One of the perils of covering technology in general, and cybersecurity in particular, is separating hype from reality. Zero Trust is nearly 15 years old (it’s hard to believe it will soon be old enough to drive). In that time, it has become the dominant cybersecurity model, even if idealized implementations remain aspirational for many organizations. It has also become another term in a long list of buzzwords masquerading as cybersecurity’s long sought-after silver bullet.

AI is much younger, but if the optimists (and the hype) are to be believed, it shows as much or more promise to revolutionize cybersecurity than Zero Trust ever did. There is also skepticism and confusion, which lead to natural questions about what AI actually can do, as well as what it realistically should do. Those questions don’t appear to be much of a barrier, however. In Forrester’s 2025 State of AI Survey, 43% of organizations reported at least one genAI production use case for the IT function and, of those, 41% reported full production (as opposed to a limited rollout or alpha launch) for “identifying and mitigating security and compliance risks.”

With that kind of uptake, it is impossible not to think about how AI will impact Zero Trust, though the question is a fraught one. According to Forrester’s 2025 Security Survey, one third of organizations are still struggling with how to leverage their existing technology to advance their Zero Trust initiatives, let alone incorporate emerging technologies. In that same survey, more than a quarter of organizations also reported a lack of technical skills causing delays or disruptions.

GenAI Is An Assistant On The Zero Trust Journey

In the short term, genAI is well positioned to help bridge at least some of the gaps in technology and technical skills. Both general-purpose AI services such as ChatGPT, Claude, and Gemini, as well as vendor-specific models, will play a role in driving Zero Trust adoption and maturity because organizations can use them to:

  • Translate natural language into configurations. Like many areas of technology, making an implementation match the letter and spirit of the requirements can be a challenge. LLM-based tools provide a convenient mechanism for practitioners to convert written policies into the policies and configurations required by the various components in a Zero Trust Architecture. Think of the difference in the “expressiveness” of high-level programming languages like Python and low-level languages like Assembly or C/C++. LLMs provide a way to define the desired outcome or end state of a policy or configuration without requiring an architect or engineer to commit esoteric command line arguments to memory — and then correctly type them.
  • Translate configurations between different systems. Many reference architectures depict the policy decision point (PDP) as a monolith, but that is almost never the reality. GenAI tools can streamline the process of converting configurations and policies from one platform or system to an equivalent on a different platform or system. Leveraging AI tools in this way ensures that — in the absence of a single authoritative source — disparate PDPs will produce consistent authorization decisions.
  • Apply best practices and identify areas that require attention. Historically, the extent to which vendors have codified and presented best practices has varied widely. The result has been that practitioners may or may not implement those practices and, more significantly, may not really know whether they have done so or what the gaps are. Vendor-specific models provide an interface to an interactive body of knowledge that enables practitioners to implement and maintain their deployments more easily: they take the concepts of “configuration wizard” and “health check” to an entirely new level.
  • Use natural language for reporting and auditing. Security tools are notorious for each having their own domain-specific languages (DSLs) to query data in the system. As vendors increasingly include chatbots in their management consoles, operators will be able to access the information they need more quickly and easily without the idiosyncrasies of DSLs or overlaying other reporting tools.
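
A translated policy can be checked rather than trusted. The added example below (not from the original post or any vendor) compares two constructed policy formats for hypothetical PDPs "A" and "B" over every request in a small attribute space and reports where their decisions differ; all rule formats, attribute names and values are assumptions.

```python
from itertools import product

# Constructed policy for hypothetical PDP "A": ordered rules, first match wins,
# implicit deny when nothing matches.
PDP_A_RULES = [
    {"role": "contractor", "resource": "payroll", "effect": "deny"},
    {"role": "*", "resource": "payroll", "device_compliant": True, "effect": "allow"},
    {"role": "*", "resource": "wiki", "effect": "allow"},
]

# Constructed translation of the same policy for hypothetical PDP "B":
# unordered statements, deny overrides allow, implicit deny otherwise.
# This translation dropped the contractor deny, the kind of gap to look for.
PDP_B_STATEMENTS = [
    {"effect": "allow", "resource": "payroll", "device_compliant": True},
    {"effect": "allow", "resource": "wiki"},
]

def _matches(rule, request):
    """A rule matches when every attribute it names equals the request's ('*' = any)."""
    return all(v == "*" or request.get(k) == v
               for k, v in rule.items() if k != "effect")

def decide_a(request):
    for rule in PDP_A_RULES:
        if _matches(rule, request):
            return rule["effect"]
    return "deny"

def decide_b(request, statements=PDP_B_STATEMENTS):
    hits = [s["effect"] for s in statements if _matches(s, request)]
    if "deny" in hits:
        return "deny"
    return "allow" if "allow" in hits else "deny"

def divergences(statements=PDP_B_STATEMENTS):
    """Enumerate the whole attribute space; return requests the two PDPs decide differently."""
    space = {"role": ["employee", "contractor"],
             "resource": ["payroll", "wiki"],
             "device_compliant": [True, False]}
    out = []
    for values in product(*space.values()):
        req = dict(zip(space.keys(), values))
        a, b = decide_a(req), decide_b(req, statements)
        if a != b:
            out.append((req, a, b))
    return out
```

Exhaustive enumeration only works while the attribute space is small; for larger spaces the same comparison can run over sampled or logged requests.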

AI Agents Will Become The “Officers” Of Policy Enforcement

In the longer term, AI agents can help resolve one of the biggest issues in Zero Trust policy enforcement. Today, most authorization decisions are made and reevaluated at specific intervals: an entity authenticates, some attributes are evaluated, access is granted, a timer starts, and when it expires the process begins again. But the real promise of Zero Trust is a continuous feedback loop. As AI agents become more widely deployed and capable, they will be able to tighten that feedback loop because:

  • AI agents will be able to communicate with a wide range of systems. Anthropic’s Model Context Protocol (MCP) enables agents to communicate with different data sources. Google’s Agent2Agent (A2A) protocol provides a standardized interface for agents to communicate with each other. These communication paths will make gathering and updating context — like the attributes used in authorization decisions — a much easier proposition than the existing approaches to Zero Trust system integration.
  • AI agents will be able to “see something, do something.” The benefits of MCP and A2A don’t stop at enrichment. These interfaces also provide a mechanism for agents to act. Rather than the current model of reevaluating authorization at set intervals and rendering a binary (allow/deny) decision, AI agents will be able to make provisional judgements about access and continuously monitor and update access in close to real time.
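
The difference between timer-based reevaluation and a continuous loop can be measured. This added example (not from the original post) replays a constructed signal stream through both models and reports how long the timer-based model keeps access open after a signal-driven evaluation would have denied it; the attribute names, thresholds and the "restrict" decision are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Signal:
    t: int          # seconds since session start
    attr: str       # context attribute that changed
    value: object

# Constructed signal stream for one session (not real telemetry).
SIGNALS = [
    Signal(120, "risk_score", 55),            # elevated risk
    Signal(400, "device_compliant", False),   # posture check failed
]

def evaluate(ctx):
    """Graded decision rather than binary allow/deny (thresholds are assumptions)."""
    if not ctx["device_compliant"] or ctx["risk_score"] >= 80:
        return "deny"
    if ctx["risk_score"] >= 50:
        return "restrict"   # provisional access, e.g. read-only
    return "allow"

def timeline(signals, reevaluate_every=None, horizon=3600):
    """Return [(time, decision)] at each decision change.
    reevaluate_every=None evaluates on every signal; an int evaluates on a timer."""
    ctx = {"device_compliant": True, "risk_score": 10}
    pending = sorted(signals, key=lambda s: s.t)
    if reevaluate_every is None:
        checkpoints = [s.t for s in pending]
    else:
        checkpoints = range(reevaluate_every, horizon + 1, reevaluate_every)
    current = evaluate(ctx)
    changes = [(0, current)]
    for t in checkpoints:
        while pending and pending[0].t <= t:   # apply signals seen so far
            s = pending.pop(0)
            ctx[s.attr] = s.value
        decision = evaluate(ctx)
        if decision != current:
            changes.append((t, decision))
            current = decision
    return changes

def exposure_seconds(signals, reevaluate_every, horizon=3600):
    """Seconds the timer model leaves access open after the signal-driven model denies it."""
    def first_deny(tl):
        return next((t for t, d in tl if d == "deny"), horizon)
    return (first_deny(timeline(signals, reevaluate_every, horizon))
            - first_deny(timeline(signals, None, horizon)))
```

With a 900-second timer the session never passes through the intermediate "restrict" state and stays fully open until the next checkpoint.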

Dive Deeper At The Security & Risk Summit

There is a LOT to unpack in both AI and Zero Trust. And there is still more to unpack when it comes to using AI for Zero Trust. That’s why I hope you’ll join me and my Forrester colleagues in Austin, Texas on November 5–7 for the Forrester Security & Risk Summit.

I’ll be presenting a session titled, “The Role Of AI In Zero Trust Architectures” as part of the Zero Trust, Data, and Cloud track. The rest of the agenda is full of keynotes, breakouts, workshops, roundtables, and special programs to help you master risk and conquer chaos as you navigate the volatile cybersecurity landscape. I hope to meet you there!