The Thesis
Your AI agent can access your SSH keys, client files, and network—even with enterprise SSO enabled. This is the security gap that no mainstream AI solution currently solves. Application-level tenant isolation protects your data from other customers. It does nothing to contain what happens when your own agent is compromised.
The agent drafts, you approve—but what happens when that agent is hijacked? Prompt injection now ranks as the #1 vulnerability in OWASP's 2025 Top 10 for LLM Applications. When a compromised agent operates with your full permissions, the attacker inherits everything you can access.
SSO protects the door. But once inside, the agent has the run of the house.
We built Agentised to solve this. Our architecture enforces dual isolation at the operating system level—not application permissions that can be bypassed. This article explains why this matters and how it works.
"Effective sandboxing requires both filesystem and network isolation. Each layer compensates for the other's failure modes."
The Regulatory Storm
UK professional services firms face converging regulatory pressures that demand demonstrable AI controls—not aspirational policies.
For Law Firms
The SRA's November 2023 Risk Outlook explicitly requires firms to "treat AI systems similarly to trainees—train, supervise, and review outputs." Your COLP is personally responsible for regulatory compliance when adopting new technology.
The June 2025 Ayinde/Al-Haroun judgment made this concrete: barristers who cited 18 fictitious cases from AI-generated research faced wasted costs orders and regulatory referral.
For Accounting Firms
ICAEW's updated Code of Ethics (effective July 2025) introduces new technology provisions requiring members to exercise professional judgement in determining whether reliance on technology output is reasonable.
The FRC's June 2025 thematic review found that even Big Four firms had embedded AI without formally assessing audit quality impact.
What this means for your firm: Human-in-the-loop architecture removes AI processing from GDPR Article 22's "solely automated" prohibition—but only when properly implemented with competent reviewers, adequate time, documented override capability, and audit trails.
The Threat Landscape
The LAA Breach: A Cautionary Tale
Attackers entered Legal Aid Agency systems on 31 December 2024—and weren't discovered until April 2025. That four-month window enabled exfiltration of over 2.1 million data points including criminal records and court proceedings dating back to 2007.
The AI-Specific Attack Surface
Researchers demonstrated "ZombAI" attacks hijacking GitHub Copilot to download malware. Microsoft 365 Copilot's zero-click attack chain—estimated at $200M impact across 160+ incidents—shows that even enterprise platforms remain vulnerable.
DPP Law received a £60,000 ICO fine after attackers brute-forced an administrator account lacking MFA, accessing 32GB of sensitive case files.
Why Application Security Fails
Generic AI tools rely on identity-based security (SSO, RBAC) rather than execution containment. This creates a fundamental gap.
The Permission Inheritance Problem
When a Copilot agent is compromised through prompt injection, it operates with the user's full permissions. Harvey AI and Luminance focus on model-level isolation—but don't constrain what a compromised agent can do at runtime.
Zapier acknowledges this directly: "Agents integrated with sensitive systems like CRMs could accidentally share private data" and "malicious actors can insert hidden instructions to hijack an agent's logic."
| Security Layer | What It Protects | What It Doesn't |
|---|---|---|
| SSO/RBAC | Who can access the system | What they do once inside |
| Tenant Isolation | Your data from other customers | What happens to your own data |
| Encryption | Data in transit and at rest | Data being processed by agents |
| Permission Prompts | User awareness of actions | Approval fatigue; users click through |
| OS-Level Sandboxing | Execution containment | — |
The common thread: Every layer except OS-level sandboxing protects the perimeter or the data—not the execution environment.
The Dual Isolation Architecture
Dual isolation provides deterministic guarantees that application-level controls cannot match. Security enforced by the operating system itself—not just application permissions.
This is how Agentised protects your client data. Every agent runs inside dual isolation—filesystem and network—enforced at the operating system level.
Filesystem Isolation: The Vault
The agent operates in a secure vault—completely isolated from your system files. It cannot access SSH keys, cloud credentials, shell configurations, or client data directories. Even if compromised, it cannot reach what it cannot see.
Critically, all child processes inherit these restrictions. This closes the escape vector where malicious code could spawn an unrestricted subprocess.
Network Isolation: The Checkpoint
All network requests route through a checkpoint that only allows whitelisted connections. A compromised agent cannot send credentials anywhere—there's no path to external servers except approved domains.
Why Both Are Required
- Without network isolation, a filesystem-compromised agent exfiltrates SSH keys to attacker servers.
- Without filesystem isolation, a network-compromised agent backdoors shell configuration files, escaping the sandbox on the next terminal session.
This is why moving from permission prompts to OS-level enforcement reduced permission fatigue by 84% while increasing security.
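To make the two failure modes above concrete, the following Python model is added here as an illustration; it is not Agentised's code and performs no real file or network access. It models only the decisions a sandbox makes (a single writable working directory, a deny list for secrets, a default-deny network allowlist) and then evaluates each failure mode with one layer switched off. The `SandboxPolicy` class, the paths and the host names are assumptions constructed for the example; in a real deployment the enforcement is the kernel's (on Linux, for instance, Landlock filesystem rules, which child processes inherit, behind an egress proxy), not application code like this.

```python
"""Userspace model of the dual-isolation policy described in this section.
Added example, not Agentised's code: it models the decisions an OS sandbox
makes so the two failure modes above can be exercised; it performs no real
file or network access. Paths and host names are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address
from pathlib import PurePosixPath
from urllib.parse import urlsplit


def canonical(path: str) -> str:
    """Lexically collapse '.' and '..' so traversal cannot escape a prefix
    check. The kernel also resolves symlinks; this model only handles '..'."""
    parts: list[str] = []
    for seg in PurePosixPath(path).parts:
        if seg in ("/", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def _under(path: str, root: str) -> bool:
    """True if path is root or lies beneath it (root has no trailing slash)."""
    return path == root or path.startswith(root + "/")


@dataclass
class SandboxPolicy:
    # Filesystem: the working directory is the only writable tree (the vault).
    workdir: str = "/work/agent"
    # Secrets and client data the agent must not read even though the user
    # account it runs as could (constructed sample paths).
    denied_reads: tuple[str, ...] = ("/home/user/.ssh", "/home/user/.aws",
                                     "/home/user/.bashrc", "/home/user/.zshrc",
                                     "/srv/clients")
    # Network: default deny; only these hosts and their subdomains are reachable.
    allowed_hosts: frozenset[str] = frozenset({"api.example-llm.test"})
    # Toggles used below to model one layer failing.
    filesystem_isolation: bool = True
    network_isolation: bool = True

    def _resolve(self, path: str) -> str:
        if not path.startswith("/"):
            path = f"{self.workdir}/{path}"  # relative paths live in the vault
        return canonical(path)

    def check_read(self, path: str) -> bool:
        if not self.filesystem_isolation:
            return True
        p = self._resolve(path)
        return not any(_under(p, d) for d in self.denied_reads)

    def check_write(self, path: str) -> bool:
        if not self.filesystem_isolation:
            return True
        return _under(self._resolve(path), self.workdir)

    def check_connect(self, url: str) -> bool:
        if not self.network_isolation:
            return True
        host = urlsplit(url).hostname
        if host is None:
            return False                  # unparseable destination: deny
        host = host.rstrip(".").lower()
        try:
            ip_address(host)
            return False                  # IP literals sidestep a name allowlist
        except ValueError:
            pass
        return any(host == a or host.endswith("." + a) for a in self.allowed_hosts)


def ssh_key_exfiltration_possible(policy: SandboxPolicy) -> bool:
    """Failure mode 1: read a private key, then send it to an unlisted host."""
    return (policy.check_read("/home/user/.ssh/id_ed25519")
            and policy.check_connect("https://drop.attacker.test/upload"))


def shell_rc_backdoor_possible(policy: SandboxPolicy) -> bool:
    """Failure mode 2: write a shell startup file that runs outside the sandbox."""
    return policy.check_write("/home/user/.bashrc")


def evaluate(policy: SandboxPolicy) -> dict[str, bool]:
    return {"ssh_key_exfiltration": ssh_key_exfiltration_possible(policy),
            "shell_rc_backdoor": shell_rc_backdoor_possible(policy)}


if __name__ == "__main__":
    for label, policy in [("both layers", SandboxPolicy()),
                          ("filesystem layer failed", SandboxPolicy(filesystem_isolation=False)),
                          ("network layer failed", SandboxPolicy(network_isolation=False)),
                          ("both failed", SandboxPolicy(filesystem_isolation=False, network_isolation=False))]:
        print(f"{label:25s} {evaluate(policy)}")
```

Running it prints one line per configuration: with both layers on, neither failure mode is possible; with the filesystem layer failed, the shell startup file can be written but the key still cannot leave because the network layer holds; only when both layers fail does exfiltration succeed. The network check also rejects IP literals and lookalike suffixes such as `api.example-llm.test.attacker.test`, two of the usual ways a name-based allowlist is sidestepped, and the path check collapses `..` so a relative write inside the vault cannot climb out of it.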
"The agent operates in a vault. Even if compromised, it cannot reach your client files or phone home to attackers."
Certification Mapping
The 31 October 2025 deadline for ISO 27001:2022 transition makes certification urgency acute—ISO 27001:2013 certificates become invalid.
| Framework | Key Controls | How Dual Isolation Maps |
|---|---|---|
| Cyber Essentials v3.2 | Network segmentation, least privilege access, secure configuration | Network isolation enforces default-deny; filesystem isolation restricts write paths to working directory only |
| ISO 27001:2022 | A.8.20 Network Security, A.8.22 Segregation of Networks, A.8.3 Access Controls | Proxy-mediated network filtering maps to network segregation controls; sandboxed processes inherit identity context |
| ISO 42001 | Human oversight, bias mitigation, data governance | HITL workflow satisfies human oversight controls; isolated execution prevents model contamination |
| GDPR Article 22 | Meaningful human involvement in automated decisions | Supervised autonomy architecture enables genuine review before execution |
What this means for your firm: ISO 42001 adoption is accelerating, with 76% of compliance professionals planning to use it as their AI governance backbone. Architecture that maps to these frameworks now creates competitive advantage.
The Competitive Gap
No mainstream AI solution for UK professional services provides OS-level sandboxed architecture with filesystem and network isolation. This is the gap Agentised was built to fill.
| Solution | Isolation Approach | Gap |
|---|---|---|
| ChatGPT Enterprise | Application-level tenant separation; AES-256 encryption; UK data residency available | No filesystem or network sandboxing for agent execution; multi-tenant shared infrastructure |
| Microsoft Copilot | Tenant-scoped semantic indexing; Purview DLP integration; Code Interpreter in sandboxed VMs | Permission amplification risk—agents inherit all user permissions; web search outside EU Data Boundary |
| Harvey AI | Custom-trained firm models; BYOK encryption; Azure UK region | Model-level isolation only; no execution sandboxing; relies on Azure enterprise controls |
| Luminance | Proprietary Legal LLM; ISO 27001 certified | Application-level isolation within platform; no OS-level sandboxing specified |
| Robin AI | Private AWS instance; Cyber Essentials certified; Anthropic via Bedrock | Multi-tenant with logical separation; no filesystem/network isolation documented |
| Zapier Agents | OAuth-based authentication; audit logs; HITL checkpoints available | "Giving any AI tool full access to all your company's data is still risky"—their own documentation |
| Power Automate | Azure tenant isolation; DLP policies | 71% of monitored accounts showed suspicious activity (Vectra); desktop flows run with full user credentials |
Questions to Ask Your Vendor
Q1. "Is our data used to train or improve your AI models?"
Why it matters: Verbal assurances are insufficient; require DPA language explicitly prohibiting training.
Q2. "What OS-level isolation mechanisms contain AI agent execution?"
Why it matters: Application-level controls and permission prompts are inadequate; require explanation of kernel-enforced containment.
Q3. "Where is data processed and stored?"
Why it matters: EU Data Boundary is not equivalent to UK data residency; verify UK region is explicitly available.
Q4. "Can you provide SOC 2 Type II, ISO 27001, and ISO 42001 reports?"
Why it matters: ISO 42001 adoption signals mature AI governance; ISO 27001:2022 transition deadline is 31 October 2025.
Q5. "How do audit logs demonstrate what agents attempted versus what they executed?"
Why it matters: Execution-layer logging captures blocked actions; application logs only record successful operations.
Red Flags
Warning signs during vendor evaluation:
- Refusal to share certification reports
- Vague data retention policies
- "We don't train on your data" without contractual backing
- Inability to explain model limitations
- AI features auto-enabled without consent-based adoption
Agentised closes this gap. Our architecture provides kernel-level containment, zero data retention, and compliant human oversight—the combination that competitors relying on application-level controls cannot match. Every agent runs inside the dual isolation framework shown above.
Frequently Asked Questions
Why isn't enterprise SSO enough to protect AI agents?
SSO protects the door—it controls who can access the system. But once an AI agent is authenticated, it typically operates with full user permissions. If that agent is compromised through prompt injection, the attacker inherits everything the user can access: files, credentials, network connections. OS-level isolation contains the blast radius regardless of how the agent was compromised.
What is the difference between tenant isolation and execution containment?
Tenant isolation keeps your data separate from other customers' data in a shared platform—essential for multi-tenant SaaS. Execution containment restricts what a running process can do on your system: which files it can read, which network connections it can make, which credentials it can access. Most enterprise AI tools provide tenant isolation but not execution containment.
How does dual isolation prevent data exfiltration?
Filesystem isolation prevents the agent from accessing sensitive files (SSH keys, cloud credentials, client data). Network isolation ensures that even if an attacker somehow accesses data, they cannot send it anywhere—all network traffic routes through a proxy that only allows whitelisted connections. Both layers are required: without network isolation, stolen data can be exfiltrated; without filesystem isolation, attackers can backdoor your system.
Is this architecture compliant with UK regulations?
Yes. The architecture maps directly to requirements in Cyber Essentials v3.2 (network segmentation, least privilege), ISO 27001:2022 (access controls, network security), and GDPR Article 22 (human oversight for automated decisions). The human-in-the-loop workflow satisfies SRA and ICAEW requirements for demonstrable human supervision of AI tools.
What happens when the AI agent encounters something it cannot handle?
It asks. Unlike traditional automation that fails silently or proceeds incorrectly, supervised autonomy detects uncertainty and escalates to human reviewers. The agent proposes a next step and waits for approval. This is why the architecture works for regulated environments: exceptions surface rather than hide.
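The escalate-and-wait behaviour described here, together with the attempted-versus-executed logging raised in vendor question Q5, can be sketched as an execution gate that sits in front of the agent's actions. The Python below is an added example, not Agentised's code; the action kinds, the scripted reviewer, the confidence threshold and the `/work/agent` working directory are constructed for the illustration, and "executed" means only that the gate released the action, since the model performs nothing itself.

```python
"""Execution gate with an attempted-versus-executed audit log. Added example,
not Agentised's code: action kinds, the scripted reviewer, the confidence
threshold and the working directory are constructed for the illustration, and
the gate performs nothing itself ("executed" means it released the action)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional

ALLOW, BLOCK, ESCALATE = "allow", "block", "escalate"
KNOWN_KINDS = {"read", "write", "send_email"}


@dataclass(frozen=True)
class Action:
    kind: str           # what the agent wants to do
    target: str         # path or address it wants to act on
    confidence: float   # the agent's own certainty that this step is right, 0..1


@dataclass
class AuditEntry:
    ts: str
    action: Action
    decision: str            # allow / block / escalate
    executed: bool           # True only if the gate released the action
    reviewer: Optional[str]  # who approved or refused an escalated action


class ExecutionGate:
    def __init__(self, approver: Callable[[Action], bool],
                 workdir: str = "/work/agent", min_confidence: float = 0.8):
        self.approver = approver
        self.workdir = workdir
        self.min_confidence = min_confidence
        self.log: List[AuditEntry] = []

    def decide(self, a: Action) -> str:
        """Policy: hard blocks first, then escalation, then allow."""
        if a.kind not in KNOWN_KINDS:
            return BLOCK                 # unknown capability: never executed
        if a.kind == "write" and not a.target.startswith(self.workdir + "/"):
            return BLOCK                 # writes outside the vault are blocked
        if a.kind == "send_email" or a.confidence < self.min_confidence:
            return ESCALATE              # outbound effect or uncertainty: ask
        return ALLOW

    def submit(self, a: Action) -> AuditEntry:
        """Record the attempt, then route it; blocked attempts are logged too."""
        decision = self.decide(a)
        executed, reviewer = False, None
        if decision == ALLOW:
            executed = True
        elif decision == ESCALATE:
            reviewer = "human"           # in a real system the agent waits here
            executed = self.approver(a)
        entry = AuditEntry(datetime.now(timezone.utc).isoformat(), a,
                           decision, executed, reviewer)
        self.log.append(entry)
        return entry

    def successful_only(self) -> List[AuditEntry]:
        """What an application log that records only completed operations shows."""
        return [e for e in self.log if e.executed]

    def summary(self) -> dict:
        return {"attempted": len(self.log),
                "executed": sum(e.executed for e in self.log),
                "blocked": sum(e.decision == BLOCK for e in self.log),
                "escalated": sum(e.decision == ESCALATE for e in self.log)}


def scripted_reviewer(a: Action) -> bool:
    """Stands in for the human reviewer (constructed): approves anything except
    email to a domain other than the firm's own."""
    return a.kind != "send_email" or a.target.endswith("@firm.test")


def run_sample():
    """Six constructed proposals covering allow, block and both escalation outcomes."""
    gate = ExecutionGate(scripted_reviewer)
    for a in [Action("read", "/work/agent/brief.pdf", 0.95),
              Action("write", "/home/user/.bashrc", 0.99),
              Action("send_email", "counsel@firm.test", 0.90),
              Action("send_email", "someone@unknown.test", 0.90),
              Action("read", "/work/agent/draft.md", 0.40),
              Action("shell", "whoami", 0.90)]:
        gate.submit(a)
    return gate, gate.summary()


if __name__ == "__main__":
    gate, summary = run_sample()
    for e in gate.log:
        print(f"{e.action.kind:10s} {e.action.target:24s} {e.decision:8s} executed={e.executed}")
    print("execution log:", summary, "| application log would show:", len(gate.successful_only()))
```

The contrast at the end is the point of Q5: the execution-layer log holds all six attempts, including the blocked write to a shell startup file and the refused email, while a log that records only completed operations would show three entries and nothing about what was stopped.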
Agentised is built on this architecture
Every Agentised agent runs inside dual filesystem and network isolation—enforced at the OS level. We built this because UK professional services firms deserve security that actually works. See it in action.