AI Engineer, 24m

What if the network was the sandbox? — Remy Guercio, Tailscale

TL;DR

  • The network can be the sandbox: Guercio reduces a sandbox to two essentials, a boundary and permissions, then asks what happens if authN and authZ live at the network layer instead of inside a VM or container.

  • API keys are the weak point: He says today's common patterns, raw provider keys or OAuth inside the sandbox, still hand the agent the thing that grants access, which means it can be exfiltrated or misused.

  • Aperture replaces per-agent keys with Tailscale identity: Built on WireGuard and Tailscale tags, groups, and users, the gateway takes one upstream key for providers like OpenAI, Anthropic, Gemini, Vertex, and Bedrock while sandboxed agents connect with no usable key of their own.

  • Every request becomes attributable and inspectable: In the demo, Guercio shows per-user and per-bot logs with token counts, model usage, request and response bodies, costs, and even extracted bash and MCP tool calls from a PR review bot.

  • The control point is harder for agents to route around: Because enforcement happens at the network layer, shutting off access is not a matter of revoking a leaked key; it is simply a denied connection, which removes the agent's chance to try another endpoint with the same credential.

  • This is meant to be built on, not just bought: Guercio says the same Tailscale identity primitives are available through the open source tsnet library, so teams can build internal MCP servers or APIs with tailnet-native identity and policy, plus JSON, API, and GitOps-friendly permissioning.

The Breakdown

Tailscale's Remy Guercio argues that the safest sandbox for agents might be the network itself, not the container, and demos an AI gateway where agents get no API key at all. By pushing identity and permissions into the WireGuard-based network layer, Aperture can log every model call, tool call, token, and dollar spent, then cut access off cleanly with no secret left for the agent to steal.
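As an added illustration of the gateway pattern the talk describes (example code written for this digest, not Tailscale's Aperture or its tsnet library), here is a minimal Go gateway: it authorizes each request by the principal the network vouches for at the peer's address rather than by a key the agent holds, rebuilds the upstream call with its own key so anything the agent presented is discarded, and writes an attributable log entry with the provider-reported token count. The peer table, policy, model names, peer addresses, the `provider.example` URL and the placeholder key are all constructed for the example; in a real tailnet the peer-to-principal lookup would be Tailscale's WhoIs, which this code does not call (it stands in with a static map).

```go
package main

import (
	"encoding/json"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// allowed reports whether model matches one of a principal's permitted model-name prefixes.
func allowed(prefixes []string, model string) bool {
	for _, prefix := range prefixes {
		if model != "" && strings.HasPrefix(model, prefix) {
			return true
		}
	}
	return false
}

// Record is one attributable log entry: who called which model, whether policy allowed it, and the tokens the provider reported.
type Record struct{ Principal, Model string; Allowed bool; Status, Tokens int }

// Gateway holds the single upstream key; the agents behind it never see it.
type Gateway struct {
	// Peers maps a peer IP to the principal (user login or node tag) the network vouches for. In a
	// tailnet that answer would come from Tailscale's WhoIs lookup (an assumption); the demo uses a map.
	Peers       map[string]string
	Policy      map[string][]string // principal -> model-name prefixes it may call
	UpstreamKey string
	Upstream    http.RoundTripper // http.DefaultTransport in a real deployment
	Log         []Record
}

func (g *Gateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	host, _, _ := net.SplitHostPort(r.RemoteAddr) // a malformed address yields "" and is denied below
	principal, ok := g.Peers[host]
	if !ok { // the network did not vouch for this peer: deny the connection outright
		http.Error(w, "unknown peer", http.StatusForbidden)
		return
	}
	body, _ := io.ReadAll(r.Body)
	var req struct{ Model string `json:"model"` }
	_ = json.Unmarshal(body, &req) // an unparseable body leaves Model empty, which policy denies
	rec := Record{Principal: principal, Model: req.Model, Status: http.StatusForbidden}
	if !allowed(g.Policy[principal], req.Model) {
		g.Log = append(g.Log, rec)
		http.Error(w, "policy denies model "+req.Model, rec.Status)
		return
	}
	// Rebuild the upstream request: any Authorization header the agent sent is discarded and the gateway's own key attached.
	out, _ := http.NewRequestWithContext(r.Context(), r.Method, "https://provider.example"+r.URL.Path, strings.NewReader(string(body)))
	out.Header.Set("Authorization", "Bearer "+g.UpstreamKey)
	resp, err := g.Upstream.RoundTrip(out)
	if err != nil {
		http.Error(w, "upstream unavailable", http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	respBody, _ := io.ReadAll(resp.Body)
	var usage struct{ Usage struct{ TotalTokens int `json:"total_tokens"` } `json:"usage"` }
	_ = json.Unmarshal(respBody, &usage) // provider-reported tokens make the log cost-attributable
	rec.Allowed, rec.Status, rec.Tokens = true, resp.StatusCode, usage.Usage.TotalTokens
	g.Log = append(g.Log, rec)
	w.WriteHeader(resp.StatusCode)
	w.Write(respBody)
}

// fakeProvider is a constructed stand-in for a model provider; it records the Authorization header it received.
type fakeProvider struct{ LastAuth string }

func (p *fakeProvider) RoundTrip(r *http.Request) (*http.Response, error) {
	p.LastAuth = r.Header.Get("Authorization")
	body := io.NopCloser(strings.NewReader(`{"id":"demo","usage":{"total_tokens":42}}`))
	return &http.Response{StatusCode: http.StatusOK, Header: http.Header{}, Body: body}, nil
}

// NewDemoGateway wires a gateway (constructed placeholder key) to the fake provider for two sample peers: a tagged PR-review bot limited to claude-* and a user who may also call gpt-*.
func NewDemoGateway() (*Gateway, *fakeProvider) {
	p := &fakeProvider{}
	return &Gateway{
		Peers:       map[string]string{"100.64.0.10": "tag:pr-review-bot", "100.64.0.11": "alice@example.com"},
		Policy:      map[string][]string{"tag:pr-review-bot": {"claude-"}, "alice@example.com": {"gpt-", "claude-"}},
		UpstreamKey: "sk-demo-placeholder", Upstream: p,
	}, p
}

// Call sends one chat request through the gateway as the given peer, carrying whatever Authorization the agent tried to present, and returns the status the agent sees.
func (g *Gateway) Call(remoteAddr, model, agentAuth string) int {
	req := httptest.NewRequest(http.MethodPost, "/v1/chat/completions", strings.NewReader(`{"model":`+strconv.Quote(model)+`}`))
	req.RemoteAddr = remoteAddr
	req.Header.Set("Authorization", agentAuth)
	w := httptest.NewRecorder()
	g.ServeHTTP(w, req)
	return w.Code
}
```

Calling `Call("100.64.0.10:5000", "claude-sonnet", "Bearer whatever-the-agent-holds")` returns 200 and the fake provider sees only the gateway's key; the same bot asking for `gpt-4o` gets 403 and a denied entry in the log, and an address outside the peer table gets 403 with nothing left to revoke. That last case is the point the talk stresses: cutting a bot off means removing it from the peer table or policy, not rotating a secret it was holding.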
