Authenticating workloads is becoming increasingly complex, driven by the adoption of AI agents and the expansive identity permissions these systems require. Security teams must plan ahead to secure workloads across complicated modern environments, requiring a shift away from legacy authentication practices.
Researchers from Zscaler plan to detail this evolution in an upcoming RSAC 2026 Conference session titled, "What Are You, Really? Authenticating Workloads in a Zero Trust World."
In computing terms, workloads encompass the tasks applications and services conduct to function, alongside the IT resources those tasks consume. Workloads represent a wide range of processes, from managing front-end user requests on a web server to cloud-native microservices, complex data analysis, and AI training models.
The complexity of non-human identities
Many workloads execute tasks quietly in the background and are classified as non-human identities (NHIs) because they require permission and authentication much like human IT personnel.
When organizations introduce AI agents—systems designed to emulate human workflows, including autonomous reasoning and decision-making—workloads grow more complicated and require stringent security controls. In large enterprise environments, these agents often operate across Azure, Google Cloud, AWS, and on-premises services simultaneously. Security teams must authenticate these workloads using methods that scale safely across every segment of a given environment.
During their technical session, Zscaler Chief Information Security Officer Sam Curry and Chief Scientist Yaroslav Rosomakho will detail specific authentication methodologies, including the mutual TLS (mTLS) protocol, workload identity tokens, and remote attestation. They will also provide data on which methods scale most effectively.
Rosomakho notes that, historically, workload authentication and identity were not primary priorities for organizations. The rapid increase in complexity has outpaced the methods many organizations currently use to secure their NHIs.
"What we observe is that, right now, there are widespread insecure practices identity," Rosomakho says. "In many organizations, they simply rely on static IP addresses for identity mapping, and obviously that scales poorly. It's spoofable, and any change to infrastructure collapses your workload identity definitions. We also see plenty of organizations that rely on all sorts of static credentials, such as HTTP basic authentication."
Furthermore, Rosomakho notes that the most common method organizations use to identify and authenticate AI agents relies on static headers and keys that are never rotated.
"It's a significant problem," he says, adding that relying on static keys for critical processes introduces substantial operational and financial risk to organizations.
Modernizing workload authentication
From a protection standpoint, Curry points out that security teams have multiple options to resolve these structural weaknesses. As a baseline, organizations should inventory their AI agents and other NHI processes, scan for hardcoded secrets, adopt formal standards, and transition toward zero-trust architecture. He also recommends partnering with platform providers to ensure they support modern workload authentication standards.
"It's about testing federation and defining [a data security] policy," Curry explains.
The most effective defense posture depends on an organization's specific architecture. For example, Kubernetes Service Accounts ensure that workloads spun up within Kubernetes receive dynamic, short-term identities, allowing them to authenticate securely to external services.
Security teams can also adopt open-source standards designed specifically for workload authentication. The Secure Production Identity Framework for Everyone (SPIFFE) is used "for securely identifying software systems in dynamic and heterogeneous environments." The core mechanism of SPIFFE, and similar modern solutions, relies on establishing a well-defined environment built entirely on short-lived identities.
The Internet Engineering Task Force (IETF) also operates the Workload Identity in Multi-System Environments (WIMSE) working group. WIMSE focuses on defining standardized solutions for the identity challenges associated with modern workloads, maintaining active technical documents and architectural guidelines.
Whether an organization adopts SPIFFE, WIMSE guidelines, or protocols like Security Assertion Markup Language (SAML), Curry and Rosomakho recommend taking immediate steps to formalize workload identity, as infrastructure complexity will only continue to increase.
"It's arguable that the most interesting and most common and most valuable communications that will be happening in our economy are going to involve no humans," Curry says. "And so, it behooves us to be able to apply confidentiality, integrity, and availability in those circumstances. We can't do that without a more advanced schema for authentication and then authorization. It might be one of the most important subjects for people in the cyber world or the IT world to say, OK, what's our strategy here?"