Grab's security team built Palana, a Kubernetes-native platform that runs autonomous AI agents inside isolated namespaces with out-of-process control planes and proxy-mediated Vault-backed secrets.
Why Deterministic Security Breaks for Agentic Workloads
Traditional software executes along paths fixed before deployment, and security controls are built on that assumption. An agentic AI system writes code, calls tools, and chains prompts at runtime, so a conventional control that only sees the calls cannot tell an agent doing its job from one that has been compromised. Prompt injection is therefore not just a content-safety problem: an injected instruction can drive the agent to read secrets, change infrastructure, or exfiltrate data through the same tool invocations it uses legitimately.
Grab's team faced this directly. Their ride-hailing and delivery platforms run on Kubernetes, and they wanted to deploy LLM agents that could query databases, schedule rides, and interact with internal APIs. Standard pod security controls decide what a pod may do before it runs; they cannot distinguish a legitimate code-writing agent from an exploited one, because both make the same kinds of calls. Palana was the answer.
Palana's Architecture: Isolate at Every Layer
Palana wraps each agent in its own isolated Kubernetes namespace. No two agents share a network boundary. Every API call from the agent goes through an out-of-process control plane that enforces permission policies before forwarding the call to internal services. Secrets never reach the agent's process or filesystem: Vault delivers them to the proxy layer, and the agent invokes the services that need them through a mediated interface, so the credential is attached by the proxy rather than by the agent.
That design addresses both failure modes at once. Prompt injection cannot directly access secrets because the agent holds no secret material. Generated code cannot escape the namespace because the control plane blocks egress to anything not explicitly permitted. Grab's team described this approach at InfoQ, stressing that model-driven unpredictability requires infrastructure-level containment, not just prompt filtering.
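The following is an added illustration of the pattern described in the two paragraphs above; it is not Grab's code and Palana's internals are not published on this page. It assumes a per-agent namespace whose NetworkPolicy allows egress only to the proxy, and a proxy that checks an allowlist before attaching a Vault-held credential. The class names, the sample policy, the stub Vault and the stub upstream service are all constructed for the example.

```python
"""Added illustration (not Grab's code) of the Palana pattern: a per-agent
namespace with egress confined to a mediating proxy, and a proxy that enforces
an allowlist and attaches Vault-held credentials itself.
Names, the sample policy and the stub Vault/upstream are all assumptions."""
from dataclasses import dataclass, field
import fnmatch


def namespace_manifests(agent: str, proxy_cidr: str) -> list[dict]:
    """Namespace plus a NetworkPolicy: no ingress, egress only to the proxy
    (TCP 8443) and to DNS. Returned as plain dicts; yaml.safe_dump them to apply."""
    ns = f"agent-{agent}"
    return [
        {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": ns}},
        {
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": "egress-to-proxy-only", "namespace": ns},
            "spec": {
                "podSelector": {},  # applies to every pod in the namespace
                "policyTypes": ["Ingress", "Egress"],  # no ingress rules => deny all
                "egress": [
                    {"to": [{"ipBlock": {"cidr": proxy_cidr}}],
                     "ports": [{"protocol": "TCP", "port": 8443}]},
                    {"ports": [{"protocol": "UDP", "port": 53}]},  # cluster DNS
                ],
            },
        },
    ]


class PolicyDenied(PermissionError):
    """Raised by the proxy when the agent requests a call outside its allowlist."""


@dataclass
class AgentPolicy:
    # agent name -> allowed "METHOD service/path" globs (assumed rule format)
    rules: dict[str, list[str]] = field(default_factory=dict)

    def permits(self, agent: str, method: str, target: str) -> bool:
        want = f"{method.upper()} {target}"
        return any(fnmatch.fnmatchcase(want, r) for r in self.rules.get(agent, []))


class FakeVault:
    """Stand-in for a Vault KV read; a real deployment would use the hvac client."""
    def __init__(self, secrets: dict[str, str]):
        self._secrets = secrets

    def read(self, path: str) -> str:
        return self._secrets[path]


@dataclass
class MediatedResponse:
    status: int
    body: str  # what the agent sees: no headers, no credential


class Proxy:
    """Out-of-process control plane: policy check first, then credential injection."""
    def __init__(self, policy: AgentPolicy, vault: FakeVault, upstream):
        self.policy, self.vault, self.upstream = policy, vault, upstream

    def call(self, agent: str, method: str, target: str, body: str = "") -> MediatedResponse:
        if not self.policy.permits(agent, method, target):
            raise PolicyDenied(f"{agent} may not {method} {target}")
        service = target.split("/", 1)[0]
        token = self.vault.read(f"services/{service}/token")  # never leaves the proxy
        headers = {"Authorization": f"Bearer {token}", "X-Agent": agent}
        status, resp = self.upstream(method, target, headers, body)
        return MediatedResponse(status, resp)


def demo():
    """Constructed scenario: a dispatch agent may quote rides; an injected
    'delete' instruction is refused before any credential is read."""
    seen_headers = []

    def upstream(method, target, headers, body):  # stub internal service
        seen_headers.append(headers)
        return 200, '{"ok": true}'

    policy = AgentPolicy({"dispatch": ["GET rides/*", "POST rides/quote"]})
    vault = FakeVault({"services/rides/token": "s3cr3t-rides-token"})
    proxy = Proxy(policy, vault, upstream)

    ok = proxy.call("dispatch", "POST", "rides/quote", '{"from": "A", "to": "B"}')
    try:
        proxy.call("dispatch", "DELETE", "rides/123")  # what an injected prompt might ask for
        denied = False
    except PolicyDenied:
        denied = True
    return ok, denied, seen_headers


if __name__ == "__main__":
    ok, denied, seen = demo()
    print(ok, denied, seen[0]["X-Agent"])
```

The point to notice is where the credential lives: the agent's request carries only the agent identity and the target, the policy check happens before the Vault read, and the response handed back is a body with no headers, so even a fully hijacked agent has nothing to exfiltrate beyond what the allowlist already lets it fetch.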
The Tradeoff in Practice
Palana adds latency. Every agent interaction goes through a proxy policy check, a Vault lookup, and a network hop out of the agent's namespace. For non-critical queries, that overhead is acceptable. For real-time ride dispatching, it might not be. Grab's engineers are reportedly tuning caching layers and Vault read replicas to minimize the penalty.
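As an added example of the caching side of that tradeoff (not Grab's code; the page gives no detail of their caching layer), the block below shows a proxy-side cache whose entries never outlive the secret's lease and are additionally capped at a short maximum TTL, so a revoked credential is noticed within a bounded window rather than for as long as its lease runs. The fetch function, the clock and the sample paths and values are constructed stand-ins.

```python
"""Added example (not Grab's code): caching Vault reads in the proxy without
letting an entry outlive its lease, with staleness capped at max_ttl so
revocation lag stays bounded. Fetch function, clock and values are stand-ins."""
import time
from typing import Optional


class LeaseCache:
    def __init__(self, fetch, max_ttl: float = 60.0, clock=time.monotonic):
        self._fetch = fetch        # fetch(path) -> (value, lease_seconds)
        self._max_ttl = max_ttl    # upper bound on staleness, whatever the lease says
        self._clock = clock
        self._entries: dict[str, tuple[str, float]] = {}
        self.misses = 0

    def get(self, path: str) -> str:
        now = self._clock()
        hit = self._entries.get(path)
        if hit is not None and hit[1] > now:
            return hit[0]
        self.misses += 1
        value, lease = self._fetch(path)
        ttl = min(lease, self._max_ttl)  # a one-hour lease is still re-read every 60 s
        self._entries[path] = (value, now + ttl)
        return value

    def invalidate(self, path: Optional[str] = None) -> None:
        """Call on a revocation or rotation event so the next read goes to Vault."""
        if path is None:
            self._entries.clear()
        else:
            self._entries.pop(path, None)


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds: float):
        self.t += seconds


def demo():
    """Constructed run: a long-lease token is re-read at the cap, a short-lease
    key at its lease, and an explicit invalidation forces a refresh."""
    leases = {"services/rides/token": ("tok-A", 3600.0), "services/maps/key": ("key-B", 10.0)}
    calls = []

    def fetch(path):
        calls.append(path)
        return leases[path]

    clock = FakeClock()
    cache = LeaseCache(fetch, max_ttl=60.0, clock=clock)
    cache.get("services/rides/token"); cache.get("services/rides/token")            # 1 fetch
    clock.advance(61); cache.get("services/rides/token")                             # 2: cap hit
    cache.get("services/maps/key"); clock.advance(11); cache.get("services/maps/key")  # 4: lease hit
    cache.invalidate("services/rides/token"); cache.get("services/rides/token")      # 5: forced
    return cache.misses, calls
```

The cap matters more than the cache hit rate: without it, a cached long-lease token would keep working in the proxy for the whole lease after it was revoked in Vault, which quietly reintroduces the exposure the mediated design was meant to remove.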
What Palana enables is delegation at scale. You can grant an agent scoped write access to a production database knowing that a prompt injection can only exercise the permissions the control plane already allows; it cannot reach the credential itself or pivot to services outside the allowlist. That is the kind of trust boundary that lets teams move from demo agents to production workloads. Expect more organizations to adopt similar Kubernetes-native isolation patterns as agentic AI moves out of sandboxed notebooks and into live infrastructure.
Source: Grab Builds Secure Agentic AI Workload Platform
Domain: infoq.com