DEV Community

Robert Pelloni
Robert Pelloni

Posted on • Originally published at tormentnexus.site

Zero-Trust AI Architecture: Authenticating Every Tool Call, Memory Access, and Model Request

Zero-Trust AI Architecture: Authenticating Every Tool Call, Memory Access, and Model Request

Self-hosted AI systems face a unique threat surface: every tool call, memory retrieval, and model inference can be an attack vector. Learn how to implement TLS, per-request authentication, and network isolation to achieve a true zero-trust AI architecture on HyperNexus.

When you self-host an AI agent, you're not just running a language model — you're deploying a distributed system with multiple attack surfaces. Each tool call to a database or API, each memory retrieval from a vector store, and each model request to an inference endpoint can be exploited if left unprotected. Traditional perimeter-based security assumes internal traffic is safe, but in a zero-trust AI architecture, every single interaction must be authenticated, authorized, and encrypted.

At HyperNexus, we enforce this principle by default: TLS for all communications, per-request auth tokens for tool calls, and network isolation between model servers and memory stores. This isn't just about compliance — it's about preventing a single compromised plugin from pivoting to your entire AI stack. Here's exactly how you can build this with concrete implementations.

Why Zero Trust Matters for AI Agents

An AI agent orchestrates multiple components: an inference engine (e.g., vLLM, llama.cpp), a vector database for memory (e.g., Qdrant, Chroma), and external tool integrations (e.g., file systems, APIs, web browsers). In a typical deployment, the agent's runtime has direct network access to all of these. If a tool call — like a web search or a file read — is exploited via prompt injection, the attacker can side-channel steal memory data or manipulate model outputs.

With zero-trust AI, we apply three layers:

  • No implicit trust: Every component must authenticate before communication. The agent runtime cannot talk to the memory store unless it presents a valid JWT scoped to specific memory collections.
  • Least privilege tooling: Each tool receives a short-lived, read-only or write-only auth token, not the agent's primary credentials.
  • Encryption everywhere: TLS 1.3 with mutual TLS (mTLS) ensures that even if an attacker intercepts traffic, they cannot replay it.

This architecture stops attacks like "prompt injection to exfiltrate memory" because the memory store sees a token that only allows reading a specific user's memories — and that token is issued per request, not per session.

TLS 1.3 with mTLS for Every AI Service

The foundation of zero-trust AI is encrypting all in-transit data, including between microservices running on the same host. Standard TLS prevents eavesdropping, but mutual TLS (mTLS) adds bidirectional certificate verification. The model server (e.g., vLLM) and the agent runtime both present certificates signed by an internal CA.

Here's a concrete mTLS setup using HyperNexus's embedded Envoy proxy:

# Envoy config for the agent runtime to connect to vLLM over mTLS
static_resources:
  listeners:
  - name: agent_to_model_tls
    address:
      socket_address: { address: 127.0.0.1, port_value: 10443 }
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: "/etc/ai-certs/agent.pem" }
              private_key: { filename: "/etc/ai-certs/agent-key.pem" }
            validation_context:
              trusted_ca: { filename: "/etc/ai-certs/ca.pem" }
              match_subject_alt_names:
                - exact: "model.internal.hypernexus"
    filters:
    - name: envoy.filters.network.http_connection_manager
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        codec_type: AUTO
        route_config:
          virtual_hosts:
          - name: model_vhost
            domains: ["*"]
            routes:
            - match: { prefix: "/v1/chat/completions" }
              route: { cluster: model_cluster }
        http_filters:
        - name: envoy.filters.http.router

This ensures that no unauthenticated process can send inference requests. Even a compromised container cannot talk to the model without a valid certificate. The CA is kept offline and rotated weekly.

Per-Request JWT Authentication for Memory Access

Memory retrieval — often a vector database query — is a high-risk operation because it touches potentially sensitive user data. In zero-trust AI, the agent runtime should not have a static API key that grants full access to the memory store. Instead, we issue per-request JWTs with fine-grained scopes.

HyperNexus's auth layer generates a JWT for each tool call, containing the user ID, the session ID, and a "read-only" scope for the vector collection. The memory store validates the token before any query:

# Example JWT payload for a memory query
{
  "sub": "user_abc123",
  "session": "session_def456",
  "scope": "memory:read:user_abc123",
  "iat": 1700000000,
  "exp": 1700000360,
  "permissions": ["collections:memories:read"]
}

When the agent needs to retrieve memories, it sends this JWT to the Qdrant cluster. Qdrant's access control list checks the token's scope, and if it doesn't match the requested collection, the request is denied. This prevents a cross-user memory leak — even if the agent is tricked into querying another user's index, the token simply doesn't have the scope.

Because JWTs expire in 60 seconds, a leaked token is only valid for a brief window. We also implement token revocation using a server-side blocklist checked on every request, adding another layer of defense.

Network Isolation with eBPF and Sidecar Proxies

Network isolation is the third pillar: the model server, memory store, and tool runtime must be on separate network segments with strict ingress/egress rules. In a containerized deployment, we use eBPF-based Cilium to enforce network policies at the kernel level, ensuring that only explicitly allowed traffic flows between AI components.

For example, the agent runtime can only talk to the model server on port 10443 (mTLS), and only to the memory store on port 6333 (mTLS). The model server itself has no outbound access — it cannot initiate connections back to the agent or to the internet. This prevents lateral movement if a model vulnerability is exploited.

HyperNexus deploys a sidecar proxy (Envoy) alongside each AI service. The sidecar handles mTLS termination, request authentication, and rate limiting. The main service process sees only plain HTTP on localhost, while the sidecar enforces all security policies. This decoupling means even if a component is compromised, the attacker cannot bypass the sidecar's rules.

Here's a sample Cilium network policy isolating the memory store:

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: memory-store-isolation
spec:
  endpointSelector:
    matchLabels:
      app: memory-store
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: agent-runtime
    - matchLabels:
        app: admin-tool
    toPorts:
    - ports:
      - port: "6333"
        protocol: TCP
  egress:
  - toEndpoints:
    - matchLabels:
        app: internal-ca
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
  - toCIDR:
    - 10.0.0.0/8
    except:
    - 0.0.0.0/0

This policy ensures the memory store can only accept connections from the agent runtime and internal admin tools, and can only reach the internal CA for certificate renewal. All other traffic is dropped.

Practical Implementation: End-to-End Flow with HyperNexus

Let's walk through a realistic scenario: a user asks the AI agent to "read my notes from last week and summarize them." Under zero-trust AI, this triggers:

  1. Agent runtime authenticates to the model server via mTLS certificate. The model server verifies the certificate's SAN matches "agent.internal.hypernexus".
  2. Agent retrieves user context by sending a memory query to Qdrant. The request includes a JWT scoped to read-only for the user's collection. Qdrant validates the JWT signature and checks the scope.
  3. Agent calls a file-read tool to access the user's notes directory. The tool receives a separate JWT with a "file:read:/home/user/notes" scope. The tool's sidecar validates this token and enforces that the path is within the allowed directory.
  4. Model response is generated over an mTLS channel. The response itself contains a signed integrity check (HMAC) so the agent can verify it hasn't been tampered with.

Every step is logged to an immutable audit trail. If an attack occurs, we have a complete chain of authentication events, sorted by timestamp, to reconstruct what happened.

HyperNexus automates this entire flow. You define your AI services in a declarative YAML configuration, and the platform generates the necessary TLS certificates, JWT signing keys, and Cilium policies automatically. The result is a zero-trust AI deployment that requires zero manual security configuration — just define your architecture and let the system enforce the principle of least privilege.

Ready to secure your self-hosted AI with zero trust? Deploy on HyperNexus today — start at hypernexus.site for a free trial with built-in AI security, TLS, and network isolation.


Originally published at tormentnexus.site

Top comments (0)