Zero Trust for AI Systems: A Reference Architecture and Assurance Framework

Artificial intelligence systems are rapidly becoming integral to defense, intelligence, and critical infrastructure; yet, existing cybersecurity frameworks provide limited guidance for securing AI-specific components, such as model supply chains and training data pipelines. While Zero Trust Architecture (ZTA) offers a powerful foundation for modern cybersecurity, and while secure MLOps practices and ZT-adjacent controls for ML pipelines have emerged in practitioner literature, these efforts have not been integrated into a comprehensive framework that decomposes AI systems into distinct trust layers, specifies evidence artifacts per layer, and provides compliance crosswalks to federal AI governance requirements. This paper addresses that integration gap by proposing a comprehensive Zero Trust framework tailored to the AI lifecycle. We introduce a structured threat model identifying adversarial opportunities across AI workflows and map Zero Trust principles—identity, continuous verification, least privilege, micro-segmentation, and policy enforcement—to AI-specific components. We present a reference Zero Trust Architecture composed of four trust layers: Data Trust, Model Supply Chain Trust, Pipeline Trust, and Inference Trust. We further define an assurance evidence framework integrating cryptographic provenance, continuous integrity monitoring, and policy-driven access control to produce audit artifacts intended to support alignment assessments against NIST AI RMF, DoD Zero Trust guidance, and ISO/IEC 42001 requirements. A scenario-based demonstration illustrates threat mitigation in mission environments. This work establishes a foundation for standardized Zero Trust implementations for AI systems.
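The abstract names three kinds of assurance evidence (cryptographic provenance, continuous integrity monitoring, policy-driven access control) that sit on the Model Supply Chain Trust and Inference Trust layers. The following is an added illustration, not code from the paper or its authors: a minimal policy enforcement point placed in front of model loading. It emits a signed provenance record for a model artifact, re-hashes the bytes before every load, checks the claimed producer against an allow-list, and writes an audit event for every decision. All inputs (model bytes, key, producer identity, policy) are constructed placeholders, and the HMAC stands in for the asymmetric signature a real deployment would use.

```python
"""Added example (not the paper's code): a minimal model supply-chain trust check.

Shows three evidence artifacts from the abstract in working form:
  - cryptographic provenance: a signed record binding producer -> artifact digest
  - continuous integrity monitoring: re-hash the artifact before each load
  - policy-driven access control: allow-list of producers, with an audit event per decision
The HMAC key is a stand-in for an asymmetric signing key (constructed, not real).
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample inputs (not real model weights, keys, or identities).
SIGNING_KEY = b"constructed-demo-key-do-not-use"
MODEL_BYTES = b"constructed fake model weights v1"
TAMPERED_BYTES = MODEL_BYTES + b"\x00"  # one appended byte models an altered artifact
APPROVED_PRODUCER = "ml-team@example.org"  # placeholder identity
POLICY = {"allowed_producers": {APPROVED_PRODUCER}}


def canonical(obj):
    """Deterministic JSON so the signature covers exactly these fields, in this order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_provenance(artifact, producer, version, key):
    """Model Supply Chain Trust: sign a record of who produced which exact bytes."""
    body = {
        "artifact_sha256": sha256_hex(artifact),
        "producer": producer,
        "version": version,
        "issued_at": "2024-01-01T00:00:00Z",  # fixed so the record is reproducible here
    }
    signature = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def verify_signature(record, key):
    expected = hmac.new(key, canonical(record["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["signature"])


def check_model_load(artifact, record, key, policy):
    """Inference Trust: policy enforcement point in front of model loading.

    Returns (allowed, audit_event). Every decision, allow or deny, produces an
    audit event; those events are the evidence an assessor would review.
    """
    body = record["body"]
    reasons = []
    if not verify_signature(record, key):
        reasons.append("signature_invalid")
    # Continuous integrity monitoring: hash the bytes that will actually be loaded,
    # not the bytes that were hashed at publication time.
    if sha256_hex(artifact) != body["artifact_sha256"]:
        reasons.append("digest_mismatch")
    # Least privilege: only approved producers may supply models to this service.
    if body["producer"] not in policy["allowed_producers"]:
        reasons.append("producer_not_allowed")
    allowed = not reasons
    audit_event = {
        "decision": "allow" if allowed else "deny",
        "reasons": reasons,
        "artifact_sha256": sha256_hex(artifact),
        "claimed_producer": body["producer"],
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }
    return allowed, audit_event


if __name__ == "__main__":
    record = make_provenance(MODEL_BYTES, APPROVED_PRODUCER, "1.0", SIGNING_KEY)
    for label, data in [("intact", MODEL_BYTES), ("tampered", TAMPERED_BYTES)]:
        ok, event = check_model_load(data, record, SIGNING_KEY, POLICY)
        print(label, json.dumps(event))
```

The check is deliberately fail-closed: any single failed control denies the load, and the denial reason is recorded rather than silently discarded, so the audit trail distinguishes a tampered artifact from an unapproved producer or a forged record.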
