
Docker AI Governance: Lock Down Your AI Agents Now

Docker AI Governance shipped May 12, 2026 — infrastructure-layer security for AI agents

Your AI agents are running inside production infrastructure with access to credentials, filesystems, and external tools. For most teams, the only thing standing between them and a compromised agent session is application-level code — guardrails written in the agent’s own runtime, easily bypassed if a tool gets poisoned or a config file gets read the wrong way. On May 12, Docker shipped an answer that operates at a layer below all of that: Docker AI Governance, combining microVM isolation, centralized policy enforcement, and credential injection that never exposes secrets to the agent process itself.

MicroVM Isolation: Not Just Another Container

Most “containerized” agent setups use standard Docker namespacing. The agent runs in a container, but it shares the host kernel. With enough privilege or a kernel exploit, the boundary is softer than it looks. Docker Sandboxes take a different approach: each session runs in a microVM with its own Docker daemon, its own filesystem, and its own network stack.

The practical difference matters. An agent can install packages, run subprocesses, build other containers, and make arbitrary network calls — and none of it can reach the host. Enforcement happens at the hardware virtualization layer, not as a software policy the agent runtime can reason around. If your team has ever asked “but what stops the agent from doing X inside the container,” the answer is now the hypervisor.

Four Control Surfaces, One Policy Console

Docker AI Governance manages four enforcement surfaces from a single admin console:

  • Network: Allow and deny rules for domains, IPs, and CIDRs. Agents can only reach what you explicitly permit.
  • Filesystem: Mount paths with read-only or read-write scope. No implicit access to host paths.
  • Credentials: Injected by a host-side proxy that intercepts outbound HTTP and adds authentication headers. The raw secret values never enter the microVM — the agent authenticates without ever seeing what it is authenticating with.
  • MCP tools: An approved server list, centrally managed. Agents can only call tools that have been explicitly added.

Admins define these policies once in the Docker Admin Console. Policies are pushed to developer machines at authentication time and propagate across the organization within five minutes. For immediate application, sbx policy reset forces the update without waiting.
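To make the four surfaces concrete, here is an added Python model of how such a policy is evaluated. This is illustration only, not Docker's code: the policy schema, the function names and every sample value (hosts, CIDRs, mount paths, the bearer token, the MCP server name) are constructed assumptions for this example. It shows the behaviours a defender cares about: deny-by-default egress with domain and CIDR matching, longest-prefix mount scoping that normalizes the path before matching (so "/workspace/../etc/passwd" is not treated as inside /workspace), credential injection that happens only on the host side and only after the egress check passes, and an MCP server allow list.

```python
"""Illustrative evaluator for the four agent-governance control surfaces.

Constructed example: not Docker's implementation or policy format.
"""
import ipaddress
import posixpath
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Policy:
    allowed_hosts: set = field(default_factory=set)        # exact domain names
    allowed_networks: list = field(default_factory=list)   # ipaddress networks (CIDRs)
    mounts: dict = field(default_factory=dict)             # container path -> "ro" | "rw"
    credentials: dict = field(default_factory=dict)        # host -> (header, secret); host-side only
    approved_mcp_servers: set = field(default_factory=set)


def network_allowed(policy, target):
    """Egress check for a domain or IP literal. Anything not listed is denied."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return target.lower() in policy.allowed_hosts
    return any(ip in net for net in policy.allowed_networks)


def filesystem_access(policy, path, write=False):
    """Scope check for a path inside the sandbox.

    The path is normalized first so '..' segments cannot escape a mount, and
    the most specific (longest) mount wins, so a read-only mount nested inside
    a read-write one still blocks writes.
    """
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        return False            # relative paths are ambiguous: deny
    best_key, best_len = None, -1
    for mount, mode in policy.mounts.items():
        m = posixpath.normpath(mount)
        prefix = m.rstrip("/") + "/"
        if norm == m or norm.startswith(prefix):
            if len(m) > best_len:
                best_key, best_len = mount, len(m)
    if best_key is None:
        return False            # no mount covers this path: no implicit host access
    mode = policy.mounts[best_key]
    return mode == "rw" or not write


def inject_credentials(policy, url, headers):
    """Host-side proxy step.

    The request leaves the microVM carrying no secret. The proxy first applies
    the egress policy; only for a permitted host does it add the auth header.
    Returns the outbound headers, or None when the request is blocked.
    """
    host = (urlsplit(url).hostname or "").lower()
    if not network_allowed(policy, host):
        return None
    outbound = dict(headers)
    cred = policy.credentials.get(host)
    if cred:
        header_name, secret = cred
        outbound[header_name] = secret
    return outbound


def mcp_tool_allowed(policy, server):
    """Only servers on the centrally approved list may be called."""
    return server in policy.approved_mcp_servers


# Constructed sample policy (all values are placeholders, not real endpoints).
POLICY = Policy(
    allowed_hosts={"api.example.test"},
    allowed_networks=[ipaddress.ip_network("10.0.0.0/8")],
    mounts={"/workspace": "rw", "/workspace/vendor": "ro", "/etc/app": "ro"},
    credentials={"api.example.test": ("Authorization", "Bearer CONSTRUCTED_TOKEN")},
    approved_mcp_servers={"repo-tools-mcp"},
)

if __name__ == "__main__":
    # Inside the sandbox the agent only ever builds a header-less request.
    print(inject_credentials(POLICY, "https://api.example.test/v1/me", {}))
    print(inject_credentials(POLICY, "https://unlisted.example/x", {}))
    print(filesystem_access(POLICY, "/workspace/../etc/passwd"))
```

The point of ordering the egress check before injection is that a blocked host never receives a credential, and the agent process never holds one to leak through a poisoned tool or a misread config file.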

Why This Landed in May 2026

The timing is not accidental. MCP hit 97 million monthly SDK downloads by March 2026. The public MCP ecosystem now hosts over 13,000 servers, most unreviewed for security. The MCPTox benchmark found tool poisoning success rates above 60 percent against real-world MCP servers. Check Point Research disclosed remote code execution in Claude Code through poisoned repository config files in February. Antiy CERT found 1,184 malicious skills across the OpenClaw AI agent marketplace.

Teams running AI agents in staging and production have been discovering the hard way that application-level guardrails do not hold when the tool surface itself is compromised. Docker AI Governance is the infrastructure response to a problem that application code cannot fully solve.

Fits Into Existing Workflows

The practical adoption pitch is that this does not require a new toolchain. Docker added a models: block to the open-source Compose specification. Teams can define their full agentic stack — models, MCP servers, agent runtime, governance policies — in a single compose.yaml and bring it up with docker compose up. The same stack scales to cloud with docker offload up.

Framework support is broad: LangGraph, CrewAI, Spring AI, Google ADK, and Vercel AI SDK all work with the Compose integration. If your agent stack already runs on Docker, the governance layer plugs in without changing your deployment model.

The Catch

Individual developers get sandbox policy via sbx policy locally — available across Docker Desktop tiers. The centralized admin console, where IT sets org-wide policies that propagate to every developer machine, requires a Docker Business subscription. Pricing is not publicly disclosed.

There is also a gap Docker is honest about: the MCP Gateway provides building blocks — signed images, container isolation, secrets management — but audit logging, tool-level RBAC, and identity management remain team responsibilities. This is infrastructure, not a complete agent security product.

What to Do Now

If you are running AI agents connected to real credentials or production data: check your Docker Desktop tier, update to the latest release (MCP Gateway is available now for all tiers), and start with network egress policies — restrict outbound traffic to the minimum your agents actually need. The credential injection feature alone eliminates a class of config-file exfiltration attacks that have appeared in incident reports throughout 2026.

The shift from application-layer to infrastructure-layer agent security has been coming since MCP turned AI agents into first-class participants in production systems. Docker just made it practical to deploy without building it from scratch.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
