Aviatrix has integrated its Cloud Native Security Fabric with Microsoft’s Agent Control Specification, giving enterprise security teams the ability to enforce granular AI agent policies at the network layer across multicloud and Kubernetes environments. The integration, announced from Aviatrix’s San Jose headquarters on June 4, 2026, marks one of the first implementations of Microsoft’s nascent specification in a commercial networking platform.

The move arrives as organizations increasingly deploy autonomous AI agents—software entities that interact with APIs, databases, and other services on behalf of users. Without network-level controls, these agents can become shadow IT, executing unauthorized actions, exfiltrating data, or spiraling into costly infinite loops. By mapping Microsoft’s declarative agent control syntax directly into cloud-native firewall rules, Aviatrix lets operators define and enforce what agents can access, when, and at what rate.

The Security Blind Spot of Autonomous AI Agents

AI agents are rapidly evolving from simple chatbots into context-aware, multi-step executors. They plan, retrieve, and act across distributed systems, often with minimal human oversight. While identity and API-level controls exist, these are insufficient for preventing lateral movement or detecting anomalous traffic patterns once an agent is compromised.

Traditional network segmentation focuses on IP addresses, port numbers, and static workloads. AI agents, however, are ephemeral and context-dependent. They might spawn across different cloud regions, Kubernetes pods, or third-party SaaS APIs. Without the ability to interpret agent identity and intent, network security tools are blind to the risk.

Microsoft’s Agent Control Specification directly addresses this gap. It provides a standardized way to describe an agent’s expected behavior—its allowed actions, data sensitivity levels, resource consumption limits, and chaining dependencies—in a machine-readable format. Network policy engines that support the specification can then automatically translate these descriptions into enforcement points at the edge.

What is Microsoft Agent Control Specification?

Unveiled at Microsoft Build 2026, the Agent Control Specification is an open schema and set of APIs for declaring and enforcing guardrails around AI agents. Built on the same design principles as the Identity Network Protocol and Azure Policy language, it defines a hierarchical control plane:

  • Agent Identity – Cryptographic binding of an agent instance to a known service principal or managed identity.
  • Action Taxonomy – A registry of permissible operations (e.g., read:sql, publish:queue, invoke:function).
  • Resource Limits – Quotas on API calls, data throughput, and execution time.
  • Sensitivity Tags – Inheritance of data classification from sources, with automatic enforcement of PII, PCI, or HIPAA boundaries.
  • Policy Inheritance – Propagation of rules from parent applications, tenants, and regulatory frameworks.

Microsoft positioned the specification as a foundation for secure multi-agent collaboration, noting that as agents from different vendors begin negotiating workflows autonomously, a common control vocabulary is essential.

Aviatrix Cloud Native Security Fabric: A Brief Background

Aviatrix, founded in 2014, has evolved from a pure multicloud networking vendor into a full-stack cloud network security platform. Its Cloud Native Security Fabric (CNSF) provides a software-defined architecture that spans AWS, Azure, GCP, Oracle Cloud, and on-premises data centers. Key components include:

  • Distributed Cloud Firewall – Enforces Layer 3/4 and next-generation Layer 7 policies.
  • ThreatIQ with IDS/IPS – Signature-based and behavioral threat detection.
  • CostIQ – Visibility into cloud egress costs and network spending.
  • FQDN Filtering and Web Filtering – Domain and URL-level access control.
  • Egress FQDN Filtering – Controls outbound traffic to SaaS and public endpoints.

CNSF operates at the cloud network edge, typically inside the VPC or VNet, providing high throughput and deep integration with cloud-native constructs. In 2025, Aviatrix expanded into Kubernetes networking with a Container Network Interface (CNI) plugin that extends its firewall capabilities to pod-level traffic. This groundwork made the integration with the Microsoft Agent Control Specification a natural next step.

How the Integration Works

Under the new integration, administrators craft agent policies using Microsoft’s declarative language—either through Azure Policy, GitHub repositories, or an Aviatrix-provided UI—and then push them to the CNSF controller. The controller parses the specification and dynamically generates distributed firewall rules.

For each agent instance, the system performs three steps:

  1. Agent Registration – When an agent is instantiated (e.g., a GitHub Copilot agent in VS Code, or an Azure AI Agent), it receives a signed token containing its action taxonomy and constraints. This token is registered with the CNSF via an API call or a sidecar proxy.

  2. Rule Compilation – The CNSF translates the token’s contents into concrete firewall rules. For example, an action like read:sql for database orders-prod becomes an allow rule from the agent’s Kubernetes pod IP to the database endpoint on port 1433, with deep packet inspection to validate SQL queries.

  3. Inline Enforcement – Traffic from the agent that matches the allow rules flows normally. Any attempt to access an unlisted resource, exceed a rate limit, or transmit data tagged as PII to an unauthorized external service is blocked, with detailed logging and alerting routed to SIEM.

The entire process is transparent to the agent and does not require changes to the agent’s code. It leverages Aviatrix’s existing high-performance data plane, which can handle millions of concurrent flows with microsecond latency.

Policy Examples and Real-World Use Cases

Consider a typical enterprise deployment: a support AI agent that can query Salesforce CRM, generate Jira tickets, and send Slack messages. With the integrated solution, an admin defines:

  • The agent can only read from Salesforce objects within the “support” scope.
  • It can create Jira tickets only in the “customer-success” project and limited to 50 per hour.
  • Outbound Slack messages must be routed through an approved webhook, and may not contain strings matching credit card numbers or SSN patterns.

The policy is written once in Microsoft’s specification and enforced across all environments—whether the agent runs in Azure AKS, AWS EKS, or an on-premises Kubernetes cluster connected via Aviatrix Edge. Any policy violation immediately generates a security incident, preventing data leakage or overspend.

In financial services, a trading algorithm agent might be constrained to only access market data APIs during trading hours and to never connect to any IP outside a predefined list of approved data providers. The network enforcement prevents rogue connections even if the agent’s internal logic is compromised through a prompt injection attack.

For healthcare, an agent summarizing patient records can be locked down so that any attempt to send data to an unapproved cloud storage bucket—even if the agent is tricked by a malicious prompt—is blocked at the IP layer. The sensitivity tags from the specification align with HIPAA data classifications, making compliance auditing straightforward.

Multicloud Kubernetes at Scale

One of the integration’s standout features is native Kubernetes support. Aviatrix’s CNI plugin extends the agent policy enforcement to individual pods, meaning that if an AI agent is deployed as a set of microservices, each microservice inherits the appropriate policy. The specification’s hierarchical inheritance model flows naturally: a namespace-level policy might allow “agent:read:database” for a fleet of pods, while a pod-specific label further restricts it to a specific customer tenant.

This granularity is essential for SaaS providers who host multiple tenants on shared clusters. A tenant’s AI agent should only access that tenant’s data, even if the underlying pods share a node. Aviatrix and Microsoft demonstrated this capability at the announcement, showing a live demo where a misconfigured agent in tenant A attempting to cross-read tenant B’s database was blocked within 3 milliseconds, with the violation traced back to the exact line in the policy specification.

Industry Reactions and Analyst Insight

“We view the convergence of agent identity and network enforcement as inevitable,” said Gartner VP Analyst Sarah Manning in a recent note. “Organizations that treat agents as just another workload will quickly find themselves exposed. Aviatrix’s implementation of Microsoft’s spec bridges the gap between developer velocity and security governance.”

Early adopters in the Aviatrix customer council have expressed enthusiasm. John Hargrove, CISO of a Fortune 500 retailer, commented, “Before this, we had no way to guarantee that our customer service bot wouldn’t accidentally start ordering stock from our ERP. Now we can define exactly what it can touch, and sleep at night.”

Microsoft emphasized that the specification is open and not tied to Azure. “We designed Agent Control to be a cross-cloud standard,” said Microsoft Corporate Vice President for AI Platform, Erin Chapple, in a blog post accompanying the announcement. “By partnering with Aviatrix, we’re showing how the spec can be implemented by any network vendor to bring tangible security benefits to enterprises, regardless of their cloud mix.”

Implementation and Compatibility

Deploying the integration requires Aviatrix CNSF version 7.2 or later, available through the Aviatrix Controller and Gateway software. It works with the Azure, AWS, and GCP transit networking solutions, as well as with Aviatrix Edge for branch and data center connectivity. For Kubernetes, the Aviatrix Kubernetes Operator version 2.4+ is required.

Administrators manage policies either directly through the CNSF UI, which provides a point-and-click interface for building Microsoft-spec-compliant policies, or via Infrastructure-as-Code using Terraform providers that Aviatrix has updated. Microsoft also offers a Policy Validator toolkit to test policies against the specification before deployment.

Looking Ahead

The Aviatrix-Microsoft partnership signals a shift in how the industry thinks about AI security. As AI agents become more autonomous and interconnected, the attack surface grows exponentially. Static allow-list approaches will not scale. By dynamically interpreting intent from standardized specification documents, network infrastructure can become a programmable control point that adapts in real time.

Aviatrix plans to extend the integration to support additional control dimensions, such as cost enforcement (automatically blocking agents that exceed budget thresholds) and carbon-aware policies (restricting high-energy workloads to renewable-powered regions). Meanwhile, Microsoft is working on integrating the Agent Control Specification with its Semantic Kernel and AutoGen frameworks, making it simpler for developers to ship agents that come with built-in policy manifests.

The broader implication is a move toward self-describing, auditable AI workloads. Just as containers brought with them Dockerfiles and Kubernetes manifests, AI agents will bring their own control specifications, allowing network infrastructure to understand and enforce guardrails without manual rule writing. Aviatrix’s early implementation demonstrates that this vision is technically feasible and operationally practical today.