Back to Blog

Zero Trust for AI Agents

A capability map for Anthropic’s framework — and where Stratium delivers each piece in production today.

May 30, 2026

TL;DR

  • Anthropic’s Zero Trust for AI Agents is the most prescriptive framework any frontier-model vendor has published for securing autonomous agents in the enterprise. It defines three capability tiers — Foundation, Enterprise, Advanced — and names the controls each tier requires.
  • The framework explicitly prescribes cryptographic agent identity, short-lived tokens, RBAC graduating to ABAC, continuous authorization, JIT/JEA privilege scoping, identity-based isolation, immutable decision logs, behavioral baselines, and policy-as-code. Read the list twice; it’s Stratium’s product page in capability form.
  • This post walks the framework section by section and shows, for each capability Anthropic names, what Stratium delivers and which tier the implementation targets. The takeaway: Anthropic’s framework is not a forecast. It’s a buyer’s checklist, and the architecture that meets it already exists.

Why This Document Matters

On May 18, 2026, Anthropic published Zero Trust for AI Agents: A security framework for deploying autonomous AI agents in the enterprise. Most vendor security guidance for agentic systems to date has been principled but soft — layered recommendations, design heuristics, things to consider. This document is different. It names specific capabilities, assigns them to tiers, and applies what the authors call the “impossible vs. tedious” test to every control:

“Does this make the attack impossible, or just tedious? Mitigations whose value comes from friction rather than a hard barrier… degrade significantly against an adversary that can grind through tedious steps at scale.”

That test runs through every recommendation in the framework, and it’s the right test. Agentic adversaries have unlimited patience and near-zero per-attempt cost. Rate limits, pivot hops, and SMS-based MFA stop being controls and become inconveniences.

What survives the test, per the document, are hardware-bound credentials, expiring tokens, cryptographic identity, and network paths that don’t exist rather than paths that are merely inconvenient. Stratium has been building the policy decision layer that sits on top of exactly that substrate. The rest of this post is the side-by-side: Anthropic’s named capability, what Stratium delivers, which tier it targets.

1. Agent Identity and Authentication

The framework opens its implementation guidance with identity, and it’s explicit about why: “Without verifiable identity, you cannot enforce access controls, maintain audit trails, or attribute actions to specific agents.” Anthropic raises the Foundation floor — unique IDs are not enough; the identifiers must be cryptographically rooted. Enterprise adds X.509 lifecycle management. Advanced adds hardware-backed identity with attestation.

Anthropic’s Prescription

Every agent gets a unique, cryptographically rooted identity that persists across actions and appears in every log line. Service authentication moves to short-lived, identity-provider-issued tokens (OAuth 2.0 baseline), with mTLS + cert pinning at Enterprise and hardware-bound credentials at Advanced.

What Stratium Delivers

Every agent is a first-class Non-Person Entity (NPE) with its own cryptographic identity record — owner, purpose, allowed tools, allowed data classes, expiration. The identity is the foundation Stratium policy decisions read on every call. Short-lived, action-scoped tokens minted just-in-time replace standing service-account credentials.

2. Access Control and Privilege Management

This is the section that maps most directly onto Stratium’s core architecture. Anthropic’s tier table for permission models is unusually explicit:

Foundation

RBAC with deny-by-default — “treat this as a starting posture, not a destination.”

Enterprise

Attribute-based access control (ABAC) with context-aware policies. Time, location, data sensitivity, and risk score all flow into the decision.

Advanced

Continuous authorization with real-time policy evaluation — “Evaluate authorization at each action rather than session start.”

Anthropic names ABAC and continuous authorization explicitly as Enterprise and Advanced tier baselines. The privilege-scoping section reinforces this with Just-In-Time (JIT) and Just-Enough-Administration (JEA) at the Advanced tier — permissions granted at moment of need, scoped to specific resources, automatically revoked on completion.

Where Stratium fits: the Stratium policy decision engine is the Enterprise-and-Advanced implementation of this section. Every agent action passes through an externalized decision point that reads subject attributes (which agent, owner, purpose), resource attributes (production vs. sandbox, regulated class, sensitivity), action context (current task, recent activity, source surface), and returns allow, deny, or require_approval per call. Authorization is evaluated at each action, not at session start. That’s Anthropic’s Advanced tier, in production today.

3. Resource Boundaries and Identity-Based Isolation

The framework makes a sharp call here: identity-based isolation is the primary control, not network segmentation. Anthropic’s exact words: “Every workload carries its own cryptographic identity, and each service accepts connections only from the specific callers its policy names.”

Network segmentation is described as a backstop. Sandboxing is treated as table stakes for any agent that processes untrusted input. Hardware isolation (AMD SEV, Intel TDX, confidential computing) is the Advanced ceiling.

Anthropic’s Prescription

Cryptographic identity per workload. Services accept connections only from policy-named callers. Network segmentation as backstop. Sandboxed execution mandatory for agents processing untrusted input.

What Stratium Delivers

The Stratium decision plane is what services consult to determine whether a specific calling NPE is authorized for a specific action against a specific resource — the operational implementation of “accept connections only from policy-named callers,” applied at every API, MCP server, tool handler, and sub-agent boundary.

4. Observability, Auditing, and Traceability

Anthropic prescribes three tiers of action logging: comprehensive logs at Foundation, immutable cryptographically-verifiable trails at Enterprise, real-time SIEM streaming with correlation at Advanced. For traceability: request IDs at Foundation, distributed tracing at Enterprise, full provenance chains at Advanced.

The document also names two metrics worth measuring before anything else: dwell time (anomaly to human awareness) and coverage (fraction of alerts investigated).

Anthropic’s Prescription

Every tool invocation, data access, and external communication logged with agent identity and request context. Immutable, append-only storage at Enterprise. Real-time SIEM correlation at Advanced. Full provenance chains supporting algorithmic explainability for regulated industries.

What Stratium Delivers

Stratium emits a decision stream: every allow, deny, and require_approval as a structured event with subject identity, action, resource, attributes consulted, rule ID, and outcome. The stream is the agent behavioral audit and the incident reconstruction surface, streamed into your existing SIEM. Why was this allowed? becomes a single-query answer.

5. Behavioral Monitoring and Anomaly Detection

The framework moves from logging to behavior: establishing baselines (manual at Foundation, statistical learning at Enterprise, continuous drift detection at Advanced), then detecting anomalies (thresholds at Foundation, statistical methods at Enterprise, ML-based contextual analysis at Advanced).

Anthropic makes a pointed observation worth quoting:

“Knowing what ‘normal’ looks like for an agent… gives you a behavioral attribute for ABAC-based access control, letting you flag or restrict requests that fall outside established patterns.”

That sentence is the bridge: baselines become attributes the policy engine reads. Behavioral monitoring isn’t a separate system; it’s an input to the authorization decision.

Anthropic’s Prescription

Establish behavioral baselines, detect deviation, feed both into authorization decisions. Automated response that contains damage at machine speed for high-confidence threats.

What Stratium Delivers

Behavioral signals become first-class attributes in Stratium policy. An agent operating outside its established baseline is a subject attribute the decision engine reads on the next call — automatic deny or step-up gate, depending on policy. The same engine that authorizes routine actions detects and contains anomalous ones, without a separate system.

6. Input Validation and Output Controls

Anthropic’s tier table for input sanitization moves from basic schema validation through pattern matching to constitutional classifiers and spotlighting at Advanced. Output controls graduate from pattern-based PII filtering to semantic analysis to human-in-the-loop approval for high-risk actions.

The HITL recommendation deserves attention because it’s where authorization, behavioral signals, and resource classification converge: require human review before executing actions with significant consequences.

Anthropic’s Prescription

Multi-layer input validation, constitutional classifiers and spotlighting at the Advanced tier. Output filtering by pattern and semantic analysis. Human-in-the-loop approval as a control on high-risk actions.

What Stratium Delivers

HITL is encoded as a decision outcome (require_approval) returned by the policy engine when resource class, action severity, and current context trigger it. One encoding, every orchestrator reads it, the approval is satisfied by an event the agent cannot self-generate. This is the operational form of Anthropic’s Advanced-tier output control.

7. Configuration Integrity and Recovery

Anthropic ends the technical capability tour with configuration integrity (version control at Foundation, signed configs at Enterprise, immutable infrastructure with attestation at Advanced) and recovery (documented rollback, automated rollback with health checks, self-healing). The key claim: “If you cannot reliably roll back to a known-good state, no amount of automation will save you.”

Anthropic’s Prescription

Treat agent configurations with the same rigor as application code — version-controlled, signed, attested. Rollback procedures automated and tested.

What Stratium Delivers

Stratium policies are versioned artifacts — reviewed, simulated against production traces, deployed through the same pipeline as application code. The rule the engine evaluated on May 30 is a specific, retrievable, signed policy version. Rollback to any prior policy is a single operation.

8. AI Governance Policies

The framework closes its capability tour with governance: documented acceptable-use and incident-response policies at Foundation, formal governance frameworks with cross-functional oversight at Enterprise, continuous policy enforcement with automated compliance checking at Advanced.

The Advanced-tier description is the most direct echo of Stratium’s positioning anywhere in the document: “Integrate policy checks into deployment pipelines. Implement automated detection of policy violations. Maintain audit trails of governance decisions.”

Anthropic’s Prescription

Move policy enforcement from periodic reviews into automated checks embedded directly in deployment pipelines. Maintain governance audit trails. Address Shadow AI before it bypasses every control in the framework.

What Stratium Delivers

Policy lives in code, gates merges, runs in CI against production agent traces, and produces a continuous compliance signal the governance committee can read in real time. Authorization coverage becomes a reportable metric: X% of consequential agent actions evaluated by externalized policy.

The “Impossible vs. Tedious” Test, Applied

Anthropic’s strongest contribution is the design test it runs through every recommendation: does this make the attack impossible, or just tedious? Stratium passes this test by construction in three specific ways:

Default Deny on Irreversible Actions

Policy refuses the destructive call by default. The attacker doesn’t grind through tedium — the path doesn’t exist. Reversibility cost is a first-class resource attribute the engine reads on every call.

Externalized Decisions the Model Can’t Reach

The policy engine sits outside the model and outside individual handlers. The model can’t reason its way past a control that doesn’t live in its context window, and a handler can’t skip a check that’s evaluated upstream of it.

Approval as an Event, Not a Request

HITL is satisfied by an event the agent has no path to generate. The approval is a fact in the system, not a string the model can produce. That’s impossible, not tedious.

Where the Framework Lands

Anthropic’s closing sentence is worth quoting in full:

“The organizations best positioned for this shift will not necessarily be the ones with the most advanced AI. They will be the ones whose fundamentals are strong enough that AI-assisted scanning finds fewer bugs in the first place, and whose agent deployments were architected for breach from day one.”

That’s the buying conversation. The framework reframes the question from which model is most capable? to which agent platform was architected for breach from day one? And the architectural answer the document spells out — cryptographic identity, externalized attribute-based decisions, continuous authorization, short-lived credentials, default-deny on irreversible actions, signed and versioned policy artifacts, decision streams as the audit substrate — is exactly what Stratium ships.

Anthropic’s framework is principled, prescriptive, and tier-explicit. Stratium is the runtime that implements it. If your team is reading Zero Trust for AI Agents and treating it as a roadmap, we’d like to be on the call where you walk through which tier your current stack meets — and which capabilities are still on paper.

Further Reading

Read the framework. Then see the runtime that implements it.