Federal Agencies Push AI‑Enabled Zero Trust to Outpace Adversaries

Federal agencies are increasingly integrating artificial intelligence into zero-trust architectures to improve threat detection, accelerate response times and shift cybersecurity from compliance-driven to mission-driven, officials said Thursday at the Elastic Public Sector Summit in Washington, D.C.

“It’s a needed necessity right now for our environment to really look at the best practices for anticipating the adversaries that could target your environment,” Government Accountability Office Information Technology and Cybersecurity Director Jennifer Franks said during the event. “Zero trust is looking for you to always be aware and cognizant of who has access, when, where and why in your environment. AI is offering you that visibility to do so in a faster manner.”

Dave Raley, chief digital business officer at Marine Corps Community Services, said modern zero-trust frameworks allow agencies to better manage access and secure data while improving operational speed. Cloud-native architectures, combined with centralized management and segmented environments, enable agencies to secure distinct workloads without slowing down mission execution.

“Mission owners use centralized management and security services with isolated environments for distinct workloads of pipelines,” Raley said.

From Compliance to Mission Outcomes

Franks said many agencies still view security mandates as compliance exercises rather than mission-enabling capabilities.

“Cultural adjustments and really reassessing the behavior anomalies with understanding zero trust and AI tools and technologies [are a challenge], because it is a shift,” Franks said. “We’re used to perimeter-based security models … The same principles that we are applying to our basic information systems definitely apply to AI, so we’re having to scale that in that area.”

Successfully navigating this cultural shift requires collaboration between government agencies and private sector partners, Raley said.

“We should not be treating the contractors as the enemies that we hired, or as threats to us or be authoritarian in telling them what to do,” Raley said. “They’re bringing expertise. We should work with them.”

Leaders are also embedding DevSecOps in processes, Raley noted, urging personnel to view security not as a hurdle, but as a shared objective.

“From a DevSecOps perspective, it’s everyone’s responsibility. Let’s do it together, but let’s also not over rely on the compliance checklist mindset. We should be balancing mission capability with risk or with security and with compliance,” Raley said. “And so often, everybody just reverts to over-reliance on compliance as a goal. But compliance is not a goal. The goal is the mission outcome and security outcomes.”

Segmentation Enables Resilience

True zero-trust segmentation allows agencies to handle security incidents without grinding operations to a halt across the board, Franks said, adding agencies can isolate affected systems and continue operating elsewhere in the environment.

“When you have vulnerabilities to impact your environment, you can segment that off and, you know, provide those network mitigation surfaces, but not necessarily shut down and impact all of your business processes,” Franks noted.

That segmentation also creates the data foundation AI needs to be effective, Raley said. He added zero trust provides the visibility and control required for AI-driven threat detection and response.

“You can assess that threat to see if it is coming in an unexpected time or from an unexpected place or unexpected device,” Raley explained. “All those elements of zero trust feed a lot to ensure that you could then apply AI appropriately to help you accelerate [security and] accelerate those findings.”

Raley said that agency security leaders and technical experts need to understand that overcomplicating technical architectures often delays critical deployments.

“There are too many things that are presented in a very complex way when they could be simplified for even non-technical people. Because, a lot of times, a non-technical person is making decisions, and we need to help them,” Raley advised.

Franks added that zero trust and AI will be integral to cybersecurity practices across agencies.

“We’re seeing that the technologies are offering a capability for us to [secure systems]in a manner that we didn’t necessarily have without them, in a faster capacity,” Franks said.