AKIOS is minimal by design, but you still need a few guardrails to keep agents contained in real environments. Use this checklist before you ship to production.

Why Hardening Matters

AKIOS provides kernel-level isolation out of the box. But the runtime is only one layer. The host, the CI/CD pipeline, the policy management process, and the audit storage all need to be hardened too. A Security Cage is only as strong as the weakest layer in the stack.

This checklist covers the five hardening domains, each layered on the one before it:

  1. Host Hardening: kernel, capabilities, mounts
  2. Policy Discipline: sign, deny-default, budget
  3. Audit + Observability: immutable sinks, alerts
  4. PII & Secrets: redaction, vault, env
  5. CI/CD Safety: dry-run, namespace, hash gates

The Checklist

| Domain | Check | Command / Action | Priority |
|---|---|---|---|
| Host | Recent Linux kernel with seccomp, userns, cgroups v2 | `uname -r` → 5.15+ | 🔴 Critical |
| Host | Drop unneeded capabilities (NET_ADMIN, SYS_ADMIN) | `capsh --print` | 🔴 Critical |
| Host | Mount /tmp as noexec | `mount -o remount,noexec /tmp` | 🟡 Recommended |
| Policy | Sign policies; load only signed artifacts in CI/CD | `akios policy sign policy.yml` | 🔴 Critical |
| Policy | Default-deny network and filesystem; allowlist exact hosts and paths | Verify `network: isolated` in policy | 🔴 Critical |
| Policy | Per-tool budgets tight; fail closed on budget overflow | `budget.max_cost_per_run: 0.50` | 🟡 Recommended |
| Audit | Ship audit logs to immutable sink (append-only bucket) | `akios audit export --format jsonl` | 🔴 Critical |
| Audit | Enable Merkle proofs export; validate in CI smoke tests | `akios audit verify` | 🔴 Critical |
| Audit | Alert on sandbox escapes, policy denials, kill-switch activations | Configure alerting in monitoring stack | 🟡 Recommended |
| PII | Keep PII redaction on for all agents; treat opt-outs as exceptions | `pii_redaction: { enabled: true, mode: aggressive }` | 🔴 Critical |
| PII | Store secrets in vault; inject via env with least privilege | Never put secrets in prompts or policy files | 🔴 Critical |
| CI/CD | Gate PRs on `akios run --dry-run` | Add to CI pipeline before merge | 🟡 Recommended |
| CI/CD | Run sample workflows in throwaway namespace/VM per PR | Ephemeral runners in CI | 🟡 Recommended |
| CI/CD | Block merges if audit output deviates from expected hash chain | `akios audit verify --expected-hash $HASH` | 🟡 Recommended |

Example: Hardened Policy

Here's a production-ready policy with all hardening applied:

# hardened-production.yml
version: 1
name: "hardened-production"

security:
  sandbox: strict
  network: isolated
  allowed_endpoints: []  # default-deny

filesystem:
  allow:
    - path: "/workspace/input"
      mode: "r"
    - path: "/workspace/output"
      mode: "w"
  deny_writes: true  # everywhere else

http:
  allow: []  # no HTTP access
  redact_headers: ["authorization", "cookie", "x-api-key"]

llm:
  provider: "openai"
  model: "gpt-4.1"
  max_tokens: 500
  budget_usd: 0.50
  redact_prompts: true
  redact_responses: true

tools:
  allow:
    - name: "jq"
    - name: "grep"
  timeout_sec: 20
  working_dir: "/workspace"

audit:
  merkle: true
  pii_redaction: true
  export_format: jsonl
  retention_days: 2555  # 7 years

pii_redaction:
  enabled: true
  mode: aggressive
  patterns: [ssn, ein, credit_card, bank_account, email, phone, api_key]

Verifying Your Hardening

Run the built-in diagnostics to check your hardening posture:

# Check system readiness
akios doctor

# Validate policy before deployment
akios run --dry-run templates/my-workflow.yml

# Verify audit chain integrity
akios audit verify

# Generate compliance report
akios compliance report --format detailed

Expected output from akios doctor:

[akios] System Diagnostics
  ✅ Kernel: 6.1.0 (seccomp-bpf supported)
  ✅ cgroups: v2 enabled
  ✅ User namespaces: enabled
  ✅ /tmp: noexec mount
  ✅ Capabilities: minimal set
  ⚠️  Docker: available (fallback mode)
  ✅ PII redaction: enabled (aggressive mode)
  ✅ Audit: Merkle chain initialized
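An added host preflight, not AKIOS's own code, that re-implements the Host rows of the checklist so a CI runner can assert them independently of `akios doctor`. It assumes a Linux host with `/proc` and, for the capability check, libcap's `capsh`; each check takes its input as an argument so it can be exercised against constructed values.

```shell
#!/bin/sh
# Added example (not AKIOS code): POSIX-sh preflight for the Host rows of the
# checklist. Each check takes its input as an argument so it can be exercised
# against constructed values; `--live` reads the real host instead.
# kernel_ok "<uname -r>": major.minor must be >= 5.15 (seccomp, userns, cgroups v2).
kernel_ok() {
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
  [ "$major" -gt 5 ] && return 0
  [ "$major" -eq 5 ] && [ "${minor:-0}" -ge 15 ] && return 0
  return 1
}

# cgroup2_ok "<contents of /proc/mounts>": the unified cgroup v2 hierarchy must be mounted.
cgroup2_ok() { printf '%s\n' "$1" | grep -q '^cgroup2 /sys/fs/cgroup cgroup2 '; }

# userns_ok "<contents of /proc/sys/user/max_user_namespaces>": 0 disables user namespaces.
userns_ok() { [ "${1:-0}" -gt 0 ]; }

# tmp_noexec_ok "<contents of /proc/mounts>": the /tmp mount's options must include noexec.
tmp_noexec_ok() {
  printf '%s\n' "$1" | awk '$2 == "/tmp" && $4 ~ /(^|,)noexec(,|$)/ { ok = 1 } END { exit !ok }'
}

# caps_ok "<capsh --print output>": the Current set must not contain cap_sys_admin or
# cap_net_admin. An empty name list ("Current: =ep") is libcap shorthand for ALL
# capabilities and fails too; "Current: =" (no capabilities) passes; no Current line fails.
caps_ok() {
  cur=$(printf '%s\n' "$1" | grep '^Current:' | head -n 1)
  [ -n "$cur" ] || return 1
  case "$cur" in
    "Current: =ep"*|*cap_sys_admin*|*cap_net_admin*) return 1 ;;
  esac
  return 0
}

# report <check> <input>: run one check, print PASS/FAIL, and tally failures.
report() {
  if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi
}
if [ "${1:-}" = "--live" ]; then
  fails=0
  mounts=$(cat /proc/mounts)
  report kernel_ok "$(uname -r)"
  report cgroup2_ok "$mounts"
  report userns_ok "$(cat /proc/sys/user/max_user_namespaces 2>/dev/null)"
  report tmp_noexec_ok "$mounts"
  # A missing capsh is treated as the worst case (all capabilities), not skipped.
  report caps_ok "$(capsh --print 2>/dev/null || echo 'Current: =ep')"
  exit "$fails"
fi
```

Run it as `sh host-preflight.sh --live` on the target host; the exit status is the number of failed checks, so it can gate a pipeline stage before `akios doctor` and `akios run --dry-run`.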

Common Mistakes

  1. Running with --no-sandbox — Never disable the sandbox in production. If you need debugging, use --dry-run instead.
  2. Allowing * in network policies — This defeats the purpose. Allowlist specific hosts.
  3. Storing API keys in policy files — Use environment variables or a secrets vault.
  4. Ignoring audit chain breaks — A broken chain means something was tampered with. Investigate immediately.
  5. Setting budget to unlimited — Always set a budget, even if generous. The kill-switch is your last line of defense.

Try It Yourself

pip install akios
akios doctor
akios run --dry-run templates/hello-workflow.yml

Ship with these basics and you'll keep your security tight while you iterate.

Secure your AI. Build with AKIOS.