Subscribe to the Non-Human & AI Identity Journal

How should teams secure AI agents running inside virtual machines?

Treat the VM as a place to run the workload, not a trust boundary. Secure the agent with identity-based authorisation, discrete credentials, and continuous policy evaluation for every API, data source, and outbound endpoint it can reach. If the VM can access more than the task requires, the environment is overexposed.

Why This Matters for Security Teams

Running an AI agent inside a VM can reduce blast radius, but it does not make the VM a trust boundary. The real risk is the agent’s autonomy: it can chain tools, reuse tokens, reach data it should not see, and take actions that were never explicitly scripted. Current guidance suggests treating the agent as a workload with its own identity and policy envelope, not as a process that becomes safe because it is virtualized.

That distinction matters because static IAM assumptions break quickly when the workload is goal-driven. A VM may look contained, yet the agent inside can still exfiltrate secrets, call external APIs, or pivot across internal services if its credentials are overbroad. NHIMG research on AI agents as the new attack surface shows how often agents act outside intended scope, which is why the security model has to start with identity, not infrastructure. In practice, many security teams encounter lateral movement from an “isolated” VM only after the agent has already chained access into systems no human operator intended.

How It Works in Practice

The practical control set is simple in concept and demanding in execution: give the agent only the permissions required for the current task, issue those permissions just in time, and revoke them when the task ends. That means short-lived secrets, runtime authorization checks, and workload identity instead of shared static credentials. For many teams, the most durable pattern is to bind the agent to a cryptographic workload identity, then evaluate each action against policy at request time using policy-as-code.

In agentic environments, this is closer to NIST AI Risk Management Framework governance than traditional server hardening. It also aligns with the OWASP Agentic AI Top 10 and the CSA MAESTRO agentic AI threat modeling framework, both of which emphasize runtime risk rather than static trust assumptions. A secure VM deployment usually includes:

  • Per-task credentials with tight TTLs, not reusable long-lived tokens.
  • Workload identity for the agent, such as SPIFFE-aligned identity or OIDC-backed service identity.
  • Policy checks on every API call, file access, and outbound network request.
  • Network egress controls so the VM cannot freely reach arbitrary endpoints.
  • Separate identities for the orchestrator, the agent, and any tool runner.

NHIMG research on CoPhish OAuth Token Theft via Copilot Studio is a reminder that token scope and token lifetime matter as much as the VM boundary itself. These controls tend to break down when the VM image is reused across tasks with shared secrets, because the agent can accumulate access faster than administrators can review it.

Common Variations and Edge Cases

Tighter agent isolation often increases operational overhead, requiring organisations to balance stronger containment against faster task execution and lower administrative friction. There is no universal standard for this yet, especially in multi-agent or delegated-workflow environments where one agent spawns another and hands off partial context. In those cases, the safest pattern is not to trust the VM chain at all, but to enforce identity and policy at each hop.

Edge cases usually appear when teams mix human admin access, automated orchestration, and agent credentials in the same environment. Shared build runners, long-lived bastion sessions, or “temporary” exceptions for debugging quickly erode the model. The practical lesson from NHIMG reporting such as LLMjacking: How Attackers Hijack AI Using Compromised NHIs is that exposed credentials are often weaponised within minutes, not days. That is why dynamic secrets, separate identities, and continuous authorisation are more important than the VM’s tenant boundary. For teams that need deeper threat mapping, MITRE ATLAS adversarial AI threat matrix can help model abuse paths, but current guidance suggests treating any model that grants the agent broad outbound reach as overexposed by default.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10, CSA MAESTRO and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A01 Agent autonomy makes static trust boundaries and overbroad access especially risky.
CSA MAESTRO TA-2 MAESTRO focuses on agentic threat modeling and runtime control of tool use.
NIST AI RMF AI RMF governs risk, accountability, and monitoring for autonomous agent behaviour.
OWASP Non-Human Identity Top 10 NHI-03 Short-lived credentials reduce the blast radius of compromised agent identities.
NIST Zero Trust (SP 800-207) SC-7 Zero trust requires explicit verification for every agent request and endpoint.

Replace long-lived secrets with ephemeral credentials and automate rotation and revocation.