Morning Briefing · Wednesday, May 20, 2026

Network Automation Gets Its AI Agent Safety Playbook


Top 3 Highlights

1. Ivan Pepelnjak Endorses the Agentic AI Setup Every Network Automator Needs

If you are starting to let AI agents generate Ansible playbooks, Nornir scripts, or Terraform configs against your automation repo, stop and read Mike McQuaid's 2026 setup guide. Ivan Pepelnjak at ipSpace.net flagged it this week as the most credible practitioner account of secure agentic AI for infrastructure code — contrasting it explicitly with what he called the usual AI hyperventilation.

McQuaid, the Homebrew project lead (a man who reviews more code PRs per year than most of us see in a career), built a two-layer defense for letting AI agents touch his GitHub repositories. The first layer is Sandvault: a macOS-native tool that runs the agent process under an unprivileged sandboxed OS user with no access to your GITHUB_TOKEN, no write access outside version-controlled directories, and no ability to exfiltrate code. The second layer is Git worktrees: a built-in Git feature that checks out a repo into multiple independent directories simultaneously, each on its own branch. McQuaid invokes each agent task with sv claude -- or sv codex -- (the sv prefix applies the sandboxed user context), one worktree per task, no cross-contamination between parallel agent sessions.

What makes this credible beyond the usual advice is the combination: Sandvault removes the need to babysit constant permission prompts for safe operations without removing the actual security boundary. Worktrees prevent the agent from corrupting your main working copy while enabling multiple tasks in parallel. Human review gates remain — McQuaid reviews generated diffs before any PR is merged. The sandbox does not replace review; it confines the damage radius if something goes wrong before you review.

The Sandvault tool is macOS-specific today, but the architectural pattern — restricted OS user + isolated working directory per session — is platform-agnostic. On Linux, you can approximate it with dedicated system users and tmpfs-backed worktree roots. The critical insight transfers: your CI/CD tokens and production credentials should never be in scope for an agent that is generating code you have not reviewed yet.

Ivan's specific endorsement note carries weight. He has been critical of network automation hype for two decades and rarely flags practitioner posts as "worth reading" unless they offer something he would actually use.

So What? Set up a dedicated Git worktree per agent session and run the agent under a restricted OS user with no access to your CI/CD credentials. Review the diff before merge. The pattern is available to you this week, not "when the tooling matures."
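The Linux approximation of this pattern, as an added example (not McQuaid's setup and not Sandvault's code): one worktree per agent task, with the agent started under an allow-listed environment and optionally as a restricted account. AGENT_ROOT, AGENT_USER and the agent/<task> branch prefix are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Sandvault or McQuaid's code. One worktree per agent task,
# agent started with an allow-listed environment, optionally as another user.
# Hypothetical names: AGENT_ROOT, AGENT_USER, the agent/<task> branch prefix.

AGENT_ROOT="${AGENT_ROOT:-/tmp/agent-worktrees}"  # ideally a tmpfs mount
AGENT_USER="${AGENT_USER:-}"                      # restricted account; empty = current user

# Create an isolated worktree on its own branch; prints the worktree path.
new_agent_worktree() (
  repo=$1 task=$2
  # The task name becomes a path and a branch name: allow a strict charset only.
  case $task in
    ''|.*|*[!A-Za-z0-9._-]*) echo "invalid task name" >&2; exit 2 ;;
  esac
  mkdir -p "$AGENT_ROOT" || exit 1
  git -C "$repo" worktree add -b "agent/$task" "$AGENT_ROOT/$task" HEAD >&2 || exit 1
  printf '%s\n' "$AGENT_ROOT/$task"
)

# Run a command in the worktree. env -i drops the whole parent environment
# (GITHUB_TOKEN, cloud keys, SSH_AUTH_SOCK); only what is listed gets through.
run_agent_confined() (
  wt=$1; shift
  mkdir -p "$wt.home" || exit 1          # scratch HOME outside the worktree
  set -- env -i PATH=/usr/local/bin:/usr/bin:/bin HOME="$wt.home" LANG=C \
         GIT_TERMINAL_PROMPT=0 GIT_CONFIG_NOSYSTEM=1 "$@"
  # With AGENT_USER set, file permissions become a second boundary: that
  # account must own the worktree and must not be able to read your real HOME.
  [ -n "$AGENT_USER" ] && set -- sudo -n -u "$AGENT_USER" -- "$@"
  cd "$wt" && exec "$@"
)

# Review gate input: everything the agent touched, including untracked files.
agent_changes() (
  git -C "$1" status --porcelain --untracked-files=all
)

# Usage (the agent command is whatever CLI you run):
#   wt=$(new_agent_worktree ~/src/netops task-42)
#   run_agent_confined "$wt" claude
#   agent_changes "$wt"; git -C "$wt" diff HEAD
```

A linked worktree keeps its metadata and objects in the parent repository's .git directory, so a separate AGENT_USER can edit files without access to it but cannot run git commands in the worktree unless you grant that access.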

Sources: ipSpace.net — https://blog.ipspace.net/2026/05/worth-reading-agentic-ai-sandboxes-worktrees/ | Mike McQuaid — https://mikemcquaid.com/sandboxed-agent-worktrees-my-coding-and-ai-setup-in-2026/


2. AI Agent Governance Is Graduating From Runtime Guardrails to Cryptographic Provenance

Two things happened this week that look unrelated but are the same story told at different layers. NVIDIA launched a formal verification pipeline for AI agent skills — cryptographic signing, automated security scanning, standardized skill cards. NIST's Center for AI Standards and Innovation launched its AI Agent Standards Initiative, the first US government program explicitly targeting interoperability and security standards for agentic systems.

Together they describe a single structural shift: AI agent governance is moving from runtime behavior monitoring to pre-deployment capability verification with auditable provenance.

The NVIDIA framework is the more immediately operational piece. Verified skills go through five stages: source review, security scanning via SkillSpector, standardized evaluation (trigger accuracy, task completion rate), cryptographic signing using OpenSSF Model Signing with detached signature files, and daily sync to a public skill catalog. SkillSpector checks both conventional supply-chain risks (vulnerable dependencies, suspicious scripts) and agentic-specific ones: hidden instructions, prompt injection patterns, tool poisoning — mapped directly to OWASP LLM Top 10 and MITRE ATLAS. The result is a skill card: machine-readable, documenting functionality scope, authorship, licensing, known limitations, and verification status.

This is software supply-chain discipline applied to the agent skill layer. Infrastructure engineers already know how to think about signed packages and verified firmware. The trust model is identical — the NVIDIA framework just formalizes it for the AI agent skill layer that is now sitting above your network configuration tooling.

The NIST initiative sets the longer-term trajectory. Finalized agent-specific standards are not expected before 2027, but the framework direction is clear: interoperability standards for agent-to-agent and agent-to-tool communication, and security evaluation practices aligned with OWASP Agentic Top 10 and the NIST AI RMF GenAI Profile. For regulated industries where network operations is a compliance function, "we run guardrails" is no longer sufficient as a security posture for AI agent deployments.

Both findings connect to last Monday's Open Agent Leaderboard result: agent architecture matters more than model selection, and failed agent runs cost twenty to fifty-four percent more than successful ones. The pattern this week is consistent: the industry is building the engineering discipline around AI agents that it built around software generally — but it took software twenty years and this is happening in eighteen months.

So What? Before deploying any AI agent skill in a NetOps context, require a skill card equivalent: documented functionality scope, explicit known limitations, licensing, and a cryptographic provenance record if the vendor supports it. Start enforcing this as a procurement requirement now. Pull the NIST AI RMF GenAI Profile and map your planned agent deployments against it before your first production incident.

Sources: NVIDIA Technical Blog — https://developer.nvidia.com/blog/nvidia-verified-agent-skills-provide-capability-governance-for-ai-agents/ | Pillsbury Law — https://www.pillsburylaw.com/en/news-and-insights/nist-ai-agent-standards.html | Cloud Security Alliance — https://labs.cloudsecurityalliance.org/research/csa-research-note-nist-ai-agent-standards-20260416-csa-style/


3. NetBox Asset Lifecycle Preview: Procurement Finally Joins the Infrastructure System of Record

NetBox has been the infrastructure system of record for thousands of network teams — documenting what exists, where it lives, how it connects. This week, NetBox Labs shipped Asset Lifecycle into public preview, and it changes the fundamental value proposition: NetBox now manages how infrastructure gets to production, not just what is in production.

Asset Lifecycle adds five new workflow stages as first-class NetBox objects: Bills of Materials, Purchase Orders, Shipments, Spares, and RMAs. All of them are generated from and reconciled against the same data model that already describes your devices, sites, and cables. The BOM is generated directly by scoping infrastructure objects in your existing NetBox model — the system deduplicates equipment by type and variant (including airflow direction and cable specifications) and auto-creates cable types as native NetBox entries.

The operational payoff is the Installation action: when hardware arrives, you record device status, serial number, and asset tag against the source shipment or spares pool in a single operation. The physical-to-logical handoff — the moment where a box on a loading dock becomes a node in your network model — is now one atomic action rather than a manual data-entry step that happens hours or days after delivery.

The practical consequence: a network engineer can generate a rack BOM from a NetBox site model, raise a Purchase Order, receive the shipment, and mark devices as installed, all without leaving the platform or reconciling a spreadsheet. Serial number mismatches between purchase orders and actual hardware — a perennial source of audit pain — get caught at delivery time rather than during a fault.

This continues the source-of-truth platform evolution arc that has been running since early 2026: NetBox 4.6 multi-writer concurrency in April, Nautobot 3.1 MCP integration and agentic queries in May, and now procurement lifecycle. The platforms are converging on being the operational control plane for network infrastructure, not just the documentation layer.

So What? If you manage hardware procurement in spreadsheets alongside NetBox, sign up for the Asset Lifecycle preview. The forcing function is the Installation action — it eliminates the gap between "what was ordered" and "what is actually racked."

Sources: NetBox Labs Blog — https://netboxlabs.com/blog/asset-lifecycle-public-preview/


Networking & Architecture

Plate II (networking): Schematic leaf-spine fabric — explicit-path traffic flows across the spine plane, pods at the edges.

Ethernet Wins ~70% of New AI Fabric Deployments

Broadcom's recent earnings commentary puts the current split at roughly seventy percent of new AI infrastructure deployments selecting Ethernet and RoCEv2 over InfiniBand — up from a minority position two years ago [figure from Broadcom earnings, treat as directional rather than precise]. Nokia confirmed end-to-end Ultra Ethernet Consortium interoperability across its datacenter switch family this month.

The underlying driver is not that InfiniBand got worse. It is that the operational model of running RDMA on the same Ethernet fabric as everything else is proving out in production, and engineers who already know BGP, ECMP, and adaptive routing can design and operate these fabrics without a separate skill set. The UEC 1.0 specification — backed by AMD, Broadcom, Cisco, HPE, Intel, Meta, and Microsoft — formally addresses the four areas where InfiniBand historically held the edge: scale, bandwidth density, low latency, and multipath handling.

So What? If you are still sizing a new AI fabric as an InfiniBand deployment by default, revisit the decision against UEC 1.0 capabilities and current silicon availability. The operational advantage of a unified Ethernet fabric is real, not aspirational, in 2026.

Sources: AMD Engineering Blog — https://www.amd.com/en/blogs/2026/next-gen-networking-transport-for-large-scale-ai-training.html | Nokia — https://www.nokia.com/newsroom/nokia-strengthens-leadership-in-ai-ready-data-center-networks-with-successful-end-to-end-ultra-ethernet-test-across-data-center-switch-family/


Network Automation

Plate III (automation): Source-of-truth pipeline — intent → diff → apply → verify, idempotent on every revolution.

Nautobot 3.1 Extends Into Multi-Vendor OS Upgrade Orchestration

Network to Code shipped Nautobot 3.1 in April 2026 with a capability expansion beyond source-of-truth documentation and into day-two operations. The release adds structured multi-vendor OS upgrade workflows with standardized pre-check, upgrade, and post-check phases across Cisco, Arista, Juniper, and other vendors. Operational compliance validation detects configuration drift over time and retains change evidence for audit readiness. Automated device discovery finds unknown and rogue devices and ingests them into the Nautobot model.

The MCP integration (the primary angle when this release shipped in April) enables Nautobot to participate as a tool-call target in broader agentic AI pipelines — natural-language queries against the live source-of-truth. Today's new angle is the OS upgrade orchestration: the move from "document your network" to "orchestrate changes to your network" within the same platform.

So What? Pull the Nautobot 3.1 release notes and assess whether the OS upgrade workflow covers your primary vendor stack. The pre/post-check operational compliance gates are the differentiating piece — most teams still run OS upgrades as manual procedures with informal verification steps.

Sources: Network to Code / Nautobot — https://networktocode.com/nautobot/nautobot-latest-release/


AI & Machine Learning

Plate IV (AI / ML): Embedding space — clusters carry related concepts; the highlighted query vector pulls its nearest neighbors.

Cerebras Post-IPO: The WSE-3 Memory Problem and What WSE-4 Needs to Solve

Cerebras completed the largest US IPO of 2026 at five-point-five-five billion dollars and holds roughly eight-point-nine billion in cash. The OpenAI deal — twenty billion dollars for seven hundred fifty megawatts of waferscale compute installations through twenty twenty-eight — makes Cerebras a real procurement option for hyperscale inference. The technical challenge now in focus: the current WSE-3's SRAM-to-compute ratio is wrong for low-latency inference, requiring multiple machines ganged together purely to hold large model weights.

WSE-4 probable solutions: three-dimensional SRAM stacking on the wafer and dedicated memory fabrics to expand MemoryX capacity. For network engineers designing AI inference fabrics, the architectural implication is direct: if waferscale processors move toward on-chip weight storage, the east-west RDMA traffic pattern that drives RoCEv2 fabric sizing changes fundamentally. GPU clusters need high-bandwidth east-west for weight redistribution across devices; a waferscale architecture with weights fully on-chip does not. The failure domain assumptions also shift. This is worth tracking before you commit to a fabric design that assumes GPU-style east-west traffic as the dominant pattern.

So What? When speccing AI inference network fabrics, ask the accelerator vendor whether their architecture is memory-bandwidth-constrained (requiring high-bandwidth east-west for weight redistribution) or compute-bandwidth-constrained (weights on-chip). The answer changes your fabric topology and RoCEv2 configuration requirements.

Sources: Next Platform — https://www.nextplatform.com/compute/2026/05/15/with-its-ipo-done-cerebras-can-get-back-to-pushing-the-ai-envelope/5241317 | Network World — https://www.networkworld.com/article/4117296/openai-turns-to-cerebras-in-a-mega-deal-to-scale-ai-inference-infrastructure.html


DeepSeek V4 Pro: Open-Source 1M Context at Pricing That Changes the Economics

DeepSeek released V4 Pro and V4 Flash this week as open-source models with one-million-token context support. Pro is priced at two-forty per million input tokens, four-eighty per million output. Flash is twenty cents per million input, forty per million output. [Licensing not confirmed in available sources — verify before production use.]

The operational consequence: at twenty cents per million input tokens, running a full enterprise router configuration corpus through the model for anomaly detection, intent extraction, or compliance checking costs less than a cent per analysis pass. The cost objection for always-on AI configuration analysis has essentially collapsed. The remaining investments are structured data extraction from your source of truth and validation logic — both well within network automation tooling.

So What? If cost has been the reason your team deferred an AI-assisted configuration analysis pipeline, the economics have changed. Run a proof-of-concept with V4 Flash against your device configuration exports before citing cost as a blocker.

Sources: Build Fast With AI — https://www.buildfastwithai.com/blogs/latest-best-ai-models-may-2026 | LLM Stats — https://llm-stats.com/llm-updates


Datacenter

Plate V (datacenter): Datacenter row — per-rack utilization at a glance. Cool colors are slack; warmer fills are pressure.

Virginia Requires Tier 4 Generators at Datacenters Starting July 2026

Virginia DEQ is requiring Tier 4 emissions standards — with selective catalytic reduction and continuous monitoring — for new datacenter backup generator permits starting July first, twenty twenty-six. The revised guidance explicitly acknowledges that these generators are no longer "rarely used emergency systems": AI-driven load growth is pushing them into extended operation during ISO reliability events and demand response programs.

The cost impact is real: Tier 4 SCR systems add millions per campus for hyperscale operators running dozens or hundreds of generators. PJM Interconnection now formally incorporates datacenter backup generation into grid reliability planning following Winter Storm Fern — a strong signal that other grid regions are watching.

Community opposition in Northern Virginia's hyperscale corridor is concentrated enough that Virginia HB 507 passed, giving regulators authority to go stricter than Tier 4 if warranted. This is a replicable regulatory template. Georgia, Ohio, and Texas are the next states to watch.

So What? Any datacenter team planning generator expansions in Virginia after July twenty twenty-six needs to budget for SCR retrofit costs and factor continuous emissions monitoring into OpEx. If you operate in PJM-connected states or other hyperscale-dense markets, start tracking whether local DEQs are adopting the Virginia model.

Sources: Data Center Knowledge — https://www.datacenterknowledge.com/build-design/virginia-deq-revises-data-center-generator-rules-as-community-pushback-builds


Gradiant Hits $2B Valuation — Water Is the New Power Constraint

Gradiant, a specialist in industrial water treatment, closed a Series E at a two-billion-dollar valuation, with AI datacenters explicitly named as the growth driver. The company expects datacenters to account for roughly twenty-five percent of its global business by twenty twenty-seven, up from a minority share today.

What Gradiant actually provides: zero liquid discharge systems, hypersaline brine treatment, and water recycling for high-purity manufacturing environments. In datacenter terms: cooling loops that concentrate minerals over repeated cycles, chiller systems that require treated water for scale prevention, and liquid-cooled server loops that need water quality management to protect direct-to-chip hardware.

A specialist water treatment company reaching two-billion-dollar valuation because datacenters need its services is the same signal the grid gave when power prices started showing datacenter premiums. Water is now a structurally constrained infrastructure input alongside power and grid interconnection capacity.

So What? Hyperscale and enterprise datacenter operators sourcing liquid cooling systems should audit water consumption per cooling ton and zero-liquid-discharge feasibility at each site now. Water constraints are beginning to drive site selection and permitting the way power interconnection delays already do.

Sources: DataCenter Dynamics — https://www.datacenterdynamics.com/en/news/gradiant-closes-series-e-funding-round-company-valued-at-2bn/ | BusinessWire — https://www.businesswire.com/news/home/20260518135237/en/Gradiant-Announces-Series-E-Financing-at-$2-Billion-Valuation-to-Accelerate-Expansion-in-AI-Semiconductors-and-Industrial-Water-Infrastructure


Science

Plate VI (science): Field schematic — three-body stability under quasi-equal masses, drawn from the day's central result.

Varda W-6 Lands in Australia: A Drug-Manufacturing Capsule Comes Home from Orbit

Varda Space Industries recovered its W-6 reentry capsule at Koonibba Test Range in South Australia on May nineteenth, after surviving atmospheric reentry above Mach twenty-five. This was the company's second successful reentry of twenty twenty-six, and it validated two new technologies: autonomous star-tracker and LEO satellite imagery-based navigation during hypersonic descent, and NASA/Sandia embedded thermal sensors measuring heatshield performance in actual reentry conditions for the first time.

The mission hardware: a C-PICA ablative heatshield developed at NASA Ames, with Sandia National Laboratory nose tiles carrying embedded sensors measuring actual surface temperatures during ablation — data that has historically existed only in computational models. The autonomous navigation payload used onboard imagery of stars and resident space objects to determine vehicle position without ground-based updates during the plasma blackout phase when radio contact is lost.

The business model underneath: launch a pharmaceutical reactor to orbit, grow drug crystals in microgravity (demonstrated on Varda's W-1 mission with an antiviral drug), return them via autonomous capsule. The economics depend entirely on reentry cost and cadence — Varda is targeting monthly recovery frequency. If that holds, orbital pharmaceutical manufacturing stops being a concept and becomes a supply chain constraint for a specific class of drugs that cannot be crystallized in Earth's gravity at commercial purity levels.

Sources: Varda Space Industries / PR Newswire — https://www.prnewswire.com/news-releases/varda-space-industries-successfully-reenters-w-6-validating-autonomous-navigation-and-advanced-thermal-protection-systems-302775804.html | The Register — https://www.theregister.com/science/2026/05/20/space-factories-edge-closer-after-experimental-capsule-survives-hypersonic-landing/5243140


IBM Claims 10x QEC Decoding Speedup, One Year Ahead of Schedule [unverified]

IBM is reporting a tenfold speedup in quantum error correction decoding, arriving approximately one year ahead of its projected timeline. QEC decoding — the classical computation bottleneck in fault-tolerant quantum systems — must keep pace with the quantum processor's error detection cycle (typically microsecond timescales) to prevent error accumulation. A ten-times throughput improvement in the decoder pipeline enables larger logical qubit arrays without falling behind the measurement cycle, directly enabling higher-distance error correcting codes. [Primary source paper not confirmed in available reporting — treat as a credible industry announcement pending peer-reviewed publication.]

The PQC migration calculus shifts when fault-tolerant quantum hardware timelines compress. If you have data with five-plus year confidentiality value, ML-KEM and ML-DSA migration should be an active engineering project, not a future-year roadmap item.

Sources: Quantum Zeitgeist — https://quantumzeitgeist.com/ibm-at-ces-2026-the-dawn-of-quantum-advantage/ | IBM Quantum — https://www.ibm.com/quantum/hardware


Security

Plate VII (security): Zero-trust egress — credentials are injected at the proxy boundary, never reaching the client runtime.

No significant security architecture updates this cycle. The NVIDIA Verified Agent Skills framework (covered in Top 3 above) is the most relevant security-adjacent development — it addresses supply-chain risk at the AI agent capability layer, which matters for teams deploying AI agents in network operations workflows.



Quick Takes

  • SONiC 202505 DPU Integration: The May twenty-oh-five release (covered May fifteenth from the enterprise blocker angle) adds independent DPU firmware management without affecting the parent switch, in both dark mode and light mode deployment patterns. If you are evaluating SmartNIC integration with SONiC, the new lifecycle management capabilities are worth testing. Source: SONiC Foundation — https://sonicfoundation.dev/sonic-202505-powering-ai-fabrics-and-enterprise-networks-with-precision-and-insight/

  • Gemini 3.5 Flash GA: Google released Gemini 3.5 Flash directly to general availability at Google I/O (skipping the preview label), deploying it across Google products to billions of users. Priced above the previous Flash generation despite continued efficiency improvements — Google is capturing value at the API layer as open-weight competition drives costs down elsewhere. Source: Simon Willison — https://simonwillison.net/2026/May/19/gemini-35-flash/

  • Accelsius NeuCool IR150: Two-phase direct-to-chip liquid cooling at one hundred fifty kilowatts per rack is now generally available, with a hyperscale validation track (HyperStart program) for custom deployments. If your AI cluster planning assumes a future cooling infrastructure, this is a current product. Source: Accelsius — https://www.accelsius.com/blog/



Watch Today

  1. Agentic AI safety stack consolidating: Three distinct layers — OS-level sandboxing (McQuaid/Sandvault), cryptographic skill signing (NVIDIA), and formal government standards (NIST) — all published or endorsed in one week. This is the agentic AI safety stack taking shape in real time.

  2. Source-of-truth platforms becoming operational control planes: NetBox Asset Lifecycle (procurement), Nautobot 3.1 (OS upgrades, MCP), NetBox 4.6 multi-writer concurrency (April) — the progression this quarter has been consistent. Document → automate → orchestrate.

  3. Infrastructure constraint trifecta: Power (Virginia generator permitting), water (Gradiant $2B), and land/permitting (grid interconnection queues) are three independent constraints now binding simultaneously on datacenter capacity. Any one of them is a site selection blocker. Site teams that track only power are running an incomplete analysis.


Pipeline: 12 primary items | 3 quick takes | 5 domains | Security: no updates | RSS digest: 79 articles, top score 10.2 | 2 cooldown enforcements (SONiC 202505 to quick take, Gemini 3.5 Flash to quick take) | Sources: 21
