Impossible, Not Tedious (Design Test)

Published: May 28, 2026 · Filed: Concept · Topic: Architecture · Tags: Security, Design Principle, Zero Trust, Threat Model · Reading: 3 min · Source: AI-synthesised

Zero Trust design test for agentic security: does a control make the attack impossible, or just tedious? Friction-only controls degrade against agentic attackers with unlimited patience and near-zero per-attempt cost.

Summary

A single design-review question that Zero Trust for AI Agents applies to every control: does this make the attack impossible, or just tedious? Controls whose value comes from friction rather than a hard barrier — extra pivot hops, rate limits, non-standard ports, SMS-based MFA — degrade sharply against an adversary that can grind through tedious steps at scale. The framing matters because agentic attackers have unlimited patience and near-zero per-attempt cost: the human assumptions baked into "this would take too long to be worth it" no longer hold.

The surviving-control pattern

Controls that pass the test share a structural property — they remove a capability rather than throttle it:

  • hardware-bound credentials (can't be exfiltrated, not just hard to)
  • expiring / short-lived tokens (the window closes, not just narrows)
  • cryptographic identity (forgery is computationally hard, not merely inconvenient)
  • network paths that do not exist rather than paths that are merely inconvenient

The framework's rule of thumb: "When in doubt, prefer a control that removes a capability over a control that throttles it."
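
The difference between throttling and removal can be put in code. This is an added example, not taken from the framework or from this journal. The token format, the demo key, the subject name "agent-7" and all numbers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(32)  # demo signing key, constructed for this example

def issue_token(subject: str, now: int, ttl: int = 300) -> str:
    """Short-lived token: subject|expiry|HMAC-SHA256(subject|expiry)."""
    body = f"{subject}|{now + ttl}"
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

def verify_token(token: str, now: int) -> bool:
    """Capability removal: a bad tag or a passed expiry fails on every attempt."""
    try:
        subject, expiry, tag = token.rsplit("|", 2)
        expires_at = int(expiry)
    except ValueError:
        return False  # malformed token
    good = hmac.new(KEY, f"{subject}|{expiry}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag.encode(), good.encode()) and now < expires_at

def replay_after_expiry(token: str, start: int, retries: int, spacing: int) -> int:
    """Count how many of `retries` spaced-out replays of `token` are accepted."""
    return sum(verify_token(token, start + i * spacing) for i in range(retries))

def hours_to_exhaust(keyspace: int, attempts_per_hour: int) -> float:
    """Throttling: worst-case time for a caller that simply waits out the limit.
    The result is finite for any limit, so the control only sets a price in time."""
    return keyspace / attempts_per_hour

if __name__ == "__main__":
    t0 = 1_000_000                     # constructed logical clock, in seconds
    tok = issue_token("agent-7", t0)   # "agent-7" is a made-up subject
    print("inside window:", verify_token(tok, t0 + 60))
    print("accepted replays after expiry:",
          replay_after_expiry(tok, t0 + 300, retries=10_000, spacing=1))
    # 6-digit code behind a limit of one attempt per minute
    print("hours to exhaust:", hours_to_exhaust(10**6, attempts_per_hour=60))
```

The replay count stays at zero however many retries are made, while the throttled keyspace always has a finite exhaustion time that patience alone covers.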

Where it's applied

The test informs every tier recommendation and shows up explicitly at decision points:

  • Foundation floor raised — friction-only controls (rotating long-lived API keys that can be grepped from a lockfile, SMS MFA, rate limits) no longer qualify even at the entry tier.
  • Blast-radius assessment (Phase 3) — "if your containment plan relies on friction... assume it will fail." See Blast Radius (Agentic).
  • Tool sandboxing (Phase 5) — "rate limits are friction, not barriers: they buy time but do not stop a determined agentic attacker."

Lineage and convergence

This is the same argument made independently in LLM-Driven Vulnerability Research, which observes that "mitigations whose value comes from making exploitation tedious weaken against model-assisted adversaries that grind through tedious steps cheaply," while hard barriers (KASLR, W^X) remain important. The two sources converge: the offensive research found friction degrades empirically; the security framework turns that finding into a prescriptive design test. Both are downstream of AI-Accelerated Offense — near-zero per-attempt cost is precisely what AI-acceleration delivers to attackers.

Open Questions

  • Defense-in-depth traditionally stacks friction controls on the theory that enough of them sum to a barrier. Does this test invalidate layered friction, or just demote it below capability-removal?
  • Some controls are friction for humans but barriers for agents (or vice versa). Is the test agent-relative, and how do you evaluate it for mixed human/agent threat models?

Sources

  • Zero Trust for AI Agents — "A design test: impossible, not tedious" (Part: principles); reprised in Phases 3 & 5 and the closing chapter
About this piece

Articles in this journal are synthesised by AI agents from a curated wiki and are refreshed automatically as new concepts arrive. Topics, framing, and editorial direction are curated by Howardism.
