Anthropic Just Wrote the Case for Data & AI Trust (They Just Didn’t Call It That)

In May, Anthropic published a security framework called “Zero Trust for AI Agents.” And if you build, deploy, or secure AI agents, you’ll want to read the whole thing. It is one of the clearest pieces of guidance on agent security so far, and it originates from a clear leader in the space.

Since I already spend my days (and nights) thinking about data resilience and security, I read Anthropic’s guide asking a simple question: Where does this framework actually touch the things my world cares about?

I expected a few loose connections. Instead, multiple sections read like I slipped the author $20 to write Veeam’s positioning.

That is not a coincidence.

The direction this framework points to is where enterprise security has been heading for years, and it’s the same path Veeam has been following in the AI era.

Zero Trust for Agents Is a Different Animal

Of course, Zero Trust is not new. The phrase goes back decades, and the principles were codified by NIST and, later, the NSA:

  • Never trust and always verify
  • Grant least privilege
  • Assume breach

None of that is novel.

What is new is the thing being governed. Traditional Zero Trust assumes the entity behaves predictably. For example, a human authenticated through MFA interacts with systems through known workflows, or a microservice makes the API calls its code tells it to make. The behavior is bounded.

Agents break that assumption, and not because they are flawed. They break it because they are non-deterministic by design. An agent given a tool might use it in a way nobody anticipated: Agents reach into databases, APIs, and tools through MCP integrations, and they chain those actions together at machine speed. The blast radius of one compromised agent is far larger than one compromised user account, and it expands the moment you connect another tool.

Anthropic is blunt about the stakes. They write that frontier models are compressing the timeline between vulnerability and exploit from months to hours. Threat actors are also leveraging AI to sharpen the tactics they have always used, such as reconnaissance, initial access through phishing and vishing, exfiltration, and credential access. Their tactics have not radically changed, but the rate at which they execute now runs at machine speed.

How the AI Era Is Evolving Each Zero Trust Principle

Like so many other things in our lives, AI is redefining the foundations of Zero Trust. Here are some of the ways that’s happening.

Assume Breach

Anthropic is explicit about it. Design your agent deployments for breach from day one. Do not try to prevent every intrusion. Limit the damage when one happens. Segment by identity. Contain and understand the blast radius of each agent. Make sure compromising one system does not hand an attacker the rest.

If you have spent any time in backup and recovery, you have heard a version of this your whole career. Assume the bad thing happens, and architect so you can come back from it. This is not groundbreaking.

The takeaway here, though, is that one of the most credible names in AI is now saying it about autonomous agents, in a security framework, to an audience of CISOs and architects who are deploying these systems faster than they are securing them.

Least Privilege

The framework makes one conceptual move that may outlast the rest: The distinction between least privilege and least agency.

Least privilege is familiar. Give an entity only the access it needs. An agent that reads log files should not have write access to production, for example.

Least agency goes further. Give an agent only the autonomy it needs for the task in front of it. If it needs to query a database, hand it a parameterized query interface, not raw SQL. If it needs to change a config, give it a scoped API, not shell access.

If you accept that an agent will eventually be compromised or simply reason its way somewhere you did not intend, then an agent with narrow agency is a contained incident and an agent with broad agency is a catastrophe. The access controls can be technically correct, but the autonomy can still be the thing that hurts you.
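To make least agency concrete, here is the same orders table exposed two ways: a raw-SQL tool that runs whatever statement the agent composes, and a scoped tool that offers exactly two read-only, parameterized lookups and refuses writes at the connection level. This is example code written for this post, not Anthropic’s or Veeam’s; the table, sample rows and tool names are constructed.

```python
import sqlite3
from typing import List, Optional

# Constructed sample data, not from the original post: a tiny orders table.
SEED = [(1, "alice", "shipped"), (2, "bob", "pending"), (3, "alice", "delivered")]

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, status TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SEED)
    conn.commit()
    return conn

def count_orders(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]

def connection_allows_writes(conn: sqlite3.Connection) -> bool:
    """Probe whether the connection accepts a write; the probe is always rolled back."""
    try:
        conn.execute("INSERT INTO orders VALUES (999, 'probe', 'probe')")
        return True
    except sqlite3.OperationalError:
        return False
    finally:
        conn.rollback()

class RawSqlTool:
    """Broad agency: whatever statement the agent composes is executed as-is."""
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
    def run(self, sql: str) -> list:
        cur = self.conn.execute(sql)
        self.conn.commit()
        return cur.fetchall()

class ScopedOrderTool:
    """Least agency: two read-only, parameterized lookups and nothing else."""
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.conn.execute("PRAGMA query_only = 1")  # the connection itself refuses writes
    def order_status(self, order_id: int) -> Optional[str]:
        if isinstance(order_id, bool) or not isinstance(order_id, int):
            raise ValueError("order_id must be an integer")
        row = self.conn.execute("SELECT status FROM orders WHERE id = ?", (order_id,)).fetchone()
        return row[0] if row else None
    def orders_for(self, customer: str) -> List[int]:
        # Bound as a value: the string is matched literally, never parsed as SQL.
        rows = self.conn.execute("SELECT id FROM orders WHERE customer = ? ORDER BY id", (customer,))
        return [r[0] for r in rows]
```

With the raw tool, an ambiguous goal such as “clean up pending orders” can become a DELETE; with the scoped tool, the worst an unexpected argument can do is return nothing.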

Never Trust and Always Verify

Threat actors are already using AI to move at machine speed, which is widening the coverage gap. The coverage gap is the percentage of alerts that go uninvestigated, and every one of those alerts is a risk you cannot see.

This means defenders must move at machine speed too. Doing that does not mean firing all the humans and replacing them with AI. A human in the loop is critical for decision making.

What it does mean, though, is closing the coverage gap with the same kind of automation the attackers are using. Use an agent to triage, enrich, and correlate every alert, so the percentage of findings that get investigated goes up instead of a SOC analyst drowning in an infinite queue.

Anthropic’s Zero Trust Agent Capability Domains, Mapped to Veeam

If you’re a customer of Veeam, it’s incredibly reassuring to know there’s a strong overlap between Anthropic’s proposed framework and the coverage we’re already providing. Here are some specific examples.

Integrity and Recovery

Every meaningful control Anthropic recommends is at the heart of what Veeam does.

Their team tells you to capture a known-good baseline so you can identify a clean state and restore to it when an agent is compromised.

That is the entire premise of immutable backup paired with clean restore point identification: You scan, verify, learn which point in time is trustworthy, and quickly recover to it.

Anthropic tells you to segment by identity, so a compromise cannot move laterally. That is isolated, immutable storage with its own network and credential boundary.

Anthropic says to run orchestrated response playbooks with graduated escalation, and automate the bookkeeping while keeping humans on the containment decisions.

That is exactly how a well-built recovery runbook works. Every decision about network, compute, priority, and restore point is resolved before an incident, so that during one a human authorizes and the automation executes.

When the most safety-focused AI company in the world tells you to build for breach and recover to a known-good state, that is Veeam’s data resilience thesis, just wearing a different badge.

Recovery is the last resort if everything else fails. The question is not only whether you have backups. It is whether you can answer three things under pressure:

  • Are you protecting the data the agents are being fed and acting on?
  • Is that data immutable, so an attacker cannot quietly alter it?
  • Can you map cleanly back to the point of incident, so you know which restore point is clean rather than already poisoned?

If you cannot answer those questions, you do not have a recovery posture.

You have a prayer.

Input Validation and Output Controls

Here is the part of the framework that most resilience conversations miss, and it is the part that matters most.

An agent’s output is only as trustworthy as the data feeding it. Anthropic spends real time on this. Memory poisoning corrupts the context an agent uses to make decisions. Tool poisoning tampers with the responses an agent gets back and trusts as fact. RAG pipelines pull from sources that may be stale, over-permissioned, or deliberately tainted. The agent does not know the difference; it reasons over whatever it is given and acts with confidence either way.

Strip the jargon and it comes down to one thing: If you cannot vouch for the data, you cannot vouch for the agent.

That is a data integrity issue before it is an AI problem, and it sits squarely at the intersection of data resilience and security posture. Knowing where your sensitive data sits, who (or what) can touch it, whether it has been altered, and having the ability to restore a known-clean version of it is the foundation the whole agent stack is balancing on.

Most organizations point agents at data they have never classified and cannot prove is intact. That is the quiet risk underneath the loud ones.

Observability and Traceability

Anthropic wants immutable, append-only audit logs streamed to a SIEM and correlated with other security events. Veeam not only meets those recommendations, but we also provide an agent activity log that details every action an agent has taken, the users and groups who have access to the agent, and the files and data systems the agent can reach.

This is critical for forensic analysis and anomaly detection, but also for compliance. You get full audit trails of who touched what data, why, and who authorized it, plus complete lineage from source to output to satisfy the explainability requirements that regulators are starting to demand.
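Two of the controls above, a verifiable known-good point (Integrity and Recovery) and an immutable, append-only audit log (Observability and Traceability), come together in a hash-chained log of agent actions, where every entry commits to the one before it. This is example code written for this post, not Anthropic’s framework or Veeam’s product; the agent, target and user names are constructed.

```python
import hashlib
import json
from typing import List, Tuple

GENESIS = "0" * 64  # anchor for the first entry

def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so an identical record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

class AgentAuditLog:
    """Append-only record of agent actions; every entry commits to the entry before it."""
    def __init__(self) -> None:
        self.entries: List[Tuple[dict, str]] = []  # (record, chained hash)

    def append(self, agent_id: str, action: str, target: str, authorized_by: str) -> str:
        prev = self.entries[-1][1] if self.entries else GENESIS
        record = {"seq": len(self.entries), "agent": agent_id, "action": action,
                  "target": target, "authorized_by": authorized_by}
        h = _digest(prev, record)
        self.entries.append((record, h))
        return h

    def last_intact(self) -> int:
        """Number of leading entries whose chain still verifies.

        Equal to len(self.entries) when the log is intact; otherwise the index of
        the first entry that was altered, removed or reordered, i.e. where trust ends.
        """
        prev = GENESIS
        for i, (record, h) in enumerate(self.entries):
            if record.get("seq") != i or _digest(prev, record) != h:
                return i
            prev = h
        return len(self.entries)

def demo() -> Tuple[int, int]:
    """Constructed SOC scenario (not from the post): three actions, then one is rewritten."""
    log = AgentAuditLog()
    log.append("triage-agent-01", "read", "siem:alerts/queue", "svc-soc")
    log.append("triage-agent-01", "enrich", "ti:indicator-lookup", "svc-soc")
    log.append("triage-agent-01", "isolate_host", "host:ws-1042", "analyst.jdoe")
    before = log.last_intact()
    # After-the-fact edit of who authorized the containment step.
    log.entries[2][0]["authorized_by"] = "triage-agent-01"
    after = log.last_intact()
    return before, after  # (3, 2): entries 0 and 1 remain trustworthy
```

Rewriting any entry breaks the chain from that entry onward, so last_intact() marks the last point you can trust; someone who rewrites the newest entry and recomputes its hash is only caught if the latest hash has already been shipped off-box, which is the practical reason to stream the log to a SIEM as Anthropic recommends.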

Anomaly Detection

Dwell time is how long a threat sits before you detect it. Coverage is the percentage of findings you investigate. Anthropic singles these two metrics out as having the most value when exploit windows collapse to hours.

Veeam threat detection sets a clean baseline and flags anomalies early, which attacks the dwell time problem directly. And data security posture tooling highlights overly permissive agent access.

Agent Authentication and Privilege Management

There are two domains where Veeam does not map, and I am not going to pretend otherwise: Agent identity and authentication, and privilege management.

Anthropic wants every agent to carry a unique cryptographic identity. They’d like short-lived tokens issued by an identity provider, just-in-time privilege escalation, per-action continuous authorization, and attribute-based access control (ABAC). These are real, important controls, and they live at a layer that backup and data security tools do not (yet) operate in: Identity provider and platform territory.

Why This Matters Now

The conversation about securing AI agents has been dominated, reasonably, by the front half of the problem. How do you stop the agent from being compromised in the first place? The popular answers have been identity, least privilege, least agency, prompt-injection defenses, and sandboxing.

That work is essential and it is where most of the attention has gone.

By leaning so hard on assume breach, Anthropic’s framework is quietly making a second argument. You will not stop every compromise. Agents interpret goals, chain tools, and act at machine speed. And, at some point, one of them will do something you did not intend, whether through manipulation or its own ambiguity. When that happens, the question becomes: “How fast can you identify a clean state and recover?”

The agent era makes the blast radius bigger and the speed higher, which means the recovery posture matters more, not less. From a security standpoint, the organizations that flourish over the next few years will not only be the ones with the best agent-identity controls. They will also be the ones who assumed breach, protected and classified the data their agents depend on, kept an immutable known-good state, and could quickly prove they were back to clean.

Everyone is racing to stop agents from being compromised. Far fewer are asking: “What happens when one is?”

That question is the one I would be asking before I deployed a single agent against data that matters.

How is your organization answering it?

The post Anthropic Just Wrote the Case for Data & AI Trust (They Just Didn’t Call It That) appeared first on Veeam Software Official Blog.