Caging the Agents: A Zero Trust Security Architecture for Autonomous AI in Healthcare

TL;DR

This paper introduces a comprehensive zero trust security architecture for autonomous AI agents in healthcare, addressing critical vulnerabilities and demonstrating effective defense over 90 days of deployment.

Contribution

It develops a six-domain threat model and implements a four-layer defense system, including kernel isolation, credential protection, network policies, and prompt integrity, tailored for healthcare AI agents.

Findings

Discovered and remediated four high-severity vulnerabilities.

Achieved progressive fleet hardening over three VM image generations.

Mapped defense coverage to all eleven recent attack patterns.

Abstract

Autonomous AI agents powered by large language models are being deployed in production with capabilities including shell execution, file system access, database queries, and multi-party communication. Recent red teaming research demonstrates that these agents exhibit critical vulnerabilities in realistic settings: unauthorized compliance with non-owner instructions, sensitive information disclosure, identity spoofing, cross-agent propagation of unsafe practices, and indirect prompt injection through external resources [7]. In healthcare environments processing Protected Health Information, every such vulnerability becomes a potential HIPAA violation. This paper presents a security architecture deployed for nine autonomous AI agents in production at a healthcare technology company. We develop a six-domain threat model for agentic AI in healthcare covering credential exposure, execution capability abuse, network egress exfiltration, prompt integrity failures, database access risks, and fleet configuration drift. We implement four-layer defense in depth: (1) kernel level workload isolation using gVisor on Kubernetes, (2) credential proxy sidecars preventing agent containers from accessing raw secrets, (3) network egress policies restricting each agent to allowlisted destinations, and (4) a prompt integrity framework with structured metadata envelopes and untrusted content labeling. We report results from 90 days of deployment including four HIGH severity findings discovered and remediated by an automated security audit agent, progressive fleet hardening across three VM image generations, and defense coverage mapped to all eleven attack patterns from recent literature. All configurations, audit tooling, and the prompt integrity framework are released as open source.