What Secure Agent Workspace Is Not

Secure Agent Workspace should not be positioned as:

  • A platform for serving production applications or APIs to other users. The design gives a single user a persistent environment in which to run their own agent; it is not a hosting tier for anyone else.

  • A way to bypass enterprise network controls. The outbound allow list is defined by Security teams, not by the workspace owner or the agent running in it.

  • A substitute for security review, code review, or change management.

  • A multi-user shared workspace.

  • An identity provider. Secure Agent Workspace consumes SSO; it does not own identity.

  • An architecture where the agent runs outside the workspace. In this design the agent runs inside the workspace; the agent-outside-the-sandbox pattern is a separate design, out of scope for this page and possibly to be added later.

The Limits of Tenancy on Kubernetes Today

Each Secure Agent Workspace is a single-user VM.

Autonomous agents write files, execute shells, run scripts, install packages and invoke local tools. Even when the surface task looks like data processing — summarizing email, updating a wiki, drafting a ticket — the agent generates and executes code on its host. Arbitrary local code execution is the agent’s primary capability. It is also its threat surface.

The isolation level required depends on what the workload executes. A hosted LLM that only answers inference requests can run inside a namespaced container or pod. A workload that writes and executes arbitrary code on behalf of a delegated user requires VM-level isolation: a single-tenant hardware-virtualized VM at minimum (a cloud VM on AWS or Azure, or a KVM guest via OpenShift Virtualization / KubeVirt on Kubernetes), and a dedicated bare-metal host for stricter profiles. Container- and namespace-level isolation is insufficient because every container on a node shares that node's kernel: a sandbox escape from the agent's runtime (a container breakout or a kernel exploit) lands on the same kernel as the neighbor workloads and can reach them.

Multiple single-tenant VMs can share a Kubernetes node; the hypervisor is the isolation domain. IT already operates production workloads at this isolation level.
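The difference between "runs in a pod" and "runs in its own VM on a shared node" is a few fields in the Pod spec, which makes it worth checking at admission time rather than trusting a naming convention. The following is an added example, not code from the Secure Agent Workspace design: an admission-style check that a workspace Pod is actually scheduled into a micro-VM isolation domain and does not punch holes back into the node. It assumes Kata Containers RuntimeClass handlers named kata, kata-qemu, kata-fc and kata-clh (adjust to the names your cluster registers), and the two manifests are constructed for this example. KubeVirt VirtualMachine objects are a different API and are not covered by this check.

```python
"""Added example: check that an agent workspace Pod lands in a VM isolation
domain. Not part of the original page; RuntimeClass names and manifests
below are assumptions constructed for the example."""

# Assumed RuntimeClass names that map to micro-VM handlers (Kata over QEMU,
# Firecracker, Cloud Hypervisor). A Pod with no runtimeClassName defaults to
# runc and shares the node kernel.
VM_RUNTIME_CLASSES = {"kata", "kata-qemu", "kata-fc", "kata-clh"}


def isolation_findings(pod: dict) -> list[str]:
    """Return the reasons a Pod does not meet VM-level isolation.

    An empty list means the Pod runs under a VM-backed RuntimeClass and
    does not re-attach itself to host namespaces or the node filesystem.
    """
    spec = pod.get("spec", {})
    findings = []

    rc = spec.get("runtimeClassName")
    if rc is None:
        findings.append("no runtimeClassName: defaults to runc, shares host kernel")
    elif rc not in VM_RUNTIME_CLASSES:
        findings.append(f"runtimeClassName {rc!r} is not a VM-backed handler")

    # Host namespaces put the workload back on the node even when the
    # container runtime is a micro-VM.
    for key in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(key):
            findings.append(f"{key}: true breaks the isolation boundary")

    # hostPath volumes are shared into the guest and hand agent-generated
    # code a path onto the node filesystem (or a runtime socket).
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol.get('name')!r} is a hostPath mount")

    # A single-user workspace has no reason to be privileged; reject it
    # uniformly rather than reasoning about per-runtime semantics.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"container {c.get('name')!r} is privileged")

    return findings


def admit(pod: dict) -> tuple[bool, list[str]]:
    """Admission decision: (allowed, reasons)."""
    findings = isolation_findings(pod)
    return (not findings, findings)


# Constructed sample manifests (not from the page). The first is what a
# "just run it in a pod" deployment looks like; the second is the same
# workspace under a VM-backed RuntimeClass with a per-user PVC for /home.
PLAIN_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "agent-ws-alice"},
    "spec": {
        "containers": [{"name": "agent", "image": "example.internal/agent:1"}],
        "volumes": [{"name": "runtime", "hostPath": {"path": "/run/containerd"}}],
    },
}

VM_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "agent-ws-alice"},
    "spec": {
        "runtimeClassName": "kata-qemu",
        "containers": [{
            "name": "agent",
            "image": "example.internal/agent:1",
            "securityContext": {"allowPrivilegeEscalation": False},
        }],
        "volumes": [{
            "name": "home",
            "persistentVolumeClaim": {"claimName": "agent-ws-alice-home"},
        }],
    },
}

if __name__ == "__main__":
    for pod in (PLAIN_POD, VM_POD):
        ok, why = admit(pod)
        print(pod["metadata"]["name"], "ADMIT" if ok else "DENY", why)
```

In a real cluster this logic belongs in a validating admission policy (ValidatingAdmissionPolicy, Kyverno or OPA Gatekeeper) scoped to the workspace namespaces, so that a workspace cannot be created without the RuntimeClass and cannot later be patched with host namespaces or a hostPath mount. The check above is the portable core of that policy; the RuntimeClass must also exist and be bound to a VM handler on the node, which is a cluster-side fact the Pod spec alone cannot prove.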

VM isolation is a precondition for the Phase 1 and Phase 2 controls, not a replacement for them: an isolated VM with full tool access is still subject to those controls. Without VM isolation, arbitrary code that escapes the sandbox can evade them.

The pattern is not tied to a specific hypervisor: KVM-based VMs, Kata Containers or other micro-VM solutions, or dedicated bare-metal hosts for the strictest profiles.