Security And Governance Model#
The security posture has three layers: baseline managed-workspace controls (the workspace perimeter), runtime sandbox controls (kernel-level enforcement), and signed-policy governance (the regulator-acceptable control surface above the runtime). Each layer adds enforcement the layer beneath cannot provide on its own.
The three layers map to the Phase I / Phase II maturity model: baseline managed-workspace controls anchor Phase I; runtime sandbox controls and signed-policy governance are the additive Phase II step that turns the workspace from “managed VM” into “in-runtime policy-enforced agent platform.” The specific controls in each layer are summarized below:
Figure 6 Secure Agent Workspace Security Envelope: three layers, each necessary#
The Secure Agent Workspace security envelope. Each layer is necessary; strip any one and the others stop being sufficient. A published data-classification policy is a precondition to turning autonomous agents on.
Control Surface — Contracts, Implementation and Integration Boundaries#
The control surface decomposes into six areas, each with a named contract surface and an explicit boundary between what Secure Agent Workspace implements, what it consumes from enterprise IAM and platform layers, and what remains an integration dependency. The named contracts — signed policy bundle, runtime verifier, projection into runtime controls, credential mediation, and common audit — describe policy authoring, signing, and distribution to runtime-enforcement layers as a universal pattern, applicable across vendors and enterprises. Naming them explicitly lets partner contributions plug into the stack and lets Secure Agent Workspace deploy across runtimes, clouds, and partner implementations without redefining the contract surfaces.
Table 6: Control Surface Contracts
Control area |
Expected contracts |
Implemented in the reference design |
Consumed from enterprise IAM / platform |
Integration dependency |
|---|---|---|---|---|
Workspace control |
Workspace image manifest; workspace lifecycle API (create / stop / rebake / revoke); per-workspace kill switch |
Workspace VM provisioning pipeline; lifecycle API; perimeter detection; kill switch |
OS image base layer; access broker; enterprise PKI for image signing |
Platform management/virtualization; CMDB / provisioning portal |
OpenShell / runtime control |
Sandbox lifecycle API; per-call policy attestation API; in-runtime egress/write decision API; routed-inference broker contract |
OpenShell runtime layer — sandbox, policy engine, in-runtime egress enforcement, routed-inference broker |
— |
Host-kernel security primitives (LSM-level enforcement; namespace and process isolation); container or microVM runtime |
Signed-policy control |
Policy bundle format; verifier / decision API; signing key trust chain; rollback semantics |
Policy authoring + signing service; per-call decision evaluator; channel-based distribution |
Enterprise PKI for signing roots |
Policy distribution channel (Git, OCI registry); upstream signed-policy framework when adopted |
Identity / delegation control |
User/sponsor identity (SSO / OIDC); workspace identity (attested); logical-agent registration; short-lived runtime credential lifetime + binding |
Workspace identity binding; logical-agent registration; runtime credential minting and per-sandbox / per-call rotation |
Enterprise SSO / OIDC IdP; group membership; access-broker session |
ODIS as the spec stabilizes; identity broker; TPM / SEV-SNP / TDX attestation provider |
Credential mediation |
Credential proxy contract (Authorization-header rewrite, capability semantics); secret-store boundary; HSM trust chain |
Credential proxy in Plane 6 (capability issuance, header rewrite); regulated-profile out-of-VM hosting |
Enterprise secret store (Vault) |
Per-provider credential adapters; HSM-backed broker for the regulated profile |
Audit / revocation control |
OCSF audit event shape; revocation propagation semantics; rollback contract |
OCSF audit emission from all three security layers; revocation receiver wired to the workspace lifecycle API |
Enterprise SIEM; SSO revocation endpoint |
OCSF schema version alignment; SIEM correlation rule pack |
Baseline Managed-Workspace Controls#
Separate elevated-autonomy entitlement from standard developer access.
Require enterprise SSO and access-broker login. No alternative path. The broker is the trust boundary.
Use short-lived sessions with browser-driven re-auth. Re-auth is the model.
Run agent tools inside the managed workspace. Approved unattended-agent modes are explicitly permitted in Secure Agent Workspace and explicitly not approved on the local laptop.
Use approved workspace images and profiles only. Provisioned through the portal; no user-owned images, no out-of-band VM creation.
Allowlist enterprise-service access at the network boundary. Default-deny for non-allowlisted destinations.
Endpoint Detection & Response (EDR) on the workspace VM. Standard enterprise workload protection — anti-malware, anomalous-behavior detection, in-VM telemetry to the SOC. This is the VM-management baseline that complements, but does not substitute for, Phase II’s in-runtime policy enforcement against autonomous agents.
Require human review before writing to systems of record.
Log workspace lifecycle, access and session activity.
The customer needs a published data-classification policy before turning autonomous agents on.
Production Autonomous-Runtime Controls#
OpenShell or equivalent runtime sandbox.
Deny-by-default egress, enforced at the platform network boundary (Phase I) and in the runtime sandbox (Phase II).
Credential proxy and isolation.
Routed inference.
Filesystem and process controls.
Signed policies and controlled release channels.
OCSF-compatible audit logs to SIEM.
Incident response runbook.
Rollback path for runtime, connector and policy releases.
Identity / delegation enforcement. Per-engagement delegation record defining task, scope, tools, duration, and approval mode; runtime credential minting and per-sandbox / per-call rotation; delegation-record revocation. The agent operates with a policy-defined subset of the end-user’s permissions, enforced at the runtime layer — not as a separate authority.
Threat Model — What If the In-VM OS Is Compromised?#
A specific question CISOs ask: if a Linux kernel privilege-escalation vulnerability (Copy-Fail-class CVE; LPE primitives that yield root on the workspace OS) is chained inside the workspace, what stays standing? The threat model treats the in-VM OS as partially trusted — hardened, patched, monitored, but not assumed unbreakable — and stages defenses accordingly.
Table 7: Threat Model — Residual Controls by Compromise Level
Compromise level |
Phase I residual control |
Phase II residual control |
|---|---|---|
Agent-level compromise — prompt injection, scope creep, or other lethal-trifecta vectors |
Network-boundary allowlist; human review of writes; OCSF audit |
All Phase I controls + runtime sandbox in-runtime deny-by-default + credential proxy + per-call policy attestation |
Unprivileged user-space exploit inside the agent process |
Workspace process limits; network-boundary allowlist |
Sandbox process and syscall scoping; credential proxy still holds secrets |
Root-on-OS inside the workspace (LPE / kernel CVE) |
Workspace-perimeter detection (anomalous egress, anomalous lifecycle calls); kill-switch via the workspace lifecycle API; image rebake; centralized SSO revocation of the affected user; SIEM correlation across the fleet |
Above plus: signed-policy attestation prevents tampering with the policy bundle the runtime enforces; the credential proxy and routed-inference broker can be hosted such that the in-VM root does not yield the secrets they hold; OCSF telemetry continues to flow from the trust-boundary endpoints |
Hypervisor / control-plane compromise |
Out of Secure Agent Workspace’s scope — handled by the IaaS / on-prem virtualization provider’s own controls |
Same |
Confidential compute (optional Phase II additive layer). Hardware-attested runtime trust boundaries — sit above the threat model in the table by protecting the workload from an untrusted host. They are particularly valuable in two cases: regulated-profile / sovereign-cloud deployments where the host operator is outside the workload’s trust boundary, and as additional containment if a sandbox escape compromises neighboring sandboxes on the same host.
DPU / SmartNIC acceleration (optional, future). NVIDIA BlueField DPUs and ConnectX SmartNICs can offload several Phase II runtime-layer controls from the host CPU — network egress firewall (as a DOCA service), filesystem security (DOCA Vault), container security (DOCA Argus), and TLS / transport acceleration (BlueField). The hardware-accelerated path implements the same Phase II contracts — signed policy bundle, OCSF audit emission, deny-by-default egress, the control-surface decomposition in the table above — but executes on a separate compute domain, freeing host CPU and creating an additional trust-domain barrier between the agent workspace and the network-enforcement plane. Optional for any tier; particularly relevant on shared hosts where the host CPU is contended.
Operational responses for the in-VM-rooted case:
Per-workspace kill switch. Exposed via the workspace lifecycle API. Triggering stops the VM and invalidates the active broker session.
Periodic image refresh. The baseline image is periodically refreshed, resetting any in-VM OS persistence.
Centralized SSO revocation. SSO entitlement for the affected user can be revoked at the identity broker layer.
Telemetry. Independent OCSF events from platform outside-VM and from sandbox runtime in-VM layers.