Securing AI Using Zero Trust Principles

Cindy Green-Ortiz is a globally recognized cybersecurity strategist, principal architect, and trusted advisor to Fortune 100 enterprises and public sector leaders. With 40 years of experience in security and technology leadership, Cindy has guided complex organizations across industries—including financial services, healthcare, hospitality, military, energy, and manufacturing—in transforming their security posture and achieving sustainable business outcomes.At Cisco, Cindy is a principal security architect, leading global Zero Trust initiatives. She co-led Cisco’s AI program, Wintermute, and co-led the Post Quantum Resistant Cryptography Working Group. As a Cisco Press author, Cindy translates technical depth into practical frameworks that inspire engineers, architects, and executive leaders alike. Her ability to bridge cutting-edge technology with security management has made her a sought-after public speaker and educator.Cindy has delivered impactful presentations and workshops at Cisco Live, Offensive Summit, Cisco Secure, ISC2, ISACA, and WiCyS, engaging audiences from the boardroom to the classroom. She is committed to mentoring the next generation of cybersecurity professionals and frequently collaborates with academic institutions to advance cybersecurity education, research, and policy.Publications:--Cisco Live Speaker: BRKXAR-2008: Navigating the Future of Cybersecurity: AI, Quantum-Resistant Cryptography, and Zero Trust (2025); BRKXAR-2008: Exploring the Paradigm Shift in Security: AI and Quantum Cryptography’s Influence on Zero Trust (2025)--Co-Author: Zero Trust Architecture (2023)--Technical Editor: In Zero Trust We Trust (2024)--Cisco Insider Advocate: “Ask Me Anything” (2023)--Co-Author of a Cisco Whitepaper: “IPv6 Addressing Analysis for the US Army” (Clearance required, 2023)--Cisco Live Speaker: “BRKXAR-2008 Zero Trust Segmentation” (2022–2024)--DHS Whitepapers: “Going Dark: Impacts of Encryption” (2017); “Digital Blackmail (Ransomware) as an Emerging Tactic” (2016); Wang Laboratories, Chairman’s Golden CircleZig Zsiga, CCDE 2016::32, CCIE #44883, CISSP, has been in the networking industry for 20 years. He is currently a principal architect supporting the Cisco CX U.S. public sector business and customers. Zig holds an active CCDE and two CCIE certifications, one in Routing and Switching and the second in Service Provider. He also holds a BS in computer science from Park University. He is a father, a husband, a United States Marine, a gamer, a nerd, a geek, and a big soccer fan. Zig loves all technology and can usually be found in the lab learning and teaching others. This is his second published book, and he is also the host of the Zigbits Network Design Podcast (ZNDP), where he interviews leading industry experts about network design. All of Zig’s content is located at https://zigbits.tech.Publications:--Author: Cisco Certified Design Expert (CCDE 400-007) Official Cert Guide (2023)--Cisco Insider Advocate: “Ask Me Anything” (2023)--Cisco Live Speaker:--BRKRST-2044: Enterprise Multi-Homed Internet Edge Architectures (2017–Present)--LTRENT-2016: Learning IPv6 in the Enterprise for Fun and (Fake) Profit: A Hands-On Lab (2018–Present)--TECCRT-3005: CCDE Techtorial (2019–Present)--LTRCRT-3000: CCDE Practical Exam Practice Lab (2020–Present)--LTRENT-2016: Learning VxLAN in the Enterprise for Fun and (Fake) Profit: A Hands-On Lab (2024–Present)Saskia Laura Schröer holds a PhD with a specialization in Information Systems and an MSc focusing on data science. Saskia is certified in CCNP Enterprise and is a DevNet Associate, a WiCyS speaker, and a Cisco Live speaker. Saskia is a security consulting engineer in Cisco’s EMEA Cybersecurity Centre of Excellence with almost 10 years of experience in consulting, IT audit, network engineering, and security. Her focus lies on the technical and organizational aspects of cybersecurity, across various sectors. In her PhD, supervised by Prof. Pavel Laskov, Saskia has developed a core expertise at the intersection of cybersecurity and artificial intelligence, which she is leveraging to drive innovation at Cisco.Publications:--Cisco Live Speaker: BRKXAR-1009: Exploring the Paradigm Shift in Security: AI and Post-Quantum’s Influence on Zero Trust (2026)--Schroer, S. L., Apruzzese, G., Human, S., Laskov, P., Anderson, H. S., Bernroider, E. W., & Wang, G. (2025, April). “SoK: On the Offensive Potential of AI.” In 2025 IEEE Conference on Secure and Trustworthy Machine Learning (SaTML) (pp. 247–280). IEEE.--Schroer, S. L., Pajola, L., Castagnaro, A., Apruzzese, G., & Conti, M. (2025). “Exploiting AI for Attacks: On the Interplay Between Adversarial AI and Offensive AI.” IEEE Intelligent Systems.--Schroer, S. L., Canevascini, N., Pekaric, I., Widmer, P., & Laskov, P. (2025, June). “The Dark Side of the Web: Towards Understanding Various Data Sources in Cyber Threat Intelligence.” In 2025 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 79–89). IEEE.--Schroer, S. L., Seideman, J. D., Luo, S., Apruzzese, G., Dietrich, S., & Laskov, P. (2025). “Using a Stack to Find an AI Needle: Topic Modeling for Cyber Threat Intelligence.” Digital Threats: Research and Practice.--Weinz, M., Schroer, S. L., & Apruzzese, G. (2024, September). “‘Hey Google, Remind Me to Be Phished’: Exploiting the Notifications of the Google (AI) Assistant on Android for Social Engineering Attacks.” In 2024 APWG Symposium on Electronic Crime Research (eCrime) (pp. 109–122). IEEE.

• Part I: Defining Responsible AI and the Evolving AI LandscapeChapter 1 Overview 1Foundations of Zero Trust in AI Security 3The Origins and Evolution of Zero Trust 3Zero Trust Principles in AI Security 4Key Frameworks and Regulations 5The Intersections of AI and Security 8Zero Trust as a Paradigm Shift in Securing AI 11Ways to Build AI-Ready Data Centers and Cloud Architecture 12Network Design Basics with AI in Mind 13Key Components Required for an AI-Ready Environment 14AI Data Center Deployment Options 17Summary 21Key Terms 22End-of-Chapter Questions and Answers 22Chapter 2 Responsible AI and Integrated Awareness 29Definition and Principles of Responsible AI 29Ethical AI Development 30The Landscape of AI: From Basics to Advanced Concepts 31Foundations of AI Architectures 31Agentic AI 33Chain-of-Thought Reasoning Models 33Key Zero Trust Principles for AI Agents and Reasoning Models 35Foundational Considerations in AI 35Ways to Overcome Organizational Barriers to Secure AI Adoption 36AI/ML Pipeline 39No Free Lunch Theorem: Common Challenges in AI Development 41Explainable AI (Is AI a Black Box?) 41AI in Organizations 43AI Adoption Framework 43Essential Skills for the AI Era 44Ethical Considerations and Bias Mitigation 45Ethical Frameworks and Guidelines for AI 46Additional Considerations for AI 47Emerging Technologies 48Defining an AI Maturity Model 51Applying Zero Trust to AI Deployment Models 53Understanding Risk, Control, and Governance Across the AI Landscape 53Securing AI Agents Through Zero Trust Guardrails 55Summary 58Key Terms 59End-of-Chapter Questions and Answers 59Chapter 3 Artificial Intelligence Threat Landscape 67Overview of AI Threats 67AI as Target: Adversarial Machine Learning 69Threat Model 71Integrity: Evasion, Poisoning, and Backdoor Attacks 73Confidentiality: Model Inversion, Extraction, and Membership Inference Attacks 76Availability: Energy Latency Attacks 79Other Common Attacks: Supply Chain and Third Party 80Specific Considerations for Attacks on Generative AI 83Attacking AI Systems vs. AI Models 86Libraries for Testing AI Models 88AI Systems vs. AI Models 88Case Studies of AI Security Events: MITRE ATLAS 89Overview 89AI as Attack Vector: Offensive AI in Generative Adversarial Networks 93Summary 97Key Terms 97End-of-Chapter Questions and Answers 98Chapter 4 Zero Trust Principles and Methods 107Benefits of Zero Trust for AI Security: A Proof of Value 107The Evolution of Zero Trust: A Foundation for Securing AI 108AI as a Catalyst for Zero Trust Transformation 110Applying the Five Zero Trust Categories to AI 111Policy and Governance 112Identity 122Vulnerability Management 131Enforcement 135Analytics 144Practical Workshop Design: Zero Trust for AI 150Risk and Regulation 151Implementation Guidance 151Capability Alignment 151Organizational Dynamics in Zero Trust for AI 152Risk and Regulation 152Implementation Guidance 152Capability Alignment 153Roadmap: Zero Trust for AI Security Maturity 153Risk and Regulation 153Implementation Guidance 154Capability Alignment 154Application of Zero Trust: Securing Embodied AI Through Zero Trust 155The Trust Gap in Embodied AI 155Securing Perception, Planning, and Action 155Simulation, Noise, and Real-World Deployment 156Collaborative, Ethical, and Societal Risks 156Case Study: Application of Zero Trust—Salt Typhoon and Advanced Threat Campaigns Against Embodied AI 157Case Study: Application of Zero Trust—Implications of State-Sponsored Network Compromise Campaigns 158Case Study: Application of Zero Trust—Real-World Technology Shift at Scale to AI-Native Software Development 160Case Study: Nation-State Espionage, the Quantum Threat, and Harvest Now Decrypt Later 161HNDL Description and Analysis 162PQC Recommendations 162PQC Insights and Business Implications 163Summary 164Key Terms 165End-of-Chapter Questions and Answers 165Chapter 5 Securing AI from the Start 173Importance of Early Data Classification 174Data Classification Tools 176Data Classification 177Governance and Legal Requirements 181Potential Threats and Consequences from Missing Data Classification 183Ways to Build Security into the AI Development Lifecycle 189Proactive vs. Reactive Security Measures 191Business and Operational Benefits 193Quantitative and Qualitative Metrics 193Value Propositions 193Cost Savings from Early Security Implementation 194Improved Trust and Compliance 196Ways to Future-Proof AI Systems by Building Crypto-Agility for Post-Quantum Resilience 197Scalability and Adaptability of Secure AI 198The Need to Secure AI from the Start: Challenges and Considerations 199Securing AI Application Development 200Securing AI Application Deployment 201Moving from Software Development to AI Application Development 201Securing AI Chatbots and Agents 206Understanding the Advanced Threat Landscape and Mitigation 206Securing Agentic AI and Retrieval-Augmented Generation 207AI Security Readiness Framework 2091. Embedding Security in AI Governance and Strategy 2112. Strengthening Data Security and Privacy 2123. Ensuring Model Integrity and Robustness 2124. Mitigating AI-Specific Threats and Attack Vectors 2145. Addressing Compliance and Ethical Requirements 2146. Building a Security-Resilient Infrastructure 2157. Cultivating a Security-Aware Culture 216Summary 217Key Terms 218End-of-Chapter Questions and Answers 218Part II: Building Operational Resilience—People, Processes, and InfrastructureChapter 6 Organizational AI Security Readiness 225Assessing Organizational Readiness 226Stakeholder Engagement and Ownership 226Security Readiness Assessments 226Baseline of Current Capabilities 227Risk Assessment and Prioritization 228Gap Analysis and Areas for Improvement 229Compliance and Regulatory Readiness 230Technical Infrastructure and Tooling Evaluation 232Culture and Awareness Readiness 233Incident Response and Recovery Preparedness 233Actionability and Roadmap Development 234Building a Security-First Culture 234Leadership and Commitment 235Security Policies and Governance 235Risk Management and Accountability 236Integration of Security in AI Lifecycle 236Cultural Change Strategies 237Training and Awareness Programs 237Tailored Training Programs 238Awareness Campaigns 238Hands-On Exercises 239Continuous Learning 239The Reasons to Measure Effectiveness 239Organizational AI Security Readiness: Challenges and Considerations 240AI Model Security Readiness 240Data Governance and Privacy for AI Readiness 241AI-Specific Incident Response Readiness 243Explainable AI (XAI) Readiness 244Zero Trust Principles Applied to AI Security Readiness 245AI Supply Chain Readiness 246Summary 247Key Terms 248End-of-Chapter Questions and Answers 248Chapter 7 AI-Ready Data Privacy and Business Impact 255The Strategic Value of Data in the Age of AI 256Data as an Enterprise and National Security Asset 256The Criticality of Protecting Strategic, Classified, and Proprietary Data 257How AI-Driven Decision Automation Amplifies Business Impact from Data Compromise 258The Convergence of AI Data Governance and Digital Sovereignty 258Evolving Attack Surfaces in AI Ecosystems 259The Influence of Visionary Fiction on the AI Landscape 259From Imagination to Implementation: Agentic and Embedded AI 259AI as a Living System: Expanding the Threat Model 260Zero Trust for AI Systems Reimagined 260Science Fiction Realized, Responsibility Required 261Privacy and Security Challenges in Agentic and Embedded AI 262Autonomous Data Processing and Contextual Inference Without Human Oversight 263Data Lineage, Provenance, and Chain of Custody in Distributed AI Environments 263The Difficulty of Enforcing Access Control and Policy Verification Within Embedded Architectures 263Risk Propagation Across Cross-Domain AI Collaboration Systems 264Monitoring, Containment, and Assurance for Self-Adaptive Models 265AI Model Protection and PQC Readiness 265Model Inversion, Prompt Injection, and Data Poisoning Threats 266Techniques for Model Watermarking, Signing, and Integrity Validation 266Confidential Computing, Secure Enclaves, and Trusted Execution Environments 267PQC Readiness and the Transition to Post-Quantum Encryption (FIPS 203, FIPS 204, FIPS 205) 268Cryptographic Agility and Lifecycle Management for AI Models and Data Pipelines 269Privacy-Preserving Data Engineering for Next-Generation AI 269Differential Privacy, Homomorphic Encryption, and Secure Multi-Party Computation 270Federated Learning and Encryption-in-Use for Distributed AI Training 271PQC-Based Encryption Methods for AI Inference and Storage Environments 271The Role of Hardware-Based Isolation and Zero-Knowledge Proofs in Preserving Privacy 272Regulatory and Compliance Integration for AI Privacy 272Techniques for Mapping Global Privacy and Security Mandates to AI Systems 273Alignment with NIST AI RMF, EU AI Act, GDPR, DORA, NIS2, and Other Sectoral Frameworks 274Industry-Specific Considerations for Financial Services, Healthcare, Energy, and Defense 275Data Residency, Retention, and Erasure Requirements in AI-Driven Environments 276Compliance Telemetry and Assurance Reporting for Continuous Verification 276Zero Trust Strategies for AI Compliance and Enforcement 276Techniques for Applying Zero Trust Principles Across AI Data Pipelines and Model Lifecycles 277Identity-Aware Access and Microsegmentation for AI Workloads 278Enforcement of Contextual Access Policies for Training and Inference Data 278Continuous Assurance and Compliance-as-Code for AI Infrastructure 279Integration of PQC Within Zero Trust Data Protection Models 279Data Governance, Configuration Management, and Lineage 280AI-Ready Data Dictionary for Zero Trust Configuration Management 281Integration Guidance 282AI Bills of Materials for Transparency, Auditability, and Accountability 286Model Lineage and Dependency Mapping for Explainability and Forensic Readiness 286Version Control, Rollback, and Governance Across Distributed AI Systems 287Lifecycle Governance for Agentic and Embedded AI Deployments 287Business and Operational Impact of AI Privacy Failures 288Consequences of Data Compromise in Autonomous and Embedded AI Systems 289Regulatory Penalties, Contractual Risk, and Loss of Market Trust 289Case Studies: Leakage from Generative AI Platforms and Autonomous Decision Engines 291Financial and Operational Disruption from Model Exfiltration or Training Data Theft 291Long-Term Strategic and Reputational Impacts on Global Enterprises 292Final Recommendations 292Data as a Continuously Governed Enterprise Asset 293Agentic and Embedded AI as Critical Expansion Points for Privacy Risk 293PQC Readiness as a Foundation for Future-Proof AI Data Protection 294Key Zero Trust Enablers for AI Privacy 294Strategic Guidance for Maintaining Resilience, Compliance, and Stakeholder Trust 295Summary 295Key Terms 296End-of-Chapter Questions and Answers 296Chapter 8 Third-Party AI Risk 303Third-Party Risk Questionnaire Limitations for Assessing AI Risk 304What to Know Before Assessing Third-Party AI Risk 305Data Protection and General Information Security 305Data Protection and Mobile Security 306Human Resources Management 306Asset Management and Media Handling 307Access Management and User Controls 307Cryptographic Controls 308Physical and Environmental Security 308Operations and Network Security 308Application Security/Development 309Supplier Relationships/Vendor Management 309Incident Management 309Business Continuity and Disaster Recovery 310Governance and Compliance 310Cloud Security 310Data Center Operations 311Offshore Delivery Center Controls 311Continuous Monitoring of Vendor Performance 311AI Third-Party Risk Assessments 313Securing the AI Supply Chain Through Zero Trust and Cryptographic Resilience 314Securing Core AI Supply Chain Components 316Zero Trust Foundations for the AI Supply Chain 317Policy and Governance 318Identity and Access Management 320Vulnerability Management 321Enforcement (Policy Enforcement Points) 322Analytics and Continuous Monitoring 323How to Use This Questionnaire: A Practical Guide for Executives, Architects, and Engineers 324Strategic Takeaways 328Continuous Vendor Monitoring: The AI-Specific Playbook 329Implementation Roadmap, Turning Theory into Practice 330AI Third-Party Supply Chain—Additional Risks 331AI Third-Party Dependencies and Risk Amplification 331Vector Databases in Zero Trust AI Architectures 332Third-Party AI Post-Quantum Cryptography Risk 334Services as Code, Digitized Delivery, and Network as Code in Third-Party AI Audits 338Real-World Case Studies That Illustrate the Threat Landscape 341Case Study: Model-Namespace-Reuse on Hugging Face 342Case Study: Dual Dependency—CrowdStrike and AWS Outages 343Summary 346Key Terms 347End-of-Chapter Questions and Answers 347Chapter 9 Build AI-Ready Environments 353AI-Ready Environments 354Overview of Network Design 355Network Design Fundamentals 356Network Design Principles 366Architect-Focused Network Design Techniques 372Network Design Pitfalls 375Techniques for Designing AI-Ready Environments 379Key Components Required for an AI-Ready Environment 380AI Use Cases 387Sustainability Intersection with AI-Ready Environments 389Sustainable Practices and Energy Efficiency with AI Workloads 390Sourcing Matters 390Cost Optimization Strategies 390Ways to Optimize Established or Existing Data Centers to Become AI-Ready 391Greenfield vs. Brownfield AI Environments 392Cloud Provider Offerings 392Organizations with Mature AI Environments 392Businesses Still Exploring AI Solutions 392Summary 393Key Terms 393End-of-Chapter Questions and Answers 394Part III: Defending at Scale—Platform Protection, Monitoring, and ResponseChapter 10 Build and Secure Enterprise-Grade Generative AI Applications: ChatAI, RAG, MCP, Agentic AI, and Embedded AI 401Enterprise Generative AI Applications 402Types of Generative AI 402GenAI in the Enterprise Landscape 406Techniques to Bridge GenAI to Zero Trust 409Security Considerations of ChatAI Applications 411Enterprise Use Cases for ChatAI 411Security Considerations for ChatAI 414Security Considerations for Agentic AI 422The Need to Secure MCP 424Agentic AI: Design, Architecture, and Security Considerations 425Additional Considerations for Cyber-Physical Interactions: Embedded AI 428Case Study: Cyber-Physical Interactions—Musk Robot Army 430Foundational Zero Trust Security for Enterprise Generative AI 431Zero Trust Controls Mapped Across the AI System Lifecycle 436Zero Trust Applied to the AI Lifecycle 438Case Study: Governance and Shared Responsibility—The Deloitte AI Incident 439Summary 440Key Terms 441End-of-Chapter Questions and Answers 441Chapter 11 Monitor and Respond to AI Security Threat Vectors 447Continuous Monitoring Strategies 448Monitoring the AI System 448Using AIOps vs. MLOps 453Monitoring Changes in External Regulations 455Monitoring Changes in the Threat Landscape 455Using Organizational Processes 457Implementing Real-Time Monitoring Solutions 458Monitoring Solutions for AI Systems 458Vulnerability Management 460Software Bill of Materials 463Monitoring AI Systems in the SIEM 464Incident Response Plans 465Business Continuity and Disaster Recovery for AI-Ready Data Centers 469Description, Analysis, and Recommendations 469Executive Imperatives for CIOs and CISOs 470Foundational Architecture for AI-Ready Data Centers 471RoCEv2: Driving Secure, Scalable Performance for Modern Infrastructures 471AI Design Considerations 472Core Risks Unique to AI Workloads 474Business Continuity and Disaster Recovery for AI-Enabled Applications 474Core BC/DR Challenges for AI-Enabled Applications 475Ways to Build AI-Specific BC/DR Strategies 476Summary 476Key Terms 477End-of-Chapter Questions and Answers 478Chapter 12 Case Study 485Offensive AI: A Deep Dive into How Attackers Can Use AI 486Offensive AI as a Threat to Individuals 490Offensive AI as a Threat to Systems 491Offensive AI as a Threat to Society 492An Adversary’s Perspective: Cost vs. Benefit of Utilizing AI 492Detailed Case Studies of Offensive AI Attacks 494“Hey Google, Remind Me to Be Phished.” 499Lessons Learned and Best Practices 502Summary 505Key Terms 506End-of-Chapter Questions and Answers 506Chapter 13 Conclusion: Vigilance, Policy, Iteration, and Beyond 515Part I: Defining Responsible AI and the Evolving AI Landscape (Chapters 1–5) 516Addressing AI Deployment Models and Zero Trust Principles 516Overcoming Organizational Barriers and Applying AI/ML Pipelines 517Ethics, Governance, Zero Trust, and Security in AI Implementation 518Future of AI: Quantum Computing and the Evolving Threat Landscape 518Introduction to the AI Threat Landscape and Ethical Foundations 519AI as a Target: Evasion Attacks, Data Poisoning, and Threat Modeling 519Backdoor Attacks 520Model Inversion and Membership Inference Attacks and the Impact on Availability 520Supply Chain Attacks and Offensive AI 521Introduction to Zero Trust for AI Security and Historical Context 521Zero Trust Implementation: The Categories and Foundational Controls 523The Power of “Know What You Have” 523Testing, Roadmaps, Zero Trust, and Long-Term Planning 524The Importance of Data Classification 525Data Classification, Ethical Considerations, and Governance 526Threat Modeling for AI, Mitigations, and AI Governance 527AI Security and the Rundown 528Part I Summary: Defining Responsible AI and the Evolving AI Landscape 529Part II: Building Operational Resilience—People, Processes, and Infrastructure (Chapters 6–9) 530Organizational Readiness and Cultural Maturity 530Secure Data Practices and Privacy Engineering 530Third-Party AI Risk and Shared Responsibility 531Infrastructure for AI: Cloud, Edge, and Hybrid Environments 531Part II Summary: Aligning Strategy to Execution 531Part III: Defending at Scale—Platform Protection, Monitoring, and Response (Chapters 10–12) 532Enterprise-Grade AI Security and GenAI Platforms 532Secure Integration and API Governance 532Monitoring and Threat Detection in AI Systems 533Incident Response and Adaptive Resilience 533Offensive AI: AI as an Attack Vector 533Part III Summary: Lifecycle-Driven Defense 533Conclusion: The Work Ahead—From Readiness to Relentless Execution 534Continuous Adaptation: Securing the Lifecycle 535Governance, Culture, and Organizational Readiness 535Measuring Maturity and Progress 535Final Guidance for Security Leaders 536Future Threats: From Visionaries to Reality 536Conclusion: The Road Ahead 539References 540Curated Reading, Film, and TV Series List on AI, Zero Trust, and Future Threats 542Appendix Study Guide 545Study Guide Questions 546Category 1: Policy and Governance 546Category 1 Answer Key 554Category 2: Identity 556Category 2 Answer Key 564Category 3: Vulnerability Management 565Category 3 Answer Key 573Category 4: Enforcement 574Category 4 Answer Key 583Category 5: Analytics 584Category 5 Answer Key 592Closing 593Glossary 595Afterword 609Final Word 613 9780138363413 TOC 4/3/2026