Anthropic Defined the Framework. Runtime Authority Enforces It.

A control-by-control mapping of Anthropic’s Zero Trust Framework for AI Agents and how Akeyless Runtime Authority enforces it in production.

More than two-thirds of organizations suspect AI agents have already accessed data beyond their intended scope, according to the 2026 State of AI Agent Identity Security report. That finding highlights a growing reality: as AI agents move from answering questions to executing actions, security teams need more than authentication and access control.

To address this, Anthropic recently published a Zero Trust Framework for AI Agents, which defines the controls autonomous systems require. The framework provides an important reference model. The challenge now is enforcing those controls at runtime. Runtime Authority provides the enforcement layer that turns those principles into operational controls.

The Security Question Has Changed

A year ago, most organizations were asking how to secure AI agents. Today, many enterprises have already moved beyond the proof-of-concept stage. AI agents are being trusted with operational tasks that directly affect production systems, customer data, cloud infrastructure, and business workflows. Security teams are now asking a more practical question:

We have AI agents in production. How do we control them?

This question becomes even more important as the industry moves toward increasingly autonomous and persistent AI systems. Initiatives such as Anthropic’s Mythos highlight a future where agents retain more context, operate across longer time horizons, and take on greater responsibility for business processes.

This shift changes the security model entirely.

The first generation of enterprise AI primarily generated content and answered questions. Mistakes meant incorrect results. Modern autonomous agents are different. They can modify records, trigger workflows, access sensitive systems, and perform actions that have real operational consequences.

Traditional identity and access controls were not designed for this reality. They authenticate identities, grant access, and audit activity after the fact. They do not continuously govern behavior while autonomous systems are actively operating. As AI agents become operational actors, enterprises require continuous runtime governance, not simply access control. Anthropic’s Zero Trust Framework for AI Agents reflects this reality, recognizing that autonomous systems require continuous authorization, constrained access, runtime controls, and complete traceability long after the initial authentication decision has been made.

The Test That Matters: Impossible or Merely Tedious?

One of the most valuable ideas introduced by the framework is a simple design principle:

Does a security control make an attack impossible, or does it merely make it more difficult?

Many traditional controls create friction. Credential rotation, network segmentation, rate limits, and additional authentication layers can increase the effort required by an attacker.

But autonomous systems operate at machine speed. Attackers increasingly do as well. Friction alone is rarely sufficient.

The strongest controls remove capabilities entirely.

Credential rotation is a useful example. Rotation reduces the window of exposure, but it does not eliminate the credential itself. The stronger control removes the credential from the agent entirely. If the agent never possesses a secret, there is nothing to steal, nothing to search for, and nothing to leak. The same principle applies to network access. Segmentation makes lateral movement more difficult; eliminating the network path altogether makes it impossible.

This distinction becomes particularly important for AI agents because agents operate autonomously and continuously. Security controls must be capable of enforcing boundaries even when there is no human actively supervising the process.

This philosophy sits at the core of Runtime Authority.

Why Traditional Agent Security Falls Short

Many organizations still rely on machine-to-machine security models built around static API keys, service accounts, stored credentials, and role-based permissions. These approaches were not designed for autonomous systems.

When agents hold credentials, those credentials become targets. They may be exposed through prompts, logs, code repositories, runtime environments, or downstream integrations. Even frequent rotation does not eliminate the underlying risk because the credential still exists. Direct connectivity creates a similar problem. Every database, cloud service, or internal system an agent can reach becomes part of the attack surface.

Traditional authorization models introduce another limitation. Role-based access control can determine whether an agent is allowed to access a resource, but it cannot evaluate whether the action itself is appropriate in context. An agent that is authorized to access a database may still attempt a destructive action that conflicts with its intended purpose.

As AI agents take on greater operational responsibility, security must move beyond controlling access and begin governing execution.

What Runtime Authority Looks Like in Practice

Akeyless Runtime Authority extends Modern Privileged Access Management into AI workflows by operating as an intent-aware enforcement plane between every agent and every target system.

Every agent action passes through the Akeyless Gateway, creating a mandatory control point where identity, policy, authorization, inspection, and auditing are enforced in a single path.

The architecture is built around six reinforcing controls.

  1. Zero credentials on the agent side. Short-lived dynamic credentials are generated only when required and injected directly into brokered sessions. Agents never possess secrets, API keys, passwords, or tokens.
  2. Zero direct connectivity to target systems. Databases, cloud services, SaaS platforms, Kubernetes environments, and legacy systems are only accessible through the Gateway. This removes opportunities for lateral movement and creates a centralized enforcement point.
  3. Full command-level control. Governance extends beyond the initial login event and applies to every action executed during the session.
  4. Intent-aware policy enforcement evaluates the purpose behind a request before any credential is issued. Policies assess whether the requested action aligns with the originating prompt and approved operational objectives.
  5. In-session inspection and response masking prevent sensitive information from unnecessarily entering an agent’s context window. Regulated data, customer information, financial records, and secrets can be masked or redacted before being returned to the agent.
  6. Blended identity and forensic traceability connect every action to both the agent and the human operating behind it. Every interaction is recorded through a complete chain linking the originating prompt, evaluated intent, policy decision, session context, and resulting action.

Together, these controls transform identity security from a point-in-time access decision into continuous runtime governance.
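
The controls above, sketched as an added example (not Akeyless code or its API): a toy broker that checks each command against the declared intent, mints a per-call credential the agent never receives, masks email addresses in the response, and keeps a hash-chained audit record. `Broker`, `POLICY`, `fake_db`, the intent labels and the sample row are hypothetical, and intent is assumed to be already classified from the prompt.

```python
import hashlib, json, re, secrets

# Hypothetical policy: SQL verbs permitted for each already-classified intent.
POLICY = {"report_generation": {"SELECT"}, "record_cleanup": {"SELECT", "DELETE"}}
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
GENESIS = "0" * 64

def _digest(prev, fields):
    body = json.dumps(fields, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()

class Broker:
    """Toy enforcement point between an agent and one target system."""
    def __init__(self, backend):
        self.backend = backend  # callable(credential, command) -> str
        self.audit = []         # hash-chained decision records

    def _log(self, **fields):
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        self.audit.append({**fields, "prev": prev, "hash": _digest(prev, fields)})

    def execute(self, human, agent, intent, command):
        verb = command.split()[0].upper() if command.split() else ""
        verdict = "allow" if verb in POLICY.get(intent, set()) else "deny"
        # Record prompt owner, intent, verdict and action before acting.
        self._log(human=human, agent=agent, intent=intent,
                  command=command, verdict=verdict)
        if verdict == "deny":
            return None  # refused before any credential exists
        credential = secrets.token_hex(16)  # minted per call, never returned
        raw = self.backend(credential, command)
        return EMAIL.sub("[REDACTED]", raw)  # mask before the agent sees it

    def verify(self):
        """Recompute the chain; an edited or reordered record breaks it."""
        prev = GENESIS
        for rec in self.audit:
            fields = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
            if rec["prev"] != prev or rec["hash"] != _digest(prev, fields):
                return False
            prev = rec["hash"]
        return True

def fake_db(credential, command):
    # Constructed backend with constructed data; only the broker calls it.
    return "id=7 email=alice@example.com plan=pro"
```

The hash chain here makes tampering detectable; it does not by itself make the records immutable, which would need append-only storage outside the broker.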

How Runtime Authority Maps to the Framework 

One of the strengths of Anthropic’s framework is that it organizes controls into Foundation, Enterprise, and Advanced maturity tiers, giving organizations a practical roadmap for securing autonomous systems.

Runtime Authority closely aligns with the controls the framework prioritizes. Foundation guidance calls for replacing static credentials with short-lived, automatically refreshed credentials. Runtime Authority goes further by ensuring agents never possess credentials at all. Dynamic Secrets are generated just in time, injected directly into brokered sessions, and destroyed when work is complete.

At the Advanced and Enterprise tiers, the framework introduces context-aware authorization, continuous policy evaluation, just-in-time access, and comprehensive auditability. Runtime Authority enforces these principles through intent-aware policy controls, short-lived credentials, non-bypassable time limits, and the ability to immediately terminate active sessions through a centralized kill switch.

The framework also emphasizes the importance of cryptographically rooted identity for every AI agent. The challenge is that modern agents are highly dynamic. Some exist for hours, while others may spin up for seconds and disappear. Rather than maintaining a separate directory of synthetic agent identities, Runtime Authority anchors trust in existing workload identities, including cloud IAM identities, Kubernetes service accounts, OIDC tokens, and other workload identities. Policies attach directly to these trusted identity sources, allowing agents to be governed from first authentication without requiring enrollment into a separate agent directory.

Finally, Anthropic highlights the need to prevent sensitive information from unnecessarily reaching AI systems. Runtime Authority accomplishes this through in-session inspection and response masking, ensuring sensitive data is filtered before it enters the agent’s context window.

At a Glance

Anthropic’s “impossible vs. tedious” test provides a useful lens for evaluating agent security. The controls below show how Runtime Authority enforces key framework requirements in practice.

| Runtime Authority Control | How It Enforces Anthropic’s Guidance |
| --- | --- |
| Zero credentials on the agent side | Dynamic Secrets are generated only when required, injected directly into brokered sessions, and automatically expire. |
| Zero direct connectivity | Agents never connect directly to databases, cloud services, SaaS platforms, or infrastructure. All access is brokered through the Gateway. |
| Full command-level control | Authorization extends beyond login and applies to every action executed during the session. |
| Intent-aware policy enforcement | Requests are evaluated against the originating prompt and approved operational objectives before access is granted. |
| In-session inspection and response masking | Sensitive data can be masked or redacted before it enters the agent’s context window. |
| Blended identity and forensic traceability | Every action is linked to the originating prompt, policy decision, session context, agent identity, and human operator. |

Beyond Authentication: The Runtime Identity Security Platform

Runtime Authority is part of the broader Akeyless Runtime Identity Security Platform.

As organizations adopt more AI agents, workloads, automation systems, and machine identities, security can no longer focus exclusively on human users. Identity systems must do more than issue credentials; they must govern behavior in real time.

The Runtime Identity Security Platform provides a unified foundation for securing AI agents, machines, workloads, automation systems, and privileged humans. It combines ephemeral identity, secretless authentication, dynamic entitlement provisioning, privileged access management, secrets management, certificate lifecycle management, encryption services, and runtime governance into a single operational layer.

Most importantly, it shifts the conversation from who should receive access to a more important question:

Should this specific action be allowed at this specific moment?

Authentication proves identity. Runtime Authority governs behavior.

Importantly, because Runtime Authority operates on the same Akeyless platform, organizations can extend existing identity controls, policies, authentication methods, and Gateway infrastructure into AI agent workflows rather than introducing a separate security architecture. 

The Audit Question Every Organization Will Face

As AI adoption accelerates, a new accountability challenge is emerging.

When an autonomous agent performs a sensitive action, can the organization prove who ultimately authorized it?

For many environments today, audit records point only to service accounts, API tokens, or machine credentials. They do not clearly connect an action back to the human request that initiated it. That gap becomes increasingly difficult to justify as AI systems gain operational autonomy.

Runtime Authority addresses this challenge through a complete forensic chain that links:

Human prompt → Classified intent → Policy verdict → Session context → Action on target

The resulting audit chain is immutable, structured, and integrates with existing enterprise logging and monitoring workflows. Security teams can forward enriched records to their SIEM while preserving the full sequence of decisions and actions that occurred during execution. This gives security leaders, compliance teams, and auditors a single source of truth for understanding not only what happened, but why it happened, who initiated it, and how policy decisions influenced the outcome.

The Future of AI Security Is Runtime Governance

Static credentials, point-in-time authorization, and retrospective auditing are no longer sufficient. Organizations need a security model capable of governing actions while they occur.

Anthropic’s Zero Trust framework for AI agents provides a blueprint for governing autonomous systems. Akeyless Runtime Authority operationalizes those principles through continuous runtime enforcement, intent-aware policy controls, credential-free agent access, and complete forensic traceability. As organizations move from experimentation to production-scale AI operations, runtime governance becomes the mechanism that transforms security principles into enforceable controls. 

See Runtime Authority in Action

Request a Runtime Authority demo to learn how Akeyless Runtime Authority helps organizations enforce Zero Trust principles for AI agents.

Frequently Asked Questions

What is Runtime Authority?

Runtime Authority is the Akeyless runtime enforcement layer for autonomous AI agents. It continuously governs agent actions during execution, enforcing identity, policy, authorization, inspection, and auditing through a centralized Gateway.

How is Runtime Authority different from traditional IAM or PAM?

Traditional IAM and PAM primarily focus on authentication and authorization at the beginning of a session. Runtime Authority extends control throughout the session by continuously evaluating actions, enforcing policies, inspecting responses, and enabling real-time intervention.

Why are static credentials a problem for AI agents?

Static credentials can be exposed through prompts, logs, code repositories, runtime environments, or integrations. Runtime Authority eliminates this risk by ensuring agents never possess credentials. Dynamic secrets are generated only when needed and injected directly into brokered sessions.

What does “zero direct connectivity” mean?

AI agents cannot directly access databases, cloud services, SaaS platforms, or internal systems. All communication is routed through the Akeyless Gateway, creating a centralized enforcement point and eliminating unmanaged access paths.

How does Runtime Authority prevent unauthorized actions?

Runtime Authority uses intent-aware policy enforcement. Requests are evaluated against their originating purpose before credentials are issued. Actions that conflict with approved intent can be blocked before any connection to a target system occurs.

How does Runtime Authority support compliance and auditing?

Every action is recorded through a complete forensic chain that links the originating human prompt, classified intent, policy decision, session context, and resulting action. This provides complete traceability and accountability for AI-driven operations.
