Applying zero-trust principles to the new network perimeter: AI agents

November 13, 2025
3
mins read

As co-chair of the O-RAN Alliance Security Work Group, Rakuten Symphony head of security standards and research Nagendra Bykampadi recently joined industry colleagues in Dallas for the annual Zero Trust Architecture Workshop. Following are key takeaways from his presentation about how 6G’s shift toward AI-native networks will require rethinking security from the ground up, starting with how we define trust itself.

6G will be a paradigm shift as AI and machine learning become a native part of telco infrastructure.

No longer will RAN infrastructure serve just telco apps. Non-telco domains that span industrial automation or financial workloads may all share the same physical and virtual resources.

This domain overlap will blur threat boundaries and force a complete rethink of trust.

While 5G introduced new security challenges with the embrace of cloud-native principles, 6G will bring substantially increased security complexity with the introduction of AI-native design. Every layer, from RAN and core to operations and applications, will contain autonomous decision-making components that are always learning and adapting behaviors.

6G's autonomous AI agents fundamentally break traditional security, creating a living attack surface where the network perimeter constantly erodes and each agent’s cryptographic identity becomes the new boundary to defend.

This changes how these networks are attacked, penetrated and compromised. We are entering a world where threats are cognitive, not code-based. 6G will be unlike every G that came before it as we shift from traditional to intelligent architecture.

During O-RAN Alliance face-to-face meetings in Dallas last month, proposals for 6G standards considerations were discussed, with security a core topic for every company contributing.

One of the primary challenges discussed was intelligent operations that rely on clusters of AI agents called multi-agent systems (MAS) that sense, reason and act together. Each agent performs specialized tasks to achieve outcomes faster than humans or single-agent systems, requiring they be given permission levels and trust that we previously only assigned to people.

From a security perspective, every agent, every API call and every model-to-model exchange now represents a potential access point. We’re no longer thinking in terms of traffic flows, but intelligence flows.

Exposure expanding beyond the network edge

As networks evolve from fixed functions to adaptive intelligence, the perimeter shifts from infrastructure and people to the AI agents operating within them. There is no longer a network inside or outside. It simply expands as much as the applications and agents supporting it require.

Suddenly, it’s not just about the security of architecture. Behavioral risk and system dynamics are at play.

It’s important to understand precisely how multi-agent systems (MAS) operate, to understand the risks they introduce.

Each AI agent executes code, stores state and holds credentials. It interacts through APIs, orchestration buses and data pipelines that span domains, often operating simultaneously across RAN, edge and cloud environments.

Within a MAS, these agents do not act in isolation. They continuously exchange observations, reasoning and outcomes to coordinate collective decisions. This interdependence creates powerful optimization loops but also tight coupling. A change in one agent’s data or behavior can cascade through others in milliseconds. Because agents adapt over time, updating their reasoning as they learn from new information, their decision logic is dynamic and sometimes opaque. That combination of autonomy, shared context and continuous learning is what makes MAS so capable but also so difficult to secure.

Attackers used to focus on breaching specific network infrastructure components or systems. When it comes to 6G’s intelligent infrastructure, compromising or impersonating just one agent could be enough to reach every layer the agent touches. Any compromise would quickly spread laterally and upward, from one decision loop to another.

This behavioral manipulation could take one of many forms, including:

  • Prompt or input injection. Feeding malicious instructions into an agent’s reasoning chain so it performs actions outside its intended scope. A maintenance-automation agent instructed to “optimize power usage” may start deactivating security monitors because its reasoning model has been corrupted with misleading training data.
  • Model drift and poisoning. When learning continues in production, even small distortions in training data or feedback loops can reshape agent priorities or weaken classification accuracy, with malicious behaviors appearing “normal.”
  • Privilege inflation. Agents often require elevated access for coordination, such as orchestrating workflows or triggering network reconfigurations. If those privileges aren’t time-limited or context-aware, a compromised agent can execute legitimate commands with malicious intent.
  • Dependency chaining. Agents depend on external data sources, APIs or even other agents. Compromising a low-criticality agent or dataset can influence the high-impact one that consumes its outputs.

In these scenarios, intent can be hijacked without an intrusion being immediately obvious. All without crossing a firewall or exploiting a zero-day.

This shift challenges the traditional, human-centric security models of past networks. While humans will remain in the loop, 6G’s autonomous agents will make thousands of micro-decisions per second that no team could manually review. Security must therefore evolve to operate at the same machine speed, becoming as adaptive and intelligent as the systems it protects.

How zero-trust meets telecom’s MAS moment

Agentic-powered networks dissolve the previously defined user roles and predictable perimeters associated with previous networks. Any system operating within these expanding network perimeters cannot automatically be trusted.

In a world where every process can think, act and adapt, every single interaction must prove itself trustworthy in the moment.

Zero-trust is a familiar concept for any organization implementing modern security strategies. Simply, it is a security posture built on continuous verification that treats every entity—whether human, device or agent—as untrusted until proven otherwise.

In 6G networks, zero-trust becomes the countermeasure to the vulnerabilities introduced.

In agent-specific applications, zero-trust principles that are introduced may include:

  • Verify explicitly with cryptographic identity: Every agent must have a unique, cryptographically verifiable identity. Rather than authenticating communication just once or periodically, it is continuously validated with short-lived, ephemeral credentials for every single task.
  • Least privilege access. Agents get only the minimal rights required to complete a task, with access expiring once the task ends to mitigate misuse when an agent is compromised or acts outside expectations.
  • Assume breach. If one agent fails or is hijacked, damage is contained, with additional support afforded by segmentation, micro-enclaves and isolation policies.
  • Contextual authorization. Permissions should adapt to real-time context like what an agent is doing, where it is operating and how it is behaving versus typical patterns. Authorization must be based on “Identity + Intent.” The system must be able to validate why an agent is performing an action (its task intent), not just who the agent is.
  • Continuous monitoring. Behavior telemetry from agents serves as de facto audit trails, with monitoring efforts identifying deviation from expected patterns, which represents early signs of poisoning, drift or collusion.

In these scenarios, each agent’s credentials, cryptographic keys and behavioral signature define where trust begins and ends. The boundary of trust remains fluid, following the agent wherever it operates.

Importantly, these efforts are designed to unleash the full power of “living” and secure networks, enabling safe automation at required speeds. In a sense, verification and containment become as autonomous as the agents themselves as trust is continuously earned and re-earned.

Intelligence unleashed (but never trusted)

It is ironic that as engineers feverishly work to build confidence in AI-powered models and systems that the way to best harness their full potential is to adopt a zero-trust approach. But embedding the trust mechanisms covered in this article is what allows agents to operate autonomously at machine speed.

As we discussed in Dallas, with proper identity, contextual authorization and continuous monitoring, operators can confidently deploy autonomous and intelligent operations, AI-driven observability and remediation, and cross-domain infrastructure sharing.

With this mindset, telcos can be confident they are not constraining intelligence as they embed assurance into 6G’s fabric and continuously expand the network perimeter.

Now, the discussion turns to finalizing standardization around these efforts and determining the most effective, efficient and secure paths to deployment.

Have a question or comment? Mention Nagendra Bykampadi in the comments to start a conversation!

Nagendra Bykampadi
Global Head of Product Security at Rakuten Symphony

Network Automation
Related Newsletter
UK integration lab reveals new repeatable paths to Open RAN success
Open RAN has delivered the economic, operational and diversification results for those that have managed to introduce it with high levels of automation and software management across testing, planning, deploying, operating and assuring. These have been mainly greenfield rollouts, unencumbered by existing practices and organization structures.
January 29, 2026
4
MINUTES
Destination: The future telco
Is a scalable, cloud and AI-native telco network business that powers operational efficiency and delivers robust, sustained revenue streams finally in sight? The Mobile Network editor Keith Dyer spent the year investigating, revealing that this once idealized “future state” is already a reality for leading stakeholders. In this week’s issue of the Zero-Touch newsletter, he highlights his findings and the key takeaways captured in the Future Telco Report, out now.
December 4, 2025
3
MINUTES
The collaborative path to open at scale
Telecom Infra Project (TIP) executive director Kristian Toivo and Rakuten Symphony CMO Geoff Hollingworth are set to deliver opening keynote interviews at Mobile World Live’s upcoming Unwrapped: The 5G Evolution event, where they’ll discuss the shift to software-based, cloud-agnostic networks and the realities of deploying open and cloud-native RAN architectures. In this article, Geoff and Kristian share their perspective on what it will take to scale openness across networks and how collaboration is shaping the path forward.
November 6, 2025
5
MINUTES
Newsroom
Careers
About Rakuten
Trademarks
Gift and Entertainment Policy
Terms of Service
Ethical Standards
Privacy Policy
Whistleblowing
Code of Conduct
End User License Agreement
Unsolicited Idea Submission Policy
© Rakuten Symphony