TL;DR: Enterprises are using virtual machines to isolate AI agents, but Appgate argues that VM boundaries do not solve identity exposure when agents still rely on static credentials, broad network trust, and weak visibility into access. Isolation without identity controls leaves lateral movement and data leakage paths open.
NHIMG editorial — based on content published by Appgate: AI agents in virtual machines need identity-based access controls
Questions worth separating out
Q: How should teams secure AI agents running inside virtual machines?
A: Treat the VM as a place to run the workload, not a trust boundary.
Q: Why do virtual machines not solve AI agent access risk on their own?
A: Because isolation does not remove the need for credentials, tokens, or service permissions.
Q: What breaks when AI workloads rely on network segmentation instead of identity controls?
A: Network segmentation can hide the access problem until the VM is already trusted internally.
Practitioner guidance
- Map AI agent access paths inside every VM Inventory each API, data source, model repository, and dashboard the workload can reach, then remove any entitlement that is not essential to the agent’s task scope.
- Replace static trust with identity-bound policy Enforce authorisation at the workload level so the VM is not treated as trusted by default.
- Eliminate shared credentials from AI sandboxes Move away from shared secrets and broad permissions for automated workloads.
What's in the full article
Appgate's full post covers the operational detail this post intentionally leaves for the source:
- How the Linux Headless Client is positioned for non-interactive AI workloads inside servers and VMs.
- Which identity-centric enforcement points are used for inbound and outbound AI agent traffic.
- How entitlement-based access is applied dynamically across role, posture, and context.
- Why Appgate links this model to auditability and compliance across hybrid environments.
👉 Read Appgate's analysis of Zero Trust controls for AI agents in virtual machines →
AI agents in virtual machines: is isolation enough anymore?
Explore further
VM isolation is a containment model, not an identity model. The article is right to separate separation from security, because AI agents inside VMs still authenticate to tools, data, and management planes. Once those connections depend on shared credentials or broad trust, the sandbox starts behaving like a disguised flat network. Practitioners should stop treating virtualization as the control and start treating it as the host for the control.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- 39% of security leaders say they do not know how often their AI systems are making autonomous changes to infrastructure, showing that visibility gaps are already operational rather than theoretical.
A question worth separating out:
Q: What should security teams do first when hardening AI agents in VMs?
A: Start with entitlement review. Identify every service account, token, and API path the workload can use, remove unnecessary access, and then require continuous enforcement for both inbound and outbound connections.
👉 Read our full editorial: Zero trust for AI agents in VMs: why identity must follow