As the complexity of authenticating workloads continues to rise, particularly with the introduction of AI agents and varied identity permissions, organizations are faced with the challenge of securing these workloads in modern environments. This task is far from straightforward.
Researchers at Zscaler are set to delve into this evolving landscape during a session at the upcoming RSAC 2026 Conference, titled "What Are You, Really? Authenticating Workloads in a Zero Trust World."
In computing, workloads encompass the tasks that applications and services perform to fulfill their functions, as well as the IT resources consumed during these tasks. They range widely, from handling front-end user requests on web servers, such as managing shopping carts, to cloud-native microservices, complex data analysis, AI training, and beyond.
The Challenges of Tackling Workloads in 2026
Many workloads operate silently in the background and are classified as non-human identities (NHI), as they require permissions and authentication similar to human IT personnel. When considering AI agents, which mimic human tasks and can make autonomous decisions, the complexity of workloads increases. This necessitates more stringent security measures. Moreover, large organizations often utilize a mix of services across platforms like Azure, Google Cloud, and AWS, alongside on-premises solutions, making it essential for them to authenticate workloads in a scalable manner.
During their technical session, Zscaler's chief information security officer (CISO) Sam Curry and chief scientist Yaroslav Rosomakho will discuss various methods for authentication, including the mutual TLS (mTLS) security protocol, workload identity tokens, and remote attestation. They will also provide insights into which methods are more scalable than others.
Rosomakho mentioned to Dark Reading that traditionally, workload authentication and identity management have not been priorities for organizations. He noted that while earlier environments were simpler, the current landscape has rapidly become complex. Unfortunately, this increased complexity does not align with how many organizations secure their non-human identities.
"Currently, we observe widespread insecure practices regarding workload identity," Rosomakho explained. "Many organizations depend on static IP addresses for identity mapping, which scales poorly and is vulnerable to spoofing. Any changes in infrastructure can disrupt workload identity definitions. Additionally, numerous organizations still rely on static credentials, like HTTP basic authentication."
Furthermore, Rosomakho pointed out that the predominant method for identifying and authenticating AI agents involves static headers and keys that lack regular rotation.
"This poses a significant issue," he said, adding that linking critical processes to static keys can lead to severe technical and financial repercussions for unprepared defenders.
How to Authenticate Workloads in Your Environment
Curry emphasized that there are several strategies for addressing these challenges. Organizations should start by identifying secrets, taking inventory of AI agents and other NHI processes, adopting standards, and moving toward a zero-trust model. Additionally, they should engage with their platform providers about implementing workload authentication standards.
"Testing federation and defining a data security policy are crucial," he noted.
The appropriate defense strategy will vary based on an organization's specific requirements. For instance, Kubernetes Service Accounts allow workloads created in Kubernetes to receive dynamic short-term identities, enabling secure authentication with external systems.
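As an illustration of the short-lived Kubernetes identities described above, the following manifest is an added example, not taken from the Zscaler session or from any project named in this article. It requests a service account token that is bound to a single audience and expires after ten minutes, in place of a static key; the namespace, names, image, and audience URL are constructed placeholders.

```yaml
# Added example: all names, the image and the audience URL are constructed placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: invoice-worker
  namespace: payments
---
apiVersion: v1
kind: Pod
metadata:
  name: invoice-worker
  namespace: payments
spec:
  serviceAccountName: invoice-worker
  # Skip the default API-server token; this workload only needs the scoped token below.
  automountServiceAccountToken: false
  containers:
    - name: worker
      image: registry.example.internal/invoice-worker:1.0.0
      volumeMounts:
        - name: billing-identity
          mountPath: /var/run/secrets/billing
          readOnly: true
  volumes:
    - name: billing-identity
      projected:
        sources:
          - serviceAccountToken:
              # File name under mountPath where the kubelet writes the signed JWT.
              path: token
              # Only the named external system should accept this token (aud claim).
              audience: https://billing.example.internal
              # 600 seconds is the minimum lifetime Kubernetes accepts.
              expirationSeconds: 600
```

The receiving system should verify the token's signature against the cluster's published signing keys and reject tokens whose `aud` claim does not match or whose `exp` has passed. The workload must re-read the token file on each use, because the kubelet replaces it before it expires.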
Organizations may also consider adopting one of the many open-source standards designed for this purpose, such as the Secure Production Identity Framework for Everyone (SPIFFE). SPIFFE aims to securely identify software systems in dynamic and heterogeneous environments, focusing on creating a well-defined framework built on short-lived identities.
Another initiative is the Internet Engineering Task Force's Workload Identity in Multi-System Environments (WIMSE) working group, which aims to establish standardized solutions for the various challenges associated with workloads today. The group maintains a charter, mailing list, and relevant documents for interested parties.
Whether adopting SPIFFE, WIMSE, or another standard like Security Assertion Markup Language (SAML), Curry and Rosomakho advocate for organizations to take proactive steps now. The complexity of workloads shows no signs of decreasing.
"It's likely that the most interesting, common, and valuable communications in our economy will involve no humans," Curry stated. "Therefore, it's essential to ensure confidentiality, integrity, and availability in such scenarios. Achieving this requires a more advanced schema for authentication and authorization. This is arguably one of the most critical considerations for professionals in the cybersecurity and IT fields today: What is our strategy?"