You built an AI agent this weekend.

It writes code.
Browses the web.
Uses MCP tools.
Maybe even touches production data.

Now ask yourself:

  • What isolates it from the host?

  • What stops credential leaks?

  • Who controls tool permissions?

  • What happens after prompt injection?

  • Where is the audit trail?

Most AI engineers answer these questions after the first incident.

Meanwhile, open source quietly built an entire infrastructure and security stack for AI agents.

Here are 11 repos every AI infra engineer should bookmark. Each one covers a gap that frameworks don’t.


What it does: Curated, maintained index of the AI agent security ecosystem, organized by security lifecycle: red teaming, runtime protection, sandboxing, governance, middleware.

Everything categorized, linked, and kept current. The starting point when you need to understand the full landscape or find tools for a specific security problem.

Why it matters for AI infra: This space moves faster than any single article. This repo is the durable index. Watch it. The delta between its last commit and today is your reading list.

🔗: https://github.com/ProjectRecon/awesome-ai-agents-security


What it does: The standard framework for automated LLM red teaming, security testing, and model evaluation.

Covers prompt injection, jailbreaks, PII leakage, model regression, and multi-model performance comparison across GPT, Claude, Gemini, Llama, and more. Declarative YAML configs. Native CI/CD integration. Used internally by OpenAI and Anthropic. MIT licensed, fully open source.

Why it matters for AI infra: You test your code before shipping. You should test your prompts and agent security boundaries too. Promptfoo makes red teaming systematic, scriptable, and integrated into your existing CI pipeline. Shipping agent features without automated security evals is the equivalent of shipping code without tests.

🔗: https://github.com/promptfoo/promptfoo


What it does: All-in-one vulnerability scanner for container images, git repos, and filesystems.

One tool catches: vulnerable base images, misconfigured Terraform, insecure Kubernetes manifests, leaked secrets in git history, vulnerable application dependencies. SARIF output feeds directly into the GitHub Security tab. 10 lines of YAML for GitHub Actions integration.

Why it matters for AI infra: You can write perfect agent code and still ship a vulnerable base image or misconfigured infrastructure module. Supply chain attacks are the dominant attack vector now. Trivy catches them in CI before they reach production. It’s automated, with zero manual review overhead.

🔗: https://github.com/aquasecurity/trivy
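As an added example (not Trivy’s own code), here is a small Python gate over Trivy’s JSON report, the same findings that feed the SARIF upload. Trivy’s own `--severity` and `--exit-code` flags already fail a job on severity alone; this script adds the distinction a reviewer usually wants: a fixable CRITICAL/HIGH vulnerability or any leaked secret fails the job, while a vulnerability that has no fix yet is surfaced as a warning. The report embedded below is constructed, and its CVE ids are placeholders, not real advisories.

```python
"""CI gate over a Trivy JSON report (added example, not Trivy's own code).

Assumes the report came from `trivy image --format json -o trivy.json IMAGE`
(or `trivy fs` / `trivy config` with --format json), whose schema carries
Results[].Vulnerabilities[] and Results[].Secrets[].  SAMPLE_REPORT below is
constructed; its CVE ids are placeholders, not real advisories.
"""
import json
import sys
from collections import Counter

BLOCKING = {"CRITICAL", "HIGH"}  # severities that may fail the job

SAMPLE_REPORT = {  # constructed sample, shaped like Trivy's JSON output
    "Results": [
        {
            "Target": "agent-runner:latest (debian 12)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libother",
                 "InstalledVersion": "2.1", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-00003", "PkgName": "libminor",
                 "InstalledVersion": "3.0", "FixedVersion": "3.1",
                 "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/.env",
            "Class": "secret",
            "Secrets": [
                {"RuleID": "aws-access-key-id", "Severity": "CRITICAL",
                 "Title": "AWS Access Key ID", "StartLine": 3},
            ],
        },
    ]
}


def evaluate(report: dict) -> dict:
    """Split findings into blocking ones and warnings, with counts by severity."""
    blocking, warnings, counts = [], [], Counter()
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            counts[v["Severity"]] += 1
            if v["Severity"] not in BLOCKING:
                continue
            desc = f'{v["VulnerabilityID"]} {v["PkgName"]} {v["InstalledVersion"]} ({target})'
            if v.get("FixedVersion"):
                blocking.append(f'{desc} -> upgrade to {v["FixedVersion"]}')
            else:
                # Nothing to upgrade to yet: report it, but do not fail the job.
                warnings.append(f"{desc} no fix available yet")
        # A leaked secret always blocks: it cannot be patched, only rotated.
        for s in result.get("Secrets") or []:
            counts[s["Severity"]] += 1
            blocking.append(f'{s["RuleID"]} in {target}:{s.get("StartLine")} (rotate it)')
    return {"counts": dict(counts), "blocking": blocking, "warnings": warnings}


def gate(report: dict) -> int:
    """Print a summary and return the CI exit code: 1 if anything blocks, else 0."""
    summary = evaluate(report)
    for line in summary["warnings"]:
        print("WARN ", line)
    for line in summary["blocking"]:
        print("BLOCK", line)
    print("counts by severity:", summary["counts"])
    return 1 if summary["blocking"] else 0


def load_report(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    sys.exit(gate(load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT))
```

Run it as `python trivy_gate.py trivy.json` after `trivy image --format json -o trivy.json IMAGE`; with no argument it evaluates the constructed sample. Treating unfixed findings as warnings is the same trade-off as Trivy’s `--ignore-unfixed`, but keeping them visible in the log means the gate gets revisited once a fix ships rather than silently forgotten.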


What it does: Universal policy engine for your entire stack. Express security policy as readable, testable Rego code.

Kubernetes admission control, API authorization, infrastructure configuration validation: one engine. Decouple security policy from application code. Write once, enforce everywhere. When your AI agent calls a tool, hits an API, or requests a resource, OPA decides whether it’s allowed.

Why it matters for AI infra: OPA isn’t agent-specific, which is exactly why it belongs here. Your agent infrastructure sits inside your existing cloud stack. OPA gives you a consistent, auditable policy layer that spans both traditional infrastructure and agentic workloads without maintaining two separate security systems.

🔗: https://github.com/open-policy-agent/opa
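That decision flow in practice, as an added Python example that is not OPA’s code or any agent framework’s: the agent runtime asks OPA’s Data API whether a given agent may call a given MCP tool, and denies unless OPA answers an explicit `true`. The endpoint and message shapes (`POST /v1/data/<path>` with `{"input": ...}`, reply `{"result": ...}`) are OPA’s; the policy path `agent/authz/allow`, the input fields, the grant data, the Rego sketch in the docstring and the local OPA address are assumptions for this example, and `fake_opa` is a constructed stand-in so the logic runs without a server.

```python
"""Ask OPA whether an agent may call a tool; deny on anything but an explicit yes.

Added example, not OPA's own code.  It uses OPA's Data API (POST /v1/data/<path>,
body {"input": ...}, response {"result": ...}).  The policy path, input fields,
grant data and OPA address are assumptions.  A matching Rego policy (assumed,
not from the page) would look roughly like:

    package agent.authz
    default allow := false
    allow if {
        some grant in data.grants[input.agent]
        grant.server == input.mcp_server
        grant.tool == input.tool
    }
"""
import json
import urllib.request
from typing import Callable

OPA_URL = "http://localhost:8181"   # assumed: OPA running as a local sidecar
POLICY_PATH = "agent/authz/allow"   # assumed package path / rule name

# Transport: (url, body_bytes) -> response_bytes.  Injected so the decision
# logic can be exercised against a fake OPA as well as a real one.
Transport = Callable[[str, bytes], bytes]


def http_transport(url: str, body: bytes) -> bytes:
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read()


def authorize_tool_call(agent: str, mcp_server: str, tool: str,
                        transport: Transport = http_transport) -> dict:
    """Return {"allow": bool, "reason": str}.  Fail closed on every ambiguity."""
    query = {"input": {"agent": agent, "mcp_server": mcp_server, "tool": tool}}
    url = f"{OPA_URL}/v1/data/{POLICY_PATH}"
    try:
        doc = json.loads(transport(url, json.dumps(query).encode()))
    except Exception as exc:  # OPA unreachable, timeout, or a non-JSON reply
        return {"allow": False, "reason": f"policy engine error: {exc}"}
    # OPA omits "result" entirely when the rule is undefined (policy not loaded,
    # wrong path).  That is silence, not a verdict, and silence must deny.
    if "result" not in doc:
        return {"allow": False, "reason": "rule undefined (policy not loaded?)"}
    if doc["result"] is True:  # strict: the string "true" or 1 is not a yes
        return {"allow": True, "reason": "allowed by policy"}
    return {"allow": False, "reason": "denied by policy"}


# --- constructed fake OPA, so the example runs without a server --------------
GRANTS = {"research-agent": [("filesystem", "read_file")]}  # assumed data.grants


def fake_opa(url: str, body: bytes) -> bytes:
    """Mimics the Data API for the Rego sketched in the docstring."""
    if not url.endswith("/v1/data/" + POLICY_PATH):
        return b"{}"  # unknown path: undefined document, no "result" key
    inp = json.loads(body)["input"]
    allowed = (inp["mcp_server"], inp["tool"]) in GRANTS.get(inp["agent"], [])
    return json.dumps({"result": allowed}).encode()


if __name__ == "__main__":
    for call in [("research-agent", "filesystem", "read_file"),
                 ("research-agent", "filesystem", "write_file"),
                 ("unknown-agent", "shell", "exec")]:
        print(call, authorize_tool_call(*call, transport=fake_opa))
```

The undefined-rule branch is the one worth remembering: if the policy bundle failed to load or the package path has a typo, OPA answers `{}` rather than `{"result": false}`. Only an explicit `is True` check keeps the tool gateway fail-closed in that state; a truthiness test on the whole response document would not.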


What it does: AI-native proxy for A2A and MCP protocol traffic. RBAC, observability, and policy enforcement on agent-to-tool interactions.

Donated to the Linux Foundation. Sits between your agents and their tools. Only the right agents can call the right tools with the right permissions. Full observability on the protocol layer.

Why it matters for AI infra: MCP is the emerging standard for agent-tool connectivity. Most teams wire MCP directly with no access control layer, a significant and growing attack surface. AgentGateway is the purpose-built solution. Linux Foundation stewardship means production-grade stability and long-term maintenance.

🔗: https://github.com/agentgateway/agentgateway



What it does: Runtime policy engine mapped directly to the OWASP Agentic AI Top 10.

When OWASP published the first formal taxonomy of agentic AI risks (goal hijacking, tool misuse, identity abuse, rogue agents), Microsoft shipped a toolkit that addresses every single one. Sub-millisecond governance latency (<0.1ms p99). Deploys as a sidecar container or middleware layer.

  • Goal hijacking → semantic intent classifier

  • Tool misuse → capability sandboxing + MCP security gateway

  • Memory poisoning → Cross-Model Verification Kernel with majority voting

  • Rogue agents → ring isolation, trust decay, automated kill switch

Why it matters for AI infra: The EU AI Act’s high-risk AI obligations take effect August 2026. The Colorado AI Act takes effect January 2027. Agentic AI governance is moving from best practice to legal requirement. This is the most comprehensive open source implementation aligned with the formal risk taxonomy.

🔗: https://github.com/microsoft/agent-governance-toolkit


What it does: GitHub Action that runs Claude Code on every pull request and posts security findings as inline review comments.

Diff-aware: only analyzes changed files. Semantic reasoning, not pattern matching, to identify high-confidence, exploitable vulnerabilities. Calibrated false positive filtering: no theoretical issues, no rate-limiting noise. Just vulnerabilities a senior security engineer would flag in review.

One YAML file to add to any repository.

Why it matters for AI infra: Security review is the step most teams skip because it’s expensive and slow. This makes it automatic and free on every PR. The semantic analysis, using actual LLM reasoning rather than regex, catches logic-level security issues that static analysis tools miss entirely.

🔗: https://github.com/anthropics/claude-code-security-review


What it does: An AI agent that scans your entire codebase for vulnerabilities that have been sitting there for years.

Fast regex matchers find candidates; then Claude or Codex investigates each one at maximum thinking level. Work fans out across parallel workers for large single repos. You can interrupt or restart jobs, and it picks up where it left off.

Why it matters for AI infra: Every other tool on this list protects agents at runtime. Deepsec goes one layer earlier. It clears the vulnerabilities already living in the codebase your agents will read, modify, and deploy.

🔗: https://github.com/vercel-labs/deepsec
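The shape of that pipeline, as an added Python example that is not Deepsec’s code: cheap regex matchers nominate candidates, a slower investigate stage rules on each one, and a checkpoint written atomically after every file lets an interrupted run resume instead of restarting. The three matchers, the checkpoint format and the `literal_only` stand-in for the model stage are assumptions of this example (a real pipeline would hand each candidate and its surrounding code to the model); the sample files created in the `__main__` block are constructed.

```python
"""Two-stage, resumable vulnerability candidate scan (added example, not Deepsec's code).

Stage 1: cheap regex matchers nominate candidates per line.
Stage 2: an injected investigate() callable decides on each candidate; here a
         heuristic stand-in, in a real pipeline the model.
Progress and confirmed findings are checkpointed atomically after every file,
so rerunning after an interruption continues where the last run stopped.
"""
import json
import re
from pathlib import Path
from typing import Callable, Iterator, Optional

# Assumed matchers: each nominates a *candidate*, not a confirmed finding.
MATCHERS = {
    "shell-injection": re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True"),
    "dynamic-eval": re.compile(r"\b(?:eval|exec)\s*\("),
    "unsafe-yaml": re.compile(r"yaml\.load\((?![^)]*Loader)"),
}
# A call whose first argument is a plain (non f-) string literal.
LITERAL_ARG = re.compile(r"""\(\s*[rb]?["'][^"']*["']\s*[,)]""")


def find_candidates(path: Path) -> Iterator[dict]:
    """Yield {rule, file, line, text} for every matcher hit in one file."""
    for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        for rule, rx in MATCHERS.items():
            if rx.search(line):
                yield {"rule": rule, "file": str(path), "line": lineno, "text": line.strip()}


def literal_only(candidate: dict) -> dict:
    """Stand-in for the model stage: a sink fed only a string literal is not
    reachable by external input; anything else stays confirmed for review."""
    literal = LITERAL_ARG.search(candidate["text"]) is not None
    return {"confirmed": not literal,
            "note": "literal argument only" if literal else "non-literal input reaches sink"}


def load_checkpoint(checkpoint: Path) -> dict:
    if checkpoint.exists():
        return json.loads(checkpoint.read_text())
    return {"done": [], "findings": []}


def save_checkpoint(checkpoint: Path, state: dict) -> None:
    # Write to a temp file, then rename: a kill mid-write never leaves a
    # half-written checkpoint that would poison the next resume.
    tmp = checkpoint.with_suffix(".tmp")
    tmp.write_text(json.dumps(state))
    tmp.replace(checkpoint)


def scan_tree(root: Path, checkpoint: Path, investigate: Callable[[dict], dict],
              stop_after: Optional[int] = None) -> list:
    """Scan every *.py under root, skipping files the checkpoint already lists.
    stop_after (a file count) simulates an interruption for the demo and test.
    Returns all confirmed findings so far, including those from earlier runs."""
    state = load_checkpoint(checkpoint)
    done = set(state["done"])
    processed = 0
    for path in sorted(root.rglob("*.py")):
        key = str(path.relative_to(root))
        if key in done:
            continue
        if stop_after is not None and processed >= stop_after:
            break
        for cand in find_candidates(path):
            verdict = investigate(cand)
            if verdict["confirmed"]:
                state["findings"].append({**cand, **verdict})
        done.add(key)
        state["done"] = sorted(done)
        processed += 1
        save_checkpoint(checkpoint, state)
    return state["findings"]


if __name__ == "__main__":
    import tempfile
    root = Path(tempfile.mkdtemp())  # constructed sample tree
    (root / "a.py").write_text('import subprocess\nsubprocess.run(f"ls {p}", shell=True)\n')
    (root / "b.py").write_text('subprocess.run("ls -la", shell=True)\nx = eval(user_input)\n')
    ckpt = root / "scan.ckpt.json"
    print("first run (interrupted after 1 file):", scan_tree(root, ckpt, literal_only, stop_after=1))
    print("resumed run:", scan_tree(root, ckpt, literal_only))
```

The checkpoint carries both the processed-file list and the confirmed findings; storing only the file list would lose the first run’s findings on resume, which is the subtle half of "picks up where it left off".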


What it does: Persistent, isolated container environments for coding agents.

From the Dagger team. Each coding agent gets its own container. Multiple agents run in parallel without conflict. Environments persist across sessions. Resume any task mid-flight with an existing env ID.

The differentiator: full OpenTelemetry instrumentation on every agent run. Every LLM decision, tool call, error, and retry appears in the build trace. When something goes wrong, you don’t guess, you see it.

Why it matters for AI infra: “It works on my machine” is not a deployment model. Container Use brings the isolation and reproducibility guarantees that containerization gave to software builds to agent execution. The observability layer alone makes debugging agentic systems tractable.

🔗: https://github.com/dagger/container-use


What it does: Meta’s open source guardrail system for LLM agents. Blocks prompt injection, scans LLM-generated code for vulnerabilities, detects misaligned reasoning.

A single prompt injection can flip an agent’s intent: cause it to leak private data, execute unauthorized commands, or operate far outside scope. LlamaFirewall sits at the application layer and intercepts this before it reaches execution. It also scans code the agent generates for critical vulnerabilities before it ships to production, a gap most guardrail systems ignore entirely.

Open-weight guardrail models on HuggingFace. Run on your own infrastructure at 50–100ms latency. No API calls. No data leaving your environment.

Why it matters for AI infra: Prompt injection is the SQL injection of the agentic era. It’s being exploited in production systems today. LlamaFirewall is the most rigorous open source defense available, built by a security team that has worked through the actual LLM agent threat model.

🔗: https://github.com/meta-llama/PurpleLlama/tree/main/LlamaFirewall


What it does: Open source, self-hostable alternative to E2B for AI agent code execution. Multi-language SDKs. Hardware-level isolation.

Docker and Kubernetes runtimes. gVisor, Kata Containers, and Firecracker isolation layers; pick the isolation level that matches your threat model. Multi-language SDK support. CNCF Landscape project.

Why it matters for AI infra: Not every team wants an external SaaS dependency in their agent execution path. Microsandbox gives you the same isolation guarantees inside your own infrastructure, with no external API in the hot path, and with full control over your data residency.

🔗: https://github.com/superradcompany/microsandbox


Most teams still think of AI agents as applications.

The infrastructure ecosystem increasingly treats them as autonomous systems that require isolation, observability, security, and governance.

That shift is changing how AI systems get deployed in production.

And increasingly, it is becoming mandatory.

The EU AI Act enters full enforcement on August 2, 2026 with high-risk AI system obligations, transparency requirements, and penalties up to €35M or 7% of global turnover.

Colorado’s replacement AI law is heading to the Governor’s desk now, with a January 2027 effective date. Every version of every bill, in every jurisdiction, requires the same things: documentation, audit trails, risk management, human oversight. The exact same artifacts this infrastructure stack produces.

The teams building this layer now will not only ship safer systems. When the compliance conversation arrives from customers, auditors, regulators, or enterprise buyers, they will have artifacts to show instead of promises to make.

The next generation of AI companies will not only build better models or better prompts.

They will build the infrastructure required to operate autonomous systems safely at scale.

Thanks for reading!


Follow @AlphaSignalAI for more content like this.

Check out AlphaSignal.ai to get a daily summary of top models, repos, and papers in AI. Read by 300,000+ devs.