Your Zero Trust Policy Has an AI Agent Problem

June 10, 2026

Most zero trust deployments were designed with a consistent starting assumption: every access request originates from a human. A user authenticates, a device is checked for posture, and a policy evaluates context and grants or denies access. That model has held up well across more than a decade of cloud adoption and remote work. The problem we face right now is that it is increasingly not the model enterprises are actually running.

AI agents operate outside that framework by design. They authenticate once, then run autonomously: calling APIs, reading data, invoking tools, and communicating with other agents or systems, all without a human in the loop at each step. The credentials they use are valid and the sessions they open are authorized. But the activity that follows can be anything from routine automation to full-on data exfiltration, triggered by a manipulated prompt that no policy was built to catch.

The scale of this problem is growing fast. According to IDC, enterprise AI spending reached $241.8 billion in 2025 and is projected to surpass $867 billion by 2029. Most of that investment is generating agentic workflows. Security teams need to extend their zero trust controls accordingly.

1. Credential-based trust doesn’t hold for agents

Traditional zero trust evaluates identity, device attributes, and context at the moment of access. For human users, that’s a meaningful control point. For AI agents, it isn’t, because the threat doesn’t arrive at authentication. It arrives mid-session, embedded in data the agent processes.

Prompt injection is a clear example. An attacker places malicious instructions in a document, email, or web page that the agent reads as part of its workflow. The agent then interprets those instructions as legitimate goals and works towards them. This could include tasks like exfiltrating data, calling unauthorized endpoints, or modifying records. Note that the session was authorized and the credentials were valid, but no policy blocking such behavior was triggered.

IBM Research found that jailbreak attempts succeed roughly 20% of the time, with attackers needing as few as 42 seconds and five interactions to bypass safety guardrails. When agents are making hundreds of calls per minute, that success rate is not a theoretical concern.

2. MCP creates a traffic type your existing stack can’t handle

Model Context Protocol (MCP) is the emerging standard for connecting AI agents to external tools and data sources. Think of it as the API layer for agentic AI: an agent with MCP access can reach databases, code repositories, communication platforms, and other agents without the need for custom integrations. With access and architecture this straightforward, it is unsurprising that MCP adoption is accelerating rapidly.

The security problem that needs to be resolved is quite straightforward: MCP traffic looks nothing like the user-to-application flows that existing inline tools were built to inspect.

A secure web gateway that handles HTTP traffic from a browser session very likely has little visibility into an MCP conversation between an agent and a data store. That translates to no DLP enforcement, no threat detection, and no access control on a growing category of data movement (one that enterprises are increasingly aware they need to monitor and control).

Tool poisoning makes this worse. An attacker can register a malicious MCP server and manipulate an agent into connecting to it, either by poisoning the agent’s tool list or by embedding instructions within the content that the agent processes.

Without visibility into MCP traffic, security teams have no way to detect when this happens. Netskope’s Cloud and Threat Report 2026 found that 33% of organizations are already running AI workloads via Azure OpenAI services, 27% via Amazon Bedrock, and 10% on Google Vertex AI. Each of those deployments is a potential MCP attack surface that demands attention.

3. App-to-LLM API calls bypass your perimeter entirely

Even before the advent of MCP as the standard of choice among the AI-forward, organizations building AI-powered applications faced a gap that most security architectures weren’t ready for: App-to-LLM API traffic. When an internal application queries an LLM to process data or drive a workflow, that traffic flows directly between private infrastructure and an AI model, bypassing cloud-based inspection points that most security stacks depend on.

This translates to no content inspection on the data being sent to the model, no logging of what the model returns, and importantly, no enforcement of data handling policies on a traffic path that is increasingly carrying sensitive information. As organizations scale from AI experimentation to production deployments, the volume of uninspected app-to-LLM traffic grows with it.
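As an added illustration (not Netskope's or any vendor's code), here is the per-call evaluation that sections 1 to 3 argue for: an inline check that decodes an MCP `tools/call` message and an app-to-LLM chat request body and decides per message rather than per session. The server allowlist, the DLP patterns, and the sample messages are constructed stand-ins for a real server risk index, DLP engine, and captured traffic.

```python
import json
import re
from dataclasses import dataclass

# Constructed policy data (hypothetical): an allowlist of MCP servers with a risk
# rating, and a toy DLP pattern set. Stand-ins for a real server risk index and DLP engine.
ALLOWED_MCP_SERVERS = {"mcp://crm.internal": "low-risk", "mcp://wiki.internal": "medium-risk"}
DLP_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "api_key": re.compile(r"\b(?:sk|AKIA)[A-Za-z0-9_-]{16,}\b"),
}

@dataclass
class Verdict:
    allowed: bool
    reasons: list

def scan_text(text):
    """Return the names of DLP patterns that match anywhere in text."""
    return sorted(name for name, rx in DLP_PATTERNS.items() if rx.search(text))

def inspect_mcp_call(server, raw_message):
    """Evaluate one MCP JSON-RPC message when it is sent, not at login: the session
    is already authenticated, so the decision is per call (known server? clean payload?)."""
    msg = json.loads(raw_message)
    reasons = []
    if server not in ALLOWED_MCP_SERVERS:
        reasons.append(f"unregistered MCP server {server}")
    if msg.get("method") == "tools/call":
        params = msg.get("params", {})
        hits = scan_text(json.dumps(params.get("arguments", {})))
        if hits:
            reasons.append(f"tool {params.get('name')} sends {', '.join(hits)}")
    return Verdict(not reasons, reasons)

def inspect_llm_request(raw_body):
    """Apply the same DLP check to an app-to-LLM chat request body before it leaves
    private infrastructure (assumes an OpenAI-style messages array)."""
    body = json.loads(raw_body)
    hits = scan_text(" ".join(m.get("content", "") for m in body.get("messages", [])))
    return Verdict(not hits, [f"prompt contains {h}" for h in hits])

# Constructed sample traffic: a benign call and a prompt-injected exfiltration attempt,
# both sent over the same authorized session.
BENIGN_CALL = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                          "params": {"name": "crm_lookup", "arguments": {"account": "acme"}}})
INJECTED_CALL = json.dumps({"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                            "params": {"name": "http_post",
                                       "arguments": {"body": "customer ssn 123-45-6789"}}})
```

Both sample calls carry the same valid session; only the second is blocked, and it is blocked on what it carries and where it goes, not on who authenticated.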

Extending zero trust to cover non-human identities

Netskope One AI Security addresses each of these gaps through a purpose-built access and visibility layer for non-human identities. Netskope One Agentic Broker decodes MCP traffic in real time, providing full visibility into agent-to-tool communications:

  • Which MCP servers agents are connecting to,
  • What tools and prompts are in use, and
  • Whether any data policy violations are occurring.

It integrates directly with the industry-leading Netskope One DLP to enforce data inspection policies on agentic workflows, and uses Netskope’s Cloud Confidence Index to assess the risk profile of MCP servers before agents connect to them.

For app-to-LLM API traffic running on private infrastructure, Netskope One AI Gateway provides a software-layer inspection point that works within AWS VPCs and VMware ESXi environments. It centralizes authentication for agents and applications accessing LLMs, maintains searchable logs of all API interactions, and integrates Netskope One AI Guardrails and DLP for content inspection, all without routing traffic through cloud-based control points.

Zero trust was built on the principle that no identity should be trusted by default. Applying that principle to AI agents requires visibility into traffic types and authentication patterns that most current architectures weren’t designed to handle. These tools close that gap, allowing you to accelerate your adoption of AI tooling within your organization.

Explore Netskope One AI Security to see how Netskope extends zero trust to your entire AI ecosystem.

Sources

IDC, Worldwide Artificial Intelligence IT Spending Forecast, 2025-2029, August 2025 (IDC #US53688725)

IBM Research, “AI Jailbreak,” 2024, ibm.com/think/insights/ai-jailbreak

Netskope Cloud and Threat Report 2026, Netskope Threat Labs

Ajay Ramachandran

Ajay Ramachandran guides customers through optimizing, operationalizing, and getting the most value out of their Netskope platform.