Blast radius is determined by architecture. Not detection speed.
The network is the only place you can govern all of it.
Detection cannot distinguish a compromised AI agent from a legitimate one. The Cascade proved it. The only defense that works when detection misses is to govern what every workload can reach — before the breach, not after. Aviatrix Zero Trust for AI Workloads enforces containment at the network layer for every AI workload: the LLM API calls your apps make, the RAG pipelines querying your vector databases, the MCP servers your agents depend on, and the shadow AI your security team hasn't discovered yet. A compromised workload cannot reach a destination that was not explicitly permitted. Across every cloud. Without touching a line of code.
- 41 MCP & LLM gateways analyzed
- 0 with network-layer security
- 144:1 machine-to-human identity ratio
- $670K avg shadow AI breach premium
"Stopped The Cascade — the March 2026 Trust Chain attack — at a Fortune Global 500. Four IP addresses. One engineer."
WebGroups define the containment boundary
Aviatrix-managed, auto-updated destination lists for every major LLM, MCP, vector database, and embedding provider. The permitted perimeter for every AI workload.
SmartGroups identify what needs containing
K8s pod labels, namespace, cloud tags, Lambda ARNs — resolved to workload identity in near-real-time. Covers LLM apps, RAG pipelines, MCP servers, and autonomous agents across every compute type.
DCF enforces containment at the VPC boundary
One rule: allow / deny / log, per workload, per destination. Enforced where egress actually happens — before a compromised workload can reach anything it shouldn't.
Every AI call traverses the network. Now you can govern every one.
Universal egress control for the AI era
The containment architecture for AI workload infrastructure.
In the Containment Era, blast radius is determined by architecture — not by how fast you detect. WebGroups define where AI workloads are permitted to reach. SmartGroups identify which workloads the policy targets. DCF enforces the boundary at every VPC egress point across every cloud.
Aviatrix-managed and auto-updated centrally, so you don't track domain changes, TLS SNI updates, or new endpoints. When a provider rotates IPs or launches a new model API, the WebGroup updates. Your policies stay current without a ticket.
- avx-ai-llm-providers: All major LLM providers
- avx-ai-llm-openai: OpenAI + Azure OpenAI
- avx-ai-llm-aws: AWS Bedrock
- avx-ai-llm-anthropic: Anthropic Claude
- avx-ai-llm-google: Vertex AI + Gemini
- avx-ai-vector-databases: Pinecone, Weaviate, pgvector
- avx-ai-agent-platforms: MCP gateways + agent frameworks
- avx-ai-guardrail-providers: Guardrail provider endpoints (Q3 2026)
SmartGroups
Containment policy follows the workload, not the IP.
SmartGroups resolve workload metadata to identity in near-real-time. As workloads scale, move, or are replaced, the containment boundary follows automatically.
Technical Scope
- Kubernetes pod labels, namespaces, service accounts
- AWS/Azure/GCP cloud tags and resource groups
- Lambda ARNs and serverless function identity
- Bedrock Agents, Azure AI Foundry projects via Cloud Asset Inventory
- Unified avx:ai-* and avx:mcp-* tagging taxonomy across compute types
Distributed Cloud Firewall
Containment enforced at every workload — not a chokepoint.
DCF combines SmartGroups and WebGroups into permit/deny rules enforced at the VPC boundary — where Kubernetes egress actually happens, not at a centralized proxy that containers can bypass.
Technical Scope
- No TLS decryption required — SNI-based filtering for all enforcement
- No code changes, no SDK, no proxy reconfiguration
- Default-deny: every AI workload starts denied, approved providers explicitly allowed
- Log-only mode to observe before enforcing — normal DCF rollout pattern
- Continuous CoPilot telemetry — every AI egress decision logged and attributable
Three outcomes. One policy layer.
A financial services firm mandates production uses only Bedrock, dev can experiment freely, and everything else is denied. Two SmartGroup tags. Two DCF rules. Shadow AI contained before it reaches anything sensitive.
The attacks that bypass every other layer.
AI gateways only govern traffic routed through them. Detection only catches what it recognizes. Network-layer containment governs reachability — making the attack path structurally impossible regardless of what the code does or who signed it.
Backend services calling unapproved LLMs without security's knowledge
Network containment sees every AI egress call regardless of whether it's instrumented. Shadow AI that bypasses every Layer 7 control is contained at the VPC boundary.
Compromised containers attempting to reach attacker-controlled endpoints
Default-deny means the egress path to unapproved destinations does not exist. A compromised workload is contained — it cannot reach what it was never permitted to reach.
Trusted code moving through trusted pipelines — invisible to detection
The Cascade proved detection cannot catch this. Containment architecture governs reachability regardless of what the code is doing or who signed it.
Agents and workloads that skip the sanctioned MCP or LLM gateway
AI gateways only contain traffic routed through them. Aviatrix containment operates at the network layer — bypassing the gateway doesn't bypass enforcement.
MCP servers with blast radius extending to unauthorized external APIs
Per-MCP-server FirewallPolicy CRDs contain each server to only the destinations it declared. A compromised MCP server cannot exfiltrate — the path does not exist.
Developers switching AI providers outside the approved containment boundary
SmartGroup-keyed policies define the containment boundary per environment. Unapproved providers are outside that boundary by default — no manual enforcement required.
How enterprises contain their AI attack surface.
Contain shadow AI across the enterprise
A healthcare provider discovers six internal applications sending PHI to unauthorized LLM providers. A single DCF rule — permit only avx-ai-llm-aws from prod-workloads, deny all AI WebGroups from everything else — makes the exfiltration path structurally impossible. Existing leakage visible in CoPilot for remediation.
Contain RAG pipeline data residency
A financial services firm runs production RAG pipelines that must only reach Bedrock for data residency while dev teams experiment freely with OpenAI and Anthropic. Two DCF rules keyed on SmartGroup environment tags enforce the boundary. No developer tooling changes. No application rewrites.
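A constructed model of the WebGroup / SmartGroup / DCF evaluation described under Distributed Cloud Firewall and in the financial-services scenario above, added here as an example and not Aviatrix's own code: the rule structure, first-match evaluation, log-only handling and decision record are simplifying assumptions, and the hostname patterns are constructed samples rather than the Aviatrix-maintained lists.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# WebGroups: destination lists matched against the TLS SNI of each egress flow
# (no decryption). Hostname patterns are constructed samples for this example.
WEBGROUPS = {
    "avx-ai-llm-aws": ["bedrock-runtime.*.amazonaws.com"],
    "avx-ai-llm-openai": ["api.openai.com"],
    "avx-ai-llm-anthropic": ["api.anthropic.com"],
}
WEBGROUPS["avx-ai-llm-providers"] = sum(WEBGROUPS.values(), [])  # umbrella group

# SmartGroups: workload identity resolved from tags (avx:ai-* taxonomy), not IPs.
SMARTGROUPS = {
    "prod-workloads": {"avx:ai-env": "prod"},
    "dev-workloads": {"avx:ai-env": "dev"},
}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str                # SmartGroup the rule applies to
    dst: str                # WebGroup the rule applies to
    action: str             # "permit" or "deny"
    log_only: bool = False  # observe-before-enforce rollout mode

def in_smartgroup(tags: dict, group: str) -> bool:
    return all(tags.get(k) == v for k, v in SMARTGROUPS[group].items())

def in_webgroup(sni: str, group: str) -> bool:
    return any(fnmatch(sni, pat) for pat in WEBGROUPS[group])

def evaluate(rules: list, tags: dict, sni: str) -> dict:
    """First matching rule wins; no match is a deny (default-deny egress).
    Returns a record attributing the decision to SmartGroup, WebGroup and rule."""
    for r in rules:
        if in_smartgroup(tags, r.src) and in_webgroup(sni, r.dst):
            # A log-only rule records its verdict but does not block the flow.
            allowed = True if r.log_only else r.action == "permit"
            return {"sni": sni, "smartgroup": r.src, "webgroup": r.dst,
                    "rule": r.name, "action": r.action,
                    "enforced": not r.log_only, "allowed": allowed}
    return {"sni": sni, "smartgroup": None, "webgroup": None, "rule": None,
            "action": "deny", "enforced": True, "allowed": False}

# The two-rule policy from the scenario: production reaches only Bedrock,
# dev may use any major provider, everything else falls through to deny.
FINSERV_RULES = [
    Rule("prod-bedrock-only", "prod-workloads", "avx-ai-llm-aws", "permit"),
    Rule("dev-any-provider", "dev-workloads", "avx-ai-llm-providers", "permit"),
]
```

Run `evaluate(FINSERV_RULES, {"avx:ai-env": "prod"}, "api.openai.com")` to see a production workload fall through to the default deny with no rule attributed.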
Contain MCP server blast radius
A retailer deploying Obot on EKS contains each MCP server to only the external APIs it declared. A GitHub MCP server reaches api.github.com and nothing else. A compromised MCP server cannot exfiltrate data because the egress path does not exist.
Continuous EU AI Act compliance evidence
A SaaS vendor subject to EU AI Act generates continuous audit-ready evidence from CoPilot: every AI egress decision attributable to a SmartGroup, WebGroup, and DCF rule with timestamps. Covers LLM apps, RAG pipelines, and agentic workloads equally — containment architecture is the compliance infrastructure.
Not ready for a demo?
Start with the deployment blueprints or read the solution brief.
The enforcement layer for AI workload infrastructure.
AgentGuard · Early Access
Shadow AI Discovery
Find every AI workload in your environment in 15 minutes — no gateway, no SDK, no code changes. Discovery draws on network flow data, DNS, and Cloud Asset Inventory. Zero Trust for AI Workloads is the enforcement layer for every workload AgentGuard discovers.
Network Enforcement · VCA Program
Validated Containment Architectures
Lab-tested, partner-validated deployment blueprints for Bedrock Agents, Azure AI Foundry, Obot, GitHub Actions, and more. Each VCA ships with insertion pattern, SmartGroup model, and baseline policy pack. First cohort ships May 27.
The only defense that works when detection misses.
Every AI workload your company runs — every LLM call, every RAG pipeline, every MCP server — traverses the network. Aviatrix is already there. Default-deny AI egress, across every cloud, on infrastructure you already operate. No code changes required.