1. Code Sandboxing
Secure execution runtimes
2. Network Perimeters
Private model integrations
3. Key Protection
Envelope encryption models
4. Input Guardrails
Prompt injection shields
Pillar 1: Compute Sandboxing & Code Execution
Isolating dynamically generated code loops using virtualized execution layers.
Fargate Read-Only Tasks
Run agent loops inside AWS ECS Fargate. Fargate tasks run in virtualized micro-VM partitions using **AWS Firecracker** under the hood, providing strict kernel-level boundaries.
- Set `readonlyRootFilesystem` to `true` inside task definitions.
- Mount temporary storage via `tmpfs` for ephemeral files.
- Enforce task memory allocation ceilings to prevent CPU starvation.
Cloud Run & gVisor
Deploy agent runtimes as containers in GCP Cloud Run. Cloud Run automatically isolates containers using **gVisor**, a user-space kernel that intercepts and filters system calls.
- Intercepts raw calls to block access to host resources.
- Enforce max concurrency scaling to avoid running out of memory.
- Limit memory footprint by setting hard container request scopes.
Azure Container Apps
Host Python agent workers on Azure Container Apps (ACA) in dedicated Environments, isolating the task behind virtualization borders.
- Isolates the container inside a hypervisor boundary.
- Configure KEDA scaling rules to shut down instances when queue triggers are empty.
- Define container limits using Azure Resource Manager configurations.
Pillar 2: Network Perimeters & Private Model Access
Routing prompt payloads privately to prevent exfiltration and internet sniffing.
Bedrock & PrivateLink
Do not route LLM requests over public IP subnets. Create a VPC Interface Endpoint (powered by **AWS PrivateLink**) for Bedrock.
- Direct all API traffic through the endpoint’s local private IP addresses.
- Enforce DNS resolution inside the VPC to override standard API routes automatically.
Vertex AI VPC-SC
Construct a **VPC Service Controls (VPC-SC)** security perimeter around your projects. Wrap the Vertex AI API inside the perimeter.
- Blocks API calls coming from outside the perimeter boundary.
- Restricts data export routes to target storage resources.
Azure OpenAI Private Link
Disable all public network access on the Azure OpenAI resource. Map the service into the private Virtual Network subnet.
- Create a Private Endpoint linking Azure OpenAI.
- Integrate Private DNS Zones for direct hostname resolution (`*.openai.azure.com`).
Pillar 3: Envelope Encryption & Key Management
Securing model API tokens, databases, and client credentials in production key stores.
Secrets Manager & KMS
Encrypt agent variables inside AWS Secrets Manager. Restrict access using strict IAM policies that require a specific KMS Customer Managed Key (CMK) for decryption.
Secret Manager & IAM
Bind the `secretAccessor` role directly to the Compute or Cloud Run Service Account. Disable broad service-wide viewer permissions on the secret resource.
Key Vault & Identities
Deploy Azure Key Vault with Role-Based Access Control (RBAC) authorization models. Bind Key Vault Secrets User permissions solely to system-assigned Managed Identities on Azure compute.
Pillar 4: Guardrails, Prompt Defense & Auditing
Intercepting malicious input sequences and validating model outputs before execution commits.
Bedrock Guardrails
Configure **Amazon Bedrock Guardrails** to intercept prompt inputs. Set thresholds for toxic classifications and configure custom regex patterns to detect and block prompt injection patterns.
- Redact PII automatically (e.g. email, SSH keys).
- Enforce strict filters to stop instructions override.
LlamaGuard sidecar
Deploy a lightweight **LlamaGuard** container as a sidecar inside your Cloud Run service or GKE task pod. Run incoming prompts through this container to analyze user intent before passing requests to the model.
- Performs sub-millisecond local policy evaluations.
- Prevents unsafe outputs from executing system shell APIs.
Azure Content Safety
Enable **Azure AI Content Safety** diagnostics. Route both incoming user questions and outgoing model JSON outputs to the validation API.
- Intercepts prompt injection attacks dynamically.
- Evaluates JSON structures to verify schema conformity.