For Platform Engineering, AI & Security Teams

AI Agent Security for Kubernetes

Your AI agents are making decisions. Do you know what they're authorized to do?

The unified control plane for AI agent discovery, identity, authorization, and runtime enforcement for every agent in your organization running on Kubernetes. Guardrails, not gates.

Introducing: Tigera Lynx – Security & Visibility for Kubernetes-Native AI

Unified control across teams

For AI & Platform Engineering Teams

  • Deploy agents faster with comprehensive observability

  • Runtime enforcement without blocking workflows
  • Identity and authentication for every agent

For Security Leaders

  • Complete visibility into every agent; shadow agents too

  • Zero-trust authorization enforced before every action
  • Full audit trail for compliance and incident response

Problem

AI agents don’t behave like the workloads enterprise security stacks were built for.

They are autonomous and non-deterministic: they act on behalf of a user, reach for any tool, LLM, or other agent, have a delegation chain, and read untrusted input.

What a control plane for agents must do:

One place that says what each agent can do

One place that says what each agent can do

Agents reach for any tool, LLM, or agent and read untrusted input

What you need: One place that says what each agent can do. Policy-driven, applied at every call.

Authentication & authorization on every hop

Authentication & authorization on every hop

Every action is a delegation chain: User->agent->agent->Tool.

What you need: JWT Tokens scoped, time-bound, carrying the chain.

A way to watch what agents actually do

A way to watch what agents actually do

A valid credential does not guarantee good behavior

What you need: Detect anomalies: quarantine the ones going wrong.

Continuous posture assessment and sandboxing

Continuous posture assessment and sandboxing

Blast radius moves as new agents and tools come online

What you need: Test the posture; sandbox new agents on the way in

Solution

Guardrails, not gates. Security and governance that enables your AI teams to move fast, safely.

Lynx is a cloud-native enforcement layer purpose-built for autonomous agents. It sits in the middle of all agentic traffic across Kubernetes clusters to discover, authenticate, authorize, and observe every agent action in real time.

Every agent is known. Every identity is verified.
Every action is authorized before it happens. Every interaction is traceable.

Capabilities

 Everything you need to govern AI agents at enterprise scale.

Know every agent before they do something they shouldn't.

Central Registry

A directory of every agent with owner, purpose, version, context. Full APIs for CI/CD registration at deploy time.

eBPF Auto-Discovery

Find every agent running, including ones nobody registered. Detected by behavior (library loads, MCP traffic, TLS SNI.

Shadow Agent Detection

Discovered agents are cross-referenced against the registry.

Observability

Reconstruct any agent's actions end-to-end: what it saw, what it decided, which tools it called. Open Telemetry traces.

DEPLOYMENT

One security and governance standard.

Lynx meets you where your agents are.

Self-hosted

Lynx is a Kubernetes-native gateway deployed in your cluster, sitting in the middle of all agentic traffic and enforcing policy at runtime. Control and data plane fully managed by you.

Ideal for: Kubernetes-native agent deployments requiring full control over data residency.
Why TIGERA?

Tigera's Kubernetes network and security expertise, now supporting AI agent security and enforcement

We’ve spent a decade enforcing policy for cloud-native workloads at the world’s most demanding organizations — 8 million+ nodes, 1 million+ clusters. The same enforcement rigor and policy framework powering the Calico platform is now available for AI agents.

Proven Policy Foundation icon

Proven Policy Foundation

The enforcement engine behind Lynx secures 8M+ Kubernetes nodes daily. Enterprise-proven at the most demanding scale.

Purpose-Built for Agents icon

Purpose-Built for Agents

Not IAM stretched to cover agents. Not CASB repurposed for a new problem. Built from the ground up for autonomous, non-deterministic, distributed AI agents.

Guardrails, Not Gates icon

Guardrails, Not Gates

Real-time enforcement that enables AI & Platform Engineering teams to move fast — not a bureaucratic control layer that creates bottlenecks and drives workarounds.

Enterprise Expertise icon

Enterprise Expertise

A decade alongside NVIDIA, RBC, Bloomberg, and many more. That accumulated knowledge ships with every product we build.

AI agents are already making decisions in your organization. Are they authorized to?

Lynx gives security, AI, and platform engineering teams the visibility, authorization, and enforcement controls to safely deploy AI agents, anywhere in your Kubernetes environment, at enterprise scale.

X