The company Anthropic has introduced a practical cybersecurity guide, urging the industry to rethink AI system defenses by implementing Zero Trust (“never trust, always verify”) principles. According to experts, this step is an absolute necessity driven by the breakneck speed of threat evolution.
1. A New Pace of Threats: From Months to Hours
The main challenge AI poses to traditional security is unprecedented speed. The use of neural networks by cybercriminals has cut the time window between vulnerability discovery and its practical exploitation from several months to a mere matter of hours.
In this reality, classical perimeter defense and point filters are no longer sufficient. The situation is complicated by the fact that modern AI agents have moved far beyond simple chatbots. They are deeply integrated into companies’ internal infrastructure, have access to APIs and databases, and can make decisions on their own.
Important: Security architects must protect against not only AI-accelerated external threats but also the vulnerabilities of the agents themselves within the corporate perimeter.
2. Zero Trust Philosophy for AI Agents
The core of Anthropic’s new guidance relies on rigid Zero Trust principles: zero default trust, verification of every single action, and designing systems assuming they may already be compromised.
The framework builds upon recognized industry standards:
- NIST SP 800-207 recommendations (published in 2020).
- The Zero Trust Implementation Guidelines series, which the US National Security Agency (NSA) began actively releasing in 2026.
The developers emphasize that this is not just a compliance checkbox exercise, but a practical toolkit for architects, engineers, and InfoSec teams. Within this concept, two key terms are introduced:
- Blast radius — the zone of potential damage if an agent is compromised.
- Least agency — an approach requiring restrictions not just on the AI’s access rights (roles), but also on its invocation frequency, accessible domains, and strict behavioral boundaries.
3. Key Threat Map
Before defending a system, one must understand how it will be attacked. Anthropic highlights several critical vectors:
- Direct Prompt Injection: embedding malicious instructions directly via user input.
- Indirect Prompt Injection: a hidden attack where malicious code enters the AI through external sources—web pages, incoming emails, or documents that the agent processes while executing a task.
- Tool Tainting and Substitution: replacing a legitimate API tool with a malicious counterpart or creating dangerous call chains (where individually safe functions yield a destructive result when combined).
- Abuse of Privileges and Identity: hijacking the management of an agent’s service account.
- Memory and Context Poisoning: long-term distortion of the model’s logic by tampering with training data or dialogue history.
- Supply Chain Attacks: vulnerabilities in third-party libraries, plugins, and base models.
4. Three-Tier Technical Defense Model
To minimize risks, Anthropic suggests abandoning static API keys and shared service account passwords (deemed dangerous even for the basic tier) and implementing a three-tier maturity model.
Basic and Mandatory Measures
- Unique cryptographic identity for each individual AI agent instance.
- Use of short-lived tokens instead of permanent passwords.
- A “deny by default” principle and strict role-based access control (RBAC).
- Sandboxing: a mandatory measure for all agents that analyze untrusted content (files from the internet, emails, documents).
Advanced Defense Tier
- Implementation of the mTLS standard (mutual authentication of client and server using digital certificates).
- Hardware-bound identity of the AI agent via hardware security modules (HSM or TPM).
- A remote attestation procedure to verify the integrity of the AI system’s code before execution.
5. Observability and Monitoring
Defense is impossible without total control. The section of the guide dedicated to observability recommends detailed logging of any agent steps: from tool calls to external communications.
All events must be instantly forwarded to SIEM systems for real-time threat correlation.
- Target detection metric: for critical systems, the time to detect anomalies should be less than one hour.
- Traceability Matrix: a special tool that allows linking any final action of an AI agent to the user’s initial request, fully reconstructing the entire chain of decisions made by the neural network.
6. The SOC of the Future: Human-AI Synergy
Moving to incident response, Anthropic formulates a strict rule: “Automate the bureaucracy surrounding an incident, but not the key decisions.”
In modern Security Operations Centers (SOC), there is a ongoing transition from classic SOAR systems to agent-based architectures. AI models can and should be delegated routine tasks: artifact collection, running parallel investigation branches, and drafting post-mortem reports. However, final decisions—such as system isolation, incident disclosure, and customer communication—must remain exclusively with humans (Human-in-the-loop).
Facts and Figures Supporting the Approach:
- Effectiveness against prompt poisoning: According to a Microsoft Spotlighting study, implementing comprehensive measures reduces the success rate of indirect prompt attacks from over 50% to less than 2%.
- Constitutional Classifiers: Anthropic’s own tests showed that built-in “constitutional” filters block more than 95% of jailbreak attempts (model hacks) while causing a minimal increase in false positives.
- Supply Chain Vulnerability: Anthropic’s research proves that an attacker only needs to introduce 250 malicious documents to successfully embed a hidden backdoor into models ranging from 600 million to 13 billion parameters. For defense here, it is recommended to use AI-BOM (Artificial Intelligence Bill of Materials), dependency auditing, and OpenSSF Scorecard tools.
Conclusion
Security in the era of AI agents can no longer be provided by external add-ons or simple ingress traffic filtering. Defense must be built from within, based on cryptographic identity, strict privilege limitation, process isolation, and continuous auditing.
Ultimately, the winners will not be the companies that deploy the most advanced and “smartest” neural networks, but those whose core security architecture proves to be the most resilient to compromise.
