At A Glance
Zero Trust for AI applies the “never trust, always verify” principle to artificial intelligence systems — AI agents, Model Context Protocol (MCP) servers, and the non-human identities they create. Rather than using AI to power traditional security tools, Zero Trust for AI treats every AI agent, every MCP connection, and every machine identity as untrusted by default, requiring continuous verification before any access is granted. This matters because AI agents now act autonomously, call APIs, and connect to external tools and data sources, often with more standing access than the humans who deployed them, and with none of the identity controls built for human users.
Every AI agent an enterprise deploys is a new identity on the network — one that can call APIs, read files, execute code, and connect to external tools without a human in the loop for every action. The problem? Most organizations are deploying these agents faster than they can secure them.
In mid-2025, security researchers at JFrog disclosed a critical vulnerability (CVSS 9.6) in mcp-remote, a widely used tool for connecting AI agents to remote MCP servers. A malicious MCP server could trigger full remote code execution on a connecting machine simply by returning a crafted URL during authentication — with no user interaction required beyond making the connection.
The tool had been downloaded hundreds of thousands of times before the flaw was found and patched. It’s one of several MCP-related vulnerabilities identified since the protocol’s release, and it illustrates a pattern security teams are only just beginning to catch up to: AI agents and MCP servers are new, high-privilege entities operating largely outside the identity and access frameworks built for human users.
Traditional network security wasn’t built to solve for this. Firewalls and VPNs authenticate at the network edge and then extend broad, implicit trust once a connection is established. That model breaks down when the requested connection is an autonomous agent that can be manipulated, impersonated, or attached to a malicious endpoint without a person ever noticing.
Zero Trust for AI is the response to this vulnerability.
What Is Zero Trust for AI?
Zero Trust for AI is the application of Zero Trust security principles (never trust, always verify) to AI systems. Instead of treating AI agents and MCP servers as extensions of the infrastructure they run on, Zero Trust for AI requires every AI agent, model endpoint, and MCP connection to have its own verifiable identity, be granted only the minimum access it needs, and be continuously authenticated for every request it makes, not just once at startup.
This is a meaningful shift from how most organizations think about AI security today. AI security has largely focused on the model itself: prompt injection, data leakage, output filtering. Zero Trust for AI addresses the connectivity layer. It governs how an AI agent reaches the tools, APIs, and data sources it needs, and ensures that an agent (or an attacker impersonating one) can’t reach anything beyond what it’s explicitly permitted to access.
Key Takeaway: Zero Trust for AI doesn’t ask, “is this AI model safe?” It asks, “can we verify exactly what this agent is, what it’s allowed to touch, and whether that’s still true right now?” It’s the same question Zero Trust asks of any human user or device, applied to a new class of non-human identity.
Why AI Agents and MCP Servers Break Traditional Security Models
Three characteristics of modern AI deployments make them poorly suited to perimeter-based or VPN-based security:
- Non-human identity at scale. A single enterprise AI deployment can spin up dozens or hundreds of agent instances, each needing its own access to APIs, databases, and tools. Traditional IAM systems were built to provision and monitor human users, not ephemeral machine identities created and destroyed on demand.
- Autonomous, machine-to-machine connections. AI agents don’t just receive access, they initiate it, often connecting to external MCP servers or tools without a human approving each connection. If that server is malicious or compromised (as in the mcp-remote case), the agent becomes the attack vector.
- MCP as a new, largely unsecured attack surface. MCP is still a young protocol, and security tooling for it is immature. Several disclosed vulnerabilities across different MCP implementations point to the same underlying issue: the protocol was designed for interoperability first, with security controls arriving after adoption, not before.
Firewalls can’t distinguish a legitimate AI agent from a compromised one; both look like ordinary traffic. VPNs grant network-level access that AI agents, once connected, can use to reach far more than they were intended to. Neither approach was designed to answer the question that matters most for AI security: is this specific agent, right now, still what it claims to be, and should it still have access to what it’s requesting?
Applying Zero Trust Principles to AI Agents
The same core principles that make Zero Trust effective for human users also apply to AI agents, with some important differences in how they’re implemented.
- Identity verification, extended to machines. Every AI agent and MCP server needs a cryptographically verifiable identity of its own, not a shared API key or a network-level trust relationship. Machine identity is already one of the Five Pillars of Zero Trust; AI agents simply make it non-negotiable rather than optional.
- Least privilege, scoped per agent. An AI agent should only be able to reach the specific APIs, tools, and data sources its task requires — nothing more. An agent built to summarize documents shouldn’t be able to reach a payment API, for example, even if they sit on the same network.
- Microsegmentation, applied to agent-to-tool connections. Just as microsegmentation isolates workloads from each other, it should also isolate AI agents from resources they don’t need, so a compromised or manipulated agent can’t move laterally to reach anything beyond its permitted scope.
- Continuous verification, not one-time authentication. An agent’s access should be re-evaluated for every request, not granted once when the agent is deployed and left standing indefinitely.
Applied together, these principles mean an AI agent or MCP server is never implicitly trusted just because it’s already connected. It has to keep proving what it is and what it’s allowed to do, every time it asks.
How NetFoundry Secures AI Agents and MCP Servers with Zero Trust
NetFoundry, built on the open-source OpenZiti framework, applies Identity-First Reachability™ to AI agents and MCP servers the same way it does to any other machine workload. It runs on the same overlay networking foundation that powers the rest of the platform: every agent and MCP connection is issued a cryptographically secured identity, and connections are initiated outward from the identity rather than exposed on an open inbound port. Unauthorized agents or malicious MCP servers simply cannot discover or reach the resource in the first place.
This directly addresses the failure mode behind vulnerabilities like the mcp-remote CVE: an attacker can’t exploit a connection to a resource that’s invisible to them. Because access is enforced at the application layer through NetFoundry’s SDKs, an AI agent’s permissions can be scoped precisely to the tools and data it’s authorized to use, with no reliance on network-level trust or firewall rules that a compromised agent could otherwise ride past.
Benefits of Zero Trust for AI
Applying Zero Trust principles to AI agents and MCP servers delivers concrete security and operational gains:
- Eliminated inbound attack surface. AI agents and MCP servers connect out, never in, so there’s no open port for an attacker or malicious server to target.
- Contained blast radius. Least privilege and microsegmentation mean a manipulated or compromised agent can only reach what it was explicitly scoped to touch.
- Scalable machine identity management. Enterprises can provision and monitor verifiable identities for hundreds of ephemeral agent instances without extending traditional human-focused IAM tools past their limits.
- Continuous assurance, not point-in-time trust. Every agent connection is verified in real time, closing the gap that one-time authentication leaves open.
Together, these benefits turn AI agent security from a reactive scramble into a property that’s built into how agents connect in the first place, rather than something bolted on after deployment.
Securing AI Starts With Rethinking Trust, Not Just Models
The mcp-remote vulnerability wasn’t a one-off; it’s a preview of what happens when AI agents and MCP servers are trusted by default in environments that were never built to verify them. As enterprises deploy more autonomous agents, the connectivity layer they run on has to hold up its end: verifiable identity, least privilege, and continuous authentication for every agent and every connection, not just the humans overseeing them.
NetFoundry applies Zero Trust to AI agents and MCP servers the same way it does to every other machine workload, with no open inbound ports, no VPNs, and no firewall changes required to get started.
Explore AI Security with NetFoundry | Talk to our Team
Frequently Asked Questions
What is Zero Trust for AI?
NetFoundry defines Zero Trust for AI as the application of Zero Trust security principles to AI systems themselves (AI agents, model endpoints, and MCP servers) rather than using AI as a tool within existing security systems. It requires every AI agent to have a verifiable identity, minimum necessary access, and continuous re-verification for every request it makes.
How do you secure AI agents and MCP servers with Zero Trust?
NetFoundry secures AI agents and MCP servers by issuing each one a cryptographically verified identity and enforcing access at the application layer, so connections are initiated outward from the identity rather than exposed on an open inbound port. This makes unauthorized agents and malicious MCP servers invisible and unreachable, while scoping each legitimate agent to only the specific tools and data it’s authorized to use.
Why are AI agents and MCP servers a security risk?
NetFoundry has observed that AI agents and MCP servers are a security risk because they operate as autonomous, non-human identities that often have more standing access than the humans who deployed them, without the identity controls built for human users. Disclosed vulnerabilities in MCP tooling, including a critical remote code execution flaw in mcp-remote (CVE-2025-6514), have shown that a malicious or compromised MCP server can compromise the machine connecting to it.
Is Zero Trust for AI different from AI-powered security?
Yes. NetFoundry distinguishes the two: AI-powered security uses artificial intelligence to strengthen existing tools, such as anomaly detection or automated threat response. Zero Trust for AI instead treats AI agents and MCP servers as the entities being secured, applying identity verification, least privilege, and continuous authentication directly to them.
Can Zero Trust for AI work alongside existing security tools?
Yes. NetFoundry’s approach to Zero Trust for AI operates at the connectivity layer, governing how AI agents reach the tools and data they use, and is designed to work alongside model-level protections like prompt injection defenses and output filtering rather than replace them.
About NetFoundry
NetFoundry is the creator of OpenZiti, the leading open-source Zero Trust networking framework, and the developer of the NetFoundry Platform — Identity-First Reachability™ as a service. NetFoundry enables organizations to connect machines, APIs, AI agents, and distributed workloads with Zero Trust security built in from the start: no VPNs, no open inbound ports, no firewall rule changes.
