I recently wrote about why multi-agent systems need network isolation. The community response surprised me — not because people disagreed, but because the discussion revealed three fundamentally different ways people think about agent security. Each one is right. And together, they explain why this problem is so hard.
”Why would you trust a non-deterministic system?”
One commenter put it bluntly:
“Why would you let a non-deterministic artifact like an agent to do any tasks with elevated credentials? Why instead of improving the correctness of systems are we using the computing power to create a lousy version of computing itself?”
This is the engineer’s objection. Traditional software spent 50 years pursuing determinism and formal verification. Now we’re handing system privileges to something that might give a different answer every time you ask the same question.
And they’re right. LLMs are fundamentally non-deterministic. That’s not a bug — it’s the feature. It’s what lets them handle natural language, ambiguous tasks, and cross-system coordination that deterministic systems can’t touch.
But it also means every interaction is a roll of the dice with your production environment.
”We aren’t going back.”
Another commenter offered the market reality:
“Agents are being built as employees, not as tools. They’re going to make mistakes just like employees do… just much faster. Companies are lined up around the block to sign up for more agents. We aren’t going back, that’s not an option.”
This is the pragmatist’s view. Companies know agents are unreliable. They’re deploying them anyway. Not because they’re reckless, but because everyone else is. FOMO is a stronger force than risk management.
The autonomous AI agent market is projected to hit $8.5 billion in 2026 and $35 billion by 2030. Gartner says 40% of enterprise apps will feature task-specific agents by year-end. The train has left the station.
”The network stack is backwards.”
A CSA/IETF researcher cut through both positions with a structural argument:
“The structural problem is that the network stack still works like this: connect → then authenticate/authorize. For agent systems that’s a bad fit. What seems to work better is flipping the order so reachability becomes the outcome of identity + policy, not a prerequisite.”
Traditional networking assumes everything is reachable and tries to filter it. Microsegmentation, ZTNA, firewalls — they’re all variations of “let them connect, then check.” For human-initiated, predictable application flows, this works well enough.
For agents — cross-domain, high-frequency, short-lived, identity-driven — it’s a structural mismatch. A compromised agent in a “connect first” model can scan and laterally move across the entire network surface before any policy evaluation kicks in.
The same researcher later added a critical insight about where the real risk lives:
“My main concern is not server or datacenter side agents, where segmentation and enforcement is controlled by specialists, but user-side agents that can be used to manipulate the rest. User devices, even in enterprise environments, are not the most governable.”
Server-side agents live in managed environments — Kubernetes, service meshes, network segmentation maintained by specialists. User-side agents run on laptops and desktops with minimal governance. That’s where the attack surface is widest.
The Airbag Argument
These three perspectives aren’t contradictory. They’re describing the same reality from different angles:
- Agents are unreliable (the engineer is right)
- They’re getting deployed everywhere anyway (the pragmatist is right)
- The existing infrastructure can’t protect them (the researcher is right)
So what do we do?
You can’t make drivers never crash. But you can install airbags and lane departure warnings.
Agent security isn’t about making LLMs deterministic — that’s impossible. It’s about building runtime safety layers that intercept non-deterministic behavior before it causes damage.
This means:
- Monitor sequences, not single requests. Individual messages pass every content filter. Attack patterns emerge across turns. (We wrote about this in detail.)
- Shift from blocklist to allowlist. Don’t just detect bad tool calls — only permit explicitly declared ones.
- Contain at the agent level, not the request level. When an agent goes rogue, quarantine the identity across all sessions, not just block one request.
- Make audit tamper-evident. If you can’t prove what happened, compliance and forensics are meaningless.
The Question Isn’t IF, It’s WHEN
The debate about whether agents should have elevated credentials is already over. Companies have decided. The question now is: when an agent makes a mistake at machine speed, how fast can you detect it and how small can you keep the blast radius?
That’s the problem worth solving.
Bastion is an open-source local AI security runtime. It monitors LLM traffic for data leakage, prompt injection, and multi-step attack chains — running locally as a sidecar, not as a cloud gateway.