AI with Zero Trust Security
Adopt a Zero Trust approach that lets you verify every access request — human, machine, or AI — before it reaches your most critical resources. As AI agents, semantic search, and automation accelerate how work gets done, you can reduce risk by explicitly validating identity, enforcing least-privilege access, and assuming breach across every step of your environment. Apply layered, continuous protection across identities, endpoints, networks, data, AI resources, applications, and infrastructure so attackers can’t exploit any weak links.

Michael Madrigal, Security Product Manager, shares how you can protect productivity and keep pace with an evolving threat landscape, by continuously assessing risk, securing resources at runtime, and adapting policies as conditions change.

Govern AI agents like identities. Apply visibility, scoped access, and controls to limit blast radius. Take a look at Zero Trust for AI.

Connect only trusted endpoints. Block non-compliant devices and VMs from accessing resources by enforcing endpoint health and policy checks. Get started with Zero Trust for AI.

Build security that adapts by design. Continuously assess risk and automate response across identities, endpoints, apps, data, and infrastructure. Get started with Zero Trust for AI.

QUICK LINKS:
00:00 — Zero Trust for AI
01:41 — Overview of Zero Trust
02:43 — Identities
04:38 — Endpoints
04:50 — How Zero Trust applies to your network
06:51 — How Zero Trust applies to your data
07:31 — How Zero Trust applies to AI resources
08:24 — App Layer
08:31 — Infrastructure
09:49 — Security
10:23 — Wrap up

Link References
Check out https://aka.ms/GoZeroTrust
Watch our series at https://aka.ms/ZTMechanics

Unfamiliar with Microsoft Mechanics?
As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.
Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries
Talk with other IT Pros, join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog
Watch or listen from anywhere, subscribe to our podcast: https://microsoftmechanics.libsyn.com/podcast

Keep getting this insider knowledge, join us on social:
Follow us on Twitter: https://twitter.com/MSFTMechanics
Share knowledge on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/
Enjoy us on Instagram: https://www.instagram.com/msftmechanics/
Loosen up with us on TikTok: https://www.tiktok.com/@msftmechanics

Video Transcript:

Zero Trust security is all about one simple idea. Never assume trust, always verify. Whether it’s a person, an AI agent, or an app trying to access your resources, nothing is trusted by default. Equally, protections should be designed to work seamlessly behind the scenes, keeping your business operations secure without impacting productivity. By design, it follows three core principles to guard entry to your network and protect critical assets. You need to first verify explicitly, which means always confirm who, in terms of a person or a device, or what, in the case of AI or other processes, is requesting access to your environment. Second, enforce least privilege access means granting only the permissions needed to specific resources to get work done, and then only for as long as necessary. And third, assume breach is where you assume that your environment has already been compromised, so that you have proactive defenses in place to protect your most critical assets.

In fact, whether you’ve already adopted Zero Trust or are just starting to consider it, with AI now working alongside of us, the need for this approach has never been greater.
For example, if data isn’t properly classified and protected, AI which uses powerful semantic search can quickly surface information that was once hard to find and potentially share it with the wrong people.

Additionally, ungoverned AI agents can often have extensive permissions across systems, enabling agents to move through your organization at unparalleled speed to complete tasks. But if compromised, they can cause significant damage before anyone even notices. And as AI reshapes both work and the risk landscape, this series will show how Microsoft helps you to implement Zero Trust seamlessly. Today, I’ll start with an overview of the Zero Trust architecture. We’ll look at the vulnerabilities that can arise and the core defenses, both new and existing, that you can deploy to mitigate them. Think of your IT environment as a flow.

From the identities, including system processes, and endpoints trying to gain access, all the way across your network, to the sensitive data, AI resources, applications and infrastructure they need to reach. Along that path, every step introduces risk, and attackers don’t need to compromise everything. They only need to exploit one weak link. That’s why protection must be layered across identities, endpoints, your entire network layer, data, AI resources, your apps, and infrastructure, because each introduces unique risks and acts as a potential entry point. At every layer, real-time policy enforcement and protections are essential to ensure that any entity requesting access is thoroughly assessed and verified before gaining access to requested resources.

Let’s go deeper, starting with identities across human users, agents, and your workloads. Human identities are a prime target for phishing, impersonation, and credential theft. So you need to start by limiting access to what each person needs, then adding phishing-resistant authentication to confirm users are who they say they are and only reach what they’re authorized for.

That’s where, for example, Conditional Access in Microsoft Entra comes in, verifying every request using passkeys and other strong methods. Microsoft Purview’s Data Security Posture Management additionally helps you track how users interact with data and AI, so you can spot risks early and strengthen your posture. Integration with Defender for Cloud Apps means you can block risky apps from being used, and with Global Secure Access in Entra, you can also enforce identity-integrated network controls to keep unsafe requestors out. Non-human identities like agents, on the other hand, don’t fall for phishing, but they’re still vulnerable. They can be hijacked through user or agent interactions, and if they have broad access, a single misconfiguration or excess permissions can open the door to major breaches.

Here, the new Entra Agent ID gives each AI agent its own unique, manageable identity, letting you apply the same visibility, governance, and Zero Trust controls you use for human users, but now for non-human actors too. For example, Conditional Access can evaluate agent risk in real time for each authorization request to resources, and defined access packages using ID governance, with human agent sponsor approval, can scope agents for just enough access to what they need to carry out authorized tasks.

Then, similar to human identities, Insider Risk Management in Purview will also automatically assign risk levels to agents in your environment based on their data activities so you can prioritize investigations and apply targeted controls. This way, every identity is verified with real-time access controls and strict policies under Zero Trust. Of course, identities are only part of the picture. Device endpoints, whether corporate or personally owned, can also pose serious risks if compromised or are non-compliant due to missing updates or policies. That’s because they can act as vectors for lateral movement or data exfiltration.

Additionally, AI means that endpoint considerations now also extend to computer-using agents, where this type of agent can interact using endpoints like full virtual machines to temporarily access resources within your network or from your cloud service providers. Regardless of the person or entity interacting with the endpoint, as access requests move inward, as part of conditional access, they also pass through control layers to evaluate context and behavior. In real time, the policy engine can detect anomalies and enforce policy boundaries based on detected real-time risks and other conditions.

And endpoint management controls using Microsoft Intune can ensure that any connecting device or VM passes compliance checks before it can access your resources. As a rule, all endpoints should be continually assessed for health and configuration compliance, with non-compliant, stale, or unused devices automatically revoked from access. Here, native controls in Microsoft Defender for Threat Protection and continuous assessment use threat intelligence and forensics to expose patterns, automatically respond and raise defenses against trending attacks. We’ll dive deeper on what you can do to protect identities and endpoints in another episode of this series.

For now, let’s switch gears for an overview of the resources that can be targeted by compromised identities and endpoints and how Zero Trust applies. In other words, your network, sensitive data, AI resources, internal and cloud applications, as well as infrastructure components, which are often the ultimate objective for attackers. Your network importantly serves as a bridge between malicious actors and your most valuable resources. Here, your first layer of defense uses network and device-based firewalls to filter traffic and help prevent unwanted connections. Network segmentation then adds protections in case of breach to limit lateral movement to other internal resources.
These can be combined and are stronger when tied directly with identity controls in Entra using Global Secure Access for strengthened security.

Next, the ultimate target of any security breach is your data, which can fall risk to theft, manipulation, or leakage. Here, Microsoft Purview delivers a unified Zero Trust control set. For unstructured data in Microsoft 365 and beyond, it identifies sensitive data and applies sensitivity labels that act as protection guidance, driving consistent enforcement such as encryption, access controls, and DLP across collaboration and AI experiences. And for structured data across Fabric and other clouds, the same sensitivity labels extend protection intent to data stores, enabling consistent access controls and policy enforcement so sensitive data is protected wherever it’s used, including AI workloads. Equally, AI resources, models, agents, APIs, data pipelines, and compute, are critical components of your Zero Trust architecture. If compromised, they can leak sensitive data, generate malicious outputs, or enable lateral movement across systems. Protection means securing the resources themselves, not just access, by assessing prompts and outputs with Microsoft Foundry’s Prompt Shields and runtime protections. Securing compute environments like GPU-enabled virtual machines used for AI with isolation and compliance controls using Microsoft Defender for Cloud. And continuously monitoring agent behavior for anomalies and assigning risk scores with Agent 365 for centralized governance.

Together, capabilities like these and more create a layered defense so your AI resources remain secure across the lifecycle. From here in our architecture, the app layer is where AI meets data. That’s because this layer is increasingly powered by AI and semantic search. It enables users to retrieve information with more efficiency. These capabilities are now common in productivity tools, including collaboration platforms and business systems.
While these experiences enhance user productivity, they also amplify attacker capabilities if access is compromised, whether through a stolen credential or a risky insider.

This is where Microsoft Defender for Cloud Apps plays a critical role. With visibility into all apps in use, risk-based controls to govern app behavior, and data protection policies to prevent misuse and data exfiltration. And at the foundation of everything in the Zero Trust architecture is infrastructure, spanning cloud environments, servers, containers, and orchestration systems. The consequences of compromised infrastructure can be severe, with service outages, ransomware, instability, and more. Microsoft Defender for Cloud delivers comprehensive workload protection across Azure, AWS, and GCP, including vulnerability scanning and advanced threat detection for your infrastructure. And you can leverage Azure Confidential Computing infrastructure for your most sensitive workloads, which encrypts data while in use in memory using hardware-based trusted execution environments and processes that only after requests are explicitly verified.

And of course, as we go across each layer, security configurations should not be set and forgotten. Continuous validation with constant monitoring and adaptive policies is a critical part of maintaining Zero Trust. Across all layers in the Zero Trust architecture, SecOps needs to be continuously assessed, monitored and optimized with controls to minimize and detect risks. Here, Microsoft Defender with Sentinel as its integrated SIEM extends detection and response across endpoints, identities, SaaS apps, email and collaboration tools, and more.

Please stay tuned to Microsoft Mechanics to watch the rest of our series with hands-on guidance for implementing Zero Trust across identities and endpoints, data, AI resources, and apps, and your network and infrastructure, at aka.ms/ZTMechanics.
And for additional resources, check out aka.ms/GoZeroTrust with free workshops and more. Subscribe to our channel if you haven’t already, and thanks for watching.