
Earlier this year, Cisco outlined our vision for Zero Trust for the agentic workforce. At its core is a simple principle: trust should not be established once and assumed indefinitely. As agents interact with models, tools, applications, and data, their activity must be continuously evaluated.

Putting that principle into practice requires controls that can follow agents as they work. Consider a coding agent like Claude Code or Codex. To complete a single task, it may call an LLM for reasoning, connect with MCP tools to read Jira and push to GitHub, hit SaaS APIs for data, and browse the web for additional context. It does all this autonomously, at machine speed, carrying whatever credentials it was handed at startup.

Traditional Zero Trust controls authenticate a user and grant access to a resource. Once access is granted, we rely on humans to exercise judgment or machines to follow pre-defined rules. An agent is neither a user nor a deterministic machine. It is a process that reasons, decides, and acts – with broad scope, exponential scale, and no human judgment.

As a result, access control is no longer enough. A coding agent may be authorized to connect to GitHub, Jira, and an approved set of models. The real question is not whether it can connect to those systems, but what actions it takes across them as it works toward a goal. Reading a repository, creating a pull request, modifying a production configuration, or accessing sensitive data may all carry different levels of risk.

This is the shift from access control to action control. Organizations need to evaluate agent activity not just when access is granted, but throughout the workflow itself. That is the agent security challenge—and it is categorically different from the problems Zero Trust was originally designed to solve.

Cisco Secure Access is evolving to help make that shift with Agent Gateway—new functionality that extends policy enforcement across agent interactions with LLMs, MCP servers, SaaS APIs, and web destinations. To move from access control to action control, Agent Gateway will help answer five questions before a request is allowed to proceed:

  • Who is the agent? Cisco uses Duo to identify the Codex, Claude Code, or LangChain agent itself – not just the laptop it runs on.
  • What is it trying to access? Agent Gateway will map requests to a named resource group: an approved model set, a group of MCP tools, a set of SaaS APIs, or a web category.
  • Is this action allowed? Policy will decide whether the request is permitted, observed, or blocked. A “fetch” from the GitHub repo is allowed; a “create_file” to the same repo can be denied.
  • Which credential should be used? Tokens, OAuth grants, and API keys will live in Cisco’s vault. The agent never touches them. Agent Gateway will inject the right credential server-side per method and path.
  • What happened? Every decision – agent identity, resource touched, policy verdict, credential reference, route taken – will land in one audit event.
Figure: Cisco Secure Access Agent Gateway applies consistent policy across agent interactions
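The five questions above describe one decision loop. The following is an added illustration of that loop in plain Python, not Cisco Secure Access or Duo code: the agent identities, hosts, policy rules and vault references are constructed, and the point it makes is that the agent supplies only a vault reference while the token appears solely in the gateway's outbound request and the audit record carries the reference, never the secret.

```python
# Added illustration of the five-question loop (identify the agent, map the
# resource, decide, inject the credential, audit). Agent names, hosts, policy
# rules and vault references are constructed; this is not Cisco product code.
from dataclasses import dataclass, asdict
from typing import Optional

# 1. Who is the agent? Identities a Duo-style NHI service would have issued (constructed).
KNOWN_AGENTS = {"claude-code-dev-42": "owner=alice;purpose=ci-refactor"}
# 2. What is it trying to access? Destination host -> named resource group.
RESOURCE_GROUPS = {"api.github.com": "github-repos", "acme.atlassian.net": "jira-mcp"}
# 3. Is this action allowed? (agent, group, method) -> allow | observe | block.
POLICY = {
    ("claude-code-dev-42", "github-repos", "fetch"): "allow",
    ("claude-code-dev-42", "github-repos", "create_file"): "block",
    ("claude-code-dev-42", "jira-mcp", "read_issue"): "observe",
}
# 4. Which credential? Only the gateway can resolve a vault reference to a secret.
VAULT = {"vault://github/ci-bot": "ghp_CONSTRUCTED_EXAMPLE_TOKEN"}

@dataclass
class AuditEvent:  # 5. What happened? One record per decision.
    agent: str
    resource: str
    method: str
    verdict: str
    credential_ref: Optional[str]
    route: str

def evaluate(agent_id: str, host: str, method: str, cred_ref: Optional[str] = None):
    """Return (verdict, outbound_headers, audit). The agent passed only a vault
    reference; the token exists only in the gateway's outbound headers."""
    group = RESOURCE_GROUPS.get(host)
    if agent_id not in KNOWN_AGENTS or group is None:
        verdict = "block"  # unknown agent or unmapped destination: default deny
    else:
        verdict = POLICY.get((agent_id, group, method), "block")  # default deny
    headers = {}
    used_ref = None
    if verdict != "block" and cred_ref in VAULT:
        headers["Authorization"] = f"Bearer {VAULT[cred_ref]}"  # server-side injection
        used_ref = cred_ref
    audit = asdict(AuditEvent(agent_id, group or host, method, verdict, used_ref, host))
    return verdict, headers, audit

if __name__ == "__main__":
    for m in ("fetch", "create_file"):
        print(evaluate("claude-code-dev-42", "api.github.com", m, "vault://github/ci-bot")[::2])
```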

Many approaches to agent security introduce a second access stack that enterprises adopt alongside their existing SSE and identity infrastructure. Cisco’s approach is different: if you already run Secure Client, Secure Access, and Duo, you already have the enforcement surface. With Agent Gateway, Cisco extends these capabilities into the agentic workflow. No agent code changes. No new management portal. No second identity system.

  • Agent identity via Duo Non-Human Identity (NHI). Duo will identify the agent process itself using Duo identity, extending naturally from user MFA to agent and non-human identities. No separate identity service required. In MCP environments, Duo and Secure Access work together to enable fine-grained tool-level authorization, so organizations can govern which tools an agent is allowed to invoke, not just which MCP servers an agent can access.
  • Shared policy across the workflow. Agents operate across models, MCP tools, APIs, and web activity—not within a single control plane. With Agent Gateway, Cisco will apply a common policy framework across those environments, helping organizations govern approved models, MCP tools, enterprise APIs, and web destinations.
  • Server-side credential injection. Keys and tokens live in Cisco’s vault. The agent never touches them. Agent Gateway will inject the right credential server-side per method and path. This separates agent authorization from credential possession, allowing agents to perform approved actions without access to the underlying credentials. This closes a class of exfiltration risk that no proxy-only solution addresses.

Consider an enterprise deploying hundreds of coding agents across software development. Each agent may be authorized to use approved LLMs, access Jira through MCP tools, retrieve source code from GitHub, consult internal documentation, and interact with selected enterprise APIs. On paper, that sounds straightforward. In practice, those agents may perform thousands of actions every day across dozens of systems.

Traditional access controls can answer whether an agent is allowed to connect to GitHub. They struggle to show whether a particular action was appropriate once the agent got there. Even basic audit questions require stitching evidence from LLM provider logs, MCP server logs, GitHub audit trails, and whatever the agent’s orchestration framework happens to capture.

With Agent Gateway and Duo, every agent has a named identity tied to its owner and business purpose. Every GitHub interaction shows which method was called, whether it was allowed, and which vault reference provided the token. When a model provider has an outage, requests can automatically fail over to another approved model within the same policy framework. Observation mode can identify unusual patterns—such as a burst of write requests to a normally read-only API—and surface them as policy recommendations.
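The observation-mode pattern just described (a burst of writes against an API that an agent had only ever read) can be checked directly from the unified audit events. The following is an added example, not Cisco code: the audit events are constructed tuples, the read/write method classes and thresholds are assumptions, and the output is a list of policy recommendations rather than an enforced block.

```python
# Added example: flag write bursts against a resource an agent previously only read.
# Events, method names and thresholds are constructed; not Cisco Secure Access logic.
from collections import defaultdict, deque

READ_METHODS = {"fetch", "get", "list", "read_issue"}  # assumed read-only method names

# Constructed audit events: (timestamp_seconds, agent, resource_group, method)
EVENTS = [
    (0, "codex-dev-7", "docs-api", "get"),
    (30, "codex-dev-7", "docs-api", "get"),
    (60, "codex-dev-7", "docs-api", "get"),
    (90, "codex-dev-7", "docs-api", "put"),
    (92, "codex-dev-7", "docs-api", "put"),
    (95, "codex-dev-7", "docs-api", "delete"),
    (100, "codex-dev-7", "github-repos", "create_file"),  # no read history: not a burst
]

def write_bursts(events, window=60, threshold=3, min_reads=3):
    """Return policy recommendations for (agent, resource) pairs where a resource
    seen only through reads receives >= threshold writes within `window` seconds."""
    reads = defaultdict(int)          # (agent, resource) -> reads observed so far
    recent_writes = defaultdict(deque)  # (agent, resource) -> write timestamps in window
    flagged, recs = set(), []
    for ts, agent, res, method in sorted(events):
        key = (agent, res)
        if method in READ_METHODS:
            reads[key] += 1
            continue
        q = recent_writes[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop writes older than the window
            q.popleft()
        if reads[key] >= min_reads and len(q) >= threshold and key not in flagged:
            flagged.add(key)
            recs.append({"agent": agent, "resource": res, "writes_in_window": len(q),
                         "recommendation": f"restrict {agent} to read methods on {res}"})
    return recs

if __name__ == "__main__":
    for rec in write_bursts(EVENTS):
        print(rec)
```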

The value is not another dashboard. It is a single control loop for agent identity, action, credential, policy, and outcome.

Some products or features described may be in various stages of development and offered on a when-and-if available basis. Cisco reserves the right to change delivery timelines and will have no liability for any delays or failures to deliver.



Authors

Prabhat Singh

SVP, Engineering

Cloud and Network Security