Tailscale's Aperture Moves AI Agent Security to the Network Layer
Tailscale's Remy Guercio argues that sandboxing conflates execution isolation with access control—and that the network itself can solve the harder problem.
Written by AI. Samira Barnes

Photo: AI. Wren Sugimoto
The standard mental model for AI agent security goes something like this: put the agent in a box, lock the box, monitor the box. Containers and VMs handle the "box" part well enough. What they do not handle is what you put inside the box with the agent — namely, the credentials it needs to do anything useful.
Remy Guercio, a developer at Tailscale, presented a talk at the AI Engineer conference arguing that this is where most sandboxing approaches quietly fail. The sandbox creates a boundary. It does not solve the permissions problem. Those are two different problems, and conflating them is why an isolated agent can still cause damage: it is isolated from your infrastructure, but it is holding a live API key that it can use, misuse, or — given enough autonomous runtime — find creative ways to leverage beyond its intended scope.
The distinction Guercio draws is between authentication (proving who you are) and authorization (determining what you can do). An API key, he points out, collapses these into one object. "It just: here's an API key. It lets you have access to all of the models or some of the models." You either have it or you don't. The key doesn't know who's holding it, and crucially, neither does the service on the other end.
OAuth and OIDC handle the separation more cleanly, but Guercio's deeper objection is architectural: both approaches put the credential inside the sandbox. The agent is in the box, and so is the thing that gives it permissions. If the agent misbehaves — or is manipulated via prompt injection, or simply runs in a loop long enough — it has everything it needs to operate beyond its intended boundaries.
His proposed alternative: move identity and access control to the network layer itself.
What Tailscale's architecture actually does
Tailscale is built on WireGuard, a modern VPN protocol that establishes encrypted direct connections between nodes — containers, laptops, GPU servers, GitHub Actions runners, whatever. What Tailscale adds on top of WireGuard is identity: every connection on a Tailscale network (a "tailnet") carries verified metadata about who or what is connecting. A logged-in user gets their identity attached to every packet. A CI runner gets a tag. A PR review bot gets a tag that identifies it as that specific bot for that specific project. This identity is cryptographically guaranteed by the Tailscale control plane — it's not something the agent can spoof or manipulate.
Aperture is the LLM gateway Tailscale built on top of these primitives. The operational model is straightforward: an organization stores its real API keys — Anthropic, OpenAI, Gemini, Bedrock, Vertex, whatever — in Aperture, which sits as a node on the tailnet. Agents connecting through the tailnet get a placeholder credential, not a real key. "That runner connecting from the sandbox has no key to accidentally exfil or share or do something with," Guercio explained during the demo. "It's just no key whatsoever in that sandbox."
Every LLM call the agent makes has to route through Aperture. Because Aperture can read the identity of anything talking to it — user, tag, group — it can enforce granular access policies: which models this agent can call, what spending limits apply, which MCP tools it's allowed to invoke. And because all traffic passes through the gateway, Aperture sees everything: every tool call, every bash command, every MCP request, without any instrumentation inside the container itself.
That last part is worth pausing on. The observability is a structural consequence of the architecture, not a monitoring layer bolted on afterward. Guercio is explicit about why this matters: "If it had to make a tool call, it had to go through Aperture and we would extract it here and you would see it. This is not happening from inside the container. This is not happening from the harness."
Revocation is equally clean. When you want to cut off an agent's access, there's no key to invalidate on the agent's side. There's nothing on the agent's side. The connection simply stops. As Guercio put it: "It literally is like, 'Oh, the key no longer works.' It's just — it's just a dash."
What the demo revealed
The live demonstration surfaced a detail that, policy-wise, I find more interesting than the security pitch itself. When Guercio showed Aperture's internal logs from Tailscale's own production instance, he noted that bash commands dominate over structured MCP tool calls. "I can tell you internally, bash dominates everything else."
This is significant because most of the industry conversation around AI agent governance has focused on MCP — the structured tool-calling protocol that's supposed to make agent actions legible and controllable. If organizations are actually using agents that primarily execute bash, then governance frameworks built around MCP tool call interception are missing most of the action. Aperture catches both because it operates at the LLM layer, extracting tool use from the request and response bodies regardless of whether it's structured as an MCP call or a raw shell command.
There's a hard limit to this, acknowledged in the Q&A. An audience member asked how permissioning works as agents increasingly move away from tool calls altogether — writing and executing code directly rather than invoking named tools. Guercio's answer was candid: that's more complicated, and it's partly why Tailscale chose to work at the LLM layer rather than the MCP layer alone. You can still see the code being written and executed; you can intercept the commands. But if an agent writes obfuscated code, executes it, and the effects happen at the network level before Aperture can inspect them — that's a gap the current architecture doesn't fully close.
This is not a reason to dismiss the approach. It's a reason to understand what layer of the problem it actually solves.
The policy configuration question
Permission management in Aperture currently operates at the level of model and provider access, plus spending quotas. The ability to permit or deny specific tools by identity group — "the engineering team can use this MCP tool, the contractor accounts cannot" — is on the roadmap but not yet shipped. Guercio confirmed this in response to a direct question from the audience.
For organizations evaluating the tool right now, that's a meaningful gap if fine-grained tool-level governance is a compliance requirement. For most teams, the current feature set — per-identity model access, cross-provider budget controls, full request logging, guaranteed webhook delivery for every tool call — is likely more than what they have today.
Configuration can be handled either through Aperture's visual interface or in JSON, and Guercio noted that enterprise teams tend toward the latter because it integrates into GitOps workflows. Permissions can also be embedded directly in Tailscale's network policy (ACL) file as "application capabilities" — arbitrary metadata that travels with the identity on every connection, verified by the control plane. This means an org's access policy for AI agents can live in the same place as the rest of its network access policy, versioned and auditable in the same way.
What this is and what it isn't
Aperture is not a general solution to AI agent safety. It does not prevent an agent from generating harmful content, making bad decisions, or producing outputs that cause downstream harm. It addresses a specific and real problem: credential exposure in sandboxed environments, combined with the organizational visibility problem of not knowing what your agents are actually doing.
The architecture is also not Tailscale-proprietary in its conceptual design — the underlying logic of using network identity to gate resource access is an extension of zero-trust networking principles that predate AI agents by years. What Tailscale has done is apply those principles specifically to LLM access control and built a product around them. Organizations running their own infrastructure could theoretically build something equivalent using TSnet, Tailscale's open-source Go library for embedding tailnet identity into custom applications. Guercio mentioned this explicitly, noting that Aperture itself was built this way — entirely on public Tailscale primitives, no private APIs.
What that means practically: the design philosophy is extensible, not just the product. If you need an identity-aware MCP server for internal tooling, or an internal API endpoint that reads group membership from the tailnet without standing up an OAuth flow, the same building blocks are available.
The question Guercio posed at the start — what if the network was the sandbox? — turns out to be less a rhetorical provocation than a design requirement. If your agent's access to everything it needs flows through a network you control, and that network enforces identity on every connection, then the sandbox boundary and the permissions layer finally become the same thing. Whether that's sufficient, as agents grow more capable of operating outside any single network path, is the question the next version of this problem will have to answer.
Samira Barnes covers technology policy and regulation for Buzzrag.
AI Moves Fast. We Keep You Current.
Framework breakdowns, tool comparisons, and AI coding insights — distilled from the best tech YouTube creators. Free, weekly.
More Like This
OpenAI's Workspace Agents: The Governance Question No One Asked
OpenAI's new Workspace Agents automate team workflows—but the real product isn't the AI. It's the permission model enterprises can actually live with.
GitHub's ACE Tool Tackles AI Development's Alignment Problem
GitHub Next unveils ACE, a collaborative environment for AI-assisted coding that addresses the coordination chaos of individual agents working in isolation.
Claude Managed Agents: What the Infra Layer Reveals
Anthropic's Claude Managed Agents shifts the bottleneck from model intelligence to infrastructure. Here's what the technical architecture actually means for developers.
AI Harnesses Run the World. Nobody Regulates Them.
IBM's Tejas Kumar explains AI harnesses at the AI Engineer conference—and accidentally maps an accountability gap that regulators haven't noticed yet.
Why Vertical AI Is an Org Problem, Not a Model Problem
Chris Lovejoy's oracle-evaluator-architect framework reframes vertical AI failure as an organizational design problem. Here's what that means in practice.
Building AI Agents Without the Plumbing Nightmare
Anthropic's Isabella He walked developers through shipping a production incident-response agent in six functions. Here's what the architecture actually reveals.
Linux 7.0 Ships While AI Bug Hunters Reshape Security
Linux kernel 7.0 brings major file system improvements as Anthropic's AI bug-finding tool discovers decades-old vulnerabilities, changing cybersecurity forever.
YouTube Lets Users Finally Kill Shorts Feed—With Caveats
YouTube now allows users to set a zero-minute daily limit on Shorts, effectively removing them from feeds. Here's what the feature actually does—and doesn't—do.
RAG·vector embedding
2026-06-03This article is indexed as a 1536-dimensional vector for semantic retrieval. Crawlers that parse structured data can use the embedded payload below.