UPDATED 06:00 EDT / APRIL 29 2026

SECURITY

Aviatrix launches AI agent containment platform for cloud workloads

Aviatrix Inc. today announced the launch of a new platform designed to contain artificial intelligence agents and enforce security controls and communications across AI workloads without changing AI agents or code. 

The company said the launch comes in response to an increasing number of supply chain attacks that do not always come from outside the security perimeter, but can directly affect the operational security of agents, dependencies and code logic itself. 

The new platform extends the company’s Cloud Native Security Fabric with two new products: Zero Trust for AI Workloads, now generally available, and Aviatrix AgentGuard, now in early access. 

The era of containment

When most people think about cybersecurity, they think about shady hackers behind keyboards writing code and trying to break into computers from afar by looking for cracks in the armor of networks. However, that’s only one path to break through the security of enterprise systems. 

AI agents introduce a different kind of security problem because they do not need to be “broken into” in the traditional sense to become dangerous. An agent can be manipulated through prompt injection, where malicious instructions are hidden in content the agent reads, or through model poisoning, where the data or tools it depends on are corrupted.

If that agent has broad access to applications, files, credentials or external services, a successful compromise could allow it to move data, call tools or communicate with systems far beyond its intended role.

To combat this, Aviatrix argues, enterprises and developers need to do more than simply detect and react to anomalies. They must contain AI workloads and isolate them from other systems. That way, if they’re compromised, they cannot break out of their assigned roles and affect other parts of the network. 

“My argument for the containment era is the most important metric is blast radius,” Chief Executive Doug Merritt told SiliconANGLE in an interview. 

In this model, containment is less like building a taller wall around the castle and more like dividing the castle into many locked rooms. If one room is breached, the intruder does not automatically get the keys to the rest of the building. 

Merritt described it as creating “this beautiful honeycomb of things that communicate,” where each workload has carefully defined communication pathways and “when something goes wrong in one cell, it doesn’t affect the other cells.” 

That blast-radius thinking is especially important as AI agents begin to act across systems, call tools, access data and communicate with outside services. Even today, AI agents remain difficult to secure with identity controls alone, because they behave partly like users and partly like applications. As Merritt put it, “An agent is weird because it’s kind of half-human, half-workload.” 

Shrinking the blast radius of AI agents

With Zero Trust for AI Workloads, information technology teams can secure AI agents, large language model proxies and agentic frameworks without requiring application or infrastructure changes. It allows them to set policies that allow or deny access to external AI services, block shadow AI with allowlists and apply network-layer enforcement across workloads and regions. 

The product is designed to address one of the central problems of cloud and AI security: Workloads often need to communicate to do their jobs, but they should not be able to communicate with everything. For AI agents, that line can be difficult to draw because agents may behave like users in one moment and like applications or services in the next. 

Merritt argued that the economics of cyberattacks are also changing as AI models make sophisticated attack techniques easier to automate and scale. 

“We are democratizing capabilities for nefarious behavior at the same time that we are completely changing the economics of nefarious behavior,” he said. 

That makes containment more urgent. If attackers can move faster, more cheaply and with more automation, then security teams need a way to limit how far a compromised agent or workload can go before detection even happens. 

AgentGuard, now in early access, provides full containment: a safety zone where agents can live and work. It discovers every agent running across virtual machines, Kubernetes clusters and serverless functions. It maps the LLMs, tools and data each agent connects to, then builds a continuously updating risk profile.

Using that risk profile, AgentGuard monitors activity and automatically blocks behavior that does not match the agent’s baseline. Behaviors that match common exfiltration patterns, such as posting data to public code repositories or file-sharing services, are blocked by default. 

For companies deploying on AWS Bedrock AgentCore or Azure AI Foundry, AgentGuard is available immediately. Advanced capabilities for conversation-level detection and blocking of prompt injection and data loss are expected to become available during the third quarter of 2026. 
