Introduction
Fabrikam's multi-agent code review system processes proprietary enterprise customer code—the most sensitive asset many companies possess. A cross-tenant data breach where Customer A's source code leaks to Customer B would be catastrophic: legal liability, regulatory penalties, reputation damage, and immediate customer churn. Traditional perimeter-based security models assume trust within the network boundary. Zero-trust architecture assumes no component ever has inherent trust—every request, from any source, requires explicit authentication and authorization.
Implementing zero-trust for multi-agent systems means applying security controls at every agent interaction boundary, not just at the external API gateway. One agent calling another agent must authenticate with cryptographic proof of identity. Network policies prevent compromised agents from communicating with unrelated agents. Data isolation ensures tenant context propagates through every operation. In this module, you learn how to design zero-trust identity architecture for multi-agent networks with per-agent managed identities and least-privilege access, design network controls to prevent lateral movement between agents, implement multitenant data isolation architectures with tenant context propagation, and configure compliance controls that map regulatory requirements to agent behaviors.
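The boundary check described above, as an added example rather than code from the module or from Fabrikam: a callee agent verifies the caller's identity token, applies a least-privilege allowlist, and refuses any request whose tenant context disagrees with the tenant bound into the token. It assumes HMAC-signed tokens with a per-agent key as a stand-in for managed identities (a real deployment would use platform-issued, asymmetrically signed tokens); the agent names, keys and allowlist are constructed for illustration.

```python
"""Zero-trust check at an agent-to-agent call boundary (added example).

Assumptions, none of them from the page: each agent holds its own key
(stand-in for a per-agent managed identity), tokens are HMAC-SHA256 signed
JSON claims, and the callee enforces a caller->callee allowlist plus
tenant-context agreement. Names and keys below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed per-agent secrets; in production these are never shared.
AGENT_KEYS = {
    "intake-agent": b"k-intake",
    "review-agent": b"k-review",
    "billing-agent": b"k-billing",
}

# Least-privilege policy: (caller, callee) pairs that are permitted.
ALLOWED_CALLS = {
    ("intake-agent", "review-agent"),
    ("review-agent", "report-agent"),
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(agent_id, tenant_id, audience, ttl=300, now=None):
    """Issue a token binding caller, tenant, intended callee and expiry."""
    issued = time.time() if now is None else now
    claims = {"sub": agent_id, "tenant": tenant_id,
              "aud": audience, "exp": int(issued + ttl)}
    body = b64url_encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(AGENT_KEYS[agent_id], body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, expected_aud, now=None):
    """Return the claims if signature, audience and expiry hold, else None."""
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    try:
        claims = json.loads(b64url_decode(body))
        key = AGENT_KEYS[claims["sub"]]
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # forged or tampered
    current = time.time() if now is None else now
    if claims.get("aud") != expected_aud or claims.get("exp", 0) < current:
        return None  # replayed to the wrong callee, or expired
    return claims


def authorize_call(token, callee, request, now=None):
    """Callee-side zero-trust decision. Returns (allowed, reason)."""
    claims = verify_token(token, callee, now)
    if claims is None:
        return False, "spoofing: invalid, expired or wrong-audience token"
    if (claims["sub"], callee) not in ALLOWED_CALLS:
        return False, f"elevation of privilege: {claims['sub']} may not call {callee}"
    if request.get("tenant") != claims["tenant"]:
        return False, "information disclosure: tenant context mismatch"
    return True, "ok"


def tamper_tenant_claim(token, new_tenant):
    """Simulate an attacker rewriting the tenant claim but keeping the old signature."""
    body, _, sig = token.partition(".")
    claims = json.loads(b64url_decode(body))
    claims["tenant"] = new_tenant
    forged = b64url_encode(json.dumps(claims, sort_keys=True).encode())
    return f"{forged}.{sig}"


if __name__ == "__main__":
    tok = mint_token("intake-agent", "tenant-a", "review-agent", now=1000)
    print(authorize_call(tok, "review-agent", {"tenant": "tenant-a"}, now=1100))
    print(authorize_call(tok, "review-agent", {"tenant": "tenant-b"}, now=1100))
```

Each refusal names the STRIDE category it blocks, which is the same vocabulary the audit record should carry so that later correlation in a SIEM can count spoofing attempts separately from tenant-context violations.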
Threat modeling with STRIDE
Before designing controls, you need a vocabulary for threats. STRIDE is the threat modeling framework developed at Microsoft that enumerates six attack categories relevant to any distributed system, including multi-agent architectures: Spoofing (impersonating a legitimate agent identity), Tampering (modifying messages in transit or data at rest), Repudiation (denying that an agent action occurred), Information disclosure (leaking proprietary or tenant-sensitive data), Denial of service (exhausting resources to degrade availability), and Elevation of privilege (an agent gaining permissions beyond its granted scope).
Each category maps to one or more units in this module: spoofing and elevation of privilege are addressed by the per-agent managed identity and JIT access controls in Units 2-3; tampering by the network isolation and encrypted channel controls in Units 4-6; repudiation by the immutable audit schemas in Unit 7; information disclosure by the tenant-isolation and data-residency controls in Units 5-7, which together with the network controls also limit how far a compromised agent can move laterally.
For AI-specific threats that go beyond classical infrastructure threats—prompt injection, model extraction, adversarial inputs—the OWASP LLM Top 10 framework provides the relevant threat vocabulary. Prompt injection defenses and guardrail architecture are specialized topics in AI prompt security; this module focuses on the infrastructure-layer controls (identity, network, data isolation, compliance) that apply regardless of which AI-specific defenses sit above them.
SIEM and SOAR integration
The security controls in this module generate data: managed identity audit logs, network flow logs, tenant-context processing records, and compliance evidence. Individually, these data streams support compliance reporting. Aggregated into a Security Information and Event Management (SIEM) system, they enable unified threat detection across the entire agent ecosystem.
OpenTelemetry traces, structured operation logs, and immutable audit records (capturing agent ID, timestamp, and action taken) should feed enterprise security tooling such as Microsoft Sentinel (SIEM) for unified threat detection and SOAR (Security Orchestration, Automation, and Response) platforms for automated incident response. When a compromised agent generates anomalous call patterns, the same OpenTelemetry trace data that supports debugging also enables Sentinel to correlate the anomaly across tenants and trigger an automated containment runbook.
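The correlation step, as an added example that is not code from the module, from Fabrikam, or from Microsoft Sentinel: two detection rules run over constructed audit records, one flagging a trace whose tenant context changes partway through (a cross-tenant leak in progress) and one flagging a call to a peer outside the caller's allowlisted baseline (lateral movement). In Sentinel this logic would be expressed as a KQL analytic rule feeding a SOAR playbook; Python keeps it runnable offline. The record schema, agent names and allowlist are assumptions for illustration.

```python
"""SIEM-style anomaly rules over agent audit records (added example).

Assumption, not from the page: each audit record carries timestamp, trace ID,
agent ID, action, callee and tenant, in the spirit of the immutable audit
schema the module describes. Records below are constructed, not real data.
"""
from collections import defaultdict

# Baseline of permitted caller -> callees (constructed least-privilege policy).
ALLOWED_CALLS = {
    "intake-agent": {"review-agent"},
    "review-agent": {"report-agent"},
}

# Constructed audit records. Trace t1 is benign; in trace t2 a compromised
# review-agent switches tenant mid-trace and reaches an unrelated agent.
AUDIT_RECORDS = [
    {"ts": 1700000000, "trace": "t1", "agent": "intake-agent", "action": "call",
     "callee": "review-agent", "tenant": "tenant-a"},
    {"ts": 1700000001, "trace": "t1", "agent": "review-agent", "action": "call",
     "callee": "report-agent", "tenant": "tenant-a"},
    {"ts": 1700000005, "trace": "t2", "agent": "intake-agent", "action": "call",
     "callee": "review-agent", "tenant": "tenant-b"},
    {"ts": 1700000006, "trace": "t2", "agent": "review-agent", "action": "call",
     "callee": "report-agent", "tenant": "tenant-a"},
    {"ts": 1700000007, "trace": "t2", "agent": "review-agent", "action": "call",
     "callee": "billing-agent", "tenant": "tenant-b"},
]


def detect_anomalies(records, allowed=ALLOWED_CALLS):
    """Return findings from two rules, in the order the records are seen."""
    findings = []
    trace_tenant = {}  # tenant the trace started with (propagated context)
    for r in sorted(records, key=lambda x: x["ts"]):
        # Rule 1: lateral movement, a call outside the caller's baseline.
        if r["action"] == "call" and r["callee"] not in allowed.get(r["agent"], set()):
            findings.append({"rule": "lateral-movement", "trace": r["trace"],
                             "agent": r["agent"], "ts": r["ts"],
                             "detail": f"{r['agent']} -> {r['callee']}"})
        # Rule 2: cross-tenant, tenant context changes within one trace.
        origin = trace_tenant.setdefault(r["trace"], r["tenant"])
        if r["tenant"] != origin:
            findings.append({"rule": "cross-tenant", "trace": r["trace"],
                             "agent": r["agent"], "ts": r["ts"],
                             "detail": f"trace began as {origin}, saw {r['tenant']}"})
    return findings


def containment_targets(findings):
    """Agent IDs a SOAR runbook would isolate, derived from the findings."""
    return sorted({f["agent"] for f in findings})


if __name__ == "__main__":
    for f in detect_anomalies(AUDIT_RECORDS):
        print(f)
    print("isolate:", containment_targets(detect_anomalies(AUDIT_RECORDS)))
```

Keying the cross-tenant rule on the trace ID is what makes the OpenTelemetry trace context useful for security as well as debugging: without a trace-scoped tenant, the two records at ts 1700000006 and 1700000007 each look legitimate in isolation.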