How AI is rewriting Zero Trust: the login is no longer the boundary

By Chris Arceo / May 11, 2026 / AI & Automation

Zero Trust was designed for a world where a human logs in, gets verified once, and goes about their work. That world is gone. Artificial intelligence has broken the model in two directions at once: attackers now use it to defeat the checks at the front door, and businesses now run swarms of AI agents and automated identities that never log in like a person at all. The old boundary was the login. The new boundary is the action being requested, and most Australian businesses are not watching it.

This is the first in our series on how AI is reshaping each layer of your security stack, and you can read the full ecosystem overview that ties the whole series together. We are starting with identity and access, because in 2026 that is where the fight is being decided.

What Zero Trust actually means

Zero Trust is a security model built on three ideas: never trust by default, always verify, and assume you are already breached. Instead of trusting anyone inside the network perimeter, every request to reach a system or piece of data is checked against identity, device health, and context, every time. The principle has not changed. What has changed is how hard it now is to apply, because the things requesting access are no longer just people at keyboards.

Why AI breaks the old model

Two shifts matter. The first is on the attack side. AI has made phishing, voice cloning, and deepfakes good enough to defeat the human judgement that static trust quietly relied on. A convincing email or a cloned voice from a “manager” sails past the instinct that used to catch it. Verifying someone once at login is no longer proof of anything.

The second shift is bigger and quieter. Your environment is filling with non-human identities: AI agents, service accounts, API tokens, and OAuth grants. Industry analysis suggests these already outnumber human identities in most organisations, and surveys repeatedly estimate that the large majority hold far more permission than their actual job requires. The 2026 Verizon Data Breach Investigations Report drove the point home when compromised OAuth tokens in the Salesloft Drift ecosystem were used to pivot into the Salesforce environments of major enterprises. Those were not password attacks. They were identity attacks against machines. The lesson the industry took from it is blunt: AI security is identity security.

The login is no longer the boundary

Here is the reality. When an autonomous agent operates continuously inside your systems, the meaningful security decision is not “did this entity authenticate”. It is “should this specific action, right now, be allowed”. Identity has shifted from a one-time event at sign-in to a continuous, real-time decision about every request. Zero Trust is not being replaced by AI. It is being forced to operate at machine speed, on machine identities, evaluating intent and context on every action rather than once at the door.
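A per-action decision of this kind can be sketched as follows. This is an added example, not code from Epic IT or any vendor named on this page; the policy fields, identity names, and thresholds are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy: what each non-human identity may do, from which
# workload, with how fresh a credential, and at what volume.
POLICY = {
    "agent:invoice-bot": {
        "allow": {("read", "crm/invoices"), ("write", "crm/invoice-notes")},
        "workloads": {"prod-automation"},
        "max_token_age": timedelta(hours=1),
        "max_records": 200,
    },
}

@dataclass
class Request:
    identity: str
    action: str
    resource: str
    workload: str
    token_issued: datetime
    records: int = 1

def decide(req: Request, now: datetime) -> tuple[bool, str]:
    """Evaluate one action. The caller has already authenticated;
    that alone never yields an allow."""
    rule = POLICY.get(req.identity)
    if rule is None:
        return False, "unknown identity"  # default deny
    if (req.action, req.resource) not in rule["allow"]:
        return False, "action outside granted scope"
    if req.workload not in rule["workloads"]:
        return False, "unexpected workload"
    age = now - req.token_issued
    if age < timedelta(0) or age > rule["max_token_age"]:
        return False, "credential age out of bounds, re-verify"
    if req.records > rule["max_records"]:
        return False, "volume above baseline for this identity"
    return True, "allowed"

if __name__ == "__main__":
    now = datetime(2026, 5, 11, 9, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=5)
    # Same authenticated agent, two different actions, two different outcomes.
    for action, resource in [("read", "crm/invoices"), ("export", "crm/contacts")]:
        req = Request("agent:invoice-bot", action, resource, "prod-automation", fresh)
        print(action, resource, decide(req, now))
```

The same valid token yields an allow for one request and a deny for the next, which is the difference between checking the actor and checking the action.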

What this means for your stack

The good news is that the controls that deliver Zero Trust are tools you can deploy now, and we run them for our clients every day. The point is not any single product. It is layering identity controls so that a failure at one point is caught at another.

| Control | What it does | Why it matters more with AI |
| --- | --- | --- |
| Multi-factor and phishing-resistant authentication | Confirms identity with a second factor, ideally a passkey or hardware key | AI-cloned voices and deepfake video defeat human verification; cryptographic factors do not |
| Conditional access (Microsoft Entra) | Allows or blocks based on risk signals: device, location, behaviour | Risk-based, real-time decisions replace one-time trust at login |
| Zero Trust network access (Twingate) | Grants least-privilege access to specific applications, not the whole network | Limits how far a compromised human or machine identity can move |
| Credential and secrets management (Keeper) | Stores passwords, MFA codes, and shared secrets securely | Removes the hard-coded credentials and reused passwords that token attacks exploit |
| Identity threat detection and response (Huntress ITDR) | Watches Microsoft 365 accounts for signs of compromise | Catches the suspicious login or token misuse that slips past the front door |

That last layer is the safety net. Even with strong access controls, identities get compromised, so something has to watch for the login that should not be happening and shut it down. This stack works alongside our broader managed cyber security and sits at the centre of how we deliver access management for Perth businesses.

The direction the whole market is moving

You do not have to take our word for where this is heading. In March 2026 Microsoft launched a dedicated Zero Trust for AI reference architecture, with a Zero Trust assessment for AI scenarios following in mid-2026, treating AI agents as identities that must sit behind the same controls as people. Zscaler moved to govern how AI agents access data, and Cisco has been vocal that agents need their own identity model because they combine machine speed with human-like access. The common thread across all of them is the one above: extend Zero Trust to non-human identities, and verify the action, not just the actor.

Where this connects to the Essential Eight

If you already work to the Essential Eight, you have a head start. Multi-factor authentication and restricting administrative privileges are two of the eight controls, and both are foundations of Zero Trust. The gap the Essential Eight does not fully address is the explosion of machine and AI identities, which is exactly where a Zero Trust identity programme extends your existing baseline. We cover that adjacent territory in our work on AI governance.

What you should do now

Inventory your non-human identities. Most businesses can name their staff but have no idea how many service accounts, API tokens, and AI agents hold access, or what those identities can reach. You cannot apply least privilege to something you cannot see.

Move from one-time login to continuous verification. Turn on risk-based conditional access, deploy phishing-resistant authentication for privileged accounts first, and make sure something is watching identities for compromise after login, not just at it.

Get an identity-focused security review. Ask your provider to map your identities, human and machine, against Zero Trust principles. If they can only talk about firewalls and passwords, that is a gap. Contact Epic IT for a free access and identity review and we will show you where your real exposure sits.
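For the inventory step above, the following added example (not from the original article or any product it names) reviews a constructed export of non-human identities and flags unused permissions, missing owners, and idle credentials. The record fields and the 90-day idle threshold are assumptions, not a vendor schema.

```python
from datetime import date

# Constructed inventory export; field names are illustrative assumptions.
IDENTITIES = [
    {"name": "svc-backup", "kind": "service_account", "owner": "it-ops",
     "granted": {"files.read", "files.write"},
     "used": {"files.read", "files.write"}, "last_used": date(2026, 5, 9)},
    {"name": "crm-sync-token", "kind": "oauth_grant", "owner": None,
     "granted": {"crm.read", "crm.write", "crm.export", "mail.send"},
     "used": {"crm.read"}, "last_used": date(2026, 5, 10)},
    {"name": "agent-helpdesk", "kind": "ai_agent", "owner": "support",
     "granted": {"tickets.read", "tickets.write", "users.admin"},
     "used": {"tickets.read", "tickets.write"}, "last_used": date(2026, 5, 10)},
    {"name": "old-report-key", "kind": "api_token", "owner": "finance",
     "granted": {"reports.read"}, "used": set(), "last_used": date(2025, 11, 2)},
]

def review(identities, today, stale_days=90):
    """Return (name, kind, issues) for every identity that needs attention,
    worst first. 'used' is the set of permissions seen in activity logs."""
    findings = []
    for ident in identities:
        issues = []
        unused = sorted(ident["granted"] - ident["used"])
        if unused:
            issues.append("unused permissions: " + ", ".join(unused))
        if not ident["owner"]:
            issues.append("no accountable owner")
        if (today - ident["last_used"]).days > stale_days:
            issues.append(f"idle for more than {stale_days} days")
        if issues:
            findings.append((ident["name"], ident["kind"], issues))
    # Most issues first, then by name for a stable report order.
    return sorted(findings, key=lambda f: (-len(f[2]), f[0]))

if __name__ == "__main__":
    for name, kind, issues in review(IDENTITIES, date(2026, 5, 11)):
        print(f"{name} ({kind})")
        for issue in issues:
            print(f"  - {issue}")
```

Comparing granted permissions against those actually observed in use is what turns an inventory into a least-privilege work list: each unused permission is a candidate for removal.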

Frequently asked questions

Is Zero Trust still relevant in the age of AI?
More than ever. AI has not made Zero Trust obsolete, it has accelerated it. As AI agents and automated identities operate continuously inside business systems, verification has to happen on every action rather than once at login, which is exactly what Zero Trust was designed to enforce.

How is AI changing identity and access management?
AI is shifting identity from a one-time authentication event into a continuous, real-time decision about each request. It also adds huge numbers of non-human identities, such as AI agents, service accounts, and API tokens, that must be governed with the same least-privilege and verification controls as human users.

What are non-human identities and why are they a risk?
Non-human identities are AI agents, service accounts, API tokens, and machine credentials that access systems without a person logging in. They now outnumber human identities in most organisations and are frequently over-permissioned, which makes them a fast-growing target for attackers and a blind spot for traditional security.

Does multi-factor authentication still work against AI attacks?
Standard MFA helps but can be phished or bypassed. Phishing-resistant methods such as passkeys and hardware security keys are far stronger against AI-driven phishing and deepfakes, because they rely on cryptography rather than human judgement that AI is now able to fool.

How does Zero Trust relate to the Essential Eight?
Two Essential Eight controls, multi-factor authentication and restricting administrative privileges, are core Zero Trust practices. A Zero Trust identity programme builds on that baseline and extends it to the machine and AI identities the Essential Eight was not designed to cover.

Next in the series: how AI is changing EDR, when your endpoint starts defending itself.

Worried your identity controls were built for a pre-AI world?

Our Perth-based team can run a free access and identity review, mapping your human and machine identities against Zero Trust principles. Contact us on 1300 EPIC IT.


About the Author
Written by Chris Arceo, Cyber Security Officer at Epic IT, a CRN Fast50-recognised managed IT services provider in Perth. Chris holds a Bachelor of Science in Information Technology (Network Administration) and over a dozen active certifications including CompTIA Security+, Cisco CCNA, and specialist qualifications across Datto, Sophos, Kaseya, and ConnectWise platforms.
