AI agents that can build their own tools, authenticate to internal systems, and interact with production environments create a governance problem that traditional container security and identity management were not designed to solve. When an agent is compromised, it can exfiltrate secrets, install malicious libraries, and reach systems it was never supposed to touch, all at machine speed. The controls enterprises apply to human operators and conventional software pipelines do not transfer cleanly to autonomous agents.
In this interview on TFiR, Miska Kaipiainen, Head of Product, Lens at Mirantis, breaks down the architectural decisions behind Lens Agents, covering supervised sandbox isolation, policy-managed data traffic, secrets injection without credential exposure, and centralized governance for agents running across on-prem and hyperscaler environments.
Guest: Miska Kaipiainen, Head of Product, Lens at Mirantis
Show: TFiR
Here is what every platform engineer and enterprise security team needs to know.
Technical Deep Dive
Q: Why is balancing AI agent autonomy with safety controls so difficult in enterprise environments?
Miska Kaipiainen, Head of Product, Lens at Mirantis, explains that agents require two foundational elements: connectivity to relevant data sources (Salesforce, financial systems, source code repositories, production monitoring environments) and a defined toolbox for acting on those connections. The problem is that highly capable modern agents can build the tools they need themselves when none are provided, which removes the predictability that governance depends on. Because agent behavior is non-deterministic, organizations cannot rely on pre-approved tool lists alone once agents can generate new tools dynamically.
“It’s a very complex topic, this whole governance topic for the agents.” — Miska Kaipiainen, Head of Product, Lens, Mirantis
Q: How does restricting software repository access reduce AI agent security risk?
When agents build internal tools dynamically to accomplish tasks, they pull libraries and dependencies from software repositories. Kaipiainen points out that controlling which repositories an agent can access is one of the primary levers for reducing the chance that an agent installs packages with security vulnerabilities or malicious payloads. Without this constraint, an agent completing a legitimate task could inadvertently introduce attack vectors directly into production-connected tooling. Repository allowlisting is therefore a foundational governance control, not an optional hardening step.
“You need to start restricting what kind of tools you can actually build and how you can do that.” — Miska Kaipiainen, Head of Product, Lens, Mirantis
Q: What is the secrets management problem specific to AI agents and how is it different from standard credential management?
Every internal system an agent interacts with requires authentication, which means agents need access to secrets. Kaipiainen identifies a compounding risk: if an agent is compromised, it may forward those credentials to external destinations before any detection occurs. The solution is secrets injection, a model where secrets are made available to an agent at the moment of use without the agent ever holding them in memory or state. Several strategies exist for implementing this, but the core requirement is that the agent should never possess a secret it could exfiltrate.
“You need to develop a system where the secrets can be exposed to an agent while the agent actually doesn’t have any secrets at any moment in time.” — Miska Kaipiainen, Head of Product, Lens, Mirantis
Q: Why did Mirantis build Micro VM-based sandboxing instead of using container technology for Lens Agents?
Kaipiainen states that the Lens Agents sandboxing layer is deliberately not built on traditional container technology. Instead, it uses Micro VM technology, which provides a stronger isolation boundary appropriate for the non-deterministic behavior of autonomous agents. Alongside the Micro VM sandbox, a supervisor component monitors all activity inside the sandbox continuously, and all data traffic entering or leaving the sandbox is policy-managed. This combination of isolation and real-time traffic governance is described as one of the core components of the Lens Agents technology stack.
“We have been building our own sandboxing technology that is not based on this traditional container technology. It’s based on the Micro VM technology.” — Miska Kaipiainen, Head of Product, Lens, Mirantis
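The three controls described above (a repository allowlist for agent-built tooling, secret injection at the boundary so the agent never holds a credential, and policy-managed, audited traffic from a supervised sandbox) can be sketched together in one small gate. The following is an added illustration written for this article, not Lens Agents code or any Mirantis API; the host names, package index URL, secret handle syntax (`@secret:<name>`) and the token value are all constructed placeholders.

```python
"""
Added example (not Lens Agents / Mirantis code): a minimal supervised-sandbox
boundary. Every outbound request from an agent passes through a policy gate
that (1) enforces a destination allowlist, (2) swaps opaque secret handles for
real credentials only after the destination is approved, so the agent's own
context never contains a credential, and (3) records an audit event that never
includes the resolved secret. A second function vets 'pip install' commands so
agent-built tools can only pull from the approved package index.
All hosts, URLs, handles and secrets below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional
import re

ALLOWED_HOSTS = {"pypi.internal.example", "api.crm.example"}        # constructed
ALLOWED_PACKAGE_INDEX = "https://pypi.internal.example/simple/"     # constructed

# Secret store lives outside the sandbox. The agent only ever sees the handle
# "@secret:crm_api_token"; the value below is a placeholder, not a credential.
SECRET_STORE = {"crm_api_token": "EXAMPLE-TOKEN-not-a-real-credential"}
HANDLE_RE = re.compile(r"^@secret:([a-z0-9_]+)$")


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str
    outgoing: Optional[Request] = None   # only populated when allowed


class Supervisor:
    """Sits between the sandbox and the network; owns the audit trail."""

    def __init__(self) -> None:
        self.audit: list[dict] = []

    @staticmethod
    def _host(url: str) -> Optional[str]:
        m = re.match(r"^https://([^/]+)", url)
        return m.group(1) if m else None

    def gate(self, req: Request) -> Decision:
        host = self._host(req.url)
        if host is None:
            return self._record(req, False, "non-https or unparseable URL")
        if host not in ALLOWED_HOSTS:
            return self._record(req, False, f"host {host} not on allowlist")
        # Secret injection happens here, after policy approval, so a request to
        # an unapproved destination never receives a real credential.
        headers = {}
        for name, value in req.headers.items():
            m = HANDLE_RE.match(value)
            if m:
                if m.group(1) not in SECRET_STORE:
                    return self._record(req, False, f"unknown secret handle {value}")
                value = SECRET_STORE[m.group(1)]
            headers[name] = value
        return self._record(req, True, "ok", Request(req.method, req.url, headers))

    def forward(self, req: Request, transport: Callable[[Request], dict]) -> dict:
        """The supervisor, not the agent, performs the send; the agent gets only the response."""
        d = self.gate(req)
        if not d.allowed:
            return {"status": 403, "reason": d.reason}
        return transport(d.outgoing)

    def _record(self, req, allowed, reason, outgoing=None) -> Decision:
        # Audit stores the headers as the agent submitted them (handles only),
        # never the resolved secret values.
        self.audit.append({"method": req.method, "url": req.url, "allowed": allowed,
                           "reason": reason, "headers_as_submitted": dict(req.headers)})
        return Decision(allowed, reason, outgoing)


def vet_install(argv: list[str]) -> tuple[bool, str]:
    """Approve a 'pip install' argv only if it uses the approved index and no direct URLs."""
    if argv[:2] != ["pip", "install"]:
        return False, "only 'pip install' is vetted here"
    args, index, reqs, skip = argv[2:], None, [], False
    for i, a in enumerate(args):
        if skip:
            skip = False
            continue
        if a in ("--extra-index-url", "--find-links", "-f"):
            return False, f"{a} bypasses the approved index"
        if a in ("--index-url", "-i"):
            if i + 1 >= len(args):
                return False, "missing index URL"
            index, skip = args[i + 1], True
            continue
        if a.startswith("--index-url="):
            index = a.split("=", 1)[1]
            continue
        if a.startswith("-"):
            continue
        reqs.append(a)
    if index != ALLOWED_PACKAGE_INDEX:
        return False, "install must use the approved internal index"
    for r in reqs:
        if "://" in r or r.startswith("git+"):
            return False, f"direct URL requirement {r} is not allowed"
    return True, "ok"
```

The point to check in any real implementation is the same one the test below checks: the transport receives the real token, the agent's view (the `Request` it built and every audit record) contains only the handle, and a request to a non-allowlisted host is refused before any secret is resolved.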
Q: How does the Lens Agents control plane provide centralized governance across on-prem and cloud environments?
The Lens Agents platform is designed to run tens, hundreds, or thousands of supervised sandboxes across any target environment, including on-premises deployments and hyperscaler infrastructure on AWS, Azure, and Google Cloud. A central control plane aggregates visibility, audit trails, and governance data from all running sandboxes into a single location. This gives IT and security teams a unified view of agent activity regardless of where those agents are deployed. Kaipiainen frames this centralized visibility as the platform piece of the Lens Agents architecture.
“We provide that control plane for centralized visibility and all the audit trails and everything that the agents are doing basically comes to our central location for central IT governance.” — Miska Kaipiainen, Head of Product, Lens, Mirantis
Q: Can organizations run their own existing AI agents on Lens Agents, or does it require adopting Mirantis-built agents?
Kaipiainen is explicit that the Lens Agents platform is designed to run any agent, not only the agent Mirantis ships. Mirantis does offer its own agent for organizations still evaluating what to deploy in their enterprise setting, but teams that have already built or deployed agents can run those on top of the Lens Agents platform and gain the full governance, visibility, and control layer without re-architecting their agents. The platform and the Mirantis-built agent are separate offerings that can be adopted independently.
“Any agent, if you already have developed some agents or anything like that, they run on top of this platform just fine, but you will gain all this visibility, governance and control for all your agents.” — Miska Kaipiainen, Head of Product, Lens, Mirantis
Resources & Documentation
- Mirantis, enterprise Kubernetes and AI infrastructure platform, home of Lens Agents
- Lens, Kubernetes IDE and developer platform by Mirantis
***
Full Raw Transcript
Swapnil Bhartiya: Now there is also a real tension between letting agents be autonomous enough to be useful and keeping enough control to stay safe. Checks and balances. How do organizations, even like Mirantis, actually balance that? Allowing agents to do what they are capable of, doing what you want them to do, but also ensuring they only do what you want them to do. Especially as agents are becoming more capable over time, especially because organizations want them to do more.
Miska Kaipiainen: Well, I think it’s kind of easy. So in order for us to have a good agent, so hallucination is still happening. So it has not disappeared. And of course it’s getting better and better, and it’s becoming better because the models themselves are just becoming so much more amazing all the time. If you compare the models we had a year ago to the models that we have today, it’s like night and day, the difference in the quality of the responses and capabilities. But in essence what the agents need, they need two things. They need connectivity to relevant data sources. So whether it’s your Salesforce data, it’s your financial data, it’s maybe some internal knowledge-based systems, whether it’s a source code system, whether it’s some production environment that you need to be monitoring or you want these agents to be interacting with. So it’s all about managing connections. And then at the same time it’s managing what is the available toolbox that the agents have at their disposal for actually doing something with those connections. So now, with very capable agents, you basically give them full freedom to even build those tools that they need themselves, if you give them a challenge. And they can pretty much create the tools that they need to accomplish the task even if they don’t have the tools. They can be pretty good at figuring out how to solve different problems. And for that of course you then need to start restricting, okay, what kind of tools you can actually build and how can you do that? It’s not a deterministic system; agents might do whatever. And for that, basically the only way you have to do it is that you need to control, for example, what kind of software repositories you are giving these tools, or agents rather, access to, to go and install maybe some tools and libraries, et cetera.
So when they are building their internal tools to accomplish a task, they are less likely to have all kinds of security vulnerabilities that might then be trying to do something bad with your production environments, for example. Another thing is how do you manage the secrets? Because every place in your internal systems, each one of those places needs to have authentication. So you need to either grant identities for your agents, and then they need to be authenticating to these external systems with their own identities. But there as well it’s not so easy, because if you think about it, the agent might be compromised. It might be sending these secrets already to third-party places where you don’t want any information to be sent. So you need to develop a system where the secrets can be exposed to an agent while the agent actually doesn’t have any secrets at any moment in time. And we are talking about secret injection, and there are different strategies for how this can be accomplished. So it’s very difficult. Agents are fast, they are doing all kinds of stuff all the time. We have to trust them. They are not malicious by nature. But you just need to put in checks and balances so that you as a human are still kind of on top of things and you have all the controls in place so that the agents just don’t go wild and do all kinds of, you know, things that you don’t want. So it’s a very, very complex topic, this whole governance topic for the agents.
Swapnil Bhartiya: Now let’s talk about Lens Agents, because that is the problem it’s trying to solve. Yes, as you rightly mentioned, it is complex. So talk a bit about, when we look at Lens Agents, it’s a unified platform that brings policy-driven governance to AI agents running anywhere across your environment. Talk a bit about how it works under the hood.
Miska Kaipiainen: Right. So basically we have two major components in there. So first of all, we have been building our own sandboxing technology that is not based on this traditional container technology. It’s based on the Micro VM technology. And we also have a supervisor component that is watching all the time what is happening inside this sandbox, and every kind of data traffic that goes in or out of this sandbox is basically policy managed, and that’s one of the core components of this technology stack. So it’s the sandbox that is a supervised sandbox technology, and the supervised sandbox technology we are providing as a platform, so an enterprise can run multiple tens or hundreds or thousands of these types of supervised sandboxes on their target environment. So whether they want to deploy these on on-prem environments or whether they want to deploy this on AWS or Azure or Google Cloud, they can leverage their hyperscaler capacity to run these sandboxes from there. So what we do is that we provide that control plane for centralized visibility and all the audit trails and everything. What the agents are doing basically comes to our central location for central IT governance. And that’s the platform piece of the story. Kind of a side story to that is that we also do our own agent for those parties that might still be trying to figure out what kind of agent they should be running in their enterprise setting. So we make life. And this isn’t kind of slightly easier for those guys, they can take our agent, but at the same time, basically any agent, if you already have developed some agents or anything like that, they run on top of this platform just fine, but you will gain all this visibility, governance and control for all your agents.