AI Capabilities Overview
Lattice provides a five-layer AI capability model spanning developer productivity to enterprise compliance. All AI features are accessible through the built-in dashboard, the MCP protocol (Claude Desktop / Claude Code / Cursor), and REST APIs.
+-----------------------------------------------------------------+
| Layer 5: Compliance-as-Conversation |
| SOC2/PCI-DSS/HIPAA compliance report generation |
+-----------------------------------------------------------------+
| Layer 4: Time-Travel Network Debugging |
| Network state snapshots + AI root cause analysis |
+-----------------------------------------------------------------+
| Layer 3: Network Intent Engine (Pro) |
| Natural language intent → CRD change plans |
+-----------------------------------------------------------------+
| Layer 2: Zero-Trust for AI Agent Fleets |
| Agent identity, TTL, network isolation — two methods: |
| • HTTP API (agent-enroll) → policy preset + SDK |
| • CLI sandbox (lattice sandbox start) → gVisor zero-priv |
+-----------------------------------------------------------------+
| Layer 1: MCP Server + AI ChatOps Write Tools |
| Entry point and execution engine for all upper layers |
+-----------------------------------------------------------------+Layer 1 — MCP Server + ChatOps (Details)
The foundation layer. Exposes Lattice's full network management capability via the Model Context Protocol (MCP).
- Read tools: list peers, policies, networks, check connectivity
- Write tools: create/delete peers, manage policies (with human-in-the-loop approval)
- Works with Claude Desktop, Claude Code, Cursor, and any MCP client
- All write operations go through
WorkflowServicefor approval by default - MCP tool spans are traced and persisted to
la_tool_spanstable
Layer 2 — Zero-Trust AI Agent Networking (Details)
AI agents get their own WireGuard identity with time-bound enrollment and network isolation. Two access methods:
HTTP Enrollment API — agents self-register via POST /api/v1/agent-enroll:
- Policy presets:
sandboxed,coordinator,isolated - TTL-based auto-destruction via Manager reconciler
- Python SDK (
lattice-sdk-python) for LangGraph, AutoGen, Claude Agent SDK
CLI Sandbox — lattice sandbox start provides a gVisor zero-privilege sandbox:
- No root or
CAP_NET_ADMINrequired - Full Lattice network identity via NATS + ICE/LRP
- See Agent Platform docs for complete reference
Layer 3 — Network Intent Engine (Pro) (Details)
Describe network changes in natural language. Lattice produces a structured CRD change plan for review.
- Two-stage LLM pipeline: structured intent extraction → human-readable diff
POST /api/v1/ai/intent/plan— preview changes without applyingPOST /api/v1/ai/intent/apply— execute approved plans through WorkflowService- Risk level assessment before any change is applied
Layer 4 — Time-Travel Network Debugging (Pro) (Details)
Automatic network state snapshots let you debug any past state with AI assistance.
- Snapshots triggered by policy changes, peer online/offline, manual, or scheduled
- Diff any two snapshots to see exactly what changed
- AI-powered root cause analysis: ask questions about past state
- Get/snapshot/diff MCP tools for Claude-assisted debugging
Layer 5 — Compliance-as-Conversation (Pro) (Details)
Generate compliance reports and evidence packages from your Lattice network state.
- Framework support: SOC2 Type II, PCI-DSS, HIPAA
- Automated control verification against network policies and change history
- Downloadable evidence packages (ZIP) with SHA256 attestation
- Executive summaries generated by AI for CISO review
Getting Started
- Enable the AI module in your
lattice.yaml - Configure your LLM provider (Anthropic or OpenAI-compatible)
- Connect via the MCP Server or use the built-in dashboard Chat interface
See the MCP Server setup guide for Claude Desktop / Claude Code integration.