Making artificial intelligence practical, productive & accessible to everyone. Practical AI is a show in which technology professionals, business people, students, enthusiasts, and expert guests engage in lively discussions about Artificial Intelligence and related topics (Machine Learning, Deep Learning, Neural Networks, GANs, MLOps, AIOps, LLMs & more).
The focus is on productive implementations and real-world scenarios that are accessible to everyone. If you want to keep up with the latest advances in AI, while keeping one foot in the real world, then this is the show for you!
Welcome to the Practical AI Podcast, where we break down the real-world applications of artificial intelligence and how it's shaping the way we live, work, and create. Our goal is to help make AI technology practical, productive, and accessible to everyone. Whether you're a developer, business leader, or just curious about the tech behind the buzz, you're in the right place. Be sure to connect with us on LinkedIn, X, or Bluesky to stay up to date with episode drops, behind-the-scenes content, and AI insights. You can learn more at practicalai.fm.
Narrator:Now on to the show.
Daniel:Welcome to another Practical AI podcast episode. This time it's just me and my cohost, Chris. In these episodes where it's just the two of us, we try to take something that's in the AI news, or a topic for a deep dive, something that will help all of us level up our AI and machine learning game. I am Daniel Whitenack. I'm CEO at Prediction Guard, and I'm joined as always by my cohost, Chris Benson, who is a principal AI and autonomy research engineer.
Daniel:How are you doing, Chris?
Chris:Hey. Doing great. Lots of cool stuff out there. Looking forward to today's conversation.
Daniel:Yes. Yeah, for sure. There's no shortage of things to talk about. I don't know if you remember this passing comment, Chris, but I think it was in our episode where we were talking about MCP on top of Kubernetes. The guest mentioned that when Anthropic drops one of these white papers or research topics or blog posts, often that's a window into something that's significant, something to pay attention to and review in detail.
Daniel:And it just so happens that on May 27th of this year, 2026, I think, they released this, I guess it's an ebook, white paper, blog post, however you wanna frame it, a framework around zero trust. Zero trust for AI agents. In "Zero Trust for AI Agents", we share a security framework for deploying autonomous AI agents in the enterprise, covering the new threat landscape, a tiered zero trust architecture, and defensive operations built for AI-accelerated attacks. So that's a lot of words.
Daniel:Now I think first off, Chris, it's probably worth recognizing that Anthropic obviously has a horse in this race, especially with things like Claude Code or Claude Coworker, all the Claude things. These are autonomous agents that can operate in your enterprise environment. So obviously, I think there are things that are happening where their customers or people using these tools are thinking about the security implications of that. They also recently released Claude Security, which is more on the AI for security side, not so much the security for AI side, which is mostly what we'll talk about today in relation to this article or ebook.
Daniel:But, yeah, I think that's worth acknowledging. Obviously, if people have a secure way of deploying autonomous agents, I'm sure they are hoping that many of those are built on Anthropic technologies.
Chris:I'm sure they do. And, you know, just to keep in the back of our mind, this is the same organization that has Mythos out there and is working with, I believe the latest number is 150 organizations, that's the latest thing I saw published on their website, trying to go through and do security audits and such as that. And with the timing of this, I would guess, I don't know, but just making a guess, that some of the leveling up that Mythos has enabled is probably driving some of their zero trust and other security concerns going forward. So looking forward to this.
Daniel:Yeah. Yeah. I guess that's a good place to start with the premise of this. I think there are a few things to frame here. One is there is probably a segment of the market and of our audience that is already using autonomous agents for something, even if that's just Claude Code or something like that for development purposes, where
Chris:Yep.
Daniel:By autonomous, I mean it's taking actions on your behalf to do some things. And I think generally, in terms of where we're seeing the market going on the positive side, organizations are going to need to more and more adopt these autonomous agents within their organization for value creation or new revenue or, you know, saving on operational efficiency. So premise one is that that's the way the market's going. I think the other kind of background to this, though, is, like you were saying, there's a bit of a forcing function here, because attackers, malicious parties, hackers, etcetera, have equal access to these agentic coding and development capabilities themselves. Right?
Daniel:Meaning that the pace at which people are about to be, or are already being, attacked and exposed to threats in their infrastructure is just expanding exponentially, which means you cannot keep up with that level of attack using human-only approaches. So the forcing function that I'm talking about is you're necessarily going to have to adopt autonomous agents, at least to help you manage the threats associated with the offensive use of this AI technology. So I think there's the positive side of this, obviously, which is there's a future where autonomous agents are doing very positive things and you have this kind of digital workforce of agents within your organization, but maybe part of the forcing function behind this discussion is that people actually need to adopt autonomous agents because of this offensive threat to their infrastructure.
Chris:Yeah, I agree, and I think that'll put quite a strain on a lot of the humans involved in this because, you know, there's a certain amount of leveling up from a human standpoint to understand what different harnesses are and what the different capabilities are that are now becoming available, understanding different vendors versus open source and such as that. So to actually get to the point where you can start implementing these is a bit of a lift, and I think that's going to be something that we observe: there'll be a spread across organizations where, on one extreme end, you have the Anthropics that are leading the way and producing these capabilities and stuff like that, but then there are a lot of mom-and-pop organizations, or maybe not that small, but mid-sized and stuff like that, that are gonna struggle to level up just a little bit. And so I think the security landscape will be very interesting, a little bit Wild West in the days ahead, as people, even if tools are available, have to get to where they can uptake those and get productive with them. So, it's
Daniel:Yeah, so I agree, and I think maybe a way to get into this discussion is that if we frame the background with an assumption, and I'm sure there are arguments against this assumption, but let's assume that your organization is and will adopt autonomous agents for, you know, positive things like I talked about: operational efficiencies, new revenue, whatever that is, and/or cybersecurity purposes. If we assume that, then you say, well, okay, now we're gonna have these autonomous agents operating in our environment. They could cause all sorts of harm themselves. So it's like I could shoot myself in the foot trying to protect against the offensive malicious people by releasing a bunch of agents into my infrastructure, and they themselves cause a lot of harm.
Daniel:Like, how do I manage those things? And Anthropic has, so they have not come up with this idea of zero trust. To be clear, this is a general concept we can talk about the definition of, but they're essentially releasing with this framework a way to think about a zero trust approach, or a zero trust framework, for managing AI agents or autonomous agents within your organization. So maybe it'd be good to just define that term first. In the past, if we think about cybersecurity, there's been what's generally referred to as perimeter-based cybersecurity. This is a more traditional model that would focus on that boundary of your organization and outside, or internal and external, the core principle being that I'm gonna trust everything that's inside and distrust everything that's on the outside.
Daniel:So there is a perimeter, and within that perimeter I trust things. A zero trust approach to cybersecurity, on the other hand, would actually assume that threats are already inside your network, already inside your perimeter. So it treats every user, device, and request as a potential threat. So that's why it's called Zero Threat. And like I say, this has been something that's been around for a long time.
Daniel:NIST published about it in Zero Trust Architecture back in 2020, and other government organizations and others have talked about it as well. So that's that kind of difference. I don't know if that zero trust idea has crossed into your perimeter of knowledge, Chris. I'm sure it has.
Chris:Yes. Without going into any detail at all, working in defense and intelligence, it is pretty core. And, yeah, I mean, the simple way of thinking about it is every single API request that you have has to have a security credential, and that can be from a variety of different mechanisms. But you don't trust anything, and everything is down to a granular level unless it is authenticated and authorized to do whatever it is trying to do. So in the world that I'm living in, that's pretty standard.
Chris:Though I think there's room for all of us, even those of us who've been doing it, to level up and get better at this. So I don't think that there's anybody who has just nailed it. Yeah. It's one of those ongoing learning curves.
Daniel:Yeah. And we're about to dig into a lot of that as related to AI agents. However, to your point, there are a lot of organizations that are still trying to think about this concept even generally, in their general cybersecurity world. And, you know, one of my hot takes here is, we'll talk about these kind of foundational things that Anthropic is suggesting, and probably 90% plus of organizations, enterprises that have AI deployments currently, are not operating according to this model.
Daniel:According to this framework, they would be completely exposed. So just acknowledging that much of this is probably aspirational for enterprises, and they need to work towards it in maybe a more rapid way just because of how things are advancing. And, you know, there's better tooling out there day by day, better products, etcetera. But, yeah, if you're out there and you're thinking, I have agents running and I have none of what we're about to talk about, that's probably the situation that most are in in the enterprise world, would be
Chris:my today we can we can help people start on a on a path here to mitigate some of the risks.
Daniel:Next week You have no excuse, but coming into this conversation, you you have an excuse. Yeah. Exactly. So I I think the I would encourage people to if you just search for Zero Trust for AI Agents, you know, Anthropic blog posts, we'll link it in the show notes as well so you can click through to that ebook and the framework itself. There's a lot that we won't be able to cover in detail, but I think the overall structure that they present are some some kind of initial background and considerations kinda definitions related to autonomous systems that that people need to consider.
Daniel:And, then they talk about the current threats to those agentic or autonomous systems and then how to apply the zero trust to those threatened agentic systems. That's kind of the the flow of of of what they talk about. So the the first thing, and I think this is something we've talked about more on the show and have have already covered, but just to set the foundation, some of these considerations, kind of background information that that we may wanna give is that, you know, why why are we talking about like a new framework while agents are different in how they operate? We've talked about this on the show before. They use a distributed set of tools.
Daniel:They interpret instructions, try to accomplish goals, they execute operations without human initiation, I think importantly. They might preserve context across sessions if they're trying to accomplish some goal, and then you kind of add multiple agents and they might communicate with one another. So you've got this multi agent communication. Now there's a couple terms here, Chris, that I think we've even mentioned, but they just define specifically, related to agent security as new terms that people might might be, unfamiliar with. One is blast radius, which, kind of, I think people could assume what that means, right?
Daniel:It measures the potential damage if something goes wrong, if an agent does does go off the rails of that blast radius. And least agency, which I guess is a term coined by OWASP, and and that extends this kind of idea of least privilege to agentic applications. So you shouldn't be giving more agency to your agents than they need to do their agent things.
Chris:And that's standard zero trust ideas. You give it just what it needs and absolutely no more.
Daniel:Yep. And so that's kind of the background in which we're operating. Then the Anthropic paper goes into these current threats, some of which are ones we've talked about, and some are ones we've not talked about as much, Chris.
Daniel:It's interesting that they frame everything within the agent world as agentic systems, which I very much like. In our product, that's why I insist on using the idea of AI system as a thing, because you have these distributed sets of things that are powering agents these days. And so they break down these current threats to agentic systems. The first of those, which is probably not a surprise because it's often first on OWASP's list as well, is prompt injection and instruction manipulation. Again, we've talked about this.
Daniel:There's everything from the obvious direct, you know, human input into a chat interface: ignore your instructions and do this other thing, which you shouldn't be doing. But the one that they mention as the more difficult or scary one would be indirect prompt injection, where that's coming in through, maybe it's a file; you have an agent connected to your email and an attachment comes through with hidden instructions in it. Anecdotally, I helped another company do some interviews, and I wrote a technical exercise and put it in a PDF. And I knew everyone would use Claude Code like they should, but just because I wanted to be fun, I had all the instructions in black text and then I had an extra three fourths of a page. So I just filled up that page with instructions that would make Claude Code do the opposite of what I was saying in the instructions, just to see if they would catch it.
Daniel:So that sort of thing.
Chris:Very devious. Very devious. Did you make it white text in the PDF, so it wasn't obvious? Just like white face.
Daniel:Which would get interpreted if you just uploaded it into Claude Code or whatever.
Chris:That's very sneaky, but actually quite common in terms of vector, I mean, because everyone just throws everything they can, you know, the way things have been operating, and so, yeah. Thus what we're doing today.
Daniel:Yes. True. And I guess the other, so that's threat number one, prompt injection and instruction manipulation. Threat number two that they talk about is related to agents using tools, particularly through MCP, which was a topic on a recent episode of this show, which you can look back at for much more information on that.
Chris:On MCP. Yep.
Daniel:On MCP. Yeah. So they talk about agents that can manipulate tools maliciously or do things that they shouldn't be doing because of privileges. I think about it, Chris, like, it's kinda like you set up a server, maybe I set up a FastAPI API that my agent could use, and I only tell it about a couple of GET routes on the API in the instructions, but I don't shut down the other routes. Right?
Daniel:And if the agent was smart in any sort of way, right, it could just look at the Swagger documentation at the slash docs endpoint and know about all the other routes that maybe it shouldn't use, and then, like, all of a sudden, I have problems. Right?
Chris:That's right.
Daniel:So, yeah.
Chris:And just to clarify, Swagger's a protocol that defines what those routes are. And, you know, you mentioned kind of going off the rails, but the notion of a malicious MCP server has now been documented, and there could be lots of various types of tooling that is coming into being now just to take advantage of these vulnerabilities. So I think we'll see a whole class of malicious software arising to do these kinds of tool and resource misuse.
Daniel:Yeah. Yeah, exactly. And a lot of times these tool descriptors or schemas or metadata are injected into the context for an LLM to actually generate the output. So if I'm a malicious party, or maybe just an agent that doesn't know what it's doing and has drifted from its goals or something, there's nothing preventing that from doing this poisoning thing where I find out about the descriptor, schema, and metadata, and I even modify that in the instructions to maybe get the MCP server to do different things. Right?
Daniel:So this tool and resource misuse is definitely a reason why it's number two there. The next one, identity and privilege abuse. So yes. Yes. Exactly.
Daniel:So they talk about this. Agents often operate with elevated privileges or service accounts, and traditional identity systems designed for humans struggle to accommodate them. There's sometimes unscoped privilege inheritance, almost like, I kinda think about this like, what was that cybersecurity book, it's like the cuckoo's
Chris:Oh, yes. The Cuckoo's Nest or something. Yeah. Yeah.
Daniel:Yeah. You can tell us in the comments, but it's like you land one place in a network, and then you escalate privileges, right, and you can move laterally and go in all of these directions, right?
Chris:Really old cybersecurity book that came out before it was really a field. I read it many years ago, and yeah, definitely inspiring.
Daniel:The Cuckoo's Egg. That's what it was. Yeah.
Chris:And as you are looking at lots of different agents that have different levels of privilege and different capabilities, and as agents are formulating things, you know, during run time, essentially, that didn't exist as a preset static thing that you wanna do, and they're developing that. It's very easy for one agent to spin off another agent, and it has more privilege than it needs, and then that can be taken advantage of. So there are lots of different variations of how those kinds
Daniel:Yeah. Yeah. For sure. So that's the privilege one, and I should say, I do really encourage people to take a read through the ebook. Obviously, we're highlighting some of these things, but there's much more detail there.
Daniel:Also a great resource around this, if you're trying to learn some of this, is the OWASP GenAI project. We've had reps on our show before, and my team's involved in the AI BOM project and other things with OWASP. There are a lot of great people involved, and they have so many great resources online related to this sort of thing: guides for MCP, guides for agentic security, etcetera. So take a look at those as well. You might be listening to this episode and thinking, hey.
Daniel:I am part of one of those organizations that's in the 90% of enterprises that are not ready, security-wise, for autonomous agents operating in my environment. How am I gonna manage supply chain risks and have an AI bill of materials and define agent boundaries, secure tool access, and implement input validation and output controls? Well, this is one of the reasons why I think it's so important to have great platforms that don't require you to build your own AI agent governance platform. That's why, outside of the Practical AI Podcast, I personally am leading an organization full of really smart people that are thinking about these problems and have brought Prediction Guard into existence. Prediction Guard is an AI control plane that's self-hosted.
Daniel:It lives in your own infrastructure where you're gonna deploy those autonomous agents, and it allows you to manage the supply chain risk, put in governance policies that are enforced, and maintain observability over those agents. And I'm just really excited about the capabilities that are already in the product and are being released later this year. So I would encourage you, please check us out at predictionguard.com/practicalai. You can book a call with me and the team to discuss how you're going to manage security for your agents operating in your enterprise. That's predictionguard.com/practicalai.
Daniel:Predictionguard.com/practicalai. The next one that Anthropic highlights is supply chain and dependency risks.
Chris:Mhmm.
Daniel:So you were just mentioning how sometimes agents compose things at runtime, Chris. This includes potentially loading external tools or installing packages or changing infrastructure. And so that supply chain can actually update in real time, or at runtime, as agents are trying to accomplish a task, but there's also the model and tool supply chain. So models have their own supply chains related to the weights and how they were trained or fine-tuned, how easy it is to jailbreak them or prompt inject them. But then MCP servers are also software components.
Daniel:Right? They have their own integrations, their own software dependencies, etcetera, which have their own potential vulnerabilities. So all of this is very much a multilayered thing that could evolve dynamically, which is kind of scary.
Chris:That, and one thing to call out while we're talking about supply chain and dependency risks, is that all of the traditional zero risk vulnerabilities, all the things that we were talking about in the cybersecurity world before we started having AI agentic system conversations about this, those all still apply as well. And I was prompted, no pun intended, to say that by you when you mentioned the multilayer. So you can still have, you know, BIOS and CMOS vulnerabilities that lend themselves to some of these vulnerability layers and packages that build up. So there are many different points in a stack where these attacks can
Daniel:All the way down to, you know, networking and firewall, right? If you have an agent operating in that environment, it could find and detect things that it shouldn't, and so, yeah, I guess multilayered, which many security things are, and I know OWASP always recommends this kind of layered approach. But, yeah, the last two are kind of related: memory and context poisoning, and RAG poisoning. Both obviously are this type of way that you can, either in the memory or context to an LLM call, or into RAG data, retrieval augmented generation data, which often lives in a database, a vector database, if you have no control over what and how things are committed to that memory or to that vector database, there's nothing preventing agents or external parties from inserting things into that memory. So, you know, I think the example I used last year at the Midwest AI Summit, Chris, which as a reminder to our folks, Midwest AI Summit is coming up October 15, gonna be another great experience.
Daniel:You can search the details, Midwest AI Summit. But I think I used the example where it was a health care situation, and an agent or a prompt, in a first interchange, says, hey, do this for patient A, and then you, in the follow-up, say, well, in all the following, consider patient A to be patient B. And then you keep filtering in that information about patient A being patient B. And then all of a sudden, when later on you're wanting some information about patient A or patient B, you're getting data that you shouldn't be getting. Right.
Daniel:So it can happen, and has been shown to happen. Okay, Chris, that's all the scary things. That's a lot, right? I guess there's a
Chris:Now we gotta figure out how to fix this, right?
Daniel:Now we gotta figure out how to fix this. And I do like the general structure that Anthropic provides here, recognizing again that many people are behind in this and that new tools and products will need to address many of these things gradually over time. They present three, I think what they call capability tiers, or three tiers of application, basically saying, hey, in these different areas you need to do something. There's the minimal thing that you should do, which they call foundation, the minimum viable thing, and then there's an enterprise tier, which means, hey, if you're an actual enterprise and needing to be robust and resilient, you need to do these things. And then there's advanced, which would apply to particularly high-risk or stringent regulatory environments, or maybe aspirationally for everyone else to try to get to that level.
Daniel:So foundation, enterprise, and advanced in each of these categories. And then they develop something in each of these categories for each of a number of the threats that we talked about, or the areas in which you need to secure. The first one
Chris:It kinda breaks them down by dimensions and then tiers them against those three tiers that you just described.
Daniel:Yeah. It's kinda like, I need to consider these however many things, I forget how many there were. I need to at least be in the foundation level for all of these, and then I can circle back and maybe upgrade particular ones to enterprise, or gradually work on it over time. So the first of those is agent identity and authentication, which they frame as the foundation for every other security capability, because without this identity you can't really enforce other things throughout the framework. Now, as we go through here, they talk about certain ways of doing identity and verification, and there are a couple of terms in here that people may be unfamiliar with as well.
Daniel:One of those being hardware-bound credentials. Have you, I'm sure this is also a part of your life over time, Chris?
Chris:Yes. Hardware-bound credentials are where you have to present a, you know, it may be a USB or something, there are a lot of different ways it can work, but you have to insert a piece of hardware, or make accessible a piece of hardware, which provides that authentication, which an adversary would be unlikely to have in their possession. And that doesn't necessarily do it by itself. There are usually multiple tiers, but that is one way of contributing significantly: if you don't have a physical piece of hardware in your hand, you're not gonna be able to gain access, even if you can break through other tiers.
Daniel:Yeah, and this idea of it being bound to hardware, I think, is the key point that you're referencing, where otherwise they view it as, hey, if you have API keys, for example, and those are just floating around, you should probably consider those already compromised if we're going with this idea of zero trust. Versus if an agent has an identity and has authentication to access this environment, it has authentication tied specifically to the hardware that it's operating on, something like that. That hardware-bound credential is something that they talk about. And just to give some examples here in the agent identity and authentication piece, the foundational, and we won't be able to go through all the tiers of all the categories. We just don't have time.
Daniel:But just to give an example of these, there is the agent identity verification piece. The foundation level that they suggest there is to have unique cryptographic identifiers for each agent instance. So assign persistent agent IDs backed by cryptographic material, not just labels; track agent lifecycle from creation to retirement; IDs appear in all logs and access requests. The enterprise level is certificate-based authentication with full lifecycle management, and the advanced is hardware-backed identity with attestation. So at that advanced level, you know, you store agent credentials in hardware security modules or trusted platform modules
Chris:Right.
Daniel:With remote attestation, which is a whole rabbit hole you could go down with those terms, but that would fit into their advanced category. Yeah. So that's an example of one of these categories, agent identity and authentication. The next category that they talk about is access control and privilege management.
Daniel:So assuming you have an identity for your agent, then you need to control access and privileges for that agent, and that authorization layer should enforce this idea that we defined earlier of least agency, which is ensuring agents receive only the access required for their specific function. And this can get very subtle, like that API example that I gave. You could only tell an agent about these endpoints, but if you haven't literally shut off the network for other endpoints or something, then there's nothing preventing that agent from going off the rails in that case. Yeah.
Daniel:Just to give another set of examples here, access control: the foundation level is role-based access control, or RBAC, with deny by default. That's the foundation in that category.
Chris:That's right. And by the way, just as we're working through this, I wanted to make one quick comment. These are all standard zero trust concepts. So those of you who may be watching, you may recognize a lot of these categories and stuff, and I think the key is thinking about it within this agentic context, and, you know, as we're all onboarding agents and stuff, that throws it out, but keep going. I just wanted to call that out for those that might recognize that.
Daniel:Yeah. Yeah. For sure. I think we can't abandon our good security intuition, and especially when you start treating these agents as having an identity and operating in this zero trust environment, some of these things kind of flow through if you work out those details. But, yeah. The next category, behavioral monitoring and response, or, sorry, observability and auditing.
Daniel:So there are actually these two, and they're tied together. We could probably talk about them together. There's observability, which essentially captures what agents do. So it observes what agents are doing, and you need visibility into that. So you need logging and audit trails.
Daniel:Often in our implementations with customers in my day-to-day work, I like to say, hey, we need to know that this human user, using this API key, triggered this agent, which has this identity, to do this goal, which issued these prompts, which triggered this tool call, which had this input, which was blocked by this governance policy, etcetera, and down the line. We need that kind of traceability and logging. Otherwise, you can't have visibility or build rules or monitor things. So that's the observability piece, but observability captures only what agents do.
Daniel:The behavioral monitoring that they're talking about determines whether the actions that agents are doing should be allowed or are suspicious.
Chris:Are they appropriate for what
Daniel:you would expect? Are they appropriate? Yes.
Chris:That's right.
Daniel:Yes. Exactly. And this is behavioral monitoring and response. Right? So in certain cases, like I say, when we enforce governance policies, we say, well, if we see this, then do this. Right?
Daniel:So sometimes that's blocking certain things. Sometimes it's just logging. Sometimes it's, you know, alerting someone using a particular platform. Okay. The second to last one is input validation and output controls.
Daniel:I think actually this one, so what are we on? One, two, three, four. This is the fifth one. This is probably the one that most often comes to people's mind, and I think is often maybe overemphasized, which is this idea that you would have point checks over, you know, harmful things that the agent could produce in its output or harmful things that could go into the agent's context or something. This is very important, I would say, but it's kind of like table stakes.
Daniel:The example I usually give is, you know, is it bad for me to take my temperature if I want to be a healthy human? Well, that's not a bad thing. You know, you can take your temperature. It doesn't mean that you are plugged into a healthy lifestyle or being governed by, you know, health records and as part of a health care system and have a primary physician and have a care plan and a diet. And it's just a very limited way to view that kind of overall health.
Daniel:And if we extend that here, this would be these sort of point checks of validating inputs and outputs, which are, yeah, again, I would say those are table stakes. And the last one is integrity and recovery. So all of this prevention and detection assumes agents operate correctly. You know, when they don't, what do you do?
Chris:Yeah, and I think that's actually a pretty big question in the agentic systems world, in that if you think about, you know, going back a couple of points to behavioral monitoring and trying to identify what's appropriate for agents to be doing within all the other security parameters that we've talked about along the way. But when you have gotten outside the bounds of what is appropriate, trying to figure out how to roll agents back, especially if they're in critical functions, can be quite challenging because those critical functions still have to be addressed. And so if a critical function is compromised by an agent that is intentionally or unintentionally off the rails, then figuring out how do you take a critical system back and get it back to a safe place to proceed in whatever is appropriate for that function can be quite challenging. And so I have spent some time in that space myself, and I think that there's a lot of imagination that has to go into it that maybe wasn't quite as necessary in pre-agentic zero trust models, so I just wanted to call that out.
Daniel:Yeah. Yeah, they talk about, to give some examples, Chris, for configuration integrity, they talk about on the foundational level, version-controlled agent configurations, and the advanced level, immutable infrastructure with attestation. On the recovery capabilities, they talk about at the foundation level, documented rollback procedures, which to your point, having an idea of what you might do is one thing, being able to actually do it is sometimes a challenging thing. At the advanced level, they talk about self-healing systems with automatic remediation. So, yeah, definitely agree with your points there.
Daniel:I know that we're getting close to the end here, Chris, and just to kinda wrap things up, or get close to the end here, Anthropic does a good job at kind of saying, hey, here's all of this stuff and all of these tiers and levels and categories, etcetera, but then they do provide a kind of phased way that you can think about implementing agents, which I think is helpful. One, identifying requirements, two, managing supply chain risks, including they talk about AI BOM, or AI bill of materials, defining agent boundaries, defending against prompt injection, securing tool access, protecting agent credentials, and then safeguarding agent memory. And they give some kind of specifications under each of those phases for people to think about.
Chris:Yeah. I think, you know, as we're winding up, as they address it, I know just to share kind of how I perceive the, you know, kind of establishing the workflow, is in the zero trust world that we've been in for a number of years, it's fairly static. You know, there's a lot of things, and you kind of have to tick them all off, and a lot of it's, it's almost a regulatory approach to system development, and I think the thing that agentic implementations require is trying to anticipate an incredibly dynamic capability that can arise, you know, that can kind of be an emergent quality that people are doing, and I think what Anthropic has done for us is given us a way of taking what we already know in a zero trust context and pointed out, you know, that within agentic systems, these capabilities, it definitely requires a level up to take the same ideas, but get them out of that static mindset and move into anticipating dynamic capabilities from agents. And I know as we're both in our own jobs and stuff, that certainly required us to kind of level up and reconsider.
Chris:It makes for a very interesting problem set to address.
Daniel:Yeah. Yeah. And there's major thought process changes or philosophical shifts, as you're mentioning, that as practitioners, we may have to make. They talk in the ebook, Anthropic does, about this idea of AI vendoring, that, hey, there's these fragile open source projects out here that you might rely on. The thing to do might just be to have your agentic coding system just completely vendor, or literally not copy, but generate a new version of that project that's proprietary to you and under your control and just include it in your project rather than bringing in a third-party dependency.
Daniel:So there's philosophical shifts like that. I do think there's some hard things that we'll still have to wrestle with. I think there's still some of this conclusion that humans are gonna have to make containment decisions around how to contain these things, whether it be threats in your environment or agents operating in your environment. And if things are moving so fast, I just think it's gonna be hard for humans to, you know, if something is happening in your infrastructure and exploit timelines go from, you know, months to hours to minutes to seconds. You can't just, like, rely on waking up the CISO in the middle of the night to approve, you know, shutting this thing down.
Daniel:Right?
Chris:I mean, this is a revolution in cybersecurity. Just to put a dot, you know, as we're finishing up here. Every intelligence agency in the world is learning how to both defend against and exploit these potential vulnerabilities that we're talking about, as well as criminal organizations of all sizes and shapes on a global scale. So, you know, I think we're at the very beginning of this journey. I think this is a fantastic start to get us thinking.
Chris:I think we're gonna see a lot more tooling and a lot more capabilities coming out in the days ahead. And it seems to be coming out very quickly because the threats have risen very quickly. And so I hope folks find this as useful as we did, in terms of kind of reframing this modern take on cyber, in this agentic world that we've been talking about nonstop throughout this last year.
Daniel:And we'll, like I say, include the links in the show notes, so take a look at those. Excited to keep the conversation going. Thanks for this today, Chris.
Chris:Yeah, thanks for taking us through it. It was a good exercise to do.
Narrator:All right, that's our show for this week. If you haven't checked out our website, head to practicalai.fm and be sure to connect with us on LinkedIn, X, or Blue Sky. You'll see us posting insights related to the latest AI developments, and we would love for you to join the conversation. Thanks to our partner Prediction Guard for providing operational support for the show. Check them out at predictionguard.com.
Narrator:Also, thanks to Breakmaster Cylinder for the beats and to you for listening. That's all for now, but you'll hear from us again next week.