Microsoft ZT4AI — Zero Trust for AI
Microsoft’s adaptation of Zero Trust principles to AI systems and agentic deployments, branded ZT4AI (Zero Trust for AI). Originally introduced as a control set with ~700 controls; the framework received a March 2026 update delivering a refreshed reference architecture, workshop, assessment tool, and patterns-and-practices articles, announced in Vasu Jakkal’s pre-RSAC 2026 post.
Foundation: Zero Trust principles applied to AI
ZT4AI inherits the three Zero Trust principles and extends them to the AI lifecycle:
- Verify explicitly — every model invocation, every tool call, every data retrieval, every cross-agent message is authenticated and authorized at the time of use; no transitive trust from prior decisions.
- Use least privilege — agents receive the minimum capability required for the current task; capabilities are scoped, time-bounded, and revocable. Aligns with Least Agency Principle applied to NHIs.
- Assume breach — the architecture operates as if any individual agent, model, tool, or credential is already compromised; controls focus on containment and rapid remediation.
The framework’s lifecycle scope spans data ingestion, model training, deployment, and agent runtime behavior — explicitly broader than runtime-only zero-trust frameworks.
Architectural pillars (Microsoft’s structuring)
ZT4AI’s reference architecture organizes controls into pillars consistent with Microsoft’s broader Zero Trust portfolio:
| Pillar | What it covers | Microsoft product surface |
|---|---|---|
| Identity | Workload + agent identity; authN; authZ; conditional access | Entra Agent ID / Entra Suite / Conditional Access Optimization Agent |
| Data | Classification; DLP; provenance; oversharing prevention | Microsoft Purview (DLP for Copilot; Data Security Posture Agent) |
| Devices | Endpoint hygiene; device-of-origin attestation; AI-app inventory | Microsoft Intune (Enhanced AI App Inventory) |
| Apps & Workloads | Container security; binary drift; antimalware; agent runtime | Defender for Cloud (Container Security; Posture Management) |
| Network | Network-layer controls: prompt-injection blocking; shadow AI detection | Entra Internet Access (PI Protection + Shadow AI Detection) |
| Visibility, Automation, Orchestration | SIEM + SOAR + agentic SOC | Microsoft Sentinel (Data Federation; Playbook Generator; MCP Entity Analyzer) |
| Governance | Policy lifecycle; compliance; assessments | Responsible AI Standard; ZT4AI Assessment Tool |
Control set scale
Public references cite ZT4AI as a ~700-control framework at its initial introduction. The March 2026 update did not publicly enumerate a new control count; the structure is now organized via the reference architecture + workshop + assessment-tool deliverables rather than a flat control list.
Predictive Shielding — adaptive policy contraction
The March 2026 update introduces Defender Predictive Shielding (preview) — a primitive for dynamically adjusting identity and access policies during active attacks. Sequence:
- Detector signals an active attack (Defender for Cloud / Sentinel anomaly).
- Predictive Shielding tightens applicable Conditional Access policies — e.g., elevates MFA strength, forces re-authentication, narrows permitted scopes, blocks specific tool calls.
- After the attack signal recedes, policies revert to baseline automatically.
This is the step-down counterpart to step-up authentication: the policy contracts in response to detected threat rather than expanding for an authorization request. The wiki has previously treated step-up (D2 L4 in the CMM); step-down was implicit. The general primitive — automatic policy contraction triggered by anomaly signals — is broader than Microsoft’s specific implementation and worth tracking separately. See Behavioral Anomaly Detection for Agents for the detection side.
Cross-walk to wiki frameworks
| ZT4AI Pillar | Wiki CMM domain | Wiki RA plane |
|---|---|---|
| Identity | D2 (Identity & Authorization) | Identity plane |
| Data | D6 (Data, Memory & RAG) | Data plane |
| Devices | D8 (Supply Chain & Tooling) | (Endpoint substrate; cross-cutting) |
| Apps & Workloads | D4 (Runtime & Guardrails) | Runtime plane |
| Network | D5 (Egress & Communications) + D4 | Egress plane |
| Visibility / Orchestration | D7 (Observability & Behavioral Monitoring) | Observability plane |
| Governance | D1 (Governance & Accountability) | (Cross-cutting) |
The mapping is approximate — ZT4AI is organized around Microsoft’s product taxonomy while the CMM is organized around independent operational domains. A specific control may appear in different cells depending on which framing is applied.
Adoption signals
- Vendor lock-in — ZT4AI is most directly actionable inside the Microsoft Security stack (Entra + Defender + Purview + Sentinel + Security Copilot). Other-vendor practitioners can take the framework’s principles but the implementation guide assumes Microsoft tooling.
- Wide reference base in the wiki — ZT4AI was already referenced 12 times across the wiki at this page’s creation, even without a dedicated framework page. The reference base reflects ZT4AI’s strong mindshare among Microsoft-centric practitioners.
- March 2026 update — Microsoft’s continuing investment is a positive signal for the framework’s longevity; a pure marketing-only framework would not warrant a workshop + assessment-tool refresh.
Limitations
- Microsoft-centric. Reference architecture and assessment tool assume the Microsoft Security stack; cross-cloud or non-Microsoft deployments need translation.
- No agency-vs-autonomy distinction. Uses both terms but does not formalize the split (now anchored from the AWS Scoping Matrix).
- No formal threat enumeration per pillar. Like MAAIS (and unlike MAESTRO), the ZT4AI pillars list controls without per-pillar threat models tying each control to a specific adversary action.
- Control count not publicly maintained. The “~700 controls” figure is from earlier ZT4AI documentation; the March 2026 update reorganized rather than re-enumerated; current control count is not publicly stated.
- No specific ATLAS / OWASP ASI mapping. Practitioners must do their own crosswalk to MITRE ATLAS techniques or OWASP ASI Top 10 categories.
Use cases
- Microsoft-stack practitioners — direct implementation guide for agentic-AI security inside the Microsoft Security ecosystem.
- Reference-architecture comparison — useful as a reference design when comparing alternative architectures (the wiki RA, CSA MAESTRO, MAAIS, AWS Scoping Matrix).
- Workshop / assessment — Microsoft’s ZT4AI Assessment Tool (March 2026 update) provides a self-evaluation surface for orgs already on the Microsoft stack.
Provenance
The framework’s foundational ZT4AI documentation predates the wiki. The March 2026 reference architecture, workshop, and assessment-tool refresh are anchored at Vasu Jakkal’s pre-RSAC 2026 post. The wiki’s prior 12 inbound references are now consolidated through this canonical framework page.