Zscaler AI Broker gives agents their own security rules

What this is about

Zscaler AI Broker is a new security tool for enterprises that want to do more than observe AI agents: they want to control agent communication and permissions. Zscaler introduced AI Broker in June 2026 alongside Endpoint AI Security and AI Access Graph around Zenith Live.

This is a concrete tool story, not a general security warning. The practical trigger is how companies secure agents that access data through MCP, A2A, browser plugins, local tools, or SaaS integrations. Once an agent is allowed to act, classic monitoring is no longer enough.

What Zscaler AI Broker actually does

According to Zscaler, AI Broker secures agentic communication through MCP and A2A brokers. An integrated Agent Registry is meant to show which agents exist and what they are allowed to access. On top of that, organizations can apply more fine-grained policies to agent permissions.

Zscaler Endpoint AI Security complements this by addressing risks on employee devices, including browsers, extensions, plugins, and local AI tools. AI Access Graph is meant to show relationships between identities, applications, and data sources. Taken together, this is not a chatbot feature; it is a control layer for agents operating inside enterprise environments.

Why it matters

Many agents start as productivity helpers. Then they receive more context, more data, and more tools. That is when the security problem appears: an agent can use legitimate permissions to do the wrong thing, send data to the wrong place, or be pushed off course through prompt injection.

TechRadar reports from Zscaler's Zenith Live remarks that the company processes more than 750 billion requests per day and expects agent traffic to grow sharply. The real effectiveness of AI Broker still needs to be proven in customer deployments. The important direction is clear: agents are being treated like identities of their own, not harmless text boxes.

In plain language

Imagine an office where new interns can work extremely fast and get access to file cabinets, phones, and email. Without a reception list, nobody knows exactly who is present, who has which key, and which task is allowed. AI Broker is like a front desk with a name list, key plan, and logbook for digital agents.

It does not prevent every mistake. But it makes visible which agent is talking to which tool and which door it is allowed to open.

A practical example

A finance team uses three agents: one for contract analysis, one for invoice clarification, and one for supplier communication. Each agent uses different tools. The contract agent may read documents but must not trigger payments. The invoice agent may inspect an ERP system but must not export bank data. The communication agent may prepare email drafts but must not send them automatically.

At 40,000 documents, 8,000 invoices per month, and several SaaS systems, that separation becomes hard to track. An agent registry approach can help teams review permissions, data paths, and communication systematically. The first test should not be full automation. It should be an inventory: which agents are running, which tools do they use, and what data can they reach?

Scope and limits

• AI Broker is an enterprise security product. Small teams without the Zscaler stack will not adopt it casually.
• Most product claims currently come from the vendor. Independent long-term evidence on effectiveness is still limited in June 2026.
• Technical control does not replace process decisions. Companies still need to define which agents are allowed to act at all.

The strongest fit is for organizations that run agents across multiple departments, tools, and data classes. Teams using only individual assistants without tool access likely need simpler policies, logging, and data classification first.

SEO & GEO keywords

Zscaler AI Broker, AI agent security, Endpoint AI Security, AI Access Graph, MCP security, A2A broker, agent registry, Zero Trust Exchange, enterprise AI governance, AI security platform, prompt injection risk, agent permissions