Zero Trust Architecture for AI Systems
Common Mistakes
1. Implementing network perimeter security and calling it Zero Trust. Placing AI services behind a VPN or private subnet does not implement Zero Trust. Zero Trust requires identity verification on every request regardless of network location.
2. Not applying Zero Trust principles to AI agent tool calls. The AI agent that calls EHR APIs is itself a component that must authenticate (service account), be authorized (minimum necessary tool ACL), and log every action (audit log). Agents without Zero Trust controls become the most significant lateral movement risk in clinical AI.
3. No certificate rotation for mTLS. mTLS certificates that never expire, or that depend on a manual rotation policy, end up never being rotated in practice. Automate certificate rotation with cert-manager or Vault PKI; certificates should expire in 90 days or fewer.
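The controls that mistake 2 calls for (service authentication, a minimum-necessary tool ACL, and an audit entry for every action) can be demonstrated with a small gateway placed in front of an agent's tool calls. The following is an added example, not code from the original article; the SPIFFE-style service identities, certificate fingerprints, EHR tool names and ACL entries are all constructed for illustration.

```python
"""Added example, not code from the original article: a minimal Zero Trust
gateway in front of AI agent tool calls. Every request is authenticated by
service identity, authorized against a minimum-necessary tool ACL, and
recorded in an audit log, whatever network the caller sits on. All service
identities, certificate fingerprints, tool names and policies are
constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import json


class AuthError(Exception):
    """Caller identity could not be verified."""


class AuthzError(Exception):
    """Caller is verified but the tool is not in its ACL."""


@dataclass(frozen=True)
class Caller:
    # Identity asserted by the caller, as a verified mTLS client certificate
    # would carry it (constructed SPIFFE-style IDs below).
    service_id: str
    cert_fingerprint: str


@dataclass
class ToolGateway:
    # service_id -> certificate fingerprint the service is expected to present
    identities: dict
    # service_id -> tools it may call; absence means deny
    acl: dict
    audit_log: list = field(default_factory=list)

    def authenticate(self, caller: Caller) -> None:
        expected = self.identities.get(caller.service_id)
        if expected is None or expected != caller.cert_fingerprint:
            raise AuthError(f"unknown or mismatched identity: {caller.service_id}")

    def authorize(self, caller: Caller, tool: str) -> None:
        if tool not in self.acl.get(caller.service_id, frozenset()):
            raise AuthzError(f"tool not permitted for {caller.service_id}: {tool}")

    def call(self, caller: Caller, tool: str, args: dict, handlers: dict):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "service": caller.service_id,
            "tool": tool,
            # Hash the arguments so the audit log itself does not become a PHI store.
            "args_sha256": hashlib.sha256(
                json.dumps(args, sort_keys=True).encode()).hexdigest(),
            "decision": "deny",
            "reason": None,
        }
        try:
            self.authenticate(caller)
            self.authorize(caller, tool)
            entry["decision"] = "allow"
            return handlers[tool](**args)
        except (AuthError, AuthzError) as exc:
            entry["reason"] = str(exc)
            raise
        finally:
            # Appended on both the allow and the deny path.
            self.audit_log.append(entry)


# Constructed EHR tool handlers standing in for real API calls.
def read_allergies(patient_id: str) -> dict:
    return {"patient_id": patient_id, "allergies": ["penicillin"]}


def write_order(patient_id: str, order: str) -> dict:
    return {"patient_id": patient_id, "order": order, "status": "placed"}


HANDLERS = {"ehr.read_allergies": read_allergies, "ehr.write_order": write_order}


def build_demo_gateway() -> ToolGateway:
    return ToolGateway(
        identities={"spiffe://clinic.example/agent/triage": "sha256:aa11"},
        # The triage agent may only read allergies; it gets no write tools at all.
        acl={"spiffe://clinic.example/agent/triage": frozenset({"ehr.read_allergies"})},
    )


def run_demo(gw: ToolGateway) -> dict:
    triage = Caller("spiffe://clinic.example/agent/triage", "sha256:aa11")
    impostor = Caller("spiffe://clinic.example/agent/triage", "sha256:ffff")
    out = {}
    out["allowed"] = gw.call(triage, "ehr.read_allergies", {"patient_id": "P-001"}, HANDLERS)
    try:
        gw.call(triage, "ehr.write_order", {"patient_id": "P-001", "order": "CBC"}, HANDLERS)
    except AuthzError as exc:
        out["denied_reason"] = str(exc)
    try:
        gw.call(impostor, "ehr.read_allergies", {"patient_id": "P-001"}, HANDLERS)
    except AuthError as exc:
        out["unauthenticated_reason"] = str(exc)
    return out


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(json.dumps(run_demo(gw), indent=2))
    print(json.dumps(gw.audit_log, indent=2))
```

The point of the design is that the deny decisions are made on identity and tool, not on where the request came from, and that the audit record is written on every path, including the failures that a lateral-movement attempt would produce. Hashing the arguments keeps the log useful for correlation without turning it into another copy of the PHI it protects.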
Key Takeaways
- Zero Trust replaces network perimeter trust with identity-based, per-request authorization for every AI component
- AI agentic workflows are the highest Zero Trust risk: an authenticated agent with multiple tools can move laterally without triggering network-based detection
- mTLS for service-to-service communication is the Zero Trust authentication mechanism — more secure than API keys because certificates are bound to service identity
- Egress inspection on LLM API calls is the safety net for the policy that PHI must not be sent to providers without a BAA
- Network segmentation should isolate the PHI data zone from the AI processing zone; PHI data zone has no egress
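The egress-inspection takeaway above can be shown as a policy check that an egress proxy or sidecar would apply to each outbound LLM request before it leaves the AI processing zone. This is an added example, not code from the original article: the provider hostnames and the BAA allowlist are constructed, and the PHI detector is a deliberately small regex heuristic (SSN, MRN, date of birth) that illustrates the decision logic rather than standing in for a real de-identification service.

```python
"""Added example, not code from the original article: an egress policy check
applied to outbound LLM API requests. Provider hostnames and the BAA
allowlist are constructed, and the PHI detector is a small regex heuristic
(SSN, MRN, date of birth) meant to show the decision logic rather than to
replace a real de-identification engine."""
import re
from urllib.parse import urlparse

# Constructed: LLM providers with an executed BAA. Any host not listed here
# is treated as having no BAA.
BAA_PROVIDERS = frozenset({"llm.baa-provider.example"})

# Heuristic PHI indicators. A production deployment would call a full
# de-identification service; these patterns only illustrate the check.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{4}\b",
                      re.IGNORECASE),
}


def find_phi(text: str) -> list:
    """Return the sorted names of PHI categories detected in text."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))


def egress_decision(url: str, body: str) -> dict:
    """Decide whether an outbound LLM request may leave the AI processing zone."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    phi = find_phi(body)
    decision = {"host": host, "phi_types": phi,
                "action": "allow", "reason": "no PHI detected"}
    if parsed.scheme != "https":
        decision.update(action="block", reason="plaintext egress not permitted")
    elif host in BAA_PROVIDERS:
        # Covered by a BAA; still record which PHI categories left the zone.
        decision["reason"] = "provider has BAA"
    elif phi:
        decision.update(action="block", reason="PHI to provider without BAA")
    return decision


# Constructed outbound requests as an egress proxy or sidecar might see them.
SAMPLE_REQUESTS = [
    ("https://llm.baa-provider.example/v1/chat",
     "Summarize: patient MRN 12345678, DOB 01/02/1980, reports chest pain."),
    ("https://api.no-baa.example/v1/chat",
     "Draft a note for the patient with SSN 123-45-6789."),
    ("https://api.no-baa.example/v1/chat",
     "What is the ICD-10 code for seasonal influenza?"),
    ("http://api.no-baa.example/v1/chat",
     "What is the ICD-10 code for seasonal influenza?"),
]


def inspect_all(requests=SAMPLE_REQUESTS) -> list:
    """Apply the egress policy to each constructed request."""
    return [egress_decision(url, body) for url, body in requests]


if __name__ == "__main__":
    for d in inspect_all():
        print(f"{d['action']:5} {d['host']:28} phi={d['phi_types']} ({d['reason']})")
```

Two details carry the Zero Trust intent: the allowlist is keyed on the verified destination host rather than on which subnet the request originated from, and a BAA provider still gets a logged record of the PHI categories sent, so the inspection point doubles as the audit trail for the policy it enforces.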