Zero Trust Infrastructure for AI Agents: Securing Your Development Workflow

Securing AI Agents with Zero Trust and MCP

The Core Problem

Your development team wants to deploy AI assistants that can:

  • Interact with internal systems
  • Modify configurations
  • Automate workflows

Meanwhile, security teams are asking critical questions:

  • How much access do these agents need?
  • How is that access controlled?
  • How is it audited?

The challenge: How do you give AI agents the access they require without introducing new security risks?

In this talk, I demonstrate how to build secure AI agent infrastructure from day one using Zero Trust patterns and the Model Context Protocol (MCP).

Drawing from real-world production experience building MCP servers at Pomerium, I present practical, deployable patterns using open-source tooling.

The Infrastructure Challenge

AI agents require infrastructure access, but OAuth was designed to delegate a user's access to an application, not to confine an autonomous agent to the individual actions it actually needs.

OAuth scopes are typically too coarse-grained:

  • GitHub's repo scope grants read/write access to all of the user's repositories, public and private, including code, issues, and repository settings.
  • Slack's chat:write lets an agent post messages in any channel the app has been added to, not just the one it needs.
  • Internal API tokens often have no scoping at all.

The result is overprivileged AI agents.

An agent that only needs to create pull requests can also merge pull requests, delete branches, and modify repository settings.

The solution is not to block AI agents. The solution is to build proper infrastructure around them.

A Practical Approach to AI Agent Security

I demonstrate a dual-layer Zero Trust architecture using the Model Context Protocol (MCP) that works with any MCP server.

Layer 1: Identity-Aware Proxy (Pomerium)

  • Handles authentication
  • Provides secure development tunnels
  • Integrates with your existing SSO infrastructure
  • No VPNs or bastion hosts required
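A minimal Pomerium route for this first layer, added here as an illustration rather than taken from the talk or the reference repository. The hostnames, the upstream address, the domain and the group name are assumptions, and the identity-provider settings that a real deployment also needs are omitted. The route expresses only the identity decision (who may reach the MCP server at all); tool-level rules are the job of the second layer.

```yaml
# Assumed example: an identity-aware route in front of an MCP server.
# Pomerium terminates TLS, runs SSO, and only forwards authenticated
# requests that satisfy the policy to the upstream MCP server process.
routes:
  - from: https://github-mcp.corp.example.com   # what the agent connects to
    to: http://github-mcp-http:3000             # the MCP server, reachable only via the proxy
    policy:
      - allow:
          and:
            - domain:
                is: corp.example.com            # SSO identity in the corporate domain
            - groups:
                has: ai-agents                  # and a member of the agents group
```

Because the MCP server is only reachable through the proxy, no VPN or bastion is required and the server itself never has to implement login; it receives requests that already carry an asserted identity.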

Layer 2: Fine-Grained Authorization

  • Transforms coarse OAuth scopes into precise tool-level permissions
  • Policy-as-code stored in your infrastructure repository
  • Real-time enforcement without agent code changes

Live Demonstration

I demonstrate this architecture using the GitHub MCP server:

  1. Before: An AI agent with standard OAuth can perform any action allowed by the repo scope.
  2. After: The same agent operates under fine-grained policies — it can create pull requests but is blocked from merging them.
  3. Observability: Every AI action is logged with full context for audit trails.
  4. Workflow: A complete development-to-production deployment with security built in.
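The second layer (tool-level authorization from policy-as-code) and the before/after behaviour of the demo, as an added example that is not code from the talk, from Pomerium, or from the github-mcp-http repository. The gate sits behind the identity-aware proxy, takes the principal the proxy has already asserted, decides each MCP "tools/call" request against a policy, and emits an audit record. Tool names follow the GitHub MCP server's naming; the policy shape, group names, principal and repository are assumptions made for this example.

```typescript
// Added example (not code from the talk, Pomerium, or github-mcp-http): a
// tool-level authorization gate for MCP JSON-RPC "tools/call" requests.
// The policy shape, group names, repositories and principal are assumptions.

type JsonRpcRequest = {
  jsonrpc: "2.0";
  id: number | string;
  method: string;
  params?: { name?: string; arguments?: Record<string, unknown> };
};

// Identity as asserted by the proxy layer (SSO), never taken from the agent.
type Principal = { email: string; groups: string[] };

// Policy-as-code: a rule grants a group a list of tools, optionally restricted
// to named repositories. Anything not granted is denied.
type Rule = { group: string; tools: string[]; repos?: string[] };
type Policy = { rules: Rule[] };

type Decision = { allow: boolean; reason: string };

type AuditRecord = {
  principal: string;
  method: string;
  tool: string | null;
  repo: string | null;
  argumentKeys: string[]; // keys only: PR bodies and tokens must not land in logs
  allow: boolean;
  reason: string;
};

// Constructed policy for the demo scenario: agents may open and read pull
// requests on acme/app but may not merge; only release managers may merge.
const demoPolicy: Policy = {
  rules: [
    { group: "ai-agents", tools: ["create_pull_request", "get_pull_request", "list_issues"], repos: ["acme/app"] },
    { group: "release-managers", tools: ["merge_pull_request"], repos: ["acme/app"] },
  ],
};

function repoOf(args: Record<string, unknown> | undefined): string | null {
  const owner = args?.owner;
  const repo = args?.repo;
  return typeof owner === "string" && typeof repo === "string" ? `${owner}/${repo}` : null;
}

function decide(req: JsonRpcRequest, who: Principal, policy: Policy): Decision {
  // Only tools/call is gated by tool name; initialize, tools/list and the like
  // pass through because the proxy has already authenticated the caller.
  if (req.method !== "tools/call") return { allow: true, reason: "non-tool method" };
  const tool = req.params?.name;
  if (typeof tool !== "string" || tool === "") return { allow: false, reason: "missing tool name" };
  const repo = repoOf(req.params?.arguments);
  for (const rule of policy.rules) {
    if (!who.groups.includes(rule.group) || !rule.tools.includes(tool)) continue;
    if (rule.repos !== undefined && (repo === null || !rule.repos.includes(repo))) continue;
    return { allow: true, reason: `matched rule for group ${rule.group}` };
  }
  return { allow: false, reason: "no matching rule (default deny)" };
}

// Tools a principal may ever call, used to filter the tools/list response so
// the agent is not even shown tools it cannot use.
function allowedTools(who: Principal, policy: Policy): string[] {
  const names = new Set<string>();
  for (const rule of policy.rules) {
    if (who.groups.includes(rule.group)) rule.tools.forEach((t) => names.add(t));
  }
  return Array.from(names).sort();
}

function audit(req: JsonRpcRequest, who: Principal, d: Decision): AuditRecord {
  return {
    principal: who.email,
    method: req.method,
    tool: req.params?.name ?? null,
    repo: repoOf(req.params?.arguments),
    argumentKeys: Object.keys(req.params?.arguments ?? {}).sort(),
    allow: d.allow,
    reason: d.reason,
  };
}

// Constructed requests matching the before/after demo: the same agent opens a
// pull request (allowed) and then tries to merge one (denied).
const agent: Principal = { email: "pr-bot@acme.example", groups: ["ai-agents"] };
const createPr: JsonRpcRequest = {
  jsonrpc: "2.0", id: 1, method: "tools/call",
  params: { name: "create_pull_request", arguments: { owner: "acme", repo: "app", title: "Bump deps", head: "deps", base: "main" } },
};
const mergePr: JsonRpcRequest = {
  jsonrpc: "2.0", id: 2, method: "tools/call",
  params: { name: "merge_pull_request", arguments: { owner: "acme", repo: "app", pullNumber: 42 } },
};

for (const req of [createPr, mergePr]) {
  console.log(JSON.stringify(audit(req, agent, decide(req, agent, demoPolicy))));
}
```

Two design points worth keeping when adapting this: the principal comes from the proxy, not from anything the agent sends, so a prompt-injected agent cannot claim a different group; and the audit record carries the argument keys rather than their values, so the full-context trail never leaks pull request bodies or tokens into the logging pipeline.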

The same patterns apply whether you're securing GitHub access, Slack integrations, internal APIs, or any other service your AI agents interact with.

Why This Matters for Your Team

Observability: Complete audit trails of AI agent activity integrated with your existing logging infrastructure.

Developer Experience: Security patterns that do not slow down development workflows.

Production Ready: Deploy today using open-source components under the Apache 2.0 license.

Incremental Adoption: Add security controls to existing AI agent deployments without rewriting everything.

Key Takeaways

  • Infrastructure patterns for securing AI agents in development and production
  • How to implement fine-grained authorization using Identity-Aware Proxies
  • Observable, auditable AI workflows that satisfy compliance requirements
  • A working reference implementation you can fork and adapt

Industry Context

The Model Context Protocol is becoming a standard for extending AI assistants such as Claude, ChatGPT, and GitHub Copilot in VS Code.

As DevOps teams deploy these agents into production workflows, solid infrastructure patterns make the difference between experimental tooling and production-ready systems.

The live demo uses Pomerium Zero to accelerate policy updates during the presentation. However, all demonstrated patterns are fully implementable in the open-source version via YAML configuration.

Open-source repository: https://github.com/pomerium/pomerium

Reference Implementation

The MCP server code and authorization policies will be available immediately after the talk:

https://github.com/nickytonline/github-mcp-http

Speaker


Nick Taylor

Nick is a Microsoft MVP, GitHub Star, Software Developer, and Developer Advocate. With over two decades in technology and a decade of open source contributions, plus six years of professional open ...