Issue #10 · AI Agent Insider

Issue #10: Infrastructure Catches Up to Ambition

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

The Hook

Enterprises are no longer asking whether to deploy AI agents — they’re asking who controls them. This week, the infrastructure layer caught up: identity management, sandboxing, and compliance gating all shipped on the same day.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

This Week’s Signal

Okta is treating AI agents like employees — with a universal kill switch. Their new ‘Okta for AI Agents’ platform (GA April 30) registers every agent as a first-class non-human identity, detects unauthorized ‘shadow agents’ running in your environment, and lets you revoke permissions across all connected systems in a single action. It integrates with Boomi and DataRobot out of the box. The real signal here isn’t the feature set — it’s that Okta built this at all. The IAM layer for agents is now a product category. Every enterprise running production agents without centralized access governance is one rogue workflow away from a serious incident.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

3 Operator Playbooks

1. Audit Your Shadow Agents Before Okta Does It for You

Okta’s platform detects ‘shadow agents’ — AI automations running in your stack without formal registration or access controls. Most teams have them already: a Zapier workflow hitting your CRM, a GPT integration a developer stood up in staging and forgot to take down. Your move: Before you buy governance tooling, do a manual audit. Pull every OAuth token, API key, and service account created in the last 90 days. Tag anything non-human. That’s your shadow agent inventory. Document what each one accesses. The audit takes a day. The liability of not doing it is unbounded.
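One way to run the manual audit described above, as an added example (not code from Okta or any vendor named here). The export columns, the non-human heuristic and the `registered` flag are assumptions, and the sample rows are constructed:

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export. A real audit would merge exports from the IdP, cloud IAM
# and each SaaS admin console into this shape (column names are assumed).
SAMPLE_EXPORT = """\
id,kind,owner,created,interactive_login,scopes,registered
tok-001,oauth_token,alice@example.com,2026-03-02,yes,crm.read,yes
tok-002,oauth_token,zapier-crm-sync,2026-02-10,no,crm.read crm.write,no
key-003,api_key,dev-staging-gpt,2026-01-20,no,tickets.read llm.invoke,no
svc-004,service_account,ci-deployer,2025-06-01,no,deploy.write,yes
svc-005,service_account,billing-bot,2026-03-15,no,invoices.read,yes
"""

NON_HUMAN_KINDS = {"api_key", "service_account"}


def is_non_human(row):
    """Assumed heuristic: key/service-account credentials, or no interactive login."""
    return row["kind"] in NON_HUMAN_KINDS or row["interactive_login"] == "no"


def shadow_agent_inventory(export_text, today, window_days=90):
    """Non-human credentials created inside the window, with access and status."""
    cutoff = today - timedelta(days=window_days)
    inventory = []
    for row in csv.DictReader(io.StringIO(export_text)):
        created = date.fromisoformat(row["created"])
        if created < cutoff or not is_non_human(row):
            continue
        scopes = row["scopes"].split()
        inventory.append({
            "id": row["id"],
            "owner": row["owner"],
            "created": created,
            "accesses": scopes,
            "write_access": any(s.endswith(".write") for s in scopes),
            "shadow": row["registered"] != "yes",  # never formally registered
        })
    # Review order: unregistered first, then write access, then oldest.
    inventory.sort(key=lambda e: (not e["shadow"], not e["write_access"], e["created"]))
    return inventory


if __name__ == "__main__":
    for e in shadow_agent_inventory(SAMPLE_EXPORT, today=date(2026, 4, 1)):
        status = "SHADOW" if e["shadow"] else "registered"
        print(f'{e["id"]:8} {status:10} {e["owner"]:18} {" ".join(e["accesses"])}')
```

The output is the shadow agent inventory in review order: unregistered credentials with write access come first, and each row lists what the credential can reach.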

2. Gate Your Agents with a Compliance Check Before They Negotiate

Pactum’s Requisition Alignment Agent does one thing before activating any negotiation agent: it screens the purchase request for compliance. The result — one deal closed in 87 seconds, 2-30% value uplift across 50+ enterprises including Walmart and Maersk. The lesson is the architecture, not the speed. Your move: Any agentic workflow that touches money, contracts, or external parties needs a pre-flight gate. Build a lightweight compliance agent that checks inputs against your approval rules before the action agent fires. A 5-second gate that catches a bad purchase order beats a 3-day approval process and a signed mistake.

3. Sandbox Every Agent — MicroVMs Are Now a One-Line Deploy

NanoClaw and Docker just shipped a joint integration that spins up a dedicated MicroVM with its own kernel for every agent execution. No shared kernel, no escape paths, no cross-contamination between agent runs. This is the architecture enterprises have been waiting for before they’ll let agents touch production systems. Your move: If you’re running agents that access live infrastructure, file systems, or external APIs, containerization alone isn’t enough. MicroVM-per-agent is the new baseline. Test the NanoClaw + Docker sandbox integration in your staging environment this week. The setup is minimal. The security posture improvement is not.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Steal This

The 5-Minute Agent Setup with Microsoft AI Toolkit (VS Code, March 2026 update):

1. Install the AI Toolkit extension in VS Code
2. Hit "New Agent Workspace" — one click scaffolds a full Foundry-connected project
3. In Settings → Tool Calls, set approval mode: "auto" for read-only tools, "manual" for writes
4. Connect GitHub Copilot for inline agent code suggestions
5. Deploy to Azure Foundry from the sidebar — no YAML, no config files

What used to take a full afternoon now takes under 10 minutes. The MCP tool-call approval toggle alone eliminates the most common reason devs don’t ship agents to production: fear of unchecked side effects. Turn on manual approval. Ship it. Loosen the leash after you’ve watched it run.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Also on Our Radar

  • Alibaba’s DingTalk is shipping a Qwen-powered enterprise agent that autonomously manages computers, browsers, and cloud infra — backed by $53B in AI investment. Triple-digit sector growth. If you’re building in the enterprise agent space, you now have a well-funded Chinese incumbent coming for the same buyers.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

If this issue saved you from a shadow agent incident, forward it to the person on your team who’s deploying automations without telling anyone. You know who it is. → insider.dforge.ca

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

AI Agent Insider is a weekly briefing for founders and operators who build with AI agents. No hype. No sponsored picks. Just signal.
