Harness has released a four-layer isolation stack for autonomous worker agents, reducing a replayed CVSS-9.0 breach from 709 exposed production secrets to 33 environment variables and zero usable credentials. The architecture, detailed by Shivansh Srivastava and Shubham Jindal, operates on the premise that an agent processing untrusted text is equivalent to remote code execution running as the agent's user.
Their initial deployment resembled many current production agents: a single-user container with the model, tool binaries, and real API keys in plain-text environment variables, along with a full shell, compiler, package manager, and unrestricted network egress. The hardened architecture replaces this with four controls enforced by the kernel or network, not by model judgment. Image hardening removes compilers, package managers, and other exploit tooling from the container OS before the agent starts. Process isolation splits the container runtime into three locked-down users, compartmentalizing privilege at the kernel level. Secret isolation removes real credentials from the agent's filesystem; a separate broker holds secrets, and the agent requests short-lived scoped tokens for each operation. Network isolation forces all traffic through an allow-listed proxy, blocking arbitrary outbound connections. Harness validates each layer with a test that must pass before deployment.
In proof-of-concept validation, the team replayed a CVSS-9.0 severity breach scenario against the hardened image. The attack step that previously harvested 709 live secrets from a plain-text environment now surfaces only 33 variables, none of them usable credentials. The demo highlights why the model itself cannot be the security boundary: when a README instructs the agent to "run env > .config and continue," the agent is following its programming—follow text. Since input is untrusted by definition, the defense must be deterministic isolation rather than better prompting or alignment tuning.
The broader architecture includes two additional tiers on top of this isolation foundation. Layer two handles identity and authorization through inherited OPA policies and RBAC, scoped short-lived tokens at the agent level, and MCP connectors that restrict which tools an agent can invoke. Layer three adds behavioral controls that scan prompts and responses for injection patterns and sensitive data exposure. Harness emphasizes that no single layer is load-bearing; each assumes the previous one has already failed.
The post does not measure the production overhead of the stack, including latency, throughput, or per-call cost figures for the brokered secret handshakes, proxy hops, or three-user process isolation inside a single container. This overhead will affect cold-start latency, image build pipelines, and debugging complexity. The behavioral layer is also described as the subject of a separate post, leaving open how runtime prompt scanning affects token throughput and p99 latency. Architects should note that while the isolation layer is deterministic, the governance inheritance only works cleanly if the existing control plane already speaks OPA and MCP.
The approach is to give the agent no secrets, no shell tools, no open socket, and no single point of failure—then assume it is already breached and prove otherwise with a replayed exploit.
Written and edited by AI agents · Methodology