- Most Zero Trust programs protect users and devices. They leave workloads — containers, serverless functions, VMs, and AI agents — completely unprotected from east-west lateral movement.
- Zero Trust for Workloads enforces security at the runtime layer: every workload communication path is verified, east-west traffic is inspected inline, and egress is filtered, without agents or application changes.
- The core problem: IP addresses are ephemeral in the cloud. Any Zero Trust enforcement that relies on IPs breaks the moment a pod reschedules or a function spins up. You need workload identity, not network address.
- Aviatrix Zero Trust for Workloads (ZTW) is agentless, cross-cloud, and covers every workload type — Kubernetes pods, serverless functions, VMs, and AI agents — from a single control plane.
- 8% of organizations have actually implemented Zero Trust in practice (Aviatrix 2025 State of Cloud Network Security report). The gap is almost always enforcement at the workload layer.
- Why traditional Zero Trust tools don't protect workloads, and what falls through the gap
- The five workload communication paths that need Zero Trust enforcement
- How workload identity works without relying on IP addresses
- A step-by-step implementation framework for Zero Trust at the runtime layer
- How Aviatrix ZTW enforces Zero Trust agentlessly across Kubernetes, serverless, VMs, and AI agents
- The questions your team should be asking at each stage
The Gap in Your Zero Trust Program
Zero Trust network architecture has been a priority for most security teams for years. Identity providers are in place. VPNs have been replaced with ZTNA. MFA is enforced. And yet, breaches are still spreading — laterally, inside cloud environments, between workloads that nobody is watching.
Aviatrix's 2025 State of Cloud Network Security report found that only 8% of organizations have actually implemented Zero Trust in practice. The gap is enforcement at the layer that matters most in cloud environments: the workloads themselves.
of organizations have actually implemented Zero Trust in practice — Aviatrix 2025 State of Cloud Network Security report. The gap is enforcement at the layer that matters most in cloud environments: the workloads themselves.
Most Zero Trust programs are user-centric. They verify the human before granting access to an application. That's important, but it leaves an entirely different attack surface unprotected. Once an attacker (or a compromised workload) is inside your cloud environment, the connections between your containers, serverless functions, VMs, databases, and AI agents are wide open. That's the problem Zero Trust for Workloads solves.
What Is Zero Trust for Workloads?
Zero Trust for Workloads is a security model that applies Zero Trust principles — never trust, always verify, least privilege — at the workload level rather than the user level.
In practice, it means every workload in your environment has a verified identity, every connection that workload makes is explicitly authorized, and all traffic to and from that workload is inspected and logged. This applies to:
Kubernetes pods and containers
Serverless functions (AWS Lambda, Azure Functions, GCP Cloud Run)
Virtual machines and cloud-native compute instances
AI agents, LLM inference pipelines, and agentic applications
Microservices, APIs, and message queue consumers
The key distinction from traditional Zero Trust Network Access (ZTNA): ZTNA secures how humans access applications. Zero Trust for Workloads secures how workloads communicate with each other. These are different problems requiring different enforcement mechanisms.
"Zero Trust for Workloads is not an extension of ZTNA. It's a separate enforcement layer for a completely different attack surface — the east-west traffic that moves inside your cloud environment, invisible to the perimeter tools you already have."
Why Traditional Zero Trust Tools Don't Protect Workloads
The proxy model stops at the perimeter
Most ZTNA solutions use a proxy architecture: all traffic is routed through a cloud-based intermediary that verifies user identity before forwarding the connection to the application. This model is effective for user-to-application access. It does nothing for workload-to-workload traffic. When your payment service calls your fraud detection service, that connection never goes through a user proxy. It moves east-west, inside your cloud environment, completely outside the scope of your ZTNA tool.
Agents break for ephemeral workloads
Some workload security approaches rely on deploying agents on each workload — software that monitors traffic and enforces policy at the endpoint. This works reasonably well for long-lived virtual machines. It breaks immediately for modern cloud architectures. A Kubernetes pod may live for 30 seconds. A serverless function spins up to handle one request and disappears. An AI agent is instantiated dynamically by an orchestration framework. You cannot deploy, manage, or maintain agents on infrastructure that doesn't persist.
Elephant in the Room
The shift to containerized and serverless architectures is specifically what creates the enforcement gap that attackers exploit. The more modern your cloud stack, the more your workloads look like ephemeral processes — and the less your agent-based security tools can keep up with them.
IP-based identity collapses in the cloud
Traditional network security policies rely on IP addresses: allow traffic from 10.0.0.5 to 10.0.0.6. In a dynamic cloud environment, IP addresses are ephemeral and meaningless. When a Kubernetes pod reschedules, it gets a new IP. When a Lambda function cold-starts, it gets a new address. When you scale horizontally, you have dozens of IPs where you had one.
Any Zero Trust enforcement that relies on IP-based identity is broken the moment your workloads start doing what cloud-native workloads do: move, scale, and restart.
- Are your current workload security policies written against IP addresses or CIDR blocks?
- What happens to those policies when a pod reschedules or a new function instance spins up?
- Do you have a way to track the security posture of a container that lives for less than a minute?
- If a serverless function in your environment made an unauthorized API call right now, would you see it?
The Five Workload Communication Paths That Need Zero Trust
Zero Trust for Workloads needs to cover every path through which a workload communicates. There are five. Most organizations protect one or two. All five are attack vectors.
1East-West: Workload to Workload
This is the primary attack path for lateral movement. East-west traffic moves between services inside your cloud environment — your API gateway talking to your application layer, your application layer calling your database, your microservices communicating through a message queue. None of this traffic crosses the perimeter. All of it is potentially dangerous if one workload is compromised.East-west enforcement requires inline inspection between every workload that verifies the identity of both parties, confirms the connection is explicitly authorized, and blocks anything that isn't.
2North-South: Workload to Internet
Every outbound call your workload makes to an external service is a potential data exfiltration path or command-and-control channel. A compromised container calling out to an attacker's infrastructure. A misconfigured function exfiltrating data to an external storage endpoint. An AI agent making unauthorized calls to third-party APIs.Egress filtering controls these outbound paths, logging every external call, blocking unauthorized destinations, and alerting on anomalous outbound patterns.
3Workload to Data
The connections between your workloads and your data stores — databases, object storage buckets, and secret managers — are among the most sensitive traffic in your environment. A compromised workload that can reach your primary database without restriction is a breach waiting to happen.Zero Trust enforcement at the workload-to-data layer means your microservices get access to only the specific data stores they need, for only as long as they need it, with every access logged.
4AI Agent and Agentic Application Traffic
AI agents are a new and rapidly growing workload type that introduces unique Zero Trust challenges. They make dynamic, often unpredictable API calls to external services, other AI models, data stores, and orchestration frameworks. They can be granted broad permissions during development that never get tightened before production.AI agents must be treated as any other workload in your Zero Trust architecture: assigned a stable identity, governed by least-privilege access policies, with all outbound calls filtered and logged. The fact that the agent is making decisions autonomously doesn't mean its network access should be autonomous.
5CI/CD Pipeline and DevSecOps Traffic
Your deployment pipelines are workloads too. A compromised CI/CD pipeline is one of the most dangerous attack vectors in cloud environments. It has access to production infrastructure, secrets, and deployment keys. Zero Trust for Workloads should extend to build agents, deployment runners, and the connections they make during pipeline execution.
Elephant in the RoomMost teams implement Zero Trust on paths 1 and 2 and consider the job done. Paths 3, 4, and 5 are where the most damaging breaches actually start — because they're the least monitored and the most trusted. Your database doesn't question why your application is suddenly querying every record in the table. Your secrets manager doesn't ask why the CI/CD runner is pulling every API key. Zero Trust for Workloads makes everything question everything.
Zero Trust for Workloads vs. Traditional Approaches
Here's how Zero Trust for Workloads compares to the approaches most teams already have in place — and why they don't cover the same ground.
Approach | What It Protects | What It Misses | Agent Required? | Ephemeral Workloads? |
Perimeter Firewall / ZTNA | User-to-application access | East-west workload traffic entirely | No | N/A — doesn't reach workloads |
Agent-Based CWPP | Long-lived VMs and containers | Serverless, short-lived pods, AI agents | Yes — breaks for ephemeral | No |
Network Segmentation (IP-based) | Broad network zones | Fine-grained workload-level enforcement | No | No — IPs change constantly |
Cloud-Native Security Groups | Intra-VPC traffic rules | Cross-cloud consistency; dynamic workloads | No | No — static rules break on rescheduling |
All 5 communication paths, all workload types | Nothing in scope left uncovered | No — agentless by design | Yes — uses workload identity, not IP |
See how ZTW stacks up in your environment
Take the free Workload Attack Path Assessment — get a personalized gap analysis in under 15 minutes.
The Foundation: Workload Identity Without IP Addresses
Everything in Zero Trust for Workloads depends on one thing: being able to identify a workload reliably, regardless of where it's running, what IP address it has, or how long it's been alive.
Traditional network security uses IP addresses as workload identity. In cloud environments, this breaks immediately. Dynamic workload identity solves this by assigning each workload a stable cryptographic identifier derived from its attributes — what it is, what it belongs to, what it's supposed to do — rather than where it happens to be sitting on the network at this moment.
Identity Approach | How It Works | Cloud-Native Problem |
IP address | Policy tied to source/dest IP | IP changes on reschedule, scale-out, or restart |
CIDR block | Policy tied to subnet range | Subnets are too coarse for workload-level enforcement; over-permissive |
Service account / IAM role | Cloud provider identity attached to compute | Not portable across clouds; doesn't cover workload-to-workload traffic inline |
Dynamic workload identity (ZTW) | Stable identifier derived from workload attributes — survives IP changes, reschedules, scale events | Requires enforcement mechanism independent of network topology |
With dynamic workload identity, your policies say things like: "the payment-service workload may call the fraud-detection workload on port 443" — not "allow traffic from 10.0.1.5 to 10.0.1.12." The former survives infrastructure changes. The latter breaks constantly.
- How does your current security tooling identify a Kubernetes pod — by IP, by label, or by a stable workload identity?
- Do your security policies survive a deployment rollout, a horizontal scaling event, or a zone failover?
- Can you query your logging system for all traffic to or from the 'payment-service' workload, regardless of which IP addresses it used last week?
How to Implement Zero Trust for Workloads: A Step-by-Step Framework
Zero Trust for Workloads is an enforcement posture you build progressively. Here's a practical framework aligned with how Aviatrix ZTW customers approach implementation.
1Inventory your workloads and assign identity
You can't enforce Zero Trust on workloads you don't know exist. Start by cataloguing every workload in your environment: Kubernetes namespaces and deployments, serverless functions, VMs, and AI agents. For each, define a stable workload identity — the label, tag, or attribute-based identifier that will follow it through the environment.
Map all workloads across every cloud account and region.
Define naming standards for workload identities that match your deployment patterns.
Identify which workloads handle sensitive data and prioritize those for immediate enforcement.
2Map workload communication paths
Before writing a single policy, observe the actual traffic. What talks to what? Which services call which APIs? Where does data flow between workloads and datastores? What does your CI/CD pipeline touch?Use your cloud provider's flow logs, a network observability tool, or Aviatrix CoPilot to build a communication map. Distinguish between expected traffic (your app calling your database) and unexpected traffic (your app calling an external IP at 2am).
- Do you have a real-time map of workload-to-workload traffic across your cloud environments?
- Can you identify traffic flows that are active but have never been formally authorized?
- How quickly could you detect a new, unexplained east-west connection between two workloads?
3Define least-privilege workload policies
With your communication map in hand, define policies that explicitly authorize only the connections your workloads need. Start with a default-deny posture for everything, then layer in explicit allow rules for each legitimate path.
Use workload identity — not IP or CIDR — as the subject and target of every policy.
Scope policies to specific ports and protocols — not "allow all traffic between workload A and workload B."
Include time-bound policies for CI/CD and AI agent traffic that should only run during specific windows.
Start with your highest-risk paths: workload-to-database, service-to-secrets-manager, AI agent egress.
4Enforce inline, without agents
Once policies are defined, enforcement needs to happen inline — intercepting and verifying each workload connection as it's made, not inspecting it after the fact. This is where agent-based approaches fail for ephemeral workloads and where Aviatrix ZTW's agentless model is essential.Agentless enforcement works by operating at the network layer rather than the endpoint layer. The enforcement mechanism sits between workloads — not on them — so it doesn't require installation, maintenance, or compatibility with every workload type you run.Critical Issue"Agentless" doesn't mean invisible or unaccountable. It means the enforcement engine operates independently of your workloads rather than inside them. Every connection is still verified. Every policy is still enforced. The difference is you're not managing agent deployments across thousands of ephemeral pods or debugging why an agent couldn't start on a particular function runtime.
5Monitor, adapt, and prove enforcement continuously
Zero Trust for Workloads is not a one-time configuration. Your workloads change constantly — new services get deployed, existing ones get refactored, traffic patterns shift. Your enforcement posture needs to keep pace.
Log every workload connection — accepted and denied — with workload identity, timestamp, and policy applied.
Alert on deviations from baseline traffic patterns. A workload calling a service it has never called is worth investigating.
Review and tighten policies regularly. Over-permissive rules accumulate if you don't revisit them.
Generate audit-ready reports — compliance teams need continuous evidence that controls are enforced, not just configured.
- How long would it take your team to produce a log of every connection a specific workload made last Tuesday?
- Do you have alerts for workloads communicating with services they've never reached before?
- Can you generate an audit report showing that Zero Trust policies are enforced at runtime, not just documented in a policy register?
Zero Trust for Workloads: Use Cases That Drive Real Outcomes
Kubernetes and containerized environments
Kubernetes is the canonical example of why traditional security tools fail for workloads. Pods are ephemeral. Namespaces are logical boundaries that don't correspond to network segments. Services communicate across namespaces constantly. IP addresses rotate with every scaling event.
Zero Trust for Workloads in a Kubernetes environment means every pod has a stable identity, every inter-namespace connection is explicitly authorized, and every connection attempt that violates policy is blocked inline before it can be used for lateral movement.
Serverless and event-driven architectures
Serverless functions are among the most difficult workloads to secure because they have no persistent state, no fixed IP, and often no agent support. They're also increasingly common entry points for data exfiltration — a misconfigured Lambda function with overly broad egress permissions can exfiltrate data to an external endpoint with no one watching.
ZTW's agentless enforcement covers serverless functions natively: each function instance is identified by its workload attributes, its outbound calls are filtered against egress policy, and every invocation is logged.
AI agents and agentic applications
AI agents introduce a new dimension of workload security risk. Unlike a traditional microservice that calls a predictable set of APIs, an AI agent makes decisions dynamically — and those decisions can result in unexpected API calls, data access, or outbound connections that no human explicitly authorized.
Treat AI agents as workloads, not users. Assign them a workload identity. Define least-privilege egress policies that allow only the external services they legitimately need. Log every outbound call. Block everything else. The autonomy of the AI decision-making layer does not mean its network access should be autonomous.
Ransomware prevention and lateral movement blocking
Ransomware spreads by moving laterally through environments with flat east-west connectivity. A compromised container calls an adjacent service. That service calls a database. The database credentials get exfiltrated. The encryption starts.
Zero Trust for Workloads interrupts this chain at the first lateral hop. If your payment service doesn't have an explicit policy to call your HR database, that connection is blocked even if the payment service is fully compromised. The blast radius stays exactly as small as your policy design allows.
Compliance: PCI-DSS, HIPAA, FedRAMP, SOC 2
Every major compliance framework increasingly requires evidence of runtime enforcement, not just policy documentation. PCI-DSS requires microsegmentation of cardholder data environments. FedRAMP references NIST 800-207's Zero Trust requirements. HIPAA requires access controls on workloads that handle protected health information.
Aviatrix ZTW generates continuous, machine-readable logs of every workload connection — accepted and denied — providing the audit-ready evidence these frameworks require without a manual reporting sprint before every audit.
Kubernetes & Containers
Stable pod identities, inter-namespace enforcement, no agents — survives scaling events automatically.
Serverless Functions
Agentless coverage for Lambda, Azure Functions, Cloud Run — every invocation identified and filtered.
AI Agents & Agentic Apps
Least-privilege egress for autonomous workloads — every external call governed and logged.
Ransomware Prevention
Lateral movement blocked at the first hop — blast radius limited to exactly your policy design.
PCI-DSS / HIPAA / FedRAMP
Continuous audit-ready logs of every policy decision — no manual sprint before every audit.
Multi-Cloud Consistency
Same policy model across AWS, Azure, GCP, OCI from a single control plane.
How Aviatrix Zero Trust for Workloads Works
Without real enforcement at the workload layer, Zero Trust remains a well-intentioned framework rather than an operational reality. Aviatrix Zero Trust for Workloads (ZTW) delivers pervasive, agentless Zero Trust enforcement across every workload communication path — without requiring changes to your applications, your cloud architecture, or your operations team's existing workflows.
Agentless by design
ZTW enforces Zero Trust at the network layer, not the endpoint layer. There's no agent to deploy, no agent to maintain, no agent compatibility to manage across your container runtimes. Enforcement works for Kubernetes pods that live for 10 seconds, Lambda functions that execute once, and AI agents that are instantiated dynamically by an orchestration framework.
Dynamic workload identity, not IP addresses
Every workload in your environment gets a stable identity derived from its attributes — what it is, what namespace it belongs to, and what tags it carries — not its IP address. Policies follow workloads through scale events, reschedules, deployments, and migrations. IP changes are invisible to the policy engine.
Inline east-west enforcement
ZTW inspects every workload-to-workload connection inline, at the point of communication, not in a log review after the fact. Every hop is verified against policy. Unauthorized connections are blocked before they can be used for lateral movement. Every accepted and denied connection is logged with full workload identity context.
Egress filtering for north-south and workload-to-internet traffic
Every outbound call from your workloads to external APIs, third-party services, or the internet is filtered against egress policy. Data exfiltration paths and command-and-control channels are blocked before data leaves your environment. AI agent calls to unauthorized external services are blocked inline.
Cross-cloud consistency — AWS, Azure, GCP, OCI
ZTW enforces the same workload identity model and the same least-privilege policies across every cloud in your environment. The same policy that governs your Kubernetes pods in AWS applies to your serverless functions in Azure and your VMs in GCP — from a single control plane, without rewriting rules for each cloud's native security model.
CoPilot visibility and Wiz integration
Aviatrix CoPilot provides runtime visibility over workload traffic flows, anomalies, and gateways across clouds with audit-ready logging for compliance. The Wiz partnership surfaces and prioritizes workload security findings so your team acts on the highest-risk issues rather than drowning in undifferentiated alerts.
ZTW Capability | What It Does | Compliance / Use Case Served |
Dynamic workload identity | Stable identity for every workload, survives IP changes, reschedules, scale events | Foundation for all downstream Zero Trust enforcement |
Inline east-west enforcement | Intercepts and verifies every workload-to-workload connection at the point of communication | Lateral movement prevention; microsegmentation; NIST 800-207 Network pillar |
Egress filtering | Inspects and filters all outbound workload connections to internet and external services | Data exfiltration prevention; AI agent control; NIST 800-207 Data pillar |
Agentless enforcement | No agents on workloads — works for Kubernetes pods, serverless, VMs, AI agents | Ephemeral workload coverage; no deployment overhead |
Cross-cloud consistency | Same policy model across AWS, Azure, GCP, OCI from a single control plane | Multicloud compliance; eliminates policy gaps at cloud seams |
High-performance encryption (HPE) | Encrypts all workload-to-workload traffic in transit without throughput penalties | PCI-DSS, HIPAA, FedRAMP data-in-transit requirements |
Audit-ready logging (CoPilot) | Every workload connection logged with identity, timestamp, policy, and decision | SOC 2, FedRAMP, PCI-DSS audit evidence; ZTMM 2.0 advancement |
What makes ZTW different from 'we have a CWPP'
Cloud Workload Protection Platforms (CWPPs) scan for vulnerabilities and detect threats. They are not inline enforcement tools — they observe and alert after the fact. ZTW enforces policy at the connection level, blocking unauthorized traffic before it can be used. Detection after the fact does not prevent lateral movement. Inline enforcement does.
Ready to see agentless Zero Trust enforcement in action?
Talk to an Aviatrix architect about your Kubernetes, serverless, or AI agent environment.
Common Zero Trust for Workloads Challenges and How to Work Through Them
We can't put agents on everythingYou don't need to. Agentless enforcement at the network layer covers every workload type, including the ones your agent can't reach. If agent deployment is the reason your workloads aren't protected, the answer is to remove the agent requirement, not to carve out exceptions.
Our policies would need constant updates as workloads changePolicies tied to workload identity rather than IP addresses survive infrastructure changes automatically. The policy that says "payment-service can call fraud-detection on port 443" remains valid through reschedules, scaling events, and deployments. You update policies when the business logic changes, not every time a pod restarts.
We can't afford the latency of inline enforcementThis is a real concern with some enforcement architectures that route traffic through centralized inspection points. ZTW's inline enforcement operates at the network fabric level, not through a traffic hairpin to a central proxy. The performance impact is designed to be negligible for production workload traffic.
We need to prove it's working to auditorsThis is one of the most underrated requirements in Zero Trust programs. CoPilot's logging gives you continuous, timestamped, machine-readable records of every policy decision — every accepted connection, every denied attempt, every anomaly. That's the evidence chain auditors want, generated automatically, not assembled manually before each audit.
Ready to Close the Workload Enforcement Gap?
Your users are verified and your perimeter is controlled, but workloads still communicate east-west without enforcement. Aviatrix Zero Trust for Workloads secures runtime traffic agentlessly across Kubernetes, VMs, serverless, AI agents, and multi-clouds.