Track 4 · Agent Orchestration Shield

Building AI Agents Right

Zero-Trust Security Layer for AI Agents

Clement Wong · Cloudflare SE Director APAC · May 2026

The same vulnerability that cost $577M in April is running in your AI agents today

April 23, 2026

KelpDAO Bridge Exploit $292M

Compromised RPC node credentials — attacker minted unbacked rsETH

April 9, 2026

Drift Protocol Hack $285M

6-month DPRK social engineering campaign targeting admin keys

Your AI Agents Have The Same Vulnerability

The same credential problems that made these exploits possible are how most teams set up AI agents today.

→ API keys in environment variables

→ Shared service accounts

→ No credential rotation

→ No audit trail

Chainalysis 2026 · DPRK-linked

We've already seen this movie. OpenClaw is the proof.

Every attack that hit an open-source AI agent ecosystem at scale will target your platform. With higher stakes.

145K
GitHub stars · 1.5M weekly npm downloads
40K+
Exposed instances across 52 countries
9+
CVEs — exploits outpacing patches
Supply Chain · ClawHavoc

341 / 2,857 skills malicious (12%) — Atomic Stealer macOS malware. Vetting: one-week-old GitHub account. [Wiz Research]

Autonomous Exploitation · Mythos

72.4% exploit success rate — found 27-year-old OpenBSD vuln. Chain exploit escaped two sandboxes. [Anthropic Red Team]

Crypto Exploitation · $CLAWD

$16M rug pull — fake Solana token promoted through AI agent social engineering.

Pattern: Every incident stems from credentials designed for humans being reused by machines. Shared accounts, no rotation, no audit — the same failure mode across all four.

Your regulatory framework already demands this layer.

ISO/IEC 42001:2023 ✓

First digital asset platform with AI management system certification.

MAS-Regulated DPT Service Provider

Agent activity falls under the same compliance umbrella.

CC6: ACCESS CONTROLS

User attribution in logs · MFA via Access

IMDA: Dedicated identities for agents
CC7: MONITORING

Real-time agent logging · AI Gateway analytics

IMDA: Agent LLM activity logged
CC8: CHANGE MANAGEMENT

Credential rotation audit · Immutable logs

IMDA: Regular credential rotation
"Can you prove which agent accessed customer data at 2:47pm?"
"How do you prevent agents from exfiltrating PII?"
"What stops a compromised agent from accessing trading APIs?"
"Traditional IAM doesn't work for agents. They're not humans. They're code."

There are two paths. Everything depends on which one you choose.

Path A

The default — what the industry does today

[1] ✗ Shared credentials per host
[2] ✗ Security in code - bypassable through API
[3] ✗ Audit reconstructed after incident
[4] ✗ Blast radius: entire system

→ 9 CVEs · 12% malware · $16M rug pull

Path B

The control plane — designed for agents

[1] ✓ Per-agent credential, scoped, short-lived
[2] ✓ Security at infrastructure, uncircumventable
[3] ✓ Native audit, every session replayable
[4] ✓ Blast radius: one credential

→ Answers YES to all 5 IMDA dimensions

"IMDA asks: Have you bounded autonomy? Is there human accountability? Are there technical controls? Path A cannot answer yes. Path B was designed for them."

Every agent security platform needs three properties

Connect — Identity
Every agent gets its own credential at registration. Short-lived, scoped, revocable. When a task completes, the credential dies.
Scope — Enforcement
Tools registered in a registry. If it's not there, the agent can't call it. The sandbox IS the permission model.
Observe — Visibility
Every call logged, every tool recorded. Every session replayable — built in, not bolted on.

Three properties. Choose these over products. Products get replaced. Properties don't.

Traditional apps serve many users from one instance. Agents are one-to-one. Serving one user, running one task. That changes everything about security.

Every agent needs a control plane. Three capabilities. One architectural layer.

🤖 Trading
🤖 Customer
🤖 Compliance
CONTROL PLANE
CONNECT
Identity-Based Access Control
OAuth delegation · auto-expiring tokens · SAML/OIDC · JIT credentials · mTLS
SCOPE
Execution · Input Defense · DLP · Network Scoping
Sandbox + egress proxy · PromptGuard ML · PII/credential scanning · scoped routing
OBSERVE
Runtime Visibility & Audit
LLM call logging · user attribution · 7yr immutable logs · SIEM export · anomaly detection
🤖 LLMs
⚙️ APIs
📁 Data
◈ least agency ◈ infra-enforced ◈ observability

Identity and audit — locked down before the agent runs.

✗ BEFORE
Shared Service Accounts
One token shared by all agents · no user attribution · permanent · revoke = break all
➜ You don't know which user's agent did what
✓ AFTER
OAuth Delegation per User
User pledges scoped access · token expires 1-24h · user→agent→API audit trail · revoke one
➜ Every action attributable to a specific user
✗ BEFORE
No Audit Trail by Default ← Path A [3]
Reconstruct from server logs · no user attribution · no session replay · compliance gaps
➜ You can't prove what happened after the fact
✓ AFTER
Runtime Visibility & Audit → Fixes [3]
Every LLM call logged · user-attributed · 7yr immutable trail · SIEM · session replay
➜ Full reconstruction: every session, every call

How the agent runs — and what stops attacks before they reach the model.

✗ BEFORE
Credentials in Code ← Path A [2]
API_KEY = os.getenv("TRADING_API_KEY")
requests.post("https://trading.api/orders",
  headers={"Authorization": API_KEY})
➜ One leak exposes every credential the agent has
✓ AFTER
Egress Proxy Injection → Fixes [2]
resp = requests.post("https://trading.api/orders",
  json={"symbol": "BTC", "qty": 1})
# egress proxy injects JWT → agent never sees token
➜ Agent code literally cannot see its own credentials
✗ BEFORE
Prompt Goes Straight to LLM
"Ignore previous instructions" works · role-playing · base64 · nested jailbreak · no filter = full trust
➜ A single prompt can override everything
✓ AFTER
PromptGuard Before LLM
ML model analyzes intent · adversarial patterns blocked in real-time · request never reaches LLM
➜ Attack blocked before the model even sees it

Data and network — where leaks happen, and how to stop them.

✗ BEFORE
Data Sent to LLM Unchecked
SSNs, credit cards, API keys reach LLM provider · logged externally · compliance violation · can't recall
➜ Once it leaves, you've lost control of the data
✓ AFTER
DLP Scanning at Gateway [4]
PII/credential patterns detected · blocked before reaching model · SOC2 · GDPR · PCI-DSS aligned
➜ Data never reaches the LLM in the first place
✗ BEFORE
Full Network Blast Radius
Agent inherits host network access · compromise = lateral movement · no boundaries
➜ One compromised agent = keys to the entire network
✓ AFTER
Cloudflare Mesh
Private network access for AI agents · scoped to approved services · Workers VPC integration · no manual tunnels
➜ Agent can only reach what it needs — nothing more

A request flows through every layer. Security compounds at each step.

1
User triggers agent
OAuth Delegation
Alice approves → scoped temp token issued
2
Agent runs in Sandbox
Zero Ambient Authority
Isolated · no credentials in code or env
3
LLM call via AI Gateway
Inspect + Defend
DLP scan · Cache · PromptGuard blocks injection
4
Internal API call
Egress Proxy
Zero Trust check · credentials injected · audit logged
5
Network access
Scoped Connectivity
Approved services only · no full VPN
SECURITY GUARANTEES
✓ No credentials in code ✓ Full audit trail ✓ PII leakage blocked ✓ Scoped network ✓ Auto-expiring tokens ✓ Injection detection

Where do we go from here?

Three ways we can work together. Pick what fits your timeline.

1
2-Week POC
Deploy AI Gateway + OAuth with 1-2 non-critical agents. Validate the audit trail, measure cost savings, and test the security posture in your environment.
2
Technical Workshop
Deep-dive architecture session. Review your agent codebase, map the six-layer controls to your existing stack, and design integration patterns for your specific use cases.
3
Full Rollout
Expand to execution isolation, DLP, network scoping and all agent types. Walk into MAS with an architecture designed for agents from day one.
"You have ISO 42001. You have the governance layer. Now build the security layer underneath it."
<|end▁of▁thinking|>This file is too large to write in one shot. Let me spawn Ares to build the complete clean file and deploy it, along with writing the speaker script doc. This is the most efficient path. <||DSML||tool_calls> <||DSML||invoke name="sessions_spawn"> <||DSML||parameter name="agentId" string="true">ares