May 31, 2026

VAST Data’s Zero Trust Framework for Agentic AI - Enhanced with NVIDIA Vera BlueField-4 STX and NVIDIA DOCA Security

Authors: Calvin Nieh, Technical Alliances Product Marketing Manager | Violet Rodriguez, Software Architect | Glenn K. Lockwood, Principal Technical Strategist

Security models built for a pre-agentic world break down when workloads transition from interactive human queries to autonomous agents executing code at silicon speed. For AI cloud providers and AI-forward enterprises, traditional RBAC and perimeter defense cannot contain the failures of misconfigured permissions exploited ten thousand times in seconds. Securing agentic AI requires Zero Trust to be architected into your data foundation, including the software operating system, compute, and data fabric.

To solve this, VAST and NVIDIA have co-engineered a secure-by-design, zero-trust data architecture for multi-tenant AI infrastructure. The VAST Data AI Operating System provides a proven, secure, zero-trust foundation with the observability and policy engine required to manage risk at agentic scale. By combining VAST’s native agent observability and inline policy enforcement with NVIDIA Vera BlueField-4 STX and the NVIDIA DOCA software platform, this architecture establishes a hardware-isolated secure boundary across the entire pipeline - safeguarding underlying datasets, active inference models, and autonomous agents.

A Secure, Zero-Trust Foundation

When software agents join humans as first-class users of infrastructure, user-centric security models are insufficient.

Unlike human users, agents operate at machine speed with programmatic credentials, and a misconfigured permission that a human might exercise once can be exercised thousands of times before anyone notices. The VAST AI OS addresses this through a zero-trust model where every agent interaction operates under delegated permissions, bounded by policies that are continuously enforced across every request. If access to a file is revoked, the MCP tools that may serve its contents immediately lose access as well, which stops that file from affecting future agent reasoning.

The same zero-trust posture applies at the tenant boundary. When multiple teams share a cluster, cryptographic isolation keeps their data, agents, tools, and interactions separate from each other and from infrastructure operators. By encrypting each tenant with customer-held keys stored with an external key manager (EKM), teams have exclusive control over their data without the loss of resource utilization that comes with physically partitioned tenants.

By themselves, these features provide a secure foundation for the data that power agentic systems. However, agents themselves also generate and exchange data as they interact with MCP tools and other services. If an agent loses access to a file after it has already been read, that agent may still reason using that data, pass it on to other agents, and propagate it throughout the workflow. This demands a new layer of data governance capabilities that go beyond authentication and authorization.

To address these new governance challenges within agentic systems, VAST Data is developing the VAST PolicyEngine, an inline policy enforcement engine that inspects and limits the information that flows between agents, tools, and data sources as agentic systems execute. NVIDIA Vera BlueField-4 STX, with its ability to perform in-silicon memory analysis with DOCA Argus and line-rate policy enforcement of agentic interactions with DOCA Flow and DOCA Vault, enables PolicyEngine not only to enforce policies on agentic systems in real time, but also to adapt these policies in response to agent behavior.

Observability of Agentic Pipelines and AI Tools

Determining whether an agent or tool is trying to operate on data it shouldn’t be using requires deep observability into agents, tools, and how they interact. The VAST AgentEngine, the agent runtime within the VAST AI OS, provides this observability as a core capability. It retains detailed traces of the interactions between agents, tools, and data, and as a byproduct, provides the VAST PolicyEngine with visibility into the data and actions that propagate as agents interact. This allows PolicyEngine to stop agents from communicating with each other if they are passing data that they shouldn’t.

NVIDIA DOCA Argus adds a new dimension to AgentEngine by providing in-silicon memory analysis of what individual agents and tools are doing. With this level of observability, PolicyEngine gains the ability to take action on agents that are observed to be reasoning about data that they already have. For example, if a long-running reasoning agent picked up personally identifiable information (PII) that was subsequently deleted from the VAST DataStore, the agent may still have that PII in its context memory and inappropriately continue to use it. DOCA Argus gives AgentEngine the visibility needed to determine that PII is being misused, and AgentEngine can then terminate that agent and effectively erase its memory.

Real-Time Policy Enforcement and Cyber Security Integration

The AI workload telemetry from the VAST AgentEngine’s built-in observability and NVIDIA DOCA Argus’ in-silicon memory analysis gives PolicyEngine a broad set of ways to detect and prevent misbehavior by agents and tools. However, developing policies that cover all of the ways in which complex agentic systems may misbehave is itself a complex and constantly evolving challenge. To address this challenge, VAST is integrating PolicyEngine’s real-time policy enforcement with external cybersecurity systems like the CrowdStrike Falcon® platform to ensure that policies adapt as workloads, users, and the environment change.

The VAST AgentEngine and NVIDIA DOCA Argus both provide the telemetry feeds that detection and correlation engines use to identify threats like basic prompt injection (e.g., “ignore all previous instructions and…”). However, neither AgentEngine nor DOCA Argus knows what the response to these threats should be when they happen.

Bidirectional integrations between the VAST AI OS and platforms such as the Falcon platform allow these observations to be turned into action. When a cybersecurity platform identifies a threat, it can trigger an automated response workflow that generates a policy update in PolicyEngine to specifically mitigate the threat. Continuing the earlier example, a prompt injection attack identified by CrowdStrike would result in a PolicyEngine update that blocks that prompt from ever being issued to an LLM by an agent. PolicyEngine would then enforce that policy below the application trust domain, or offload that policy directly to NVIDIA DOCA Flow running in the BlueField-4 silicon.

By integrating the VAST AI OS with NVIDIA Vera BlueField-4 STX and an external cybersecurity platform such as CrowdStrike Falcon, all interactions between agents, tools, and data become governable in real time and responsive to changes in workloads, environments, and policies without compromising on performance or efficiency.

AI Cloud Provider and Enterprise Data Protection

VAST AI OS provides built-in multi-tenancy and network isolation capabilities designed for secure, large-scale AI factories and AI-native environments. Each tenant operates with isolated data paths, dedicated or policy-bound virtual IP pools, tenant-aware access controls, and independent authorization domains, enabling secure separation between AI agents, inference pipelines, users, and datasets on shared infrastructure. VAST supports tenant-level isolation across NFS, S3, Kafka, and Block services while maintaining consistent security and operational policies across the entire AI data platform. When network isolation capabilities are enhanced by DOCA HBN and DOCA Flow running within Vera BlueField-4 STX, isolation becomes even more air-tight, ensuring infrastructure-level authorization and policy enforcement with tenant-aware isolation across agents, tools, services, and data.

The Point

Building a secure enterprise AI factory or multi-tenant AI cloud requires a tight coupling of software intelligence and hardware enforcement. Software-layer abstractions are vital for policy governance and agent observability. Protecting autonomous pipelines at machine speed requires granular authorization policies on every access request in silicon. By unifying VAST’s AI OS, telemetry and inline data governance with NVIDIA Vera BlueField-4 STX in-silicon security and NVIDIA DOCA security innovations, AI infra and security leaders can minimize agentic risks and isolate multi-tenant workloads at line rate.

For CISOs and AI architects, this hardware-software convergence isn't a secondary security layer; it represents the state-of-the-art architecture required to deploy governed, performant, and autonomous AI infrastructure at scale.

Learn more

To learn more about how VAST and NVIDIA are advancing secure infrastructure for agentic AI, join us this week at NVIDIA GTC Taipei at COMPUTEX 2026, where we’ll be discussing the architectural foundations required to secure autonomous AI systems at enterprise scale. From zero-trust data pipelines to hardware-enforced isolation and real-time agent observability, VAST is helping define the next generation of AI infrastructure security alongside NVIDIA.

We look forward to connecting with customers, partners, and the broader AI ecosystem at GTC Taipei.
