BIP ATL News & Media Platform


AI Agent Overload: How to Solve the Workload Identity Crisis

Apr 29, 2026  Twila Rosenbaum

Authenticating workloads is becoming increasingly complex, particularly with the rise of AI agents and the wide range of identity permissions they require. Organizations need to think ahead about securing workloads in complicated modern environments, but it's no easy task.

Researchers at Zscaler plan to explore this evolution in an upcoming RSAC 2026 session titled "What Are You, Really? Authenticating Workloads in a Zero Trust World." Workloads — the tasks applications and services perform, like processing user requests or running AI training — often operate in the background as non-human identities (NHIs) that need permission and authentication similar to human IT staff.

The Challenges of Tackling Workloads in 2026

Non-human identities, including AI agents that emulate human decision-making, require stringent security controls. Many large companies use a mix of Azure, Google Cloud, AWS, and on-premises services, making it crucial to authenticate workloads across diverse environments.

During their session, Zscaler CISO Sam Curry and Chief Scientist Yaroslav Rosomakho will cover authentication methods such as mutual TLS (mTLS), workload identity tokens, and remote attestation, offering insights into which methods scale best.

According to Rosomakho, workload identity was historically not top of mind. He notes, "What we observe is that right now, there are widespread insecure practices when it comes to workload identity. In many organizations, they simply rely on static IP addresses for identity mapping, which scales poorly, is spoofable, and collapses with any infrastructure change. We also see organizations relying on static credentials like HTTP basic authentication."

Specifically for AI agents, the most common method is using static headers and keys that are never rotated. Rosomakho calls this "a significant problem," as tying processes to static keys can lead to major damage.

How to Authenticate Workloads in Your Environment

Curry advises defenders to look for secrets, inventory AI agents and other NHIs, adopt standards, and work toward zero trust. "It's about testing federation and defining a data security policy," he explains.

He recommends organizations talk to their platform providers about adopting workload authentication standards. The appropriate defense posture depends on specific needs. For instance, Kubernetes Service Accounts give workloads dynamic short-term identities. Alternatively, organizations can adopt open source standards like Secure Production Identity Framework for Everyone (SPIFFE), which securely identifies software systems in dynamic environments using short-lived identities.

Another resource is the Internet Engineering Task Force's Workload Identity in Multi-System Environments (WIMSE) working group, which focuses on standardized solutions for workload identity challenges.
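
As an added illustration (not code from the article, Zscaler, or the SPIFFE project), the Python below shows the claim checks a service can apply to a short-lived, SPIFFE-style identity token in place of a static key: caller ID, audience, expiry, and a lifetime ceiling. It assumes the token's signature has already been verified against the trust domain's keys; the trust domain, service name, caller path, and one-hour ceiling are hypothetical.

```python
import re
import time

# All values below are constructed for illustration (assumptions, not from the article).
TRUST_DOMAIN = "prod.example.org"
THIS_SERVICE = "spiffe://prod.example.org/billing-api"
ALLOWED_CALLER_PATHS = {"/agents/invoice-summarizer"}
MAX_LIFETIME_S = 3600  # assumed policy: anything valid longer behaves like a static key

_SPIFFE_RE = re.compile(r"spiffe://([a-z0-9._-]+)((?:/[A-Za-z0-9._-]+)+)")


def parse_spiffe_id(value):
    """Split a workload SPIFFE ID into (trust_domain, path); raise ValueError if malformed."""
    m = _SPIFFE_RE.fullmatch(value) if isinstance(value, str) else None
    if not m or any(seg in (".", "..") for seg in m.group(2).split("/")[1:]):
        raise ValueError("malformed SPIFFE ID")
    return m.group(1), m.group(2)


def check_claims(claims, now=None):
    """Return (allowed, reason) for claims whose signature was already verified."""
    now = time.time() if now is None else now
    try:
        domain, path = parse_spiffe_id(claims.get("sub"))
    except ValueError as exc:
        return False, str(exc)
    if domain != TRUST_DOMAIN:
        return False, "untrusted trust domain"
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if THIS_SERVICE not in aud:  # token minted for another service must not be replayed here
        return False, "token not issued for this service"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return False, "missing exp"
    if exp <= now:
        return False, "expired"
    iat = claims.get("iat")
    start = iat if isinstance(iat, (int, float)) else now
    if exp - start > MAX_LIFETIME_S:  # rejects "never rotated" credentials
        return False, "lifetime exceeds policy"
    if path not in ALLOWED_CALLER_PATHS:
        return False, "caller not authorized"
    return True, "ok"
```
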

Curry emphasizes urgency: "It's arguable that the most interesting and most common and most valuable communications that will be happening in our economy are going to involve no humans. And so it behooves us to be able to apply confidentiality, integrity, and availability in those circumstances. We can't do that without a more advanced schema for authentication and then authorization. It might be one of the most important subjects for people in the cyber world or the IT world to say, OK, what's our strategy here?"

Organizations should act now, as workloads show no sign of becoming simpler. Adopting standards like SPIFFE, WIMSE, or SAML can help secure non-human identities at scale.


Source: Dark Reading News

