LLM integration and the zero trust perimeter: A systematic review of trust enforcement failures and defensive architectures

Objective: This systematic review examines how large language model (LLM) integration into enterprise systems exposes implementation-level gaps in Zero Trust Architecture (ZTA), catalogs defensive architectures proposed to close these gaps, and presents a taxonomy mapping ZTA principles to LLM-induced failure modes. 

Methods: Following PRISMA guidelines, 68 sources published between 2020 and 2026 were synthesized from six databases, standards bodies (NIST, OWASP, MITRE), and industry analyses, appraised using a three-tier quality framework distinguishing peer-reviewed, standards, and industry evidence.

Results: The review identifies trust enforcement failures across four dimensions: non-deterministic delegation collapsing identity verification; context and memory exploitation through prompt injection and memory poisoning; policy enforcement bypass via agentic automation; and microsegmentation weakening through RAG data aggregation. Defensive architectures range from production-ready guardrails to theoretical proposals for decentralized agent identity and semantic data flow controls. No existing standard comprehensively addresses the LLM–ZTA intersection. 

Conclusion: ZTA principles remain sound but their implementation mechanisms require extension to account for probabilistic, context-dependent, and autonomously acting LLM components. Critical open problems include bounded trust models for agentic LLMs, verifiable AI identity, and standardized evaluation metrics for ZTA resilience under AI integration.