Tigera introduces unified control plane for Kubernetes-based AI agent security

Tigera has announced the general availability of Tigera Lynx, a unified control plane for Kubernetes-native AI agents. Lynx gives enterprises a single place to find every agent in their Kubernetes estate, tighten security posture, assign sandboxes, provide each agent with a cryptographic identity, enforce policy on every action it takes, audit agent activity, and detect anomalous behavior, all without changing a line of agent code.

Tigera Lynx

AI agents do not behave like the workloads enterprise security stacks were built to manage. They are autonomous and non-deterministic: acting on behalf of users, accessing tools, LLMs, and other agents, operating through delegation chains, and consuming untrusted input. As a result, three teams often view the same challenge from different perspectives. AI teams want to experiment with new technologies and move quickly. Platform engineering teams are measured on deployment velocity but cannot easily prove the platform is under control. Security teams are asked to approve agents without being able to confidently assess their security posture. A valid credential does not guarantee safe behavior, and the blast radius can change every time a new agent, tool, or platform update is introduced.

Lynx sits in the path of every agent call, whether agent-to-agent, agent-to-tool, or agent-to-LLM, to authenticate, authorize, mediate, and audit each one. It plugs into the tools enterprises already run, including their identity provider (EntraID, Okta) or SPIFFE/SPIRE for workload identity, and their existing observability systems, and is built on open standards rather than proprietary lock-in.

One control plane, five capabilities

  • Discovery, registration, and observability. A central registry catalogs every agent with its owner, purpose, and version, while eBPF-powered auto-discovery finds agents nobody registered. Shadow agents are flagged and quarantined, and any agent’s actions can be reconstructed end-to-end through OpenTelemetry traces.
  • Configuration and posture management. AI-CSPM continuously evaluates every agent against a baseline, surfacing drift and over-permissions the moment they happen, with per-agent sandboxing and pre-built compliance packs mapping to GDPR, HIPAA, SOC 2, and financial services requirements. A Red Team Agent continuously probes for weaknesses in posture and misconfigurations.
  • Identity and authentication. Every agent gets a verifiable cryptographic identity through integration with an enterprise’s identity provider (EntraID, Okta) or through SPIFFE/SPIRE, with no shared secrets. Long-lived API keys are replaced by short-lived, tightly scoped, auto-rotated tokens. A JWT is minted for every hop in a multi-agent workflow.
  • Policy definition and enforcement. A single default-deny policy governs LLM, MCP, and agent access using the Cedar policy language, enforced at the gateway before any call executes — with no agent code changes. Misbehaving agents can be quarantined instantly and high-stakes calls routed to a human.
  • Anomalous behavior detection. eBPF and LSM watch every syscall, network call, and file access at a layer agents can’t tamper with, catching credential theft and lateral movement even when an action passes policy. This provides a forensic audit trail. Guardian Agent detects anomalous behavior and quarantines suspicious agents.
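To make the policy bullet concrete, here is an added illustration of what a default-deny Cedar policy for agent, MCP tool and LLM access can look like. This is not Tigera's shipped policy and not code from the page; the entity types (Agent, Tool, Model), the action names, and the context fields (hop_count, human_approved) are assumptions about a hypothetical schema. What it relies on is Cedar's own semantics: a request with no matching permit is denied, and any matching forbid overrides every permit.

```cedar
// Added example, not Tigera Lynx's own policy. Entity types, actions and
// context attributes are assumed; Cedar itself is default-deny, so a call
// that matches no permit below is refused at the gateway.

// Allow one named agent to invoke one named MCP tool.
permit(
  principal == Agent::"order-assistant",
  action == Action::"invoke_tool",
  resource == Tool::"inventory-lookup"
);

// Allow the same agent to call one approved LLM endpoint.
permit(
  principal == Agent::"order-assistant",
  action == Action::"call_llm",
  resource == Model::"approved-chat-model"
);

// forbid overrides permit: cap delegation depth for every agent,
// even ones that hold a valid permit above.
forbid(
  principal,
  action,
  resource
) when { context.hop_count > 3 };

// High-stakes tool: deny unless a human reviewer approved this call,
// which is how a "route to a human" step can be expressed in policy.
forbid(
  principal,
  action == Action::"invoke_tool",
  resource == Tool::"issue-refund"
) unless { context.human_approved == true };
```

The useful property for reviewers is that nothing in these policies lives in the agent's code: adding a tool, tightening a scope, or inserting a human-approval gate is a policy change evaluated at the gateway, and an agent that acquires a new credential still cannot reach a resource no permit names.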

“For over a decade, Tigera’s Calico platform has served Global 2000 companies running the largest Kubernetes platforms in the world, securing tens of millions of mission-critical transactions every day. AI agents are the next class of workloads: autonomous, distributed, and increasingly embedded in critical business processes. Lynx brings that same unified control and security rigor to AI agents. We’re building on our core competency — securing mission-critical workloads at scale on Kubernetes, in a highly performant way,” said Ratan Tipirneni, CEO of Tigera.

“Control only matters if it’s enforced uniformly. Lynx gives every agent a cryptographic identity, scopes credentials to a single hop, and evaluates every LLM, MCP, and tool call against a default-deny policy at the gateway — with no agent code changes. Because we watch behavior with eBPF and LSM at the kernel, we can detect an agent going wrong even when it carries a valid credential, and produce a reproducible audit trail to prove it,” said Peter Kelly, Chief Technology Officer of Tigera.
