Aviatrix Launches AI Agent Containment Platform for Cloud Workloads
Aviatrix announced a new containment platform for artificial intelligence agents on April 29, 2026, extending its Cloud Native Security Fabric to enforce communication governance across AI workloads without modifying agents or code. The launch includes two products: Zero Trust for AI Workloads, now generally available, and Aviatrix AgentGuard, currently in early access.
The announcement marks what the company calls the "Containment Era" — a fundamental shift from detection-focused security to blast-radius containment. Official documentation from Aviatrix states that the platform addresses supply chain attacks that directly affect the operational security of agents, dependencies, and code logic.
Chief Executive Doug Merritt told SiliconANGLE that the most important metric in this era is blast radius. "My argument for the containment era is the most important metric is blast radius," Merritt said. The analogy he uses is less like building a taller wall around a castle and more like dividing the castle into many locked rooms. If one room is breached, the intruder does not automatically get the keys to the rest of the building.
AI agents introduce a different security problem than traditional workloads. They do not need to be "broken into" in the traditional sense to become dangerous. An agent can be manipulated through prompt injection, where malicious instructions are hidden in content the agent reads, or through model poisoning, where the data or tools it depends on are corrupted. If that agent has broad access to applications, files, credentials or external services, a successful compromise could allow it to move data, call tools or communicate with systems far beyond its intended role.
Zero Trust for AI Workloads allows IT teams to secure AI agents, large language model proxies and agentic frameworks without requiring application or infrastructure changes. It enables teams to set policies that allow or deny access to external AI services, block shadow AI with allowlists and apply network-layer enforcement across workloads and regions. The product addresses a central problem of cloud and AI security: workloads often need to communicate to do their jobs, but they should not be able to communicate with everything.
For AI agents, that line is difficult to draw because agents may behave like users in one moment and like applications or services in the next. As Merritt put it, "An agent is weird because it's kind of half-human, half-workload." This hybrid nature is what makes traditional identity controls insufficient on their own.
AgentGuard, now in early access, provides full containment: a safety zone where agents can live and work. It discovers every agent running across virtual machines, Kubernetes clusters and serverless functions. It maps LLMs, tools and the data each agent connects to, then builds an updating risk profile. Using that risk profile, AgentGuard monitors activity and automatically blocks behavior that does not match the agent's baseline.
Behaviors that match common exfiltration patterns, such as posting data to public code repositories or file-sharing services, are blocked by default. For companies deploying on AWS Bedrock AgentCore or Azure AI Foundry, AgentGuard is available immediately. Advanced capabilities for conversation-level detection and blocking of prompt injection and data loss are expected to become available during the third quarter of 2026.
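The two controls described above, a per-agent egress allowlist enforced default-deny and a behavioural baseline that blocks connections the agent was never observed to make, can be sketched as a small policy evaluator. This is an added illustration, not Aviatrix or AgentGuard code, and every hostname, agent name and baseline in it is constructed sample data.

```python
"""Egress-containment policy for an AI agent (illustrative, not Aviatrix code).

Models three decisions the article describes: destinations matching common
exfiltration patterns are blocked by default, anything not on the agent's
allowlist is denied (default deny), and an allowed host that lies outside the
agent's observed baseline is blocked as a deviation from normal behaviour.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample categories; a real deployment would use a maintained feed.
EXFIL_PATTERN_HOSTS = {
    "public-code-host.example": "public code repository",
    "file-drop.example": "file-sharing service",
}


@dataclass
class AgentPolicy:
    name: str
    allowed_hosts: set[str]                       # explicit allowlist
    baseline_hosts: set[str] = field(default_factory=set)  # learned from observed traffic


@dataclass
class Decision:
    allowed: bool
    reason: str


def record_observation(policy: AgentPolicy, url: str) -> None:
    """Learning mode: add a destination the agent was seen using to its baseline."""
    host = (urlparse(url).hostname or "").lower()
    if host and host in policy.allowed_hosts:
        policy.baseline_hosts.add(host)


def evaluate_egress(policy: AgentPolicy, url: str) -> Decision:
    """Decide whether one outbound connection from the agent should proceed."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return Decision(False, "unparseable destination")
    if host in EXFIL_PATTERN_HOSTS:
        return Decision(False, f"matches exfiltration pattern: {EXFIL_PATTERN_HOSTS[host]}")
    if host not in policy.allowed_hosts:
        return Decision(False, "destination not on allowlist (default deny)")
    if policy.baseline_hosts and host not in policy.baseline_hosts:
        return Decision(False, "allowed host but outside observed baseline")
    return Decision(True, "allowed")
```

Because enforcement happens on the destination rather than on the agent's reasoning, a prompt-injected agent that tries to post data to a file-sharing host is denied even if its allowlist is otherwise generous.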
CRN reported Merritt's view of what the shift means for channel partners. "There is a significant services revenue stream about to be unleashed for channel partners that understand the dynamics that AI is bringing," he said. Many enterprise IT teams still need help mapping their environment and understanding their full attack surface, including where their perimeters and egress points are.
The launch coincides with reference architectures for the three largest AI platforms in enterprise production: AWS Bedrock Agents, Zero Trust for Azure AI Foundry Agents, and Zero Trust for Enterprise MCP. The Model Context Protocol architecture was developed with Obot and Microsoft. Shannon Williams, President of Obot AI, noted that "Obot governs which MCP servers an agent can call. Aviatrix governs where those servers can reach. That two-layer control is what enterprise agentic AI actually requires."
According to IBM's 2025 Cost of a Data Breach Report, shadow AI adds an average of $670,000 in additional breach costs per incident, and 97 percent of organizations that experienced an AI-related breach lacked proper access controls. The Cascade, a 2026 supply chain attack campaign attributed to TeamPCP that affected 36 percent of enterprise cloud environments at the time of compromise, demonstrated what happens when an attack is indistinguishable from legitimate activity and the network architecture does not constrain where compromised code can reach.
Aviatrix Cloud Native Security Fabric is shipping infrastructure already running in production at Fortune Global 500 enterprises. One such enterprise was running a compromised component when the Cascade supply chain attack campaign hit. Same payload, same vulnerability, but the containment architecture prevented the incident from becoming a breach.
The physical reality of this technology matters. Security teams no longer just watch dashboards for alerts. They configure policies that physically restrict which network endpoints an agent can reach. When an agent tries to call an unauthorized service, the connection fails at the network layer. The agent doesn't even know it tried to go somewhere forbidden. This is less about catching bad actors and more about building guardrails that make compromise less catastrophic.
Whether enterprises actually adopt this containment-first approach remains the real question. Many organizations have invested heavily in detection and response tools. Shifting to containment requires architectural changes and a different mindset about security. The technology exists. The question is whether security teams will reconfigure their networks to limit blast radius before the next major incident forces their hand.
Artūras Malašauskas is an AI Systems Integrator with 20+ years of production-grade web engineering experience. He has designed, shipped, and scaled enterprise Python/PHP systems for logistics, SaaS, and public-sector clients. For the past year, he has focused exclusively on AI integrations: deploying open-source LLMs, building generative media pipelines (image, audio, video), and engineering multi-agent workflows for real production environments. His standard: reproducibility, security, cost-efficient inference—no vaporware. He documents and evaluates emerging AI tooling, separating verified capabilities from marketing noise. Technical editor at: muza-ai.eu, ai-verslas.lt, ai-naujinos.lt