Common trust principles for cloud-edge ecosystems

Summary

Common trust principles for cloud-edge ecosystems are guidelines that help ensure data, devices, and automated processes stay secure and reliable as they interact across cloud and edge environments. These principles are built on the idea that nothing is automatically trusted, and every access or action is continuously verified, especially as intelligent devices and AI agents become more common.

  • Protect identities: Make sure every device, user, and software agent has a unique, verified identity, and check their credentials whenever they interact with the system.
  • Enforce least privilege: Grant access only for the minimum purpose and time needed, so no user or machine can do more than necessary within the ecosystem.
  • Monitor and trace: Set up continuous monitoring and audit trails so you can detect unusual behavior quickly and track every decision or action back to its origin.
Summarized by AI based on LinkedIn member posts
  • Anthony Butler

    Chief Architect @ Humain | Senior Advisor | ex-IBM Distinguished Engineer | AI, Blockchain & Digital Asset Infrastructure

    15,508 followers

    One of the most interesting aspects of my last few roles, including my current work at Humain, is operating at the intersection of AI and advanced security/encryption techniques, from zero-knowledge proof systems to the extension of Zero Trust principles into the agentic world. In traditional Zero Trust, we authenticate users and devices. In the agentic world, the “user” could be an autonomous agent — a system that reasons, acts, and interacts with data and other agents, often at machine speed. That changes everything. To secure this new ecosystem, Zero Trust must evolve from static identity verification to dynamic trust orchestration, where every action, decision, and data exchange is continuously verified, contextual, and cryptographically enforced.

    1. Agent Identity and Attestation: Every agent must have a verifiable, cryptographically signed identity and prove its integrity at runtime; not just who you are, but what you’re running: the model, weights, policy context, and data provenance.
    2. Intent-Aware Policy Enforcement: Access control must become intent-aware, so agents act only within bounded policy domains defined by explicit goals, permissions, and ethical constraints — continuously verified by embedded governance logic.
    3. Least Privilege and Time-Bound Access: Agents must operate under least privilege, with access granted only for the minimum scope and duration required. In fast-moving agentic environments, time-limited trust becomes an essential safeguard.
    4. Assumed Breach and Blast Radius Containment: We must assume some agents or environments will be compromised. Security design should minimise impact through microsegmentation, strict trust boundaries, and dynamic reassessment of communication between agents.
    5. Encrypted Cognition: As models process sensitive data, confidential AI becomes essential, where combining homomorphic encryption, secure enclaves, and multi-party computation can ensure that the model cannot “see” the data it processes. Zero Trust now extends into the reasoning process itself.
    6. Adaptive Trust Graphs: Agents, services, and humans form dynamic trust graphs that evolve based on behaviour and context. Continuous telemetry and anomaly detection allow these graphs to adjust privileges in real time based on risk.
    7. Cryptographic Provenance: Every output, decision, summary, or recommendation must be traceable back to the data, model, and policy that produced it. Provenance becomes the new perimeter.
    8. Autonomous Audit and Forensics: Every action should be self-auditing, cryptographically signed, and non-repudiable, forming the foundation for verifiable operations and compliance.
    9. Machine-to-Machine Governance: As agents begin to negotiate, transact, and collaborate, Zero Trust must extend into inter-agent diplomacy, embedding ethics, accountability, and policy directly into machine communication.

    If you’re working on AI security, agent governance, or confidential computation, I’d love to connect.
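
Items 1, 3, 7 and 8 of the post above describe mechanisms rather than policy, so here is an added worked example (editor's code, not the author's or Humain's) of how they fit together: a capability that binds an agent identity to a runtime measurement of the model and policy it is running, carries a minimal scope and a short expiry, is re-verified on every request, and feeds a hash-chained, signed audit log so each decision traces back to its inputs, model and capability. Everything in it is an assumption for illustration: the agent name, scopes, timestamps and artifacts are constructed, and HMAC-SHA256 stands in for the asymmetric signatures and TPM/enclave attestation quotes a real deployment would use.

```python
"""Added example: attested, time-bound agent capability plus a hash-chained,
signed audit trail. HMAC is a stand-in for asymmetric signatures and for
hardware attestation; nothing here is production key management."""
import hashlib
import hmac
import json

# Constructed key for the example only; a deployment would keep it in a
# KMS/HSM and sign with an asymmetric key (Ed25519/ECDSA) rather than HMAC.
ISSUER_KEY = b"example-issuer-key-not-for-production"


def canonical(obj) -> bytes:
    """Deterministic JSON so issuer and verifier MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def measure(artifact: bytes) -> str:
    """Runtime measurement of what the agent runs (weights, policy bundle);
    stands in for a TPM PCR or enclave measurement (assumption)."""
    return hashlib.sha256(artifact).hexdigest()


def issue_capability(key, agent_id, model_bytes, policy_bytes, scope, ttl_s, now):
    """Bind identity, measurements, minimal scope and short lifetime into
    one signed capability (post items 1 and 3)."""
    claims = {"sub": agent_id, "model": measure(model_bytes),
              "policy": measure(policy_bytes), "scope": sorted(scope),
              "iat": now, "exp": now + ttl_s}
    return {"claims": claims, "sig": sign(key, canonical(claims))}


def authorize(key, cap, agent_id, running_model, running_policy, action, now):
    """Per-request re-verification: signature, subject, attestation, expiry,
    scope. Returns (allowed, reason) so the decision itself can be logged."""
    claims = cap["claims"]
    if not hmac.compare_digest(sign(key, canonical(claims)), cap["sig"]):
        return False, "bad signature"
    if claims["sub"] != agent_id:
        return False, "subject mismatch"
    if claims["model"] != measure(running_model) or claims["policy"] != measure(running_policy):
        return False, "attestation mismatch"
    if now >= claims["exp"]:
        return False, "expired"
    if action not in claims["scope"]:
        return False, "out of scope"
    return True, "ok"


class AuditLog:
    """Hash-chained, signed log: each entry commits to the previous head and
    to digests of input, model and capability (post items 7 and 8), so a
    modified or removed entry breaks verification."""
    GENESIS = "0" * 64

    def __init__(self, key):
        self.key, self.entries, self.head = key, [], self.GENESIS

    def record(self, agent_id, action, allowed, reason, input_bytes, cap):
        entry = {"prev": self.head, "agent": agent_id, "action": action,
                 "allowed": allowed, "reason": reason,
                 "input": hashlib.sha256(input_bytes).hexdigest(),
                 "model": cap["claims"]["model"], "cap_sig": cap["sig"]}
        sig = sign(self.key, canonical(entry))
        self.entries.append({"entry": entry, "sig": sig})
        self.head = hashlib.sha256(canonical(entry) + sig.encode()).hexdigest()
        return self.head

    def verify(self):
        prev = self.GENESIS
        for rec in self.entries:
            entry, sig = rec["entry"], rec["sig"]
            if entry["prev"] != prev:
                return False
            if not hmac.compare_digest(sign(self.key, canonical(entry)), sig):
                return False
            prev = hashlib.sha256(canonical(entry) + sig.encode()).hexdigest()
        return prev == self.head


def demo():
    """Constructed scenario: one good request, then out-of-scope action,
    unattested model swap, and an expired capability."""
    model, policy = b"weights-v1", b"policy: summarize only"
    cap = issue_capability(ISSUER_KEY, "agent-17", model, policy,
                           {"read:tickets", "write:summary"}, ttl_s=300, now=1_000)
    log, results = AuditLog(ISSUER_KEY), []
    for action, mdl, now in [("write:summary", model, 1_010),
                             ("delete:tickets", model, 1_020),
                             ("write:summary", b"weights-v2", 1_030),
                             ("write:summary", model, 1_400)]:
        ok, why = authorize(ISSUER_KEY, cap, "agent-17", mdl, policy, action, now)
        log.record("agent-17", action, ok, why, b"ticket #42 text", cap)
        results.append((ok, why))
    return results, log
```

The denials are logged alongside the grants, which is what makes the trail useful for forensics: an auditor can show not only that a summary was produced from a given input by a given model, but also that the agent tried to exceed its scope and was stopped. Swapping the weights changes the measurement and invalidates the capability without any key rotation.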

  • Debashis Roy

    Software Craftsman | CXO | Leadership | Agile & DevOps Enthusiast | Product & Service Management | Enigmatologist | Innovative | Data Science | BlockChain | AI | FinTech | Life Science

    1,782 followers

    Zero Trust Architecture (ZTA) is a modern security framework based on the principle of “never trust, always verify.” Unlike traditional perimeter-based models that assume everything inside the network is safe, Zero Trust treats all users, devices, and applications as potentially untrusted, regardless of their location. In software architecture, Zero Trust emphasizes:

    • Identity and Access Management (IAM): Strong authentication and authorization at every access request.
    • Least Privilege: Granting only the minimum access required to perform tasks.
    • Micro-Segmentation: Breaking systems into smaller zones to limit lateral movement in case of compromise.
    • Continuous Monitoring: Real-time verification of user and system behavior.
    • Encryption and Secure APIs: Ensuring secure data exchange across applications and services.

    By enforcing strict verification and minimizing trust assumptions, Zero Trust reduces attack surfaces and enhances resilience against modern cyber threats, making it a vital approach for cloud, mobile, and hybrid environments.

  • Satyavrat Mishra

    Empowering Businesses with Secure & Scalable IT | Digital Transformation & Cybersecurity Leader

    10,642 followers

    Zero Trust isn’t new. But where and how we apply it has changed. When users were inside firewalls and apps sat in data centres, perimeter defence worked. Today, your users, devices, and workloads are everywhere. The old zero trust model stops at the data centre. What you need now is Zero Trust Edge (ZTE).

    What is ZTE? ZTE extends zero trust principles—identity, least privilege, continuous validation—to the edge:
    • Branch offices
    • Remote users
    • IoT devices
    • SaaS workloads

    It merges network security and access control, delivered at the cloud edge—not just the core.

    What leaders should focus on:
    - Implementing SASE + ZTNA as part of the ZTE rollout
    - Aligning identity, endpoint, and policy enforcement layers
    - Designing for user experience and security—no tradeoffs
    - Ensuring telemetry flows from edge to SOC in real time

    ZTE is not a product. It’s an architecture shift. And for decentralised workforces, it’s fast becoming non-negotiable.