AS-301b · Module 2

Egress Control for AI Agents


Ingress control asks: what can reach the agent? Egress control asks: what can the agent reach? Most organizations invest heavily in ingress and neglect egress. This is exactly backward for AI agents. A compromised agent with unrestricted egress can exfiltrate data to any external endpoint, communicate with command-and-control infrastructure, and make API calls to services you do not control. Egress control is the containment layer that limits what a compromised agent can do with its access.

  1. Allowlist External Destinations: Define every external endpoint an agent legitimately needs to reach (specific API domains, specific IP ranges, specific ports). Block everything else. An agent that needs to call the OpenAI API should be able to reach api.openai.com on port 443 and nothing else externally.
  2. DNS Filtering: Route all agent DNS queries through a filtering resolver that blocks resolution for non-allowlisted domains. If the agent cannot resolve the domain, it cannot connect. DNS filtering catches exfiltration attempts that use dynamic domains or DNS tunneling.
  3. TLS Inspection for Outbound Traffic: Encrypted outbound connections can carry any payload. TLS inspection (decrypting, inspecting, and re-encrypting outbound traffic at the network boundary) reveals what data is actually leaving. This is the most invasive egress control and the most effective against sophisticated exfiltration.
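
The allowlist from items 1 and 2 as a default-deny decision function, added here as an example and not part of the original module. The function names and the 192.0.2.0/28 range are assumptions made for illustration; api.openai.com on port 443 is the destination named in the text.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy: the destination named in the text, plus a hypothetical
# documentation-range CIDR standing in for an allowlisted IP range.
ALLOWED_HOSTS = {("api.openai.com", 443)}
ALLOWED_NETS = [(ipaddress.ip_network("192.0.2.0/28"), 443)]


def normalize_host(host: str) -> str:
    """Lower-case and drop one trailing root dot, so 'API.OpenAI.com.' matches."""
    host = host.strip().lower()
    return host[:-1] if host.endswith(".") else host


def egress_allowed(host: str, port: int) -> bool:
    """Default-deny decision for one outbound connection attempt."""
    host = normalize_host(host)
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        addr = None
    if addr is not None:
        # IP literals never reach the DNS resolver, so DNS filtering alone
        # does not see them; they must match an allowlisted range and port.
        return any(addr in net and port == p for net, p in ALLOWED_NETS)
    # Exact match only: suffix or substring matching would admit names such
    # as 'api.openai.com.attacker.example'.
    return (host, port) in ALLOWED_HOSTS


def url_allowed(url: str) -> bool:
    """Apply the same policy to a URL the agent is about to request."""
    try:
        parts = urlsplit(url)
        port = parts.port if parts.port is not None else 443
    except ValueError:
        return False  # malformed host or out-of-range port
    if parts.scheme != "https" or parts.hostname is None:
        return False  # assumption: only HTTPS leaves the agent
    return egress_allowed(parts.hostname, port)
```

The same decision belongs at the network boundary as well as in the agent's HTTP client, since a compromised agent process can skip an in-process check.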