Akamai acquires LayerX, delivering end-to-end security and real-time AI usage control to any browser. Get details

Using Microsegmentation to Contain Autonomous AI Agents

Jacob Abrams headshot

Jul 16, 2026

Jacob Abrams

Jacob Abrams headshot

Written by

Jacob Abrams

Jacob Abrams is a Product Marketing Manager at Akamai working with the Zero Trust security products, specifically Akamai Guardicore Segmentation. Prior to Akamai, he worked with Israeli tech startups to generate sales pipeline and facilitate marketing content creation and promotion. He is based in Somerville, MA.

Share

Key takeaways

  • Legacy perimeter defenses, endpoint detection response (EDR), and rate limits can fail because automated AI agents possess infinite patience and can chain authorized tools together to bypass traditional controls.
  • To eliminate lateral movement, security architectures must assume breach from day one and use microsegmentation to ensure unauthorized network paths simply do not exist.
  • Neutralizing sophisticated large language model (LLM) threats requires process-level granularity by binding security policies directly to a workload's unique, cryptographic process identity rather than an IP address.
  • Defense must move at machine speed because autonomous threats strike in hours, making automated containment and instant workload isolation a baseline requirement.

Anthropic has released its Zero Trust guidelines for AI agents. This work signals a massive shift: Those of you currently piloting or deploying AI agents are realizing that they don't act like regular, predictable software. Instead, AI agents can actually choose their own tools and execute complex steps to reach their goals.

Because of that, traditional perimeter defenses cannot keep up. AI models, which are outpacing humans, can find vulnerabilities that no one else has found, chain them together, and exploit them in mere hours instead of weeks or months.

The impossible vs. tedious test for security architecture

One thing that struck me about the guidelines  is the “impossible versus tedious” test for security architecture. Because AI attackers possess unlimited patience and virtually zero cost per attempt, security that relies on tedious barriers — such as rate limits or traffic throttling — will eventually fail against an automated attacker.

We need harder barriers. And we need network paths that disappear completely, rather than those that are merely annoying to cross.

This is exactly why microsegmentation is critical right now: It serves as a definitive security barrier to block unnecessary east-west traffic, especially when securing assets distributed across hybrid cloud environments. If an AI agent doesn't have an absolute business need to talk to a specific database, then that path simply shouldn’t exist for it.

The guide also focuses heavily on the blast radius of these systems. Because AI agents can talk to and delegate tasks to one another, a hacker only needs to compromise one low-privilege worker agent to pivot into your most sensitive environments.

The truth about tool chaining

The guidelines also highlight a threat called tool chaining; that is, when an attacker tricks an agent into combining two totally normal tools, such as pulling internal customer relationship management (CRM) data and then using an external email tool to quietly leak that customer data.

Because the agent technically has permission to use both tools, standard identity controls won't flag the abuse. You have to ringfence the actual execution environments where these tools and Model Context Protocol (MCP) servers live. By keeping high-risk outbound environments isolated from your core data storage, you stop lateral movement in its tracks, even if a valid identity gets hijacked.

Finally, your defense has to move at machine speed. If an agent gets compromised via a poisoned prompt, waiting for a human to review an alert takes too long. Automated containment, like instantly killing a session or stripping access, is now a basic requirement. Solutions like Akamai Guardicore Segmentation support this requirement by allowing you to change policies automatically at the workload layer, completely isolating a compromised environment and blocking all lateral movement as soon as something goes wrong.

You have to architect your AI deployments in a way that assumes breach from day one. The most secure companies won't be the ones with the smartest AI, but the ones with the strongest foundational network architecture to lock down a compromise when it happens.

Implementing machine-speed microsegmentation for AI agents

To counter these dynamic risks, defense must adapt. Let’s look at the actual mechanics of remediation — and how Akamai Guardicore Segmentation serves as an ideal control to neutralize these LLM-driven threats.

The mechanics of remediation

The core truth of Zero Trust guidelines is that network location means absolutely nothing anymore. If an attacker compromises your agent via indirect prompt injection, then that agent is already sitting inside your perimeter.

Traditional perimeter firewalls will happily let the agent move sideways because it looks like legitimate, trusted internal traffic.

Your EDR solution is also likely to miss the threat. Because a manipulated agent executes its commands through trusted binaries and valid credentials, host-centric EDR monitoring sees no active malware, allowing the misuse to go entirely undetected.

We also have to stop relying on legacy, friction-based defense strategies. A quick fact check reveals that throttling traffic is not the only legacy approach that is soon to fail. Security controls that lean on rate limits, nonstandard ports, routing through extra pivot hops, or basic prompt-level instructions will completely degrade against autonomous systems.

Why?

Because an automated AI attacker possesses unlimited patience and incurs near-zero financial cost per attempt. Making an exploit tedious merely delays it by a few minutes; it doesn't stop it entirely.

Neutralizing LLM threats

We need absolute barriers, where unauthorized network paths cease to exist. Akamai Guardicore Segmentation does exactly that by:

  • Stopping the focus from being solely on where a request is coming from and enforcing based on what is making the request 
  • Binding security policy directly to a workload’s unique, cryptographic process identity rather than a spoofable IP address

This process-level granularity is the silver bullet for LLM threats such as tool chaining. The solution sees network connections at the deep process level, instantly distinguishing an authorized database client from an unauthorized rogue process attempting to use the exact same port.

With Akamai Guardicore Segmentation, if the explicit process identity isn’t named in your active policy, the path simply does not exist.

We operationalize this posture through a four-stage lifecycle, designed specifically to handle real-world enterprise complexity at machine speed:

  1. Discovery
  2. Intelligence
  3. Action
  4. Assurance

Discovery

AI-driven mapping automatically uncovers application dependencies and autolabels unknown assets, giving security teams one real-time view across IT, cloud, OT, and AI workloads.

Intelligence

The solution continuously analyzes traffic patterns and exposure risks to generate exact policy recommendations with confidence scoring and evidence before beginning a phased rollout.

Action

Granular, process-level enforcement goes live to stop unauthorized east-west communication in real time, containing threats with extreme precision.

Assurance

Continuous validation loops confirm that only authenticated, verified traffic reaches your high-value applications as your underlying models and infrastructure evolve.

Shifting from slowing down to shutting down

You cannot contain autonomous threats with human-speed defenses. You have to stop trying to slow down automated threats and start removing their capabilities entirely. By ringfencing your AI training nodes, model repositories, and inference APIs at the process layer, you can contain the blast radius before an exploit even begins.

Jacob Abrams headshot

Jul 16, 2026

Jacob Abrams

Jacob Abrams headshot

Written by

Jacob Abrams

Jacob Abrams is a Product Marketing Manager at Akamai working with the Zero Trust security products, specifically Akamai Guardicore Segmentation. Prior to Akamai, he worked with Israeli tech startups to generate sales pipeline and facilitate marketing content creation and promotion. He is based in Somerville, MA.

Tags

Share

Related Blog Posts

Security
Smash and Grab at Scale: Agentic AI Is Reshaping the Threat to Commerce
July 15, 2026
The SOTI Security report examines how agentic AI is disrupting commerce security, scaling API abuse, and driving up infrastructure costs.
Security
Post-Quantum Cryptography: What’s Next for Edge Security
July 15, 2026
Explore the next wave of post-quantum cryptography. Rich Salz breaks down Google’s 2029 timeline, new signatures, and the IETF PLANTS working group.
Security
Boardroom Conversations Shift to Surviving a Breach
July 14, 2026
Akamai’s Mani Sundaram discusses the rise of AI-powered microsegmentation and breach survivability — and what new questions boards are asking CISOs today.