Layer One: The Substrate Still Matters
Stacked Zero Trust: Post 4 of 13
This is the unglamorous layer — and the one most people quietly assume is already “done.” If you’re building toward agentic AI, that assumption is probably the most expensive mistake you can make.
Layer one is the substrate: identity, device posture, segmentation, application and data controls, policy engines, enforcement points — all applied to the subjects Zero Trust has traditionally handled well: humans and workloads. Everyone recognises it, and most assume it’s broadly in hand. In most organisations, it isn’t — and that gap starts to matter a lot more once AI enters the picture.
It boils down to two things. The substrate is more unfinished than we tend to admit, and under AI those weaknesses don't just sit there anymore: they get exercised.
The substrate isn’t finished
Zero Trust has been around long enough that people assume the foundations are largely solved. The maturity data consistently says otherwise. Banded against the CISA Zero Trust Maturity Model, most organisations still land unevenly: strong in some pillars, noticeably thin in others. That's not really a capability problem. It's structural.
Identity is the obvious example. Most large environments run multiple identity providers — the residue of acquisitions, partial transformations, and programmes that never fully landed. What you end up with isn’t a single identity plane, it’s a set of federated seams that work well enough most of the time, but were never designed to behave as one system.
There’s a useful parallel in the early railways. Different companies laid track to different gauges — Brunel’s broad gauge versus what became the standard elsewhere. On a map, it looked like a connected network. In reality, it wasn’t. Where lines met, trains couldn’t pass through. Everything had to stop, unload, and transfer across the gap — creating delay, cost, and failure points that were never fully engineered out. The Gauge Act came later, but by then the fragmentation was already embedded.
Enterprise identity looks much the same. It presents as one organisation, but underneath it’s multiple systems meeting at seams where federation, translation, and trust relationships paper over the differences. On paper, unified. In practice, loosely stitched together.
Those seams (trust relationships, service accounts, third-party access) are rarely understood end to end, and almost never tested under stress. What you have isn't a clean foundation; it's a position that holds until it's pushed.
And that’s the point. This is the normal state, not an exception. The business keeps moving, and the control layers never quite catch up before the next change lands.
AI doesn’t inherit weakness — it accelerates it
If the substrate were just incomplete, this would be a familiar problem. The issue is what happens when you introduce autonomous agents into that environment.
Agents don’t sit neatly on top of those weaknesses — they run straight through them.
They operate under delegated authority in estates where privilege boundaries are already blurred. The difference is pace and behaviour. Humans are slow, predictable, and naturally bounded. Agents aren’t. They operate at machine speed, follow chains of action the user never explicitly defined, and adapt to whatever they encounter.
That changes things quickly.
The federation path no one ever crossed becomes something an agent moves through in milliseconds. The over-privileged service account that was tolerable in a deterministic world becomes a problem the moment a non-deterministic actor inherits it. The third-party access that sat there untouched for years suddenly becomes reachable.
None of these are new vulnerabilities. They were always there. The difference is you don’t get away with them anymore.
What “good enough” actually looks like
This isn’t an argument for waiting until the substrate is perfect — that’s never going to happen. The shift is toward clarity: knowing where it’s weak, and factoring that directly into what you allow on top of it.
In practical terms, that means knowing how many identity providers you actually have (not what the diagram says) and where the federation trusts between them really sit. It means knowing which service accounts carry more privilege than they exercise, because those are the ones you least want anything autonomous inheriting. And it means tracing where third-party and managed access actually reaches when you follow it transitively rather than stopping at the first hop, because that is where it tends to extend further than people think.
None of this is new work. It just moves from “good hygiene” to “non-negotiable,” because the cost of not knowing is no longer measured at human pace.
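To make that inventory concrete, here is an added example (mine, not tooling from this series or from any product) that models a small estate as a trust graph and asks the three questions above: how many identity providers are really present and where the seams between them sit, what an agent acting as a given user can reach transitively and which of those hops nobody has ever exercised, which service accounts hold admin roles they never use, and how far a third party's access actually reaches against what its contract says. Everything in it is constructed: the identity provider names, principals, role assignments, the audit sample of which trust edges were actually exercised, and the third party's declared scope are illustrative, not a real environment. The graph semantics are a deliberate simplification: an edge means a holder of the subject's token can obtain the target, whether by delegation, federation, token issuance or a role assignment.

```python
"""Seam-finder for an identity substrate, modelled as a trust graph.

Added example for this post, not tooling from the series or any vendor.
Every name below (IdPs, principals, roles, audit sample, declared scope)
is constructed for illustration; it is not a real environment.
"""
from collections import deque

# Principal -> identity provider that issues its tokens (constructed).
PRINCIPALS = {
    "alice@corp":       "corp-entra",
    "svc-build":        "corp-entra",
    "svc-legacy-sync":  "legacy-ad",     # left over from a migration that never finished
    "msp-ops@partner":  "partner-okta",  # managed-service provider staff
}
IDPS = set(PRINCIPALS.values())

# Directed trust edges (subject, target, mechanism): a holder of the subject's
# token can obtain the target through the named mechanism. Targets containing
# ':' are resources with a role; everything else is a principal or an IdP.
# principal -> IdP is a federation trust (the IdP accepts that token);
# IdP -> principal means the IdP will issue a token as that principal.
EDGES = [
    ("alice@corp",      "svc-build",       "delegated-agent-runs-as"),
    ("svc-build",       "legacy-ad",       "federation-trust"),   # cross-IdP seam
    ("legacy-ad",       "svc-legacy-sync", "idp-issues-token"),
    ("svc-legacy-sync", "hr-db:admin",     "role-assignment"),
    ("svc-legacy-sync", "file-share:read", "role-assignment"),
    ("msp-ops@partner", "corp-entra",      "federation-trust"),   # cross-IdP seam
    ("corp-entra",      "svc-build",       "idp-issues-token"),
    ("svc-build",       "ci-secrets:read", "role-assignment"),
]

# Edges actually exercised in the audit window (constructed; in practice
# derived from sign-in and token-issuance logs).
OBSERVED = {
    ("alice@corp", "svc-build"),
    ("svc-build", "ci-secrets:read"),
    ("svc-legacy-sync", "file-share:read"),
}

# What the contract says each third party may reach (constructed).
DECLARED_SCOPE = {"msp-ops@partner": {"ci-secrets:read"}}


def idps_in_use():
    """Distinct identity providers, counted from principals rather than the diagram."""
    return sorted(IDPS)


def _idp_of(node):
    """IdP a node belongs to: itself for an IdP, its issuer for a principal, None for a resource."""
    return node if node in IDPS else PRINCIPALS.get(node)


def seams():
    """Trust edges whose endpoints belong to different identity providers."""
    return [e for e in EDGES
            if _idp_of(e[0]) and _idp_of(e[1]) and _idp_of(e[0]) != _idp_of(e[1])]


def reach(start):
    """BFS over EDGES: every node reachable from start, with one path that gets there."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for subject, target, _ in EDGES:
            if subject == node and target not in paths:
                paths[target] = paths[node] + [target]
                queue.append(target)
    return paths


def resources_reachable(start):
    """Resource:role targets reachable from start, however many hops away."""
    return {n for n in reach(start) if ":" in n}


def never_crossed(start):
    """Edges inside start's reachable subgraph that the audit window never saw used.
    These are the paths a human never takes and an agent following a chain will."""
    reachable = set(reach(start))
    traversable = {(s, t) for s, t, _ in EDGES if s in reachable and t in reachable}
    return sorted(traversable - OBSERVED)


def overprivileged_service_accounts():
    """Service accounts holding an admin role they never exercised in the window."""
    out = {}
    for subject, target, mechanism in EDGES:
        if (subject.startswith("svc-") and mechanism == "role-assignment"
                and target.endswith(":admin") and (subject, target) not in OBSERVED):
            out.setdefault(subject, set()).add(target)
    return out


def third_party_overreach():
    """Resources a third party can reach transitively but was never granted on paper."""
    return {p: resources_reachable(p) - scope
            for p, scope in DECLARED_SCOPE.items() if resources_reachable(p) - scope}


if __name__ == "__main__":
    agent_as = "alice@corp"  # the user an agent would run as
    print("identity providers:", idps_in_use())
    print("federation seams:  ", [(s, t) for s, t, _ in seams()])
    print("agent can reach:   ", sorted(resources_reachable(agent_as)))
    print("never exercised:   ", never_crossed(agent_as))
    print("over-privileged:   ", overprivileged_service_accounts())
    print("third-party reach: ", third_party_overreach())
    print("path to hr-db:admin:", " -> ".join(reach(agent_as)["hr-db:admin"]))
```

Run as written, the report shows three identity providers where the diagram would show one, two federation seams, and, for an agent running as alice@corp, a route to hr-db:admin that crosses the legacy seam through a service account nobody has exercised in the window. That route is the post's point in miniature: a human never took it, an agent following a chain of delegated actions will. The constructed dictionaries are the only thing to swap for exports from your own identity providers and sign-in logs; the queries stay the same.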
The point
The substrate is less complete than most organisations assume, and under agentic AI those gaps get exercised quickly and at scale. You can’t stack a governed AI layer onto an ungoverned foundation and expect it to hold.
Most environments aren’t built on rock — they’re built on a mix of solid ground and sand, with more seams than anyone is fully comfortable with. The first step is being honest about where those seams are, and letting that shape what you build next.
Post 4 of 13 in Stacked Zero Trust.
Previously: Post 3 - The Three Layers of Stacked Zero Trust.
Next: Post 5 - Layer Two: AI as Mediator — the decision layer, and the gap between what it can actually do today and what’s being claimed.
The reference document at the end of the series includes a substrate-readiness assessment as part of the full maturity model.
References drawn on in this post: NIST Special Publication 800-207, Zero Trust Architecture (August 2020); the CISA Zero Trust Maturity Model as the standard reference for substrate maturity banding; industry Zero Trust maturity survey data referenced in general terms, with specific sources cited in the reference document; SPIFFE/SPIRE as an example of workload identity. The break-of-gauge reference draws on the British railway gauge incompatibilities resolved in large part by the Gauge Act 1846.


