Anthropic Just Wrote the Case for Data Resilience (They Just Didn't Call It That)

Anthropic published a security framework called “Zero Trust for AI Agents” in May. If you build, deploy, or secure AI agents, read the whole thing. It is one of the clearest pieces of guidance on agent security I have seen, and it comes from a leader in the space.

I spend my days (and nights) thinking about data resilience and data security, so I read it asking a simple question. Where does this framework actually touch the things my world cares about? I expected a few loose connections. Instead, multiple sections read like I slipped the author $20 to write Veeam's positioning.

That is not a coincidence. The direction this framework points is the direction enterprise security has been moving for years, and it is the direction Veeam has been pointing toward for the AI Era.

Zero Trust for Agents Is a Different Animal

Zero Trust is not new. The phrase goes back decades and the principles were codified by NIST and later the NSA. Never trust and always verify. Grant least privilege. Assume breach. None of that is novel.

What is novel is the thing being governed. Traditional Zero Trust assumes the entity behaves predictably. A human authenticated through MFA interacts with systems through known workflows. A microservice makes the API calls its code tells it to make. The behavior is bounded.

Agents break that assumption, and not because they are flawed. They break it because they are non-deterministic by design. An agent given a tool might use that tool in a way nobody anticipated. They reach into databases, APIs, and tools through MCP integrations. They chain those actions together at machine speed. The blast radius of one compromised agent is far larger than one compromised user account, and it expands the moment you connect another tool.

Anthropic is blunt about the stakes. They write that frontier models are compressing the timeline between vulnerability and exploit from months to hours. Threat actors are also leveraging AI to sharpen tactics they have always used, such as reconnaissance, initial access through phishing and vishing, exfiltration, and credential access. The tactics have not radically changed, but the rate at which they execute now runs at machine speed.

How the AI Era Is Evolving Each Zero Trust Principle

Assume Breach

Anthropic is explicit about it. Design your agent deployments for breach from day one. Do not try to prevent every intrusion. Limit the damage when one happens. Segment by identity. Contain and understand the blast radius of each agent. Make sure compromising one system does not hand an attacker the rest.

If you have spent any time in backup and recovery, you have heard a version of this your whole career. Assume the bad thing happens. Architect so you can come back from it. This is not groundbreaking. The takeaway here though is that one of the most credible names in AI is now saying it about autonomous agents, in a security framework, to an audience of CISOs and architects who are deploying these systems faster than they are securing them.

Least Privilege

The framework makes one conceptual move I think will outlast the rest of it. The distinction between least privilege and least agency.

Least privilege is familiar. Give an entity only the access it needs. An agent that reads log files should not have write access to production. Least agency goes further. Give an agent only the autonomy it needs for the task in front of it. If it needs to query a database, hand it a parameterized query interface, not raw SQL. If it needs to change a config, give it a scoped API, not shell access.

If you accept that an agent will eventually be compromised or simply reason its way somewhere you did not intend, then an agent with narrow agency is a contained incident and an agent with broad agency is a catastrophe. The access controls can be technically correct and the autonomy can still be the thing that hurts you.

Never Trust and Always Verify

Threat actors are already using AI to move at machine speed, which is widening the coverage gap. The coverage gap is the percentage of alerts that go uninvestigated, and every uninvestigated alert is risk you cannot see. This means we have to move at machine speed on defense too. It does not mean fire humans and replace them with AI. Human in the loop is critical for decision making. It means close the coverage gap with the same kind of automation the attackers are using. An agent for every alert, to triage, enrich, and correlate, so the percentage of findings that actually get investigated goes up instead of drowning a SOC analyst in a queue.

Applying Anthropic's Zero Trust Agent Guidance with Veeam

Integrity and Recovery

Every meaningful control Anthropic recommends here is at the heart of what Veeam does. They tell you to capture a known-good baseline so you can identify a clean state and restore to it when an agent is compromised. That is the entire premise of immutable backup paired with clean restore point identification. You scan, you verify, you know which point in time is trustworthy, and you recover to it. They tell you to segment by identity so a compromise cannot move laterally. That is isolated, immutable storage with its own network and credential boundary. They tell you to run orchestrated response playbooks with graduated escalation. That is exactly how a well-built recovery runbook works. Every decision about network, compute, priority, and restore point is resolved before an incident, so that during the incident a human authorizes and the automation executes.

Recovery is the last resort if everything else fails. The question is not only whether you have backups. It is whether you can answer three things under pressure. Are you protecting the data the agents are being fed and acting on? Is that data immutable, so an attacker cannot quietly alter it? And can you map cleanly back to the point of incident, so you know which restore point is actually clean rather than already poisoned? If you cannot answer those, you do not have a recovery posture. You have a prayer.

When the most safety-focused AI company in the world tells you to build for breach and recover to a known-good state, that is the data resilience thesis wearing a different badge.

Input Validation and Output Controls

An agent's output is only as trustworthy as the data feeding it. Anthropic spends real time on this. Memory poisoning corrupts the context an agent uses to make decisions. Tool poisoning tampers with the responses an agent gets back and trusts as fact. RAG pipelines pull from sources that may be stale, over-permissioned, or deliberately tainted. The agent does not know the difference. It reasons over whatever it is given and acts with confidence either way.

Strip the jargon and it comes down to one thing. If you cannot vouch for the data, you cannot vouch for the agent. That is a data integrity problem before it is an AI problem, and it is squarely where data resilience and data security posture live. Most organizations are pointing agents at data they have never classified and cannot prove is intact. That is the quiet risk underneath the loud ones.

Veeam's DataAI Command Graph shows where your sensitive data sits, who (or what) can touch it, whether it has been altered, and the ability to restore a known-clean version.

Observability and Traceability

Anthropic wants immutable, append-only audit logs, streamed to a SIEM, and correlated with other security events. Veeam not only meets those benchmarks, it provides an agent activity log that breaks down every action an agent has taken, the users and groups who have access to the agent, and the files and data systems the agent can reach. This is critical for forensic analysis and anomaly detection, but also for compliance. Full audit trails of who touched what data, why, and who authorized it, plus complete lineage from source to output to satisfy the explainability requirements regulators are starting to demand.

Veeam provides this through agent activity monitoring which is a log of every action agents took on data.

Anomaly Detection

Dwell time, how long a threat sits before you detect it, and coverage, the percentage of findings you actually investigate. Anthropic singles these out as the two metrics with the most leverage when exploit windows collapse to hours. Veeam threat detection sets a clean baseline and flags anomalies early, which attacks the dwell time problem directly, while data security posture tooling highlights overly permissive agent access.

Agent Authentication and Privilege Management

There are two domains where Veeam does not map, and I am not going to pretend otherwise. Agent authentication, and privilege management. Anthropic wants every agent to carry a unique cryptographic identity. They want short-lived tokens issued by an identity provider, just-in-time privilege escalation, per-action continuous authorization, and attribute-based access control (ABAC). These are real, important controls, and they live at a layer that backup and data security tools do not operate in. That is identity provider and platform territory.

Why This Matters Now

The conversation about securing AI agents has been dominated, reasonably, by the front half of the problem. How do you stop the agent from being compromised in the first place. Identity, least privilege, least agency, prompt injection, sandboxing. That work is essential and it is where most of the attention has gone.

But Anthropic's framework, by leaning so hard on assume breach, is quietly making a second argument. You will not stop every compromise. Agents interpret goals, chain tools, and act at machine speed, and at some point one of them will do something you did not intend, whether through manipulation or its own ambiguity. When that happens the question becomes how fast you can identify a clean state and recover.

The agent era makes the blast radius bigger and the speed higher, which means the recovery posture matters more, not less. The organizations that come through the next few years in good shape will not only be the ones with the best agent identity controls. They will be the ones who assumed breach, protected and classified the data their agents depend on, kept an immutable known-good state, and could prove they were back to clean.

Everyone is racing to stop agents from being compromised. Far fewer are asking what happens when one is. That second question is the one I would be asking before I deployed a single agent against data that matters.