Zero Knowledge Authentication and the Agentic AI Trust Layer: How Badge Inc. Is Securing the Future

2026

There is, actually, a moment in most security conversations where someone’s eyes glaze over. That moment tends to arrive right around the word “cryptographic.” Dr. Tina Srivastava, co-founder of Badge Inc. and winner of the 2026 Business Intelligence Group Fortress Cybersecurity Award in the Agentic AI Security Platform category, has a real talent for preventing that moment from happening. She describes what her company does in about three sentences, and by the end you’re nodding along wondering why nobody just did this sooner.

The short version is that Badge has figured out how to prove you are who you say you are without ever storing anything about you. No password hashes. No biometric templates sitting in a database somewhere waiting to be stolen. No security questions about your childhood pet. Just you, your factors, and a key that gets derived on the fly every single time. It is, in some ways, so simple it sounds like it probably should not work. It very much does.

A Breach That Became a Blueprint

The founding story of Badge is, honestly, one of the better origin stories in cybersecurity. Dr. Tina Srivastava came up through MIT and then went into national security work at Raytheon, focused on electronic warfare systems. That kind of career path requires a security clearance, which means your biometric data—your actual fingerprints—gets stored in the Office of Personnel Management database. In 2015, the OPM got breached. Six million people, including Srivastava and her co-founder Dr. Charles Herder, had their fingerprints permanently compromised.

That is the kind of thing that tends to clarify your thinking pretty quickly. “How do I prove that I’m Tina without giving up my private data, having it be stored in a central database waiting to be attacked?” Srivastava asked. The answer was Badge, and the guiding principle became what the company now calls “identity without secrets.”

The insight is fairly elegant once you hear it. The traditional approach to authentication basically involves collecting something about you—a password hash, a biometric template, a knowledge-based answer—and storing it somewhere. Then every authentication event is really just a comparison: does what you’re providing right now match what we already have stored? The stored data is, obviously, the attack surface. Badge removes the stored data entirely. There is nothing to breach because there is nothing sitting around.

What Zero Knowledge Authentication Actually Means in Practice

The technical mechanism behind this is something called biometric fuzzy extraction, which Srivastava describes as the core of the innovation. The challenge with using biometrics cryptographically has always been that human factors are, essentially, fuzzy. Your fingerprint scan today is not bit-for-bit identical to your fingerprint scan last Tuesday. Your face looks slightly different in different lighting. These are not cryptographically precise inputs, and traditional cryptography really does need precision.

Fuzzy extraction is, basically, the bridge between those two worlds. It takes analog, approximate human inputs—biometrics, behavior, context, device characteristics—and derives a precise cryptographic key from them. That key is never stored anywhere. It gets derived fresh every time you need it. “We’re able to marry these two worlds of the human, the fuzzy, and the cryptographic and precise,” Srivastava explained.
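To make the idea concrete, here is an added example (not Badge's code, and not taken from the interview) of the textbook code-offset fuzzy extractor with a simple repetition code. The function names, the 160-bit constructed "reading", and the toy key size are assumptions; the textbook construction keeps a public helper string, which is neither a template nor the key, and the page does not say how Badge handles that part.

```python
import hashlib
import secrets

REP = 5        # each secret bit is sent as 5 copies; majority vote fixes up to 2 flips
KEY_BITS = 32  # toy size for readability; real deployments need far more entropy

def _encode(bits):
    """Repetition code: expand every bit into REP copies."""
    return [b for b in bits for _ in range(REP)]

def _decode(bits):
    """Majority vote over each block of REP bits."""
    return [int(sum(bits[i:i + REP]) > REP // 2) for i in range(0, len(bits), REP)]

def _kdf(bits):
    """Hash the corrected secret into the final key."""
    return hashlib.sha256(bytes(bits)).hexdigest()

def enroll(reading):
    """Gen: mask the codeword of a random secret with the reading.
    Returns (key, helper); the key and the reading are then discarded."""
    secret = [secrets.randbits(1) for _ in range(KEY_BITS)]
    helper = [c ^ w for c, w in zip(_encode(secret), reading)]
    return _kdf(secret), helper

def reproduce(reading, helper):
    """Rep: unmask with a fresh reading, error-correct, re-derive the key."""
    return _kdf(_decode([h ^ w for h, w in zip(helper, reading)]))

def flip(bits, positions):
    """Simulate sensor noise by flipping the bits at the given indices."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

# Constructed sample: 160 random bits standing in for a biometric feature vector.
enrolled_reading = [secrets.randbits(1) for _ in range(KEY_BITS * REP)]
key, helper = enroll(enrolled_reading)

# Same person, later scan: a few bits differ, never more than 2 per 5-bit block.
later_reading = flip(enrolled_reading, {0, 3, 42, 77, 158})
# Too different (3 flips in one block): error correction fails, a different key results.
too_noisy = flip(enrolled_reading, {0, 1, 2})

if __name__ == "__main__":
    print(reproduce(later_reading, helper) == key)  # True
    print(reproduce(too_noisy, helper) == key)      # False
```

The noise tolerance is set entirely by the error-correcting code: a stronger code accepts sloppier readings but leaves less entropy for the key.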

According to Verizon’s 2024 Data Breach Investigations Report, stolen credentials remain involved in nearly half of all breaches globally. Badge’s approach goes after that specific attack surface at its root: if no credentials are ever stored, there are no credentials to steal.

The system also supports what Srivastava calls N-out-of-M policies. You might configure a system to require two out of three available factors—face, fingerprint, and device context, for instance—which gives you real resilience in difficult scenarios. Lost your device? You can still authenticate on a new one because the key is rederived from you, not from what you have stored on any particular piece of hardware. It also means you never fall back to the phishable account recovery flows that tend to be the soft underbelly of even well-designed authentication systems.

The Agentic AI Problem Nobody Had a Real Answer For

Here is where the conversation gets genuinely interesting for anyone paying attention to what is actually happening in enterprise technology right now. Agentic AI—systems that don’t just answer questions but actually take actions on your behalf—has created an identity problem that the existing authentication stack was not built to handle.

The old model assumed that a human would be the one authenticating. The human types in their password, proves they are who they are, and then goes about their business. But increasingly, the entity that needs to act is an AI agent. That agent might be checking your calendar, querying a salary database, pushing code to production, or accessing a pricing system. Each of those actions, in theory, should happen only when a real human has actually authorized them. The question is how you verify that in a world where agents can impersonate each other and static API credentials are everywhere.

Srivastava describes a concept she calls zero standing privileges for agents. Instead of giving AI agents persistent access to everything they might ever need, Badge enables a model where an agent gets exactly the permissions it needs for a specific task, from a specific verified human, and then returns to zero privileges when done. She walked through a vivid example: an HR employee wants a calculator agent to run salary analysis. That agent gets access to the salary database only while that HR employee is actively invoking it. When the session ends, the agent goes back to zero. A procurement employee who wants pricing analysis can invoke the same agent with completely different permissions. The agent never accumulates standing access.
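The HR and procurement scenario above can be sketched as per-invocation grants. This is an added example, not Badge's implementation: the `GrantBroker` class, its method names, the identifiers, and the use of HMAC-signed claims are all assumptions, and the human is assumed to have been authenticated before `issue` is called.

```python
import hashlib
import hmac
import json
import secrets
import time

class GrantBroker:
    """Hypothetical broker: agents hold no standing access, only live grants."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # signing key never leaves the broker
        self._live = set()                   # ids of grants whose session is open

    def issue(self, human, agent, scope, ttl=60, now=None):
        """Mint a grant binding one human, one agent, a scope and an expiry."""
        now = time.time() if now is None else now
        claims = {"id": secrets.token_hex(8), "human": human, "agent": agent,
                  "scope": sorted(scope), "exp": now + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        self._live.add(claims["id"])
        return body, tag

    def end_session(self, grant):
        """Human session ended: the agent drops back to zero privileges."""
        self._live.discard(json.loads(grant[0])["id"])

    def allows(self, grant, agent, resource, now=None):
        """Check signature, session liveness, agent binding, scope and expiry."""
        now = time.time() if now is None else now
        body, tag = grant
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False                     # forged or altered grant
        c = json.loads(body)
        return (c["id"] in self._live and c["agent"] == agent
                and resource in c["scope"] and now < c["exp"])

# Constructed scenario: the same agent invoked by two different employees.
broker = GrantBroker()
hr = broker.issue("hr.employee", "calculator-agent", {"salary_db"}, now=1000)
proc = broker.issue("procurement.employee", "calculator-agent", {"pricing_db"}, now=1000)
```

Because every check runs against the grant rather than the agent, the same agent carries different permissions per invocation and nothing once the session closes or the grant expires.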

It is, frankly, the same principle behind least-privilege access in traditional security, just finally applied to AI agents in a way that actually scales. According to research from Gartner, agentic AI represents one of the top strategic technology trends for the next several years, with organizations increasingly needing to govern autonomous agents that act on their behalf. Srivastava sees Badge as the layer that makes that governance real rather than aspirational.

“We really want to make sure that these agents are enabled to do their tasks so that they can be useful to us,” she noted. “But at the same time, we don’t want super agents that are overprivileged or an agent that pretends to act on your behalf but you didn’t authorize those transactions.”

The Intel Inside Model: How Badge Gets Everywhere

Badge is not, typically, the product you purchase directly. It is the technology inside products you already use. Srivastava described the company’s go-to-market model with the “Intel Inside” analogy, and it fits well. Partners including CyberArk, Radiant Logic, Thales, and Cisco Duo have OEM’d Badge into their product lines. When those companies’ customers authenticate, they are using Badge’s zero-knowledge approach, often without knowing it by name.

This is actually a pretty smart way to solve the distribution problem in enterprise security. The companies that need strong authentication already have relationships with CyberArk, Thales, and Cisco Duo. Badge gets to ride those existing trust relationships into healthcare, financial services, manufacturing, and every other vertical where authentication matters. The technology is, as Srivastava put it, horizontal—the same core innovation applies whether you are a nurse clocking into a hospital system, a factory floor worker on a shared terminal, or a consumer trying to access your bank account.

The model also means Badge gets deployed in environments where it can do the most good. Healthcare and finance are, clearly, two sectors that can least afford credential-based breaches. IBM’s 2024 Cost of a Data Breach Report found that healthcare organizations faced the highest average breach costs of any industry, largely driven by the sensitivity of the data involved. Zero knowledge authentication takes direct aim at the stored-secrets problem that underlies most of those breaches.

Where the Trust Layer Goes Next

Ask Srivastava where Badge is in three to five years and she gets somewhat philosophical, which is actually the right move given what she’s describing. She frames it in terms of what happens if the trust layer does not exist: people will not be able to fully embrace AI-powered systems if they are constantly worried about fraud, unauthorized access, and agents doing things they never approved. There will be too much reluctance. The technology era stalls.

The vision is that Badge becomes so embedded and so seamless that authentication basically disappears as a user experience. “As long as you’re you, you can access your systems, your data, wherever you are, on whatever system you’re on,” she explained. That same promise extends to agents: anyone anywhere can use AI helpers confidently, without having to constantly wonder whether the agent leaked data it should not have or accessed something it had no right to.

It is a genuinely interesting product category to watch. Security companies tend to fall into two camps: the ones making things harder for attackers and the ones making things easier for users. Badge is actually making the argument that both happen simultaneously when you remove the stored secret entirely. The attack surface shrinks. The friction shrinks. The trust grows.

For an industry that has spent decades watching complexity compound, that is a fairly remarkable thing to be able to say out loud.

Enjoying insights from industry leaders? Subscribe to The Winners’ Circle podcast on your favorite podcast player and never miss an episode. Listen and subscribe at bintelligence.com/podcast.
