What if the network was the sandbox? — Remy Guercio, Tailscale

Descriptions:

Remy Guercio, an engineer at Tailscale, proposes a fundamentally different model for sandboxing AI agents: moving authentication and authorization out of the container and into the network layer itself. The talk opens by questioning how most teams handle agent permissions today: either API keys stored inside the sandbox, where a sufficiently persistent agent can read and misuse them, or OAuth flows that still run inside the execution environment and leave their tokens there. Neither, Guercio argues, provides a true boundary, because the credential ends up on the same side of it as the agent.

The alternative Guercio demonstrates uses Tailscale’s WireGuard-based mesh network, in which every peer is identified by its WireGuard key, so identity is bound to the connection at the protocol level rather than carried as a bearer token the agent could copy. A proxy called Aperture sits between the agent and the outside world and intercepts every outbound request. Because all traffic must traverse Aperture to leave the tailnet, and the sandbox is given no other egress, there is no mechanism for the agent to bypass it: revoking a key or blocking an endpoint takes effect on the next request, not after the agent has had a chance to probe alternatives. The demo shows Claude Code running in this configuration, with a live audit log of every tool call, bash command, and MCP action the agent made, along with per-run cost breakdowns (a PR review bot spent four cents and ran three commands in parallel).

The approach works across Claude Code, OpenAI Codex, and Gemini CLI with a one-line configuration change that points the agent at a custom API base URL. Guercio frames this as particularly important for long-running autonomous agents, where the risk of unintended actions compounds over time.
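The pattern the talk describes (the credential held outside the sandbox, every outbound call checked and logged, revocation that bites on the very next request) as an added Go example. This is not Aperture or any code from the talk or from Tailscale; it is a minimal egress proxy written for this page. It assumes a hypothetical X-Agent-Identity header standing in for the WireGuard peer identity the talk relies on, and the key, identity name and policy paths are constructed for the demo.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"sync"
)

// EgressProxy holds the real upstream credential and a per-identity policy; the
// sandboxed agent only ever talks to the proxy and never sees the key.
type EgressProxy struct {
	mu          sync.Mutex
	upstreamKey string              // injected on the way out, never handed to the sandbox
	allowed     map[string][]string // identity -> upstream paths it may call
	audit       []string            // one line per request: identity, method, path, decision
	rp          *httputil.ReverseProxy
}

// Allow replaces an identity's policy with the given upstream paths.
func (p *EgressProxy) Allow(id string, paths ...string) {
	p.mu.Lock()
	defer p.mu.Unlock()
	p.allowed[id] = paths
}

// Revoke installs an empty policy: no restart, no cache, the next request is already denied.
func (p *EgressProxy) Revoke(id string) { p.Allow(id) }

// decide evaluates the policy and writes the audit line in one critical section.
func (p *EgressProxy) decide(id, method, path string) string {
	p.mu.Lock()
	defer p.mu.Unlock()
	decision := "deny"
	for _, allowed := range p.allowed[id] {
		if path == allowed {
			decision = "allow"
		}
	}
	p.audit = append(p.audit, fmt.Sprintf("%s %s %s -> %s", id, method, path, decision))
	return decision
}

func (p *EgressProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// ASSUMPTION: in the talk the caller's identity is the WireGuard peer that opened the
	// connection; a header stands in for it so the example runs offline. A real deployment
	// must never trust a client-supplied header for this.
	id := r.Header.Get("X-Agent-Identity")
	if p.decide(id, r.Method, r.URL.Path) != "allow" {
		http.Error(w, "egress denied", http.StatusForbidden)
		return
	}
	// Whatever credential the sandbox attached is replaced with the proxy-held one, so a
	// key leaked into or guessed inside the sandbox is worthless upstream.
	r.Header.Set("Authorization", "Bearer "+p.upstreamKey)
	r.Header.Del("X-Agent-Identity")
	p.rp.ServeHTTP(w, r)
}

// RunDemo wires a constructed fake upstream to the proxy and replays three calls from one
// identity: an allowed path, a path outside the policy, and the allowed path again after
// revocation. It returns the statuses the agent saw, the Authorization values the
// upstream actually received, and a copy of the audit log.
func RunDemo() (statuses []int, keysSeen []string, audit []string) {
	const realKey = "sk-held-by-proxy-only" // constructed; the sandbox never has it
	seen := make(chan string, 8)
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Get("Authorization")
	}))
	defer upstream.Close()
	target, _ := url.Parse(upstream.URL)
	proxy := &EgressProxy{upstreamKey: realKey, allowed: map[string][]string{},
		rp: httputil.NewSingleHostReverseProxy(target)}
	proxy.Allow("pr-review-bot", "/v1/messages") // constructed policy for the demo
	front := httptest.NewServer(proxy)
	defer front.Close()
	call := func(path string) int {
		req, _ := http.NewRequest(http.MethodPost, front.URL+path, http.NoBody)
		req.Header.Set("X-Agent-Identity", "pr-review-bot")
		req.Header.Set("Authorization", "Bearer sk-bogus-from-sandbox") // must not reach upstream
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			panic(err)
		}
		resp.Body.Close()
		return resp.StatusCode
	}
	statuses = append(statuses, call("/v1/messages"), call("/v1/files"))
	proxy.Revoke("pr-review-bot")
	statuses = append(statuses, call("/v1/messages"))
	for len(seen) > 0 {
		keysSeen = append(keysSeen, <-seen)
	}
	proxy.mu.Lock() // copy under the lock so the read never races the proxy
	defer proxy.mu.Unlock()
	return statuses, keysSeen, append([]string(nil), proxy.audit...)
}

func main() {
	statuses, keys, audit := RunDemo()
	fmt.Println("agent saw:", statuses, "| upstream saw:", keys, "| audit:", audit)
}
```

Running it shows the agent getting 200, 403, 403 while the upstream only ever sees the proxy-held key, never the bogus one the sandbox attached, and the audit log records all three decisions. The agent is pointed at the proxy the way the talk describes, through its base-URL setting (for Claude Code that is the ANTHROPIC_BASE_URL environment variable). The one thing this example cannot reproduce offline is the part that matters most in the talk: here the identity is a header the client chooses, which is exactly the weakness that moving identity into the WireGuard layer removes.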


📺 Source: AI Engineer · Published June 01, 2026
🏷️ Format: Deep Dive
