Principles Applied

Never trust, always verify. Least privilege by default. Explicit verification per request. Continuous monitoring. The NIST SP 800-207 zero-trust principles apply as cleanly to AI agents as they do to users and services. The 2026 distinction is that the agent itself is now a first-class identity boundary — a Salesforce Agentforce bot, a custom LangGraph orchestrator, a Microsoft Copilot agent, a CrewAI fleet — each with its own credentials, scopes, and audit trail. Treating agents as “part of the platform, so trusted” is the failure mode that fed the 2025 breach disclosures from at least three Fortune 500s.

Agent Identity

Every agent must have a verifiable identity, with per-agent credentials rather than shared service accounts. Use mutual TLS between agent and tool services wherever the platform supports it (Salesforce Hyperforce private connect, AWS PrivateLink, Azure Private Endpoint). The 2026 best practice is short-lived JWT tokens scoped to the specific tool surface and the on-behalf-of user, refreshed every 5-15 minutes. The OAuth 2.1 device-code-style flow is deprecated for agent-to-service use; client credentials with workload identity federation (AWS IAM Roles Anywhere, Azure Workload Identity, Google Workload Identity Federation) is the current pattern.

Agent identity record
agent_id:        agentforce-triage-emea
spiffe_id:       spiffe://crm.example/agent/triage-emea
purpose:         Tier 1 case triage, EMEA region
allowed_tools:   case.read, case.update_status, kb.search
forbidden_tools: case.delete, account.merge, opportunity.*
on_behalf_of:    invoking_user (intersected scope)
token_ttl:       10 minutes
audit_destination: splunk-prod, salesforce-event-mon
owner:           ciso-team

Continuous Verification

Token refresh on a short cadence is the baseline. Behavior baselining — UEBA tools (Microsoft Sentinel UEBA, Splunk UBA) extended to agents in 2025 — flags anomalous patterns: a triage bot suddenly reading 3,000 records in five minutes, a knowledge agent invoking a refund tool it has never used. Conditional access policies should evaluate context: the agent operating outside normal hours, against an unusual data classification, or via a new tool surface triggers step-up auth or human approval. The Salesforce Trust Layer, Okta Adaptive MFA, and Microsoft Conditional Access all support agent-aware policies as of late 2025.

Operational Reality

Zero-trust for agents adds friction. Balance security with usability or the org routes around the controls. Customer-facing agents that touch payment data, refund authority, or PII earn more friction than internal knowledge-base agents. Risk-weight your posture: a Tier 1 read-only triage agent does not need the same controls as a refund-authorizing agent. Document the risk decision per agent in a register the CISO and the business owner both sign.

Common Failure Modes

The dominant failure is treating the LLM as a security boundary — the model is not a security boundary, it is a probabilistic text generator that will follow injected instructions if the policy enforcement point trusts it. Push enforcement downstream. Second failure: inheriting the invoking user’s full permissions instead of an intersected, minimum-necessary subset. Third: logging prompts but not retrieved context, which makes incident reconstruction impossible. Fourth: forgetting that the agent’s vector store and prompt cache are themselves sensitive — an exfiltrated embedding can be reversed enough to identify the source data.
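The identity record above, the short-token and behavior-baseline checks under Continuous Verification, and the "push enforcement downstream" point here come together in a policy enforcement point that sits outside the model. The following is an added illustration, not code from any vendor or from this article; the agent record values, the token shape (`sub`, `exp`) and the 3,000-records-in-five-minutes threshold are assumptions taken from the text.

```python
import fnmatch
from collections import deque

# Constructed agent identity record (same fields as the record above; hypothetical values).
AGENT = {
    "agent_id": "agentforce-triage-emea",
    "allowed_tools": {"case.read", "case.update_status", "kb.search"},
    "forbidden_tools": ["case.delete", "account.merge", "opportunity.*"],
}

def _matches_forbidden(tool: str) -> bool:
    # forbidden_tools may contain wildcards such as opportunity.*
    return any(fnmatch.fnmatchcase(tool, pat) for pat in AGENT["forbidden_tools"])

def effective_tools(user_scopes: set) -> set:
    """Agent allow-list intersected with the invoking user's scopes, minus forbidden entries."""
    return {t for t in AGENT["allowed_tools"] & set(user_scopes) if not _matches_forbidden(t)}

class RecordRateBaseline:
    """Sliding-window counter: flags a burst of record reads (assumed limit: 3,000 in 5 minutes)."""
    def __init__(self, limit: int = 3000, window_s: int = 300):
        self.limit, self.window_s = limit, window_s
        self.events = deque()  # (timestamp, record_count)

    def observe(self, ts: float, records: int) -> bool:
        self.events.append((ts, records))
        while self.events and self.events[0][0] < ts - self.window_s:
            self.events.popleft()
        return sum(n for _, n in self.events) > self.limit  # True means anomalous

def authorize(token: dict, user_scopes: set, tool: str, records: int,
              baseline: RecordRateBaseline, now: float) -> tuple:
    """Policy enforcement point evaluated per request, after the model has chosen a tool call."""
    if token.get("sub") != AGENT["agent_id"]:
        return False, "token not bound to this agent"
    if token.get("exp", 0) <= now:
        return False, "token expired; refresh required"
    if _matches_forbidden(tool):
        return False, "tool is on the agent's forbidden list"
    if tool not in effective_tools(user_scopes):
        return False, "tool outside intersected agent/user scope"
    if baseline.observe(now, records):
        return False, "record-read rate exceeds baseline; step-up required"
    return True, "allowed"
```

Every denial reason is a candidate audit event; in practice the reason string and the tool name go to the SIEM destinations named in the identity record.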

What Changed in 2026

Three shifts have hardened practice: MCP standardization made every tool surface a first-class attackable interface; the OWASP LLM Top 10 v2 (2024) is now treated as the baseline checklist; and the EU AI Act conformity assessment regime requires documented technical measures for high-risk systems by August 2026. Map your CRM AI use cases to Annex III now to determine your timeline.

Implementation Sequence

A defensible 90-day sequence: weeks 1-3, inventory every agent and its credentials; weeks 4-6, replace shared accounts with per-agent JIT tokens; weeks 7-9, push policy to OPA or platform-native rules at the service layer; weeks 10-12, wire SIEM telemetry and run a tabletop. Most teams skip the inventory and never finish.

What to do this week

Pick one agent in production. Produce its full call graph: identities used, tools accessed, data classifications touched, audit destinations. If the diagram takes more than two days, that gap is the most important finding of the quarter.
