MODULE 8 · DAY 2
Securing & Governing AI Workloads
Harden and ship the crew — the open-source way
Gourav Shah · School of DevOps & AI · Hands-on
M8·01
What you'll learn
Six controls that make a containerized agent safe to ship to production.
By the end: the M7 crew shipped through a pipeline that gates on security before it signs.
M8·02
An agent is a security surface
It runs tools, may execute generated code, reads credentials, and reaches the network.
Every exposure above is untrusted by default. Left unguarded, one compromised tool call becomes host access.
M8·03
Three things every shipped product needs
Ship an AI image like a food manufacturer ships a ready-meal — label, inspection, seal.
Together they make the image trustworthy, auditable, and verifiable at every hop — laptop to registry to host.
M8·04
The supply-chain pipeline
Every agent, model, or code image passes through this before it deploys.
The scan must run before the sign — and the sign must not run if the scan fails.
M8·05
Two scanners disagree — that's the feature
Different advisory feeds catch different CVEs. Run both; triage by fixable + severity.
Fixable Critical/High → rebuild on a patched base. No fix → mitigate & log. Medium → track, don't block CI.
M8·06
Cosign: the tamper-evident seal
Key-based locally so you see the mechanics; keyless OIDC in CI so there's no key to leak.
A policy engine (Kyverno, OPA, or a pre-deploy script) refuses any image without a valid signature.
M8·07
Sandbox: a box with no blast radius
Run tool and generated code in an ephemeral, locked-down container — then throw it away.
Deeper isolation: gVisor intercepts syscalls in user space; ToolHive runs each MCP tool in its own box.
M8·08
Hardening the agent image
The sandbox is for untrusted code. The agent image itself still needs a small attack surface.
These controls are additive — even an exploited dependency finds almost nothing to work with.
M8·09
Guardrails at the model boundary
Supply chain protects the infra; guardrails protect what goes in and comes out.
Reuse M6's guardrail: a cheap classification call in front, and a reviewer that blocks destructive actions.
M8·10
Lightweight eval — smoke test for behavior
A handful of labeled cases, run in CI on every push, catches regressions before production.
You don't ship what you can't measure — evals plus tracing tell you the guardrails still work.
M8·11
Governance without a vendor
Governance is four documented, enforced answers — written in YAML, enforced by open tools.
The SBOM → scan → sign pipeline is the evidence trail that makes "who approved it?" auditable.
M8·12
SHIP IT SAFELY
Trust is a pipeline, not a promise
In the lab: run Syft, Trivy, Grype & Cosign on the crew image; prove sandbox isolation; wire a guardrail + eval; read the CI pipeline.
Head to Module 8 · Lab. · Gourav Shah · School of DevOps & AI
M8·13