say, well, okay. Well, now we're gonna have these autonomous agents operating in our environment. They could cause all sorts of harm themselves. So it's like I could shoot myself in the foot trying
(08:30):
to protect against the offensive malicious people by releasing a bunch of agents into my infrastructure and they themselves cause a lot of harm.
Like, how do I manage those things? And Anthropic has, so they have not come up with this idea of zero trust. To
(08:50):
be clear, this is a general concept we can talk about the definition of, but they're essentially releasing with this framework a way to think about a zero trust approach or a zero trust framework for managing AI agents or autonomous agents within your organization. So maybe it'd be good to just
(09:10):
define that term first. In the past, if we think about cybersecurity, there's been what's generally referred to as perimeter based cybersecurity. This is a more traditional model that would focus on that boundary of your organization and outside, or internal and
(09:34):
external, and the kind of core principle being that I'm gonna trust everything that's inside and distrust everything that's on the outside.
So there is a perimeter in which, within that perimeter, I trust things. A zero trust approach to cybersecurity, on the other hand, would actually assume that everything inside the network,
(10:00):
that threats are already inside your network, already inside your perimeter. So it treats every user, device, request as a potential threat. So that's why it's called zero trust. And like I say, this has been something that's been around for a long time.
NIST has published about it, in Zero Trust Architecture back in
(10:24):
2020, and other government organizations and others have talked about it as well. So that's that kind of difference. I don't know if that zero trust idea has crossed into your perimeter of knowledge, Chris, I'm sure.
Chris (10:41):
Yes. Without going into any detail at all, working in defense and intelligence, it is pretty core. And, yeah, I mean, the simple way of thinking about it is every single API request that you have has to have a security credential, and that can be from a variety of different mechanisms. But
(11:03):
you don't trust anything, and everything is down to a granular level unless it is authenticated and authorized to do whatever it is trying to do. So in the world that I'm living, that's pretty standard.
Though, I think there's room for all of us, even those of us who've been doing it, to level up and get
(11:24):
better at this. So I don't think that there's anybody who has just nailed it. So it's, yeah, it's one of those ongoing learning curves.
Daniel (11:31):
Yeah. And we're about to dig into a lot of that as related to AI agents. However, to your point, there's a lot of organizations that are still trying to think about this concept even generally in their kind of general cybersecurity world. And, you know, one of my hot takes here is, we'll talk about these kind of foundational things that
(11:54):
Anthropic is suggesting. And, you know, probably 90% plus of organizations, enterprises that have AI deployments currently are not operating according to this model.
According to this framework, they would be completely exposed. And I think so just acknowledging much of
(12:16):
this is probably aspirational for enterprises, and they need to work towards it in maybe a more rapid way just because of how things are advancing. And, you know, there's better tooling out there day by day, better products, etcetera. But, yeah, this is just so if you're out there and you're thinking, I have agents running and I have none of what we're about to talk
(12:40):
about, that's probably the situation that most are in in the enterprise world, would be
Chris (12:46):
Today we can help people start on a path here to mitigate some of the risks.
Daniel (12:52):
Next week you have no excuse, but coming into this conversation, you have an excuse. Yeah. Exactly. So I think I would encourage people to, if you just search for Zero Trust for AI Agents, you know, Anthropic blog posts, we'll link it in the show notes as well so you can click through
(13:13):
to that ebook and the framework itself. There's a lot that we won't be able to cover in detail, but I think the overall structure that they present is some kind of initial background and considerations, kinda definitions related to autonomous systems that people need to consider.
And then they talk about the current threats to those agentic
(13:36):
or autonomous systems and then how to apply the zero trust to those threatened agentic systems. That's kind of the flow of what they talk about. So the first thing, and I think this is something we've talked about more on the show and have already covered, but just to set the
(13:57):
foundation, some of these considerations, kind of background information that we may wanna give, is that, you know, why are we talking about like a new framework? Well, agents are different in how they operate. We've talked about this on the show before. They use a distributed set of tools.
They interpret instructions, try to accomplish goals, they execute operations without human initiation, I think importantly.
(14:22):
They might preserve context across sessions if they're trying to accomplish some goal, and then you kind of add multiple agents and they might communicate with one another. So you've got this multi agent communication. Now there's a couple terms here, Chris, that I think we've even mentioned, but they just define specifically, related to agent security, as new
(14:47):
terms that people might be unfamiliar with. One is blast radius, which, kind of, I think people could assume what that means, right?
It measures the potential damage if something goes wrong, if an agent does go off the rails, that blast radius. And least agency, which I guess is a term coined by OWASP, and that
(15:12):
extends this kind of idea of least privilege to agentic applications. So you shouldn't be giving more agency to your agents than they need to do their agent things.
Chris (15:22):
And that's standard zero trust ideas. You give it just what it needs and absolutely no more.
Daniel (15:28):
Yep. And so that's kind of, I guess, the background in which we're operating. Then the Anthropic paper, it goes into these current threats, which, some are ones we've talked about. Some are ones we've not talked about as much, Chris. Mhmm.
It's interesting that they kind of frame everything
(15:50):
within the agent world as agentic systems, which I very much like. In our product, that's why I insist on using the idea of AI system as a thing, because you have these distributed set of things that are powering agents these days. And so they kind of break down then this, like, current threats
(16:10):
to agentic systems. The first of those, which is probably not a surprise because it's the first on OWASP's list often as well, is prompt injection and instruction manipulation. Again, we've talked about this.
There's everything from the obvious direct, you know, human input into a chat interface, ignore your instructions and do
(16:33):
this other thing, which you shouldn't be doing. But the one that they mentioned as the more difficult or scary one would be the indirect prompt injection, where that's coming in through, maybe it's a file that's, you know, you have an agent connected to your email and an attachment comes through with
(16:56):
hidden instructions in it. Anecdotally, I helped another company do some interviews and I wrote a technical exercise and put it in a PDF. And I knew everyone would use Claude Code like they should, but just because I wanted to be fun, I had all the instructions in black text and then I had an
(17:19):
extra, like, three fourths of a page. So I just filled up that page with instructions that would make Claude Code do the opposite of what I was saying in the instructions, just to see if they would catch it.
So that sort of thing.
Chris (17:35):
Very devious. Very devious. Did you make it white text in the PDF, so it wasn't obvious? Just like white face.
Daniel (17:43):
Which would get interpreted if you just uploaded it into Claude Code or whatever.
Chris (17:49):
That's very sneaky, but actually quite common in terms of vector, I mean, because everyone just throws everything they can, you know, the way things have been operating, and so, yeah. Thus what we're doing today.
Daniel (18:03):
Yes. True. And I guess the other, so that's threat number one, prompt injection, instruction manipulation. Threat number two that they talk about, which is related to agents using tools, particularly through MCP, which was a topic on a recent episode of this show,
(18:25):
which you can look back at for much more information on that.
Chris (18:28):
On MCP. Yep.
Daniel (18:29):
On MCP. Yeah. So they talk about agents that can manipulate tools maliciously or kind of do things that they shouldn't be doing because of privileges. I think about, Chris, like it's kinda like you set up a server, maybe I set up a FastAPI API that, you know, my agent could use and I
(18:54):
only tell it about instructions, you know, about a couple GET routes on the API in the instructions, but I don't shut down the other routes. Right?
And if the agent was smart in any sort of way, right, it could just look at the Swagger documentation at the slash docs
(19:15):
endpoint, and know about all the other routes that maybe it shouldn't use, and then, like, all of a sudden, I have problems. Right?
Chris (19:21):
That's right.
Daniel (19:21):
So, yeah. And just
Chris (19:22):
to clarify, Swagger's a protocol that defines what those routes are. And, you know, you mentioned kind of going off the rails, but, you know, the notion of a malicious MCP server has now been documented, and there could be lots of various types of tooling that is coming into
(19:43):
being now just to take advantage of these vulnerabilities. So, I think we'll see a whole class of malicious software arising to do these kinds of tool and resource misuse.
Daniel (19:56):
Yeah. Yeah, exactly. And a lot of times these tool descriptors or schemas or metadata are injected into the context for an LLM to actually generate the output. So if I'm a malicious party or maybe just an agent that doesn't know what it's doing and, like, say it's drifted from its goals or
(20:17):
something, there's nothing preventing that from doing this poisoning thing where I, like, find out about the descriptor schema and metadata, and I even modify that in the instructions to maybe get the MCP server to do different things. Right?
So this tool and resource misuse is definitely, is a reason why it's kinda number two there. The next
(20:42):
one, identity and privilege abuse. So yes. Yes. Exactly.
So, they talk about this. Agents often operate with elevated privileges or service accounts, and traditional identity systems designed for humans struggle to accommodate them. There's
(21:03):
sometimes unscoped privilege inheritance, almost like, I kinda think about this, like, what was that cybersecurity book from, it's like the Cuckoo's.
Chris (21:19):
Oh, the yes. The Cuckoo's Nest or something. Yeah. Yeah.
Daniel (21:23):
Yeah. You can tell us in the comments, but it's like you kinda land one place in a network, and then you escalate privileges, right, and you can move laterally, and go in all of these directions, right?
Chris (21:33):
Really old cybersecurity book that came out before it was really a field. I read it many years ago, and yeah, definitely inspiring.
Daniel (21:44):
And the, so The Cuckoo's Egg. That's what it was. Yeah.
Chris (21:47):
And as you are looking at lots of different agents that have different levels of privilege and different capabilities, and as agents are formulating things, you know, right during run time, essentially, that didn't exist as a preset static thing that you wanna do, and they're developing that. It's very easy for one
(22:10):
agent to spin off another agent, and it has more privilege than it needs, and then that can be taken advantage of. So there are lots of different variations of how those kinds
Daniel (22:20):
Yeah. Yeah. For sure. So that's the privilege, and I should say, I do really encourage people to take a read through the ebook. Obviously, we're highlighting some of these things, but there's much more detail there. Also a great resource around this if you're trying to learn some of this is if you go to the OWASP Gen AI project. We've
(22:41):
had reps on our show before and my team's involved in the AI BOM project and other things with OWASP. There's a lot of great people involved, but they have so many great resources online related to this sort of thing and guides for MCP, guides for agentic security, etcetera. So take a look at those as well. You might be listening to this episode and
(23:06):
thinking that, hey.
I am part of one of those organizations that's in the 90% of enterprises that are not ready security wise for autonomous agents operating in my environment. How am I gonna manage supply chain risks and have an AI bill of materials and
(23:26):
define agent boundaries, secure tool access, and implement input validation and output controls? Well, this is one of the reasons why I think it's so important to have great platforms that don't require you to build your own AI agent governance platform. That's why outside of the Practical AI Podcast, I
(23:50):
personally am leading an organization full of really smart people that are thinking about these problems and have brought Prediction Guard into existence. Prediction Guard is an AI control plane that's self hosted.
It lives in your own infrastructure where you're gonna deploy those autonomous agents, and it allows you to manage the supply chain risk and put in governance policies that
(24:15):
are enforced and maintain observability over those agents. And I'm just really excited about the capabilities that are already in the product and are being released later this year. So I would encourage you, please check us out. You can book a call with me and the team to discuss how you're
(24:37):
going to manage security for your agents operating in your enterprise. That's predictionguard.com/practicalai.
The next one that Anthropic highlights is supply chain and dependency risks.
Chris (24:57):
Mhmm.
Daniel (24:58):
So, you were just mentioning how sometimes agents compose things at runtime, Chris. This includes potentially loading external tools or installing packages or changing infrastructure. And so that supply chain can actually update in real time or at runtime as agents are trying to
(25:19):
accomplish a task, but also model and tool supply chain. So models have their own supply chains related to the weights and how they were trained or fine tuned, how easy it is to jailbreak them or prompt inject them. But then MCP servers are also software components.
Right? They have their own integrations. They have their own
(25:40):
software dependencies, etcetera, which have their own potential vulnerabilities. So all of this, it's very much a multilayered thing that, it is, could evolve dynamically, which is kind of scary.
Chris (25:53):
That, and one thing to call out while we're talking about supply chain and dependency risks is that all of the traditional zero risk vulnerabilities, all the things that we were talking about in the cybersecurity world before we started having AI agentic system conversations about this, those all still apply as well. And when we're talking, when, and
(26:14):
I was prompted, no pun intended, to say that by you when you mentioned the multilayer. So you can still have, you know, BIOS and CMOS vulnerabilities that lend themselves to some of these vulnerability, you know, layers and packages that build up. So there's many different points in a stack
(26:36):
where these attacks can
Daniel (26:38):
All the way down to, you know, networking and firewall, right? If you have an agent operating in that environment, it could, you know, find and detect things that it shouldn't, and so, yeah, I guess multi
(26:59):
layered, which, you know, many security things are, and I know OWASP always recommends this kind of layered approach. But, yeah, the last two are kind of related: memory and context poisoning and RAG poisoning. Both obviously are this type of way that you can either, in the memory or context to an LLM call or into RAG data, retrieval augmented
(27:20):
generation data, which often lives in a database, a vector database. If you have no control over what and how things are committed to that memory or to that vector database, there's nothing preventing agents or external parties from inserting things into that memory. So, you know,
(27:42):
I think the example I used last year at the Midwest AI Summit, Chris, which as a reminder to our folks, Midwest AI Summit coming up October 15, gonna be another great experience.
You can search the details, Midwest AI Summit. But I think I used the example where it was a health care situation and
(28:05):
someone, you know, an agent or a prompt, in a first interchange, it says, hey, do this for patient A, and then you, in the follow-up, say like, well, in all the following, you know, consider patient A to be patient B. And then you keep filtering in that information about patient A
(28:26):
being patient B. And then all of a sudden, when, you know, later on you're wanting some information about patient A or patient B, all of a sudden you're getting data that you shouldn't be getting. Right.
So it can happen, and has been shown to happen, so. Okay, Chris, that's all the scary things. I guess there's a
(28:49):
lot of
Chris (28:50):
That's right. Now we gotta figure out how to fix this, right?
Daniel (28:52):
Now we gotta figure out how to fix this. And I do like the general structure that Anthropic provides here, recognizing again that many people are behind in this and that new tools and products will need to address many of these things gradually over time. They present three capability, I think
(29:17):
what they call capability tiers, or three tiers of application, basically saying, hey, in these different areas, you need to do something. There's like the minimal thing that you should do, which they call foundation, the minimum viable thing, and then there's an enterprise tier, which means, hey, if you're an actual enterprise and needing to be robust and
(29:39):
resilient, you need to do these things. And then there's advanced, which would apply to kind of particularly high risk or stringent regulatory environments, or maybe aspirationally for everyone else to try to get to that level.
So foundation, enterprise, and advanced in each of these categories. And then they develop something in each of
(30:04):
these categories for each of a number of the threats that we talked about, or the areas in which you need to secure. The first one, okay.
Chris (30:14):
Kinda dimension, it kinda breaks them down by dimensions and then tiers them against those three tiers that you just described.
Daniel (30:21):
Yeah. It's kinda like, I need to consider these however many things, I forget how many there were. I need to at least be in the foundation level for all of these and then I can circle back and maybe upgrade particular ones to enterprise, or like gradually work on it over time. So the first of those is agent identity and authentication, which they
(30:43):
kind of frame as the foundation for every other security capability because without this identity, you can't really enforce other things throughout the framework. Now, as we go through here, they talk about certain ways of doing identity and verification, and there are a
(31:05):
couple terms in here that people may be unfamiliar with as well. One of those being, they talk about hardware bound credentials. Mhmm. I'm sure this is also a part of your life over time, Chris?
Chris (31:21):
Yes. Hardware bound credentials are where you have to present a fit, you know, it may be a USB or something, you know, there's a lot of different ways it can, but you have to insert a piece of hardware or make accessible a piece of hardware which provides that authentication, which an adversary would be unlikely to have in their possession, and that doesn't necessarily do it by itself. There's usually
(31:46):
multiple tiers, but that is one way of contributing significantly, is if you don't have a physical piece of hardware in your hand, you're not gonna be able to gain access, even if you can break through other tiers, so.
Daniel (31:59):
Yeah, and this idea of it being bound to hardware, I think, is the key point that you're referencing, where otherwise they view, kind of, hey, if you have API keys, for example, and those are just floating around, you should probably consider those already compromised if we're going with
(32:21):
this idea of zero trust, versus if an agent has an identity and has an authentication to access this environment, it has authentication tied specifically to the hardware that it's operating on, you know, something like that. That hardware bound credential is something that they talk about.
(32:42):
And just to give some examples here in the agent identity and authentication piece, the foundational, and we won't be able to go through all the tiers of all the categories. We just don't have time.
But just to give an example of these, there is the agent
(33:04):
identity verification piece. The foundation level that they suggest there is to have unique cryptographic identifiers for each agent instance. So to assign persistent agent IDs backed by cryptographic material, not just labels, to track agent life cycle from creation to retirement, IDs
(33:26):
appear in all logs and access requests. The enterprise level is certificate based authentication with full life cycle management, and the advanced is hardware backed identity with attestation. So that advanced, you know, you store agent credentials in hardware security modules or
(33:47):
trusted platform modules
Chris (33:49):
Right.
Daniel (33:50):
With remote attestation, which, there's a whole rabbit hole you could go down there with those terms, but that would fit into their advanced category. That's right. Yeah. So that's an example of one of these categories, agent identity and authentication. The next category that they talk about is access control and
(34:13):
privilege management.
So assuming you have an identity for your agent, then you need to control access and privileges for that agent, and that authorization layer should enforce this idea that we defined earlier of least agency, which is ensuring agents
(34:34):
receive only the access required for their specific function. And this can get very subtle, like that API example that I gave. You could only tell an agent about these endpoints, but if you haven't, like, literally shut off the network for other endpoints or something, then there's nothing
(34:55):
preventing that agent from, like, going off of the rails in that case. That's right. Yeah.
Just to give another kinda set of examples here, access control, foundation level is role based access control, or RBAC, with deny by default. That's the foundation in that category.
Chris (35:15):
That's right. And by the way, just as we're working through this, I wanted to make one quick comment. These are all standard zero trust concepts. So those of you who, you know, who may be watching, you may recognize a lot of these categories and stuff, and I think the key is kind of thinking about it within this agentic context, and, you know,
(35:36):
as we're all onboarding agents and stuff, that throws it out, but keep going. I just wanted to call that out for those that might recognize that.
Daniel (35:44):
Yeah. Yeah. For sure. I think we can't abandon our good security intuition and especially when you start treat treating these agents as having an identity and being, operating in this zero trust environment, some of these things kind of flow through if you if you work out those details, but, yeah.
(36:07):
The the next category, behavioral monitoring and response, or, sorry, observability and auditing. That was that was, so there there's actually these two are tied together. We could probably talk about them together. There's observability, which essentially captures what agents do. So it observes what agents are doing and you need
(36:29):
visibility into that. So you need logging and audit trails. Often in our implementations with customers in my day to day work, I often like to say, hey, we need to know that this human user using this API key triggered this agent, which has
(36:50):
this identity to do this goal, which issued these prompts, which triggered this tool call, which had this input, which was blocked by this governance policy, etcetera. Like that's where we're, you know, and down the line. We need that kind of traceability and and logging. Otherwise, you you can't have visibility or build rules or monitor things. So that's the
(37:13):
observability piece, but observability captures only what agents do.
The behave behavioral monitoring that they're talking about determines whether the actions that agents are doing should be allowed or are suspicious.
Chris (37:29):
Are they appropriate for
what
Daniel (37:31):
you would expect? Are
they appropriate? Yes.
Chris (37:34):
That's right.
Daniel (37:34):
Yes. Exactly. And and this is behavioral monitoring and response, Right? So in certain cases, like I say, when when when we enforce governance policies, we say, well, if we see this, then do this. Right?
So sometimes that's blocking certain things. Sometimes it's just logging. Sometimes it's, you know, alerting someone using
(37:56):
a a particular platform. Okay. The the, second to the last one is input validation and output controls.
I think actually this one so what are we on? 1, 2, 3, 4. This is the fifth one. This is probably the one that most often comes to people's mind and I think is often maybe overemphasized,
(38:21):
which is this idea that you would have point checks over, you know, harmful things that the agent could produce in its output or harmful things that could go into the agent's context or something. This is, very important, I would say, but it's kind of like table stakes.
The the example I usually give is, you know, is it bad for me
(38:44):
to take my temperature if I want to be a healthy human? Well, that's not a bad thing. You know, you can take your temperature. It doesn't mean that you are plugged into a healthy lifestyle or being governed by, you know, health records and as part of a health care system and have a primary physician and have a care plan and a diet. And, it's just a
(39:06):
very limited way to view, that kind of overall health.
And if we extend that here, this would be these sort of point checks of validating inputs and outputs, which are, yeah, again, I would say those are table stakes. And the last one is integrity and recovery. So, all of this prevention and detection assumes agents operate correctly, you know, when they
(39:29):
don't, what what do you do?
Chris (39:31):
Yeah, and and I think that's actually a pretty big question in the agentic systems world, in that if you think about, you know, going back a couple of points to behavioral monitoring and trying to identify what's appropriate for agents to be doing within all the other security parameters that we've talked about along the way. But when when you when you have gotten outside the bounds of what is appropriate,
(39:54):
trying to figure out how to roll agents back, especially if they're in critical functions, can be quite challenging because those critical functions still have to be addressed. And so if a critical function is compromised by an agent that is intentionally or unintentionally off the rails, then figuring out how do you take a critical system back and get it get it
(40:17):
back to a safe place to proceed in whatever is appropriate for that function can be quite challenging. And so I've I've I've have spent some time in that space myself, and I think that there's a lot of imagination that has to go into it that maybe wasn't quite as necessary in pre-agentic zero
(40:38):
trust models, so I just wanted to call that out.
Daniel (40:41):
Yeah. Yeah, they talk about, to give some examples, Chris, for configuration integrity, they talk about on the foundational level, version controlled agent configurations, and the advanced level, immutable infrastructure with attestation. On the recovery capabilities, they talk about at the foundation level, documented rollback procedures, which to
(41:05):
your point, having some, having an idea of what you might do is one thing, being able to actually do it is sometimes a challenging thing. At the advanced level, they talk about self healing systems with automatic remediation. So, yeah, definitely agree agree with your points there.
(41:25):
I know that we're getting to the close to the end here, Chris, and just to kinda wrap things or or get close to the end here, Anthropic does a good job at kind of saying, hey, here's all of this stuff and all of these tiers and levels and categories, etcetera, but then they do provide a kind of phased, a phased way that you can think about implementing agents, which
(41:49):
I think is helpful. One, identifying requirements, two, managing supply chain risks, including they talk about AI BOM or AI build materials, defining agent boundaries, defending against prompt injection, securing tool access, protecting agent credentials, and then safeguarding agent memory. And they give some kind of specifications under each of
(42:11):
those phases for for people to to think about.
Chris (42:14):
Yeah. I think, you know, as we're as we're winding up, as they address it, I know just to share kind of how I perceive the, you know, kind of establishing the workflow, is in the zero trust world that we've been in for a number of years, it's fairly static. Know, there's a lot of things, and you kind of have to tick them all off, and a lot of it's a very
(42:38):
it's almost a regulatory approach to system development, and I think the thing that agentic implementations require is the is trying to anticipate an incredibly dynamic capability that can arise, you know, that can kind of an emergent quality that that people are doing, and I think what Anthropic has done
(43:00):
for us is given us a way of taking what we already know in a zero trust context and and and pointed out, you know, that within agentic systems, these capabilities are are it definitely requires a level up to take the same ideas, but get them out of that static mindset and move into a anticipating dynamic capabilities from agents. And I know as we're in
(43:24):
both in our own jobs and stuff, that certainly required us to kind of level up and reconsider.
It's a it makes it for a very interesting problem set to address.
Daniel (43:37):
Yeah. Yeah. And there's major thought process changes or philosophical shifts, as you're mentioning, that as practitioners, we may have to make. They talk in the in the ebook, Anthropic does about this idea of AI vendoring that, Hey, there's these fragile open source projects out here that
(43:57):
you might rely on. The thing to do might just be to have your agentic coding system just completely vendor or literally not not copy, but generate a new version of that project that's proprietary to you and under your control and just include it in your project rather than than bringing in a third party dependency.
(44:17):
So there's like philosophical shifts, like that. I do think there's some hard things that we'll still have to wrestle with around. I I think there's still some of this conclusion that humans are gonna have to make containment decisions around how to contain these things and whether it be threats in your
(44:39):
environment or agents operating in your environment. And if things are moving so fast, I just think it's gonna be hard for humans to, you know, if if something is happening in your infrastructure and exploit timelines go from, you know, months to to hours to minutes to seconds. You can't just, like,
(45:00):
rely on waking up the CISO in the middle of the night to approve, you know, shutting this thing down.
Right?
Chris (45:06):
I mean, this is I mean, this is a revolution in cybersecurity. Just to just to put, a dot, you know, as we're finishing up here. Every intelligence agency in the world, is is learning how to, both defend against and exploit these these, these potential vulnerabilities that we're
(45:27):
talking about, as well as criminal organizations of of all sizes, shapes on a global scale. So this you know, we're I I think we're at the very beginning of this journey. I think this is a fantastic start to get us thinking.
I think we're gonna see a lot more tooling and a lot more capabilities coming out in the days ahead. And it seems to be
(45:49):
coming out very quickly because the threats have risen very quickly. And so I hope folks find this as useful as we did, in terms of kind of reframing this modern take on cyber, in our in this agentic world that we've been talking about nonstop, throughout this this last year.
Daniel (46:07):
And we'll, like I say, include the links in the show notes, so take a look at those. Excited to keep the conversation going. Thanks for this today, Chris.
Chris (46:17):
Yeah, thanks for taking
us through it. Was a good
exercise to do.
Narrator (46:26):
All right, that's our show for this week. If you haven't checked out our website, head to practicalai.fm and be sure to connect with us on LinkedIn, X, or Blue Sky. You'll see us posting insights related to the latest AI developments, and we would love for you to join the conversation. Thanks to our partner Prediction Guard for providing operational support for the show. Check them out at predictionguard.com.
(46:49):
Also, thanks to Breakmaster Cylinder for the beats and to you for listening. That's all for now, but you'll hear from us again next week.