Jun 02 2026
Artificial Intelligence

AI Exposes the Limits of Perimeter-Based Security in State and Local Government

Artificial intelligence’s rapid evolution exposes weaknesses in legacy government security models built for a different era.

The recent report “Beyond Generation: The Rise of Agentic AI in State Government” by the National Association of State Chief Information Officers highlights how state and local governments are rapidly scaling generative artificial intelligence and beginning to explore agentic AI. At the same time, the technology itself is advancing just as quickly.

Models such as Anthropic’s Mythos are demonstrating the ability to identify vulnerabilities and accelerate exploitation workflows — capabilities that could help under-resourced critical infrastructure sectors surface weaknesses they have struggled to address.

As states move forward, they are confronting governance challenges, legacy systems and growing concerns about deploying AI in citizen-facing services, particularly as autonomous systems gain the ability to act on sensitive information. Those challenges are compounded by the reality that many of these environments are still built on legacy architectures never designed for autonomous systems or machine-speed attacks. That gap is starting to show.

The result is a growing disconnect between how quickly AI is evolving and how these environments are secured. As agentic AI expands what systems can do and accelerates the pace of cyberthreats, traditional security models struggle to keep up, requiring agencies to reduce exposure through zero trust, gain visibility into AI systems and data flows, and continuously validate how these systems behave in real-world conditions.

Autonomous Systems Introduce New Operational Risk

Agentic AI can initiate actions, access data and interact across environments without direct human input. In government environments, where systems are interconnected and data is widely shared, this type of behavior creates operational risk.

AI systems supporting services such as benefits or permitting may interact with multiple systems containing sensitive information. Without clear constraints, unintended actions can affect both security and service delivery, directly impacting citizen services.

One way agencies can better protect sensitive data and maintain compliance is by transitioning to a zero-trust architecture.

Legacy Architectures Create Risk and Complexity

Most state and local governments still rely on perimeter-based security models, such as VPNs. These models grant broad access once users are inside the network, and from there, users are left unchecked.

Recent research highlights how reliance on legacy security models is increasing exposure to attacks. For state and local governments, this puts sensitive data and critical citizen services at risk. As attackers use AI to move at machine speed, many defenders still rely on legacy VPN architectures that limit visibility and slow response. According to that research, 70% of the organizations surveyed report limited or no visibility into AI-driven threats moving over VPN traffic.

These findings underscore a broader issue: Agencies must have continuous visibility into their environments. Perimeter-based models assume trust once inside the network, allowing users — human or machine — to move laterally without sufficient controls.

Zero trust removes implicit trust by ensuring users and systems access only what they need, when they need it. By enforcing least-privileged access and continuously verifying interactions, agencies can limit lateral movement and contain risk when systems or internal users behave unexpectedly.

For state and local governments, this shift may seem daunting given limited resources, budgets and time. However, zero trust does not require a complete overhaul. Many agencies can begin by replacing VPN-based access for remote users or high-value applications, then expand controls incrementally based on risk and mission-critical priorities. This phased approach aligns with limited resources and ongoing modernization efforts.

Building Visibility Into AI Systems and Data

While implementing zero trust is essential, agencies also must understand where AI is being used and how it interacts with data. AI capabilities are increasingly embedded across applications and workflows, often without centralized oversight.

Without visibility, agencies cannot identify where sensitive data is being shared or how systems are interacting. Establishing visibility across applications, prompts and data flows allows agencies to detect shadow AI, enforce policy and protect critical information while also improving governance and accountability across departments.

Continuously Validating AI Behavior

Because AI systems operate continuously, security must operate continuously as well.

Testing systems before deployment, monitoring behavior in real time and enforcing controls during interactions help identify vulnerabilities and reduce risk. Approaches such as red teaming and runtime monitoring ensure systems behave as intended, even as conditions change.

As these systems scale, manual oversight alone will not be enough. Security teams will need to use AI to keep pace — applying automation to detect anomalies, uncover risky behavior and respond in real time. This “fight AI with AI” approach reflects how security must evolve alongside the technology it is designed to govern.

Strengthening Security While Modernizing Government IT

State and local governments are under pressure to modernize services, improve the digital experience and maintain critical operations, all while managing limited resources.

AI can support these goals, but only if it is deployed with the right safeguards. By reducing exposure with zero trust, building visibility into AI use and continuously validating system behavior, agencies can strengthen their security, support modernization and protect the services citizens rely on every day.
