
The Control Plane Is the Perimeter: Why Zero Trust Is the Only Foundation for Agentic AI

Written by Katie Bowen | Jun 18, 2026 8:32:10 PM

For decades, enterprise security rested on a comfortable fiction: if you could build a high enough wall around your environment, the things inside it were safe to trust. Firewalls, VPNs, and network segmentation defined the perimeter, and anything that made it past the gate was assumed to be legitimate. That model was already eroding before AI agents arrived on the scene. Now, in the era of autonomous, tool-wielding, action-taking agents that read your databases, send your emails, and coordinate with dozens of other agents across multi-step workflows, perimeter-based security is not just insufficient. It is dangerously obsolete.

Anthropic said it plainly in their May 2026 Zero Trust for AI Agents eBook: "Perimeter-based cybersecurity defenses can't keep up with modern threats, and the threats themselves are accelerating… the infrastructure your agents run on is exposed." That document, 36 pages of rigorous implementation guidance, is the clearest signal yet that the industry has recognized a fundamental architectural problem (see a full breakdown of this eBook in episode 360 of the Practical AI podcast). At Prediction Guard, we have been building toward the solution for some time. This post explains why an in-boundary, self-hosted control plane (not the perimeter) is the correct security primitive for the agentic era, and why Zero Trust principles are the only foundation that is able to monitor and control the behavior of real-world agent deployments.

The Perimeter Never Made Sense for Agents

Traditional perimeter-based security assumes a stable, knowable boundary. There are trusted insiders and untrusted outsiders, and the job of security tooling is to enforce that line. The model worked reasonably well when software executed predefined logic on behalf of human users who authenticated once at the edge.

AI agents break every assumption in that model simultaneously.

An agent (such as Claude Code, Hermes Agent, OpenClaw, LangChain custom applications, etc.) is not a user (see our founder's talk at last year's Midwest AI summit for a more detailed definition of agents). It does not authenticate once and then act within a narrow, understood scope. It interprets goals, selects tools dynamically, chains API calls across systems, and operates across session boundaries with persistent memory. An agent that has been manipulated through prompt injection, memory poisoning, or a compromised MCP server is not an outsider that bypassed the perimeter. It is an insider acting within legitimately granted permissions. An AI firewall or external AI gateway has nothing to say about that threat.

The attack surface is qualitatively different, too. Anthropic's eBook catalogs five distinct threat classes for agentic systems that have no clean analog in traditional security models: prompt injection and instruction manipulation, tool and resource misuse, identity and privilege abuse, supply chain and dependency risks, and memory and context poisoning. Each of these can succeed entirely within the perimeter, using credentials and access that the system was designed to grant.

The perimeter-first approach also fails a critical design test that Anthropic's framework applies to every control: does this make the attack impossible, or just tedious? Agentic attackers (including AI-accelerated adversaries that can grind through friction at machine speed and near-zero per-attempt cost) are not deterred by inconvenience. They are deterred by architectural impossibility. A VPN hop is tedious. A cryptographically scoped, short-lived token that never existed outside a specific task context is something closer to impossible to abuse after the fact.

What Zero Trust Actually Means for Agents

Zero Trust is not a product. It is an architectural principle, one with roots that trace back to Stephen Paul Marsh's 1994 doctoral thesis and concrete implementation guidance in NIST SP 800-207 and the NSA's Zero Trust Implementation Guides published earlier this year. The principle is disarmingly simple: trust nothing, verify everything, assume breach has already occurred.

Three corollaries flow from that premise. Never trust and always verify means every access request, regardless of origin, regardless of whether it comes from inside the corporate network or from an agent you deployed yourself, undergoes authentication and authorization. Assume breach means designing systems with the expectation of compromise, focusing on blast radius containment rather than intrusion prevention. Least privilege means granting only the minimum access necessary for a specific task, constraining what each identity can reach so that any single compromise is bounded.

For agentic deployments, these principles surface in concrete controls. Anthropic's framework introduces the term "least agency" (coined by OWASP) as an extension of least privilege into the agent domain. Least agency restricts not just what an agent can access, but what each agent tool can do, how often, and where: a database tool gets read-only queries, an email summarizer gets no send or delete rights, an API gets minimal CRUD operations. The blast radius of any individual agent is engineered to be small before the first request is made.

Identity becomes foundational in a way that perimeter security never demanded. Without verifiable agent identity, you cannot enforce access controls, maintain meaningful audit trails, or attribute actions to specific agents in a multi-agent system. Short-lived tokens, hardware-bound credentials, and cryptographic identity are not optional enhancements; they are the structural prerequisite for every other control in the stack.
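To make the "cryptographically scoped, short-lived token that never existed outside a specific task context" concrete, here is an added example (written for this post, not Prediction Guard's or Anthropic's code) of a token bound to one agent, one task and an explicit tool scope; the signing key, claim names and tool names are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for the example; a real control plane would keep this in a KMS or HSM.
SIGNING_KEY = b"example-control-plane-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_task_token(agent_id: str, task_id: str, tools: list, ttl_seconds: int, now: float) -> str:
    """Issue a token that only means something for this agent, this task, these tools, this window."""
    claims = {"agent": agent_id, "task": task_id, "tools": sorted(tools),
              "iat": int(now), "exp": int(now) + ttl_seconds}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def check_token(token: str, agent_id: str, task_id: str, tool: str, now: float) -> tuple:
    """Return (allowed, reason). Every failure is a hard deny; nothing here is 'tedious'."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad_signature"     # claims were altered after issuance
    claims = json.loads(body)
    if now >= claims["exp"]:
        return False, "expired"           # the grant simply stops existing after its window
    if claims["agent"] != agent_id or claims["task"] != task_id:
        return False, "wrong_context"     # cannot be replayed by another agent or task
    if tool not in claims["tools"]:
        return False, "out_of_scope"      # this tool was never granted for this task
    return True, "ok"
```

A stolen token from a finished task is therefore useless on every axis at once: it has expired, it names a task that no longer exists, and it lists only the tools that task needed.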

Observability is similarly load-bearing. In a perimeter model, security monitoring looks for outsiders trying to break in. In a Zero Trust agentic model, monitoring looks for agents behaving outside the envelope of their intended purpose (including gradual drift caused by memory poisoning that no single-event detection would catch). Behavioral baselines, anomaly scoring, and continuous audit logging are the instruments of that monitoring. They require infrastructure that treats every agent action as an event to be recorded and evaluated, not a trusted internal process to be assumed benign.
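The drift case deserves a worked illustration: an agent whose every individual action is on its allowlist can still slide far from its purpose. The added example below (not code from the original post or from Prediction Guard) keeps a per-agent baseline of tool usage and scores a sliding window against it with total variation distance, so a slow shift accumulates even though no single event is new; the window size, threshold and action names are assumed.

```python
from collections import Counter, deque


class BehaviorMonitor:
    """Per-agent baseline of tool usage; scores each new action against a sliding window."""

    def __init__(self, window: int = 20, threshold: float = 0.42):
        self.window = window
        self.threshold = threshold
        self.baselines = {}   # agent -> Counter of "tool.op" seen during a trusted period
        self.recent = {}      # agent -> deque of the last `window` actions

    def learn(self, agent: str, actions: list) -> None:
        """Establish the baseline from a trusted period of observed actions."""
        self.baselines[agent] = Counter(actions)

    def score(self, agent: str, action: str) -> tuple:
        """Return (drift_score, alert).

        drift_score is the total variation distance between the recent window and the
        baseline distribution: 0.0 means the agent behaves exactly as it used to, 1.0 means
        nothing in the window resembles the baseline. An alert fires only once the window is
        full, so the first few actions after start-up do not trip it.
        """
        window = self.recent.setdefault(agent, deque(maxlen=self.window))
        window.append(action)
        base = self.baselines.get(agent)
        if not base:
            return 1.0, True   # no baseline: treat as anomalous until one is learned
        base_total = sum(base.values())
        win = Counter(window)
        win_total = len(window)
        keys = set(base) | set(win)
        tvd = 0.5 * sum(abs(base[k] / base_total - win[k] / win_total) for k in keys)
        score = round(tvd, 3)
        return score, score >= self.threshold and win_total == self.window
```

Note that "email.summarize" is a permitted action throughout the test below; a per-event allowlist never objects, yet the monitor flags the agent once summarizing crowds out the reads it was deployed to do.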

The Control Plane Is the New Perimeter

The Cloud Security Alliance described the agentic control plane precisely in a March 2026 analysis: "At its core, the Agentic Control Plane is about governing how autonomous agents exist and operate within digital environments. It encompasses identity, authorization, orchestration, runtime behavior, and ultimately, trust." That framing captures exactly why the control plane, not the network boundary, is the right abstraction for securing agentic AI.

The perimeter-based model asked: who is allowed in? The control plane model asks: for every action, by every agent, against every resource, at every moment — is this permitted, is it within the defined scope, and is it being recorded? That question is answered at the control plane layer, before any data leaves the security boundary, on every single request.
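The following added example (not the original post's or Prediction Guard's code) shows the least-agency policies from the previous section and the per-action control-plane question from this one in one decision point: each tool gets an explicit set of operations, a call budget and allowed targets, every decision is default-deny, and every decision is written to an audit record whether it was allowed or not. Tool names, operations and limits are assumptions.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolPolicy:
    """Least-agency scope for one tool: what it may do, how often, and where."""
    allowed_ops: frozenset
    max_calls_per_minute: int
    allowed_targets: frozenset    # resources the tool may touch; empty means any


# Constructed policies mirroring the post's examples: read-only database, no-send email,
# minimal CRUD on an internal API.
POLICIES = {
    "db":    ToolPolicy(frozenset({"select"}), 60, frozenset({"reports-replica"})),
    "email": ToolPolicy(frozenset({"read", "summarize"}), 30, frozenset()),
    "crm":   ToolPolicy(frozenset({"create", "read"}), 20, frozenset({"crm.internal"})),
}


class ControlPlane:
    def __init__(self, policies: dict, clock=time.time):
        self.policies = policies
        self.clock = clock
        self.audit = []      # every decision is recorded, allowed or denied
        self._calls = {}     # (agent, tool) -> timestamps of allowed calls in the last minute

    def authorize(self, agent: str, tool: str, op: str, target: str) -> str:
        """Answer, for one action: is it permitted, is it in scope, and is it recorded?"""
        now = self.clock()
        decision = self._decide(agent, tool, op, target, now)
        self.audit.append({"ts": now, "agent": agent, "tool": tool, "op": op,
                           "target": target, "decision": decision})
        return decision

    def _decide(self, agent: str, tool: str, op: str, target: str, now: float) -> str:
        policy = self.policies.get(tool)
        if policy is None:
            return "deny:unknown_tool"          # default deny, never default allow
        if op not in policy.allowed_ops:
            return "deny:op_not_granted"        # e.g. the summarizer asking to send
        if policy.allowed_targets and target not in policy.allowed_targets:
            return "deny:target_not_granted"    # right tool, wrong place
        recent = [t for t in self._calls.get((agent, tool), []) if now - t < 60]
        if len(recent) >= policy.max_calls_per_minute:
            self._calls[(agent, tool)] = recent
            return "deny:rate_limited"          # "how often" is part of the scope
        recent.append(now)
        self._calls[(agent, tool)] = recent
        return "allow"
```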

This is precisely the architecture that Prediction Guard is built to provide. Our self-hosted AI control plane is designed around the premise that governance cannot be an afterthought bolted onto the edge of an AI deployment. It must be embedded in the infrastructure where your agents are operating. Every agent action, every tool invocation, every MCP connection runs through the same governance harness (enforcing policies derived from NIST, OWASP, and custom organizational rules before data leaves your infrastructure). Pre-model PII detection and anonymization, prompt injection scoring and blocking, post-model output validation, MCP tool call restriction, grounding verification, human tool call escalations, and related governance modules: these controls are in the critical path, not the audit log.

Where legacy approaches stitched together fragmented point solutions (a content filter here, a logging integration there, an access management layer somewhere else), the Prediction Guard control plane collapses those into a single, coherent enforcement surface. Every model, agent harness connection, tool, and API connection operates under the same governance framework from day one, with zero AI interactions occurring outside standards-aligned governance. The practical implication: a 4x or greater reduction in total cost of ownership compared to fragmented AI security architectures, and governance overhead of less than 200ms per request, enforced inside your security boundary.

The deployment model matters as much as the enforcement logic. Prediction Guard runs on-premises, in air-gapped environments, in GovCloud, or in your own cloud VPC. That is a deliberate architectural choice, not a deployment option. Data sovereignty is not compatible with a model in which your AI governance layer is a third-party SaaS endpoint that your agents call out to. Zero Trust for agents requires that governance happen inside your trust boundary, not at someone else's API.

The Acceleration Problem

Anthropic's eBook makes an observation that should concentrate the attention of every enterprise security leader: frontier AI models are compressing the timeline between vulnerability discovery and exploit from months to hours, at a marginal cost measured in dollars. This is not a future concern. It is a present-tense operational reality.

The implication for perimeter-based defenses is severe. Perimeter security was always somewhat reactive (e.g., you updated rules in response to known threats, patched against known vulnerabilities, and hoped the window between discovery and fix was manageable). When that window was measured in months, the model was defensible. When it is measured in hours, response processes that take days are simply too slow. The Anthropic framework notes that "agentic adversaries might attack hundreds" of targets simultaneously, with unlimited patience and near-zero per-attempt cost.

Forrester's December 2025 analysis of agent control planes identified the same structural problem from an enterprise governance perspective: the architecture is emerging faster than the standards needed to make it work cleanly at scale, and enterprises that rely on platform-specific or vendor-specific governance implementations will find themselves hand-building integration logic for every new agent deployment. The answer is a governance layer that sits outside both the build and orchestration planes (portable, standards-aligned, and capable of operating across heterogeneous agent environments).

A 2026 KPMG survey reinforced the stakes: 75% of large-enterprise security leaders cite security, compliance, and auditability as the most critical requirements for agent deployment, with multi-agent orchestration complexity as the primary bottleneck to moving from pilots to production. The governance gap is not a theoretical future problem. It is the reason most organizations are still running agent pilots rather than production systems.

From Principles to Practice: What This Looks Like

Anthropic's framework organizes Zero Trust controls for agentic deployments into three capability tiers (Foundation, Enterprise, and Advanced) and seven control domains: agent identity and authentication, access control and privilege management, observability and auditing, behavioral monitoring and response, input validation and output control, network security, and supply chain integrity.

The Foundation tier is the entry point: cryptographic agent identity, short-lived credentials, least-agency scoping per tool, audit logging, basic prompt injection detection. This is not optional for any serious deployment. It is the minimum that a Zero Trust architecture demands, and it is what Prediction Guard enforces by default on every deployment, for every agent, before any configuration has been touched.

The Enterprise tier adds depth: behavioral baselines and anomaly detection, fine-grained policy enforcement across multi-agent workflows, SIEM integration, automated incident response, and supply chain validation for MCP servers and model dependencies. This is where most regulated organizations (healthcare, finance, defense, government) need to operate, and where the combination of a sovereign control plane with continuous behavioral monitoring becomes operationally essential.

The Advanced tier is for environments where compromise carries severe operational or financial consequences: hardware security modules for key management, fully sandboxed execution environments, cryptographically verified audit trails, and security operations running at the speed of autonomous threats. Prediction Guard's architecture supports this tier through air-gapped deployment options, tamper-resistant audit logging, and SIEM integration that surfaces agent behavioral anomalies as first-class security events.

The practical starting point for any organization is to ask Anthropic's design test question about every existing or planned control: does this make the attack impossible, or just tedious? If the honest answer is "tedious," that control will not survive an AI-accelerated adversary. The controls that pass the test (scoped short-lived tokens, cryptographic identity, network paths that do not exist rather than paths that are merely inconvenient, governance enforced in the critical path rather than monitored at the edge) are the building blocks of the control plane architecture.

The Architecture the Moment Demands

Gartner projects that 70% of enterprises will deploy agentic AI as part of IT infrastructure operations by 2029, up from less than 5% in 2025. The EU AI Act's provisions for high-risk AI systems take effect in August 2026. The US government has required all federal agencies to adopt Zero Trust by 2027. The regulatory and operational pressure is converging on a single conclusion: you cannot deploy agents at enterprise scale on a foundation of perimeter security and point solutions.

Anthropic's Zero Trust for AI Agents eBook is an important contribution to the field precisely because it names the problem clearly and provides a vendor-agnostic framework for addressing it. "The organizations best positioned for this shift will not necessarily be the ones with the most advanced AI. They will be the ones whose fundamentals are strong enough that AI-assisted scanning finds fewer bugs in the first place, and whose agent deployments were architected for breach from day one."

That is the mandate. Architect for breach from day one. Trust nothing. Verify everything. Enforce governance in the critical path, inside your security boundary, on every agent action, before data moves.

That is what a control plane is for. And that is what Prediction Guard is built to be.

Prediction Guard is a self-hosted AI control plane for regulated enterprises, providing governance, observability, and policy enforcement across model interactions, agent orchestration, and MCP tool access, deployed within your own infrastructure.

Learn more at predictionguard.com.

Episode 360 of the Practical AI Podcast covers Anthropic's Zero Trust for AI Agents eBook in detail.