We have previously discussed zero trust architecture with MuleSoft, particularly the foundational principles with attribute based access control (ABAC) and how MuleSoft can serve as a powerful enabler in achieving API security within enterprise systems.
Considering the innovation, efficiency, and speed that AI and autonomous agents bring to everything, today we will focus on the extensibility of zero trust principles and architecture to cover both agentic and non-agentic worlds. This unified approach enables organizations to leverage existing investments in their security frameworks and safeguard their data while embracing autonomous agents.
AI innovations, API security, and zero trust
Businesses have welcomed the use of AI for code generation, reasoning, and general automation; now, they are expanding into AI agent territory, powered by large language models (LLMs). These agents can reason, respond to prompts, and act autonomously, offering time and cost savings. Salesforce, with its Agentforce platform, is at the forefront of this transformation, enabling businesses to operate more efficiently and scale with AI-driven solutions.
As AI continues evolving, organizations are increasingly reliant on APIs and integrations to seamlessly connect data from disparate sources, whether deployed in the cloud or on-premises. With this innovation comes new security challenges.
AI and autonomous agents, while powerful, can inadvertently expose sensitive data through APIs if not properly secured. Threats such as AI-driven API abuse, data exfiltration, and adversarial AI attacks are on the rise. Because of this, organizations must implement robust security measures to safeguard their assets as data is central to business continuity.
Zero trust architecture, enhanced by MuleSoft, ensures that API interactions are secure and dynamically adapting to real-time threats. MuleSoft plays a crucial role in providing the necessary guardrails, empowering Agentforce and other autonomous agents to innovate safely without compromising data security.
Unified principles for both worlds
A key differentiator of a robust zero trust architecture lies in its flexibility to adapt to evolving technological landscapes. Whether dealing with autonomous agents or traditional users and systems, the core traits of zero trust: never trust, always verify, and enforce least privilege – remain unchanged. MuleSoft’s composable architecture, powered by AI-driven technologies, traditional OAuth security and Attribute-Based Access Control (ABAC), ensures consistent policy enforcement for API ecosystems of different scales, complexities and industries.
Dynamic attributes for contextual access control
In the agentic world, intelligent agents like Agentforce rely on dynamic attributes such as agent ID, request purpose, and behavior history. Similarly, non-agentic users and systems depend on a combination of static (RBAC) attributes such as user roles, permissions, device type and dynamic attributes (ABAC) such as IP address, device type, and network type.
Anomaly detection and mitigation
AI-powered anomaly detection is equally effective for agents and traditional systems. For example, MuleSoft can detect unauthorized API calls by agents or unusual login patterns from users, triggering automated actions to mitigate risks.
Policy enforcement
The zero trust architecture enables centralized policy enforcement through Policy Enforcement Points (PEPs). These PEPs when extended to the agentic world ensure that access requests, whether originating from an agent or a user, comply with established zero trust principles. Dynamic policies adapt to changing attributes, making the framework extensible across both worlds.
Data masking and tokenization
Data masking and tokenization principles remain consistent across agentic and non-agentic worlds, as both rely on underlying APIs to enforce transformations. APIs dynamically apply masking or tokenization based on roles, access context, and predefined policies, ensuring sensitive data is protected while maintaining usability.
Composable architecture
MuleSoft’s composable architecture supports secure interactions at scale, ensuring consistent zero trust enforcement, whether integrating agents or traditional systems across the three layers, and regardless of if the services are interacting with each other (i.e. east/west traffic), are external consumers (i.e. north/south traffic), or are agents.
MuleSoft AI chain
MuleSoft AI Chain (MAC) is an open MuleSoft framework that helps organizations design, build, and manage AI agents in MuleSoft’s Anypoint Platform. This project is built on the idea that MuleSoft users shouldn’t have to leave MuleSoft to get the most out of AI; they should be able to leverage their existing skills and the power of Anypoint Platform to innovate.
The MAC Project offers a suite of AI-powered MuleSoft connectors, including MuleSoft AI Chain, MAC Inference MAC Vectors, Einstein AI, Amazon Bedrock, MAC Whisperer and MAC WebCrawler. These connectors ease the way autonomous agents are built, by connecting LLMs, vector databases, AI services, chains, tooling and conversations. Through the unification layer of MuleSoft AI Chain connectors, customers can easily switch between LLMs and vector databases with zero effort.
The MAC project augments ABAC-based zero trust solution architecture by providing an AI engine that performs key tasks such as anomaly detection, threat analysis, policy automation and data masking/tokenization. Let’s discuss these further.
Anomaly detection and threat analysis
The PDP is now enriched with connectivity to relevant LLMs for prompt enrichment, vector databases and knowledge bases for comparing the patterns with historical data and up to date information. This approach allows for dynamic analysis of API requests and more precise enforcement of ABAC policies, adapting to evolving security scenarios.
For example, credential stuffing can be detected by leveraging knowledge bases and LLMs for pattern detection and such patterns can be stored in a vector database for future references. This is particularly useful and efficient in a multi-layered zero trust architecture where the same information is validated at each entry point. Depending on the anomalies, ABAC can come into play to authorise, limit or deny information retrieval at each point of entry in the architecture.
Policy automation
With comprehensive OOTB policies, PDP can also enforce these policies depending on anomalies and threat analysis. With MuleSot’s open API architecture, policy enforcement and alerting can also be done within PDP by invoking platform APIs. This can range from applying policies for SLAs, throttling, IP blacklisting, or revoking API credentials. The data and patterns generated from policy automations can be stored in vector DBs future reference and to enhance LLMs to progressively improve the best course of automated action. For instance, if a bot attempts to scrape an API with randomized headers access tokens, PDP can identify clusters of requests with slight variations and apply rate-limiting or block access dynamically.
In the case of a compromised account accessing data from an untrusted location, RAG retrieves historical user behavior patterns, such as typical geolocations or endpoint usage, and flags the deviation as a risk. PDP can then dynamically enforce policies like requiring re-login, multi-factor authentication, or enforcing login from a trusted location or device. This combination ensures real-time, intelligent, and automated policy enforcement while minimizing false positives.
Data masking and tokenization
PDP can also do data masking and tokenization by performing dynamic, context-aware, and intelligent protection of sensitive information during API invocations. LLMs analyze API payloads to identify sensitive data patterns, such as personally identifiable information (PII), payment details, or health records.
Vector databases store embeddings of known sensitive data formats, which RAG uses to retrieve relevant context and ensure comprehensive masking or tokenization. For example, when sensitive data like SSN or credit card information is detected in an API request, PDP can dynamically replace it with a masked or tokenized equivalent while retaining format compatibility. This approach ensures regulatory compliance with frameworks like GDPR or HIPAA while minimizing workload to downstream systems.
PDP AI engine
A key addition to the PDP implementation is the AI engine that adds the AI intelligence to existing capabilities of traditional OAuth security and ABAC validations.
This PDP AI engine is divided into four key modules:
- Threat analysis
- Anomaly detection
- Policy Automation
- Data masking/tokenization
These modules work in tandem with OAuth and ABAC modules to identify and mitigate security risks, enforce appropriate API security polices, and protect sensitive data in real time. Also, the metadata, outcomes and learnings are fed back to the vector databases and fine-tune LLMs to improve accuracy for specific environments or security clearance levels (e.g. public, restricted, or top confidential) or industries (e.g. financial services or public sector).
To improve accuracy and ensure human-in-the-loop when needed, the PDP and the AI engine also use monitoring tools such as Anypoint Monitoring or equivalent. Here are more details on capabilities of each of these modules:
1. Threat analysis
The threat analysis module is responsible for identifying and mitigating potential threats by analyzing incoming requests for malicious patterns, such as injection attacks, high-risk IP addresses, or unusual behavioral patterns. It does so by leveraging a combination of one or more LLMs and vector databases specialized in threat analysis. As part of the information flowing into the PDP from PEP, it evaluates payloads, metadata, and request context. Detected threats trigger a combination of alerts, policy enforcement such as request denial or rate limiting.
2. Anomaly detection
The anomaly detection module monitors API usage patterns to identify deviations from normal behavior, such as unusual access times, request frequencies, or cumulative anomalies over time. Using behavioral baselines and rolling window analysis, the AI engine assigns risk scores to incoming requests in real time. Anomalies trigger adaptive responses, such as throttling or heightened monitoring, without impacting legitimate workflows.
3. Policy automation
The policy automation module supports the threat analysis and anomaly detection module by taking the appropriate policy automation based on insights from these modules. The policies are maintained in a fast retrieval NoSQL persistent repository using storage such as Dynamo DB, Redis, or equivalent. This repository contains metadata for policies, conditions and endpoint information. Vector databases enhance policy automation by enabling fast semantic search and anomaly detection, identifying relevant policies or conditions from this repository with minimal latency.
Depending on the confidence score generated in semantic search, LLMs who serve as intelligent advisors may be engaged based on real-time conditions. These dynamic refinements or contextual changes are feedback into the vector databases and policy repository for improving accuracy in future. Finally, there is always a human in the loop option that gets activated using alerts.
4. Data masking/tokenization
The data masking/tokenization module protects sensitive information by dynamically applying data masking or tokenization based on the user’s role, context, and risk profile. MuleSoft APIs intercept request payloads, transforming sensitive fields into partially masked or fully tokenized values using DataWeave. Similar to the Einstein trust layer, only masked or tokenized information is sent to LLMs for any contextual analysis.
Solution considerations for the agentic world
In an agentic world, autonomous agents are set up to meet business requirements as their primary goal and are continuously evolving in terms of capabilities and effectiveness using the underlying AI framework. While agentic platforms come with their security frameworks, they’re not fully responsible for the security and access control for underlying data from other systems in the organization. Thus, it becomes crucial for the zero trust architecture and the AI engine to provide real-time context aware decisions for anomaly detection, policy enforcement, and data security to prevent unintended behaviour. Below are some solution considerations with mitigations for overreaction to legitimate scenarios and underreaction to illegitimate scenarios.
AI overreaction to legitimate scenarios
A user may engage with the autonomous agent to book an appointment. They may make multiple booking attempts within a short timeframe because they are unsure of available slots. These invocations can be misinterpreted by the PDP AI engine as an abuse attempt that subsequently throttles or blocks all further booking requests from the agent. Bots compose 42% of overall web traffic, with 65% being malicious, leading to challenges in distinguishing legitimate high-frequency traffic from attacks.
To mitigate this, use a combination of thresholds for repeated actions with or without grace periods or notifications before enforcing an automatic throttle or blocking. It is also recommended to leverage contextual analysis to differentiate between legitimate retries and actual malicious bot behavior exploiting the autonomous agent. In such a case, although the autonomous agent is identified and presumably trusted by the APIs, the PDP AI engine can allow or restrict based on the traffic patterns, header information of the end user device.
AI underreaction to illegitimate scenarios
A bot engaged with an autonomous agent retrieves sensitive data, such as citizen legal records, in small increments over an extended period. Each retrieval appears legitimate on its own but collectively results in significant data exfiltration. The AI engine fails to correlate these requests over time, allowing the bot to avoid detection.
To mitigate this, implement rolling window analysis to monitor cumulative data access patterns over extended timeframes, correlating requests from the same agent or user to identify anomalies that may not appear suspicious in isolation. Combine this information with dynamic quotas that set adaptive limits on the total volume of data accessible within a session, day, or week, adjusting thresholds based on the agent’s role, purpose, and historical behavior to ensure legitimate access while preventing misuse.
For non-agentic systems, which include traditional applications and integrations, the focus is on predictable, consistent, and rule-based API access. APIs must enforce static role based access controls combined with ABAC policies that are pre-configured and straightforward to audit, ensuring compliance with organizational and regulatory standards.
For example, a non-agentic system accessing customer data might always receive tokenized data with static masking applied uniformly, regardless of context, ensuring simplicity and stability. The PDP AI engine will still perform checks such as anomaly detection and automated policy enforcement and rate limiting but the rules are simpler to prevent abuse by malicious actors or misconfigured clients. Additionally, robust logging and monitoring are required to audit access and demonstrate compliance, as manual intervention in these systems often necessitates periodic reviews and manual updates to policies
Solution considerations for the non-agentic world
For non-agentic systems, which include traditional applications and integrations, the focus is on predictable, consistent, and rule-based API access. APIs must enforce static role based access controls combined with ABAC policies that are pre-configured and straightforward to audit, ensuring compliance with organizational and regulatory standards.
For example, a non-agentic system accessing customer data might always receive tokenized data with static masking applied uniformly, regardless of context, ensuring simplicity and stability. The PDP AI engine will still perform checks such as anomaly detection and automated policy enforcement and rate limiting but the rules are simpler to prevent abuse by malicious actors or misconfigured clients. Additionally, robust logging and monitoring are required to audit access and demonstrate compliance, as manual intervention in these systems often necessitates periodic reviews and manual updates to policies.
Key stakeholders for zero trust implementation success
Implementing a zero trust solution architecture with MuleSoft APIs and integration capabilities requires a coordinated effort across several key roles, with MuleSoft Architect playing a central role. Here’s how these roles align to achieve a zero trust architecture.
Integration architect
An integration architect is the key stakeholder. This role ensures that MuleSoft’s composable architecture principles are seamlessly applied to enable secure, scalable and adaptive integration across agentic and non-agentic APIs. They design the API architecture and define reusable components across the experience, process, and system layers. They also work in close collaboration with other SMEs for IDM, infrastructure, security and ML/AI to design the PDP solution using IDM, MAC, MuleSoft API Manager, etc.
Integration or API developer
The integration or API developer implements zero trust principles within the API ecosystem using MuleSoft features like API gateways, runtime policies, and secure data flows. They ensure APIs are robust, scalable, and compliant with the organization’s security requirements.
Chief information security officer (CISO) or security architect
The CISO or security architect defines the overarching zero trust framework and policies in line with the organizational guidelines, ensuring consistent application of security principles. They establish foundational strategies for access control, data protection, and threat detection.
Identity and access management (IAM) specialist
The IAM specialist configures and manages ABAC policies, integrating them with MuleSoft’s API Manager and PDP layer to enable real-time identity validation, ABAC and RBAC role enforcements.
AI/ML engineer
An AI or ML engineer embeds anomaly detection and behavioral analysis capabilities into the PDP AI engine, allowing MuleSoft APIs to gain protection from threats like data exfiltration or bot-driven abuse.
DevOps engineer
A DevOps engineer ensures a scalable, reliable, and observable runtime environment for MuleSoft APIs, supporting deployment across cloud and hybrid infrastructures while maintaining operational efficiency.
Governance and compliance officer
A governance and compliance officer works with an integration architect to ensure adherence to regulatory requirements and organizational security policies, while maintaining transparency and auditability within the composable architecture.
Security, scalability, and adaptability all together
By combining innovations in AI, ABAC security tools, and MuleSoft’s composable API-led architecture, organizations can ensure robust data security while maintaining seamless scalability and adaptability. This approach not only enables autonomous agents to operate securely within trust boundaries but also ensures traditional systems benefit from predictable and consistent controls reusing the same architecture.
This solution also adheres to the familiar C4E model that combines the three key pillars of people, process and technology. The technology dimension includes MuleSoft API Manager, APIs lifecycle and MAC project, which ensure secure, scalable, and efficient deployment of APIs and integrations.
The process dimension is realized through composable architecture principles, defining Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs) for consistent zero trust policy enforcement. And finally, the people dimension focuses on key roles like Integration Architects, Security Architects, API Developers, IAM Specialists, AI/ML Engineers, and DevOps teams, ensuring the right expertise drives the implementation.
By aligning with these principles, MuleSoft’s zero trust solution reduces operational complexity, supports dynamic security challenges, and enables organizations to confidently innovate in an evolving technological landscape.
