Agentic AI security curriculum · Security overview
Zero Trust Fundamentals: Assume Compromise and Verify Everything
Module 5 of 20 · Agentic AI Security Curriculum · May 2026
How to use this module
Use it as self-paced study or as instructor-led training. YAML, commands, and policy excerpts are illustrative; map them to your cloud, mesh, identity provider, and agent runtime—substitute your own names, namespaces, and tools while preserving the control intent.
Estimated time: ~30 minutes reading; add time for linked standards and team discussion.
Learning objectives
By the end of this module, you should be able to:
- State Zero Trust principles in the context of autonomous agents and external tools.
- Contrast perimeter-only models with continuous verification and default deny.
- Prioritize capability restriction over prompt-only defenses.
Prerequisites
Supply chain security, golden images, admission control, and least privilege (the preceding modules) should already be in place. With those controls present, the remaining step is to make the posture explicit. This module introduces the core philosophy that underpins resilient architectures: never trust, always verify, and assume breach at all times.
Suggested discussion / lab: Pick one diagram in your environment (build, deploy, runtime) and mark where this module’s controls apply; note gaps versus the checklist in the body.
Zero Trust Defined for Agentic Systems
Traditional perimeter security (firewalls, VPNs, “inside the cluster is safe”) is not enough in agentic MCP environments. Agents call tools, process untrusted documents, and interact with external systems in ways that cannot be fully predicted, so once any one component is compromised, lateral movement to the rest can be rapid.
A Zero Trust model for agentic systems treats every request, every pod, every agent session, and every tool call as potentially malicious until proven otherwise.
The Three Governing Principles
This module is built on these explicit principles from the Defense-in-Depth guide:
Secure the capabilities, not the language
Some prompt injections and jailbreaks will get past any filter on natural language. Rather than try to make that filter complete, effective platforms restrict what an agent can actually do: tools are exposed through ATR-scoped MCP interfaces and the scope is enforced at the proxy (Panguard in the reference architecture), so an instruction the model should not follow has nothing to act on.
Every trust assumption is explicit and verified
No implicit trust in containers, model weights, sessions, secrets, or logs. Each carries evidence that can be checked rather than assumed: Cosign signatures on images, Merkle roots over log records, and signed JWT ATR claims on sessions and tool calls.
Containment over prevention
Assume a breach will happen. Design so that when it does, damage is limited, forensic evidence is preserved (WORM storage plus Merkle roots), and recovery is fast.
Core Zero Trust controls to implement
- Continuous verification: every MCP tool call validates its JWT ATR claims, every image is verified at admission, and model weights are checked before inference.
- Least privilege by default: covered in Module 4; narrow RBAC, scoped ServiceAccounts, and per-task tool authorization.
- Micro-segmentation: Istio mTLS plus AuthorizationPolicy (Module 7) so that pods can only talk to explicitly allowed services.
- Default-deny posture: NetworkPolicy, egress allowlists, and Kyverno policies reject anything not explicitly permitted.
- Assume-breach mindset: Kata Containers for MCP workloads, automated quarantine with Talon, and tamper-evident WORM logs.
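To make “secure the capabilities” and the continuous-verification control concrete, here is an added example (not code from this curriculum or from the reference architecture it describes) of the check an MCP proxy performs before dispatching a tool call. The token layout, the `tools` claim format, the tool names, the demo HS256 shared secret, and the constructed session are all assumptions for illustration; ATR and Panguard are the page’s names for the scope and the enforcement point, and nothing here reproduces their real implementation.

```python
"""Capability gate for MCP tool calls (added example, not the reference platform's code):
verify a signed per-task token, then default-deny any tool or argument it does not cover."""
import base64
import hashlib
import hmac
import json
import posixpath
import time
from typing import Optional

# Constructed demo key. A real issuer signs with a KMS/HSM-held key and the proxy
# verifies with the matching public key (RS256/ES256), not with a shared secret.
DEMO_KEY = b"demo-only-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_task_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issuer side: HS256 JWT whose 'tools' claim is the task's capability scope."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_task_token(token: str, key: bytes = DEMO_KEY, now: Optional[float] = None) -> dict:
    """Verifier side: pin the algorithm, check the signature, then the expiry; refuse otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    h, p, s = parts
    if json.loads(_unb64url(h)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # the token never gets to choose the algorithm
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64url(p))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise PermissionError("token expired")
    return claims


class ToolGate:
    """Proxy-side gate. A call passes only if the token verifies, the tool is named in the
    token's scope, and every argument rule in that scope holds. Everything else is denied
    and recorded. The model's prose is never consulted, so injected text has no effect."""

    def __init__(self, key: bytes = DEMO_KEY):
        self.key = key
        self.audit = []  # one record per decision; a real proxy ships these to WORM storage

    def authorize(self, token: str, tool: str, args: dict, now: Optional[float] = None) -> bool:
        try:
            claims = verify_task_token(token, self.key, now)
        except PermissionError as err:
            return self._decide(tool, args, False, str(err))
        scope = claims.get("tools", {})
        if tool not in scope:
            return self._decide(tool, args, False, "tool not in scope")
        for arg, rule in scope[tool].items():
            value = args.get(arg)
            if not isinstance(value, str):
                return self._decide(tool, args, False, f"missing argument {arg}")
            # Normalise before comparing so "/workspace/../etc/passwd" cannot satisfy the prefix.
            if "prefix" in rule and not posixpath.normpath(value).startswith(rule["prefix"]):
                return self._decide(tool, args, False, f"{arg} outside {rule['prefix']}")
        return self._decide(tool, args, True, "ok")

    def _decide(self, tool: str, args: dict, allowed: bool, reason: str) -> bool:
        self.audit.append({"tool": tool, "args": args, "allowed": allowed, "reason": reason})
        return allowed


def demo(now: float = 1_700_000_000.0):
    """Constructed session: the agent is scoped to read under /workspace and search docs.
    A document it reads carries an injected 'delete the repo' instruction; the outcome
    depends only on the scope, not on how persuasive the text is."""
    gate = ToolGate()
    token = mint_task_token({
        "sub": "agent-42", "task": "summarise-docs", "exp": now + 600,
        "tools": {"read_file": {"path": {"prefix": "/workspace/"}}, "search_docs": {}},
    })
    expired = mint_task_token({"sub": "agent-42", "exp": now - 1, "tools": {"search_docs": {}}})
    decisions = [
        gate.authorize(token, "read_file", {"path": "/workspace/README.md"}, now),     # allowed
        gate.authorize(token, "read_file", {"path": "/workspace/../etc/passwd"}, now),  # denied: traversal
        gate.authorize(token, "delete_repo", {"repo": "prod"}, now),                    # denied: injected tool
        gate.authorize(token + "x", "search_docs", {"q": "zero trust"}, now),           # denied: bad signature
        gate.authorize(expired, "search_docs", {"q": "zero trust"}, now),               # denied: expired
    ]
    return decisions, [rec["reason"] for rec in gate.audit]


if __name__ == "__main__":
    for allowed, reason in zip(*demo()):
        print("ALLOW" if allowed else "DENY ", reason)
```

Two design points worth carrying over to a real proxy: the verifier pins the algorithm rather than reading it from the header, and the argument rule is applied to the normalised path, so the prefix check cannot be bypassed with `..` segments. Every decision, allowed or denied, is written to the audit list, which is the input to the tamper-evident logging discussed below.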
Shift from Prevention to Containment
Traditional security focuses heavily on blocking attacks. Well-designed platforms invest equally in containment and recovery:
- If a pod is compromised → Kata isolation plus Talon auto-quarantine.
- If an agent goes rogue → Panguard blocks the tool call and logs the full session.
- If logs are tampered with → Merkle roots and WORM storage make the tampering detectable.
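The last point, that Merkle roots and WORM storage make tampering detectable, can be shown in a few dozen lines. The following is an added example, not part of the curriculum or of any product it names: a Merkle tree in the RFC 6962 style over constructed audit-log lines, a checkpoint of the kind you would write to WORM storage after each batch, and an inclusion proof for a single entry. The log line format, the checkpoint layout, and the sample records are assumptions for the demo.

```python
"""Tamper-evident audit log (added example): RFC 6962-style Merkle tree over log lines,
a size+root checkpoint for WORM storage, and per-entry inclusion proofs."""
import hashlib
from typing import List, Tuple


def _leaf(entry: bytes) -> bytes:
    # Domain-separate leaves from interior nodes so a leaf cannot be passed off as a node.
    return hashlib.sha256(b"\x00" + entry).digest()


def _node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2); avoids the duplicate-last-leaf
    padding trick, under which appending a copy of the final entry leaves the root unchanged."""
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(entries: List[bytes]) -> bytes:
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return _leaf(entries[0])
    k = _split(n)
    return _node(merkle_root(entries[:k]), merkle_root(entries[k:]))


def audit_path(entries: List[bytes], i: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from leaf i up to the root; the flag says whether the sibling is on the left."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if i < k:
        return audit_path(entries[:k], i) + [(merkle_root(entries[k:]), False)]
    return audit_path(entries[k:], i - k) + [(merkle_root(entries[:k]), True)]


def verify_inclusion(entry: bytes, path: List[Tuple[bytes, bool]], root: bytes) -> bool:
    h = _leaf(entry)
    for sibling, sibling_is_left in path:
        h = _node(sibling, h) if sibling_is_left else _node(h, sibling)
    return h == root


def checkpoint(entries: List[bytes]) -> dict:
    """What gets written to WORM storage (or signed) after each batch: tree size and root."""
    return {"size": len(entries), "root": merkle_root(entries).hex()}


def verify_checkpoint(entries: List[bytes], cp: dict) -> bool:
    """Recompute over the first cp['size'] entries. Later appends are fine (they get their
    own checkpoint); any edit, reorder, or truncation inside the checkpointed prefix is not."""
    if len(entries) < cp["size"]:
        return False
    return merkle_root(entries[: cp["size"]]).hex() == cp["root"]


# Constructed audit-log lines for the demo (not real records).
LOG = [
    b"t=1 session=s1 tool=search_docs allowed=true",
    b"t=2 session=s1 tool=read_file path=/workspace/README.md allowed=true",
    b"t=3 session=s1 tool=delete_repo repo=prod allowed=false reason=tool-not-in-scope",
    b"t=4 session=s1 tool=read_file path=/workspace/../etc/passwd allowed=false",
    b"t=5 session=s1 quarantine=true",
]


def demo() -> dict:
    """Anchor a checkpoint, then try the manipulations an attacker with write access might make."""
    cp = checkpoint(LOG)
    edited = list(LOG)
    edited[2] = edited[2].replace(b"allowed=false", b"allowed=true")  # rewrite a denial as an allow
    reordered = [LOG[1], LOG[0]] + LOG[2:]
    truncated = LOG[:-1]
    appended = LOG + [b"t=6 session=s2 tool=search_docs allowed=true"]
    root = bytes.fromhex(cp["root"])
    return {
        "intact": verify_checkpoint(LOG, cp),
        "edited": verify_checkpoint(edited, cp),
        "reordered": verify_checkpoint(reordered, cp),
        "truncated": verify_checkpoint(truncated, cp),
        "appended": verify_checkpoint(appended, cp),  # True: the checkpointed prefix is untouched
        "proof": verify_inclusion(LOG[2], audit_path(LOG, 2), root),
        "forged_proof": verify_inclusion(edited[2], audit_path(LOG, 2), root),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:13s} {'verified' if ok else 'MISMATCH'}")
```

The root is only as trustworthy as the place it is anchored: write each checkpoint to WORM storage or have it signed by a key the log writer does not hold, otherwise an attacker who can rewrite the log can rewrite the root alongside it. Inclusion proofs let an investigator confirm one session record against the anchored root without pulling the whole log.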
This mindset changes how you design, deploy, and operate the platform.
Key Takeaways
- Zero Trust is not a tool but an operating philosophy: assume compromise and verify everything, every time.
- In agentic systems, securing capabilities through ATR scoping and MCP proxy enforcement is far more effective than trying to secure natural language.
- Every layer (supply chain, admission, identity, network, runtime) must independently verify and contain.
- Prevention alone is insufficient; strong containment and forensic readiness are mandatory.
This module sets the stage for the advanced Zero Trust controls in the next module.
Next module: Advanced Zero Trust – Multi-Sig Vault, HSM, Tamper-Proof Logging, and Cryptographic Provenance.
Further reading (vendor-neutral)
These resources are independent of any single product; use them to deepen the topic for audits, architecture reviews, or procurement discussions.
- NIST SP 800-207 (Zero Trust Architecture)
- NIST AI RMF Playbook
- ENISA Multilayer Framework for Good Cybersecurity Practices for AI
Commercial training use
You may reuse this curriculum internally or in paid consulting / training engagements. Keep examples aligned to the customer’s actual stack; substitute your own runbooks, tool names, and compliance frameworks (SOC 2, ISO 27001, sector regulators) where cited examples use a reference architecture only.
