The idea of zero trust was based on the premise that the world consists of stable and human identities, but today this notion no longer applies. With the proliferation of AI-driven systems, we see another type of identity emerging: an autonomous actor that requests access, makes decisions, and interacts with the system at machine speed. Identity is becoming a battlefield.
Companies have been encouraged (or forced) to adopt AI technologies in which performance and competitiveness take precedence over everything else, including governance and security. AI increases productivity but also increases the number of identities created. These identities are usually temporary, unknown, and unprivileged, yet they have privileges. The number of identities created exceeds what traditional identity and access management (IAM) and zero-trust architecture approaches can accommodate.
At this point, zero trust starts to break down, not just hypothetically but in practice. “Never trust, always verify” presumes there is an objective definition of trust. In the context of AI, however, that definition does not stand still. How can you verify an agent whose behavior changes on the fly depending on the situation? Similarly, how can you apply least privilege to something whose privileges may vary depending on what needs to be done?
To cope with this, zero trust needs to change, evolving from a static architecture into a system of continuous evaluation. Identity will cease to be a persistent characteristic and must instead become a contextual and transient construct, limited by intent. In addition, access requests should be evaluated not only on “who” or “what” is asking for access but also on “why” and “how.”
This situation is leading to a transition into what we could think of as “machine speed trust.” The governance of AI needs to be based on the same parameters that are applied to human users, but with the help of automation and behavior-based policy engines that are able to react just as quickly as any other system.
The winners will not be those who delay AI due to security concerns, nor will they be the ones who sacrifice safety and control for speed. The winners will be those who successfully walk the tightrope between the two, making sure that their security processes are ingrained within AI itself.
We’ve not reached ‘Skynet’ yet… But when machines can act and access at scale, zero trust becomes less about strategy and more about survival by design.
Top trends
- Modernizing governance: With the growth in machine and agent identities, human-led, manual governance is creating vulnerabilities that attackers can exploit to bypass identity, visibility, and least-privilege controls.
- Zero trust at machine speed: The zero trust paradigm is no longer about having a set of tools and policies, but about implementing an ever-changing model of assessment that happens in real time as quickly as the machines themselves operate.
- The widening gap between AI and security: Companies are moving forward with AI implementations at a pace faster than they can develop necessary security controls. The gap between innovation and governance continues to widen.
Regulatory watch
The EU Council and Parliament reached an agreement regarding changes to the AI Act, part of the Digital Omnibus Package, in March 2026. The decision was made to prohibit AI from producing non-consensual sexual materials and child pornography, and to push deadlines concerning high-risk AI systems until 2027–2028. They also decided to relax obligations for smaller entities, and to tighten registration and conditions for sensitive-data processing.
CISO voice
“AI amplifies the inherent asymmetry in cybersecurity, giving attackers a scaling advantage and making a speed-based security ‘arms race’ possibly unwinnable. Instead of obsessing over pace, organizations should focus on security fundamentals like zero trust and strong identity controls, like continuous verification and containment to ensure resilience regardless of how quickly threats evolve.”
— Charl van der Walt, Head of Security Research, Orange Cyberdefense.
Innovation spotlight
The EUDI Wallet ecosystem will be transitioning from pilot stages to actual implementation, with the first major deadline set for December this year, by which member states must have at least one wallet available to users. The next deadline is set for 2027, when businesses must accept these wallets.
Barcelona Cybersecurity Congress update
AI governance, leadership, and real-world cybersecurity innovation will all be central themes at the upcoming Barcelona Cybersecurity Congress.
Dates: 3–5 November
Location: Barcelona
Co-located with: Smart City Expo World Congress