Diving into an Agentic AI Taxonomy: A Zero Trust Perspective (part 2)
Posted: Wednesday June 10, 2026
Author: Jason Garbis
Welcome back to our series exploring a taxonomy of agentic AI systems, what enterprises need to worry about for each, and Controls & Recommendations. There’s been a flurry of very relevant activity in the industry in just the 2 weeks since we published the first article in this series: Anthropic published their Zero Trust for AI Agents guide, which provides a useful framework and starting point for an agentic AI-specific maturity model. Their approach is well-aligned with the work we’ve been doing in this area, so you should expect some further guidance and tools from us in the near future.
Returning to our series, in our first articles we introduced the core taxonomy, and how we’re using the Agentic Trust Framework for our analysis:
- “Agentic AI: The Wild Frontier”
- “Diving into an Agentic AI Taxonomy: A Zero Trust Perspective (part 1)”
Now, let’s move to the next agent model, where we look at the Enterprise tier of Web-based agents. These have some clear similarities with their free tier counterparts, as well as some important differences that we’ll be calling out.

In our previous blog, we started by taking a look at the first set of agents, which are Web-based agents with a free or personal paid tier. Now we’ll dive into the Enterprise version of these agents. This group still encompasses the Web-based agents you are accustomed to, such as ChatGPT and Claude; however, this paid tier provides security and visibility capabilities that are desirable or required by enterprise customers.
In general, these AI platforms include the following types of enterprise capabilities in their paid enterprise tiers. (Keep in mind that the distribution of these controls across plans, and plan naming is not only different for different AI platforms, but is also constantly changing.)
- Single Sign-On integration with the enterprise’s Identity Provider
- Domain Capture to ensure that any user signing up with that service with a corporate email is automatically rolled into enterprise management
- Role Management, and integration with identity lifecycle provisioning via SCIM
- Centralized billing and account management
- Enterprise-controlled integration with the enterprise’s tenants in SaaS data sources such as M365, Slack, and Google Workspace.
- Audit logs for compliance reporting and usage analytics
- Data isolation, where the vendor promises “no training on your data”
- Compliance with regulatory requirements such as GDPR or CCPA
For enterprise security practitioners, this list of capabilities is immediately appealing. It should be clear that best practices require us to make the investment of effort and budget to obtain these services. Most enterprises are beyond an experimental phase where casual usage of free tiers is appropriate. In fact, we’d argue that allowing enterprise users to utilize a free tier of services from corporate devices, working with corporate data, is an abdication of responsibility.
Now, let’s examine this tier through the lens of the Agentic Trust Framework, to which we add Controls and Recommendations.

Zero Trust Principles: Commentary and Recommendations
In this section, we’re contrasting this tier with unmanaged free tier usage, and explaining what good looks like for enterprise usage of these types of agentic systems. We provided numerous recommendations in the table above, and want to use this space to synthesize them.
Recommendation 1: Treat Enterprise Identity as Foundational
Identity is not a significant factor for free tier access, because regardless of whether the user registers with a personal or corporate email address, there’s no management around it. With the Enterprise tier, however, it becomes a necessary foundation for any effective enterprise control around these types of systems.
Enforcing usage of a centrally managed, paid enterprise account accomplishes two things you need: First, it gives your users an allowed (sanctioned) agentic AI system that they can use. This is an important element of “saying yes” to the business, and avoiding shadow AI that would otherwise proliferate. Second, it gives you a set of strong controls that are integrated into your enterprise identity systems, processes, and user experience. For example, SSO ensures that agentic system access follows the overall user lifecycle.
Recommendation 2: Build on Workspace and App Authorization models
Users will naturally want to connect these agentic systems to their daily work platforms such as M365, Google Workspace, and Slack. This should be encouraged, as long as it can be done under enterprise security control. Specifically, use this as a catalyst to verify that your enterprise tenants in these platforms are appropriately configured. Have an informed conversation with data and process owners to selectively allow agents to access specific areas and perform specific actions.
Recommendation 3: Leverage Data Visibility and Categorization Capabilities
We spoke about Data Security in our previous article, and in the Enterprise tier this becomes so much more important, as agentic activities performed on enterprise data are very often a huge part of the value. However, it’s too easy for organizations to inadvertently give agents access to an unexpectedly broad set of data, e.g. “everything each user can see in M365.”
It’s important to take this moment to assess how much visibility you have into enterprise data (especially unstructured or semi-structured data in these SaaS platforms), and the associated degree of categorization or classification. Data loses its provenance and categorization during agentic analysis, so it’s important to prevent or strictly limit agentic access to sensitive data.
Finally, for agentic access to SaaS platforms such as M365, note that these types of agents generally operate in an on-behalf-of model, where they inherit the calling user’s permissions and access authorizations. Unlike the more autonomous agents that we’ll be talking about in future articles, these agents do not have their own identity or authentication, and they only take action in direct response to an interactive user prompt.
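To make the on-behalf-of model concrete, here is an added example (not from the original article) that contrasts pure permission inheritance with the same request narrowed by an owner-approved connector scope and data classification labels. The users, paths, labels, function names and the default-deny rule for unclassified data are all hypothetical assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Everything below (names, labels, paths, users) is constructed for illustration.
BLOCKED_LABELS = {"confidential", "restricted"}   # assumed classification scheme

@dataclass(frozen=True)
class Resource:
    path: str
    label: Optional[str]   # None means the item was never classified

# What each user can already do in the SaaS tenant: (user, path) -> actions.
USER_ACL = {
    ("alice", "sharepoint:/sites/eng/roadmap.docx"): {"read", "write"},
    ("alice", "sharepoint:/sites/eng/notes.txt"): {"read"},
    ("alice", "sharepoint:/sites/hr/salaries.xlsx"): {"read"},
}
# Areas and actions that data owners approved for the agent connector.
CONNECTOR_GRANTS = {("sharepoint:/sites/eng/", "read")}

def inherited_only(user, res, action):
    """Pure on-behalf-of: the agent can do whatever the calling user can."""
    return action in USER_ACL.get((user, res.path), set())

def agent_decision(user, res, action):
    """On-behalf-of access narrowed by connector scope and data labels."""
    if not inherited_only(user, res, action):
        return (False, "user lacks permission")
    if not any(res.path.startswith(area) and action == act
               for area, act in CONNECTOR_GRANTS):
        return (False, "outside connector scope")
    if res.label is None:
        return (False, "unclassified data")   # assumption: default deny
    if res.label in BLOCKED_LABELS:
        return (False, "sensitive label")
    return (True, "allowed")

ROADMAP = Resource("sharepoint:/sites/eng/roadmap.docx", "internal")
NOTES = Resource("sharepoint:/sites/eng/notes.txt", None)
SALARIES = Resource("sharepoint:/sites/hr/salaries.xlsx", "confidential")

if __name__ == "__main__":
    for res, action in [(ROADMAP, "read"), (ROADMAP, "write"),
                        (NOTES, "read"), (SALARIES, "read")]:
        print(res.path, action, inherited_only("alice", res, action),
              agent_decision("alice", res, action))
```

With inheritance alone, every request alice could make herself succeeds for the agent, including the HR spreadsheet; the scoped decision allows only the labelled, in-scope read.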
Recommendation 4: Continue to Educate and Listen to Users
Recognize, and communicate to your users, that this is a rapidly evolving space, and that everyone is learning how to safely and effectively use agentic AI systems. Create an ongoing learning community and environment, with regular presentations and open discussions within the enterprise.
Let users know that the controls and processes you’re putting in place are to ensure that the business remains secure and compliant, and also acknowledge that sometimes users will run into unexpected or overly restrictive controls. Create a simple process for users to request that security review the intended access, and commit your team to respond relatively quickly.
It’s important also to remind the security team that business usage of these types of tools can deliver considerable value and user productivity. Security needs to listen to users, understand the business needs and desired outcomes, and create secure means to support them.
Wrapping Up Part 2 (and looking ahead to part 3)
This article concludes our analysis of the two types of simple Web-Based Agents, across their free and enterprise tiers of service. The major Agentic AI platforms all have substantial security and controls available as part of their paid enterprise tiers of service. When integrated with enterprise security systems and processes, this will result in good and effective visibility and security for employee usage of these types of systems. This needs to be combined with additional network or endpoint-based controls to ensure that any disallowed web-based agent sites are blocked, and users are redirected to an allowed site.
Our next set of articles will shift gears, and dive into the set of SaaS Platform Agents, such as Microsoft Copilot, Google Gemini, Workday Sana, and Salesforce Agentforce.
