Artificial intelligence has become cybersecurity's latest source of anxiety. Security leaders worry about autonomous agents, AI-powered attacks, model manipulation, data leakage, and a growing list of threats that seem to expand every week.
John Kindervag, creator of the Zero Trust Framework, sees things differently.
In fact, he believes organizations that have properly implemented Zero Trust already possess many of the controls needed to address the AI era.
"Zero Trust was made for AI," Kindervag said during a recent conversation at CYBR.HAK.CON.
That may sound surprising given that Zero Trust was first introduced years before today's explosion of generative and agentic AI technologies. Yet Kindervag argues that the framework's core principles align remarkably well with the challenges organizations now face.
AI Doesn't Change the Rules
Much of the current AI security conversation focuses on new tools, new products, and new detection capabilities.
Kindervag believes many organizations are looking in the wrong direction.
At its core, Zero Trust is not about products. It is about protecting assets through policy.
The framework starts from a simple premise: deny access by default and only grant specific permissions when a legitimate business need exists.
That philosophy remains effective whether the request comes from a human user, an IoT device, an application, or an AI agent.
In a properly implemented Zero Trust environment, unknown resources cannot simply introduce software, access protected systems, or move laterally across the environment.
The sophistication of the attack becomes less important because the policy itself limits what can occur.
For Kindervag, that principle is particularly relevant as organizations deploy increasingly autonomous AI systems.
Policy Matters More Than Technology
One of Kindervag's recurring themes is that cybersecurity has become overly focused on products.
Organizations purchase tools, deploy tools, and replace tools, often believing technology alone will solve security problems.
But even the best products can fail when policies are weak.
Kindervag argues that many major breaches stem not from technical shortcomings but from deliberate decisions that prioritize convenience over security.
Permissions are expanded to speed development. Access controls are loosened to avoid friction. Systems become more connected than they need to be.
The result is an environment where attackers encounter few barriers once they gain an initial foothold.
This problem becomes even more dangerous in the age of AI, where automated systems can exploit excessive permissions and weak controls at unprecedented speed.
The answer, according to Kindervag, is not necessarily more products. It is better policy.
The Case for Segmentation
The same philosophy applies to network architecture.
Kindervag has long argued that flat networks remain one of cybersecurity's biggest weaknesses. Once attackers gain access, they can often move freely through environments that were never designed to contain compromise.
That concern extends beyond traditional IT systems.
As organizations deploy connected devices, operational technology, IoT infrastructure, and AI-driven platforms, the number of potential pathways continues to expand.
Zero Trust addresses that challenge by focusing on protection surfaces, transaction flows, and segmentation. Rather than attempting to secure everything equally, organizations identify what matters most and build controls around those assets.
For Kindervag, that approach remains just as relevant today as when he first introduced the concept.
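To make the contrast between a flat network and default-deny segmentation concrete, the following added example (not from the article or from Kindervag) computes how far a compromise could spread from each foothold under both designs. All asset names and allowed transaction flows are constructed for illustration.

```python
from collections import deque

# Constructed inventory: every name below is hypothetical.
ASSETS = ["hr-laptop", "iot-camera", "ai-agent", "build-server",
          "model-api", "customer-db", "payroll-db"]

# Segmented policy: explicit allow rules for documented transaction flows.
# Anything not listed is denied, whatever kind of principal asks.
SEGMENTED_ALLOW = {
    ("hr-laptop", "payroll-db"),    # human user with a payroll business need
    ("ai-agent", "model-api"),      # AI agent may call its model endpoint
    ("model-api", "customer-db"),   # model API reads customer records
    ("build-server", "model-api"),  # deployment pipeline
}

def flat_allows(src, dst):
    """Flat network: no policy between assets, so every flow succeeds."""
    return src != dst

def segmented_allows(src, dst):
    """Default deny: a flow is permitted only if it is explicitly listed."""
    return (src, dst) in SEGMENTED_ALLOW

def blast_radius(foothold, allows):
    """Upper bound on assets reachable from a foothold by chaining allowed flows."""
    seen, queue = {foothold}, deque([foothold])
    while queue:
        src = queue.popleft()
        for dst in ASSETS:
            if dst not in seen and allows(src, dst):
                seen.add(dst)
                queue.append(dst)
    return seen - {foothold}

def report(allows):
    """Map each asset to the sorted list of assets reachable from it."""
    return {asset: sorted(blast_radius(asset, allows)) for asset in ASSETS}

if __name__ == "__main__":
    for name, allows in [("flat", flat_allows), ("segmented", segmented_allows)]:
        print(name)
        for asset, reach in report(allows).items():
            print(f"  {asset:13} -> {len(reach)} reachable: {reach}")
```

Under the segmented policy the AI agent still reaches `customer-db` through `model-api`, which is why allow rules should be reviewed for what they permit in combination, not only one at a time.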
AI may be transforming the technology landscape, but it has not changed the fundamentals of security.
Organizations still need to know what they are protecting. They still need to control access. And they still need policies that prevent systems from doing things they were never authorized to do.
The tools may evolve. The principles, Kindervag argues, have not.

