Agent Sandbox
gVisor zero-privilege sandbox for AI agents — NATS registration, ICE/LRP tunneling, credential persistence. Community Edition.
Zero-privilege agent sandbox · Kubernetes-native · Open-core
| Module | Community | Pro |
|---|---|---|
| WireGuard Tunnels | ✅ | ✅ |
| NAT Traversal (ICE/STUN/TURN) | ✅ | ✅ |
| LRP Relay (QUIC) | ✅ | ✅ |
| K8s CRD Operator | ✅ | ✅ |
| Dashboard UI | ✅ | ✅ |
| Agent Sandbox (gVisor) | ✅ | ✅ + EgressFilter |
| Sub-agent Delegate API | ✅ | ✅ |
| MCP Tool Tracing | ✅ | ✅ |
| Label-based ACLs | ✅ (iptables) | ✅ (eBPF) |
| Cluster Peering | ✅ | ✅ |
| Multi-Tenant Workspaces | ✅ | ✅ |
| MCP Server & ChatOps | ✅ | ✅ |
| Network Topology Map | ✅ | ✅ |
| NATS Flow Audit | — | ✅ |
| Policy Engine | Basic | Advanced |
| Time-Travel Debugging | — | ✅ |
| Compliance Reports | — | ✅ |
| Audit Logging | Basic | Advanced |
Google published the Secure AI Framework (SAIF) in 2023, explicitly identifying network isolation, access management, and supply chain security as core requirements for enterprise AI. As organizations implement SAIF, AI agent network boundaries shift from optional to a compliance requirement. Lattice provides the infrastructure layer to meet them — self-hosted, auditable, and open-core.

| SAIF requirement | Lattice capability |
|---|---|
| Network / endpoint security | WireGuard encrypted mesh; all agent traffic is end-to-end encrypted and isolated |
| Supply chain attack protection | gVisor user-space kernel; a compromised agent cannot escape to the host |
| Access management | Policy layer precisely controls which resources each agent identity can access |
| Unified platform control | Single K8s-native control plane that manages agents, tunnels, and network policy together |