East-West Service Isolation Governance

2. Summary

East-West Service Isolation Governance requires that lateral communication between internal services — the "east-west" traffic within a network perimeter — is explicitly authorised, policy-enforced, and monitored for AI agent environments. In traditional network security, organisations invest heavily in north-south controls (traffic entering and leaving the network) while treating east-west traffic (service-to-service communication within the network) as implicitly trusted. For AI agent deployments, this implicit trust is dangerous: a compromised agent with unrestricted east-west access can move laterally to any internal service, escalating a single-point compromise into an organisation-wide breach. AG-307 requires that internal service-to-service communication for AI agents is governed with the same rigour as external boundary controls — every internal connection must be explicitly permitted, authenticated, and monitored.

3. Example

Scenario A — Lateral Movement From Compromised Agent to Payment System: An AI customer service agent is compromised through a prompt injection attack that exploits a vulnerability in the agent's web interface. The attacker gains control of the agent's runtime environment. Inside the network, the agent has unrestricted east-west connectivity — it can reach any internal service. The attacker discovers the internal payment processing API, which accepts requests from any internal IP address without additional authentication (it trusts the network perimeter). The attacker uses the compromised agent to submit 847 fraudulent payment transactions totalling £1.9 million before the anomalous pattern is detected by the payment system's fraud monitoring.

What went wrong: East-west traffic within the internal network was implicitly trusted. The payment API accepted requests from any internal source without service-level authentication. The compromised customer service agent had network access to the payment API despite having no legitimate need for that access. Consequence: £1.9 million in fraudulent payments (£430,000 unrecoverable), PCI DSS compliance failure, payment processor relationship review, 6-month remediation programme.

Scenario B — Agent-to-Agent Lateral Contamination Through Shared Message Queue: An organisation operates 8 AI agents connected through a shared internal message queue. Agent 1 (customer onboarding) publishes events that Agent 3 (compliance checking) consumes. However, because all 8 agents connect to the same queue with full publish/subscribe permissions, any agent can publish messages that any other agent will consume. A reasoning error in Agent 5 (inventory management) causes it to publish malformed messages to the queue. Agent 7 (financial reporting) consumes these malformed messages, interprets them as financial data updates, and generates a corrupted financial report. The corruption propagates through 3 downstream systems before detection.

What went wrong: The message queue provided unrestricted east-west communication — any agent could publish to any topic and any agent could subscribe to any topic. No service isolation governed which agents could communicate with which other agents. A malfunction in one agent contaminated another agent through the shared communication channel. Consequence: Corrupted financial report, 3 downstream systems affected, 2-week data reconciliation, external audit escalation.

Scenario C — Microsegmentation Prevents Lateral Movement: An AI agent is compromised through the same prompt injection vector as Scenario A. The attacker gains control of the agent's runtime environment and scans for internal services. The agent's network segment is microsegmented: the agent can communicate only with its designated backend API (customer data service) and the secrets broker. All other internal services — including the payment API, the message queue, the HR database, and the infrastructure management API — are unreachable from the agent's network segment. The attacker finds no lateral movement path and abandons the attempt. The compromise is detected through the agent's anomalous behaviour and remediated within 45 minutes.

What went right: East-west service isolation prevented lateral movement. The compromised agent could not reach any internal service beyond its explicitly authorised connections. The blast radius of the compromise was limited to the agent's own environment and its designated backend API.

4. Requirement Statement

Scope: This dimension applies to any AI agent deployed within a network environment that contains other services, agents, databases, APIs, or systems accessible through internal networking. The dimension addresses east-west traffic: communication between services within the same network perimeter, data centre, cloud VPC, or trust boundary. It applies to all forms of internal communication: direct TCP/UDP connections, HTTP/HTTPS API calls, message queue publish/subscribe, shared database access, shared file system access, service mesh communication, and any other mechanism through which one service can communicate with another inside the network boundary. Single-agent deployments with no internal services are excluded. The dimension is particularly critical for microservices architectures, Kubernetes deployments, and multi-agent systems where numerous services share network infrastructure.

4.1. A conforming system MUST define an explicit service communication policy for each AI agent, specifying which internal services the agent is authorised to communicate with, the permitted direction of communication (initiate, receive, or both), and the permitted operations.

4.2. A conforming system MUST enforce the service communication policy at the network layer — through microsegmentation, network policies, service mesh authorisation, or equivalent structural controls — such that the agent cannot establish connections to services not in its policy.

4.3. A conforming system MUST implement mutual authentication for all east-west service communication involving AI agents — both the calling agent and the receiving service verify each other's identity before exchanging data.

4.4. A conforming system MUST default to deny for east-west communication — an agent with no service communication policy defined cannot communicate with any internal service.

4.5. A conforming system MUST log all east-west communication attempts (successful and blocked) involving AI agents, with source, destination, timestamp, protocol, and outcome.

4.6. A conforming system SHOULD implement east-west traffic encryption (mutual TLS or equivalent) for all AI agent service communication, protecting against network-layer eavesdropping within the internal network.

4.7. A conforming system SHOULD implement service mesh policies (e.g., Istio, Linkerd, Consul Connect) or equivalent L7 policy enforcement that can restrict not just which services communicate but which API endpoints and methods are permitted.

4.8. A conforming system SHOULD implement east-west traffic anomaly detection that baselines normal communication patterns and alerts on deviations — unusual destinations, unusual volumes, unusual protocols.

4.9. A conforming system MAY implement automated service communication policy generation based on observed agent communication patterns during a supervised learning period, with human review and approval before enforcement.

5. Rationale

The traditional network security model — a hardened perimeter protecting an implicitly trusted internal network — fails catastrophically when applied to AI agent deployments. The perimeter model assumes that anything inside the network is legitimate. AI agents invalidate this assumption because they are programmable, susceptible to instruction manipulation, and capable of being directed to perform actions their operators did not intend.

When an AI agent is compromised — through prompt injection, dependency vulnerability, supply chain attack, or reasoning failure — the attacker's reach is determined by the agent's east-west connectivity. If the agent can reach every internal service, the attacker can reach every internal service. The compromise of a low-value customer service agent becomes a pathway to the payment system, the HR database, the infrastructure management API, and every other internal service.

Microsegmentation — the practice of creating fine-grained network segments that restrict communication to only explicitly authorised paths — is the established solution to lateral movement. AG-307 applies microsegmentation principles specifically to AI agent deployments, recognising that AI agents pose a heightened lateral movement risk because of their susceptibility to compromise through instruction manipulation (a risk vector that traditional servers do not have).

The requirement for mutual authentication addresses a common east-west weakness: internal services that trust any request from an internal IP address. When services authenticate only the network source (trusted internal network = trusted request), any compromised host on the internal network can impersonate any service. Mutual authentication ensures that even within the internal network, services verify each other's identity cryptographically.

6. Implementation Guidance

East-west service isolation for AI agents should be implemented through a combination of network-layer microsegmentation, application-layer service mesh policies, and mutual authentication.

Recommended patterns:

• Kubernetes network policies. In Kubernetes deployments, implement NetworkPolicy resources that restrict pod-to-pod communication. Each agent pod's NetworkPolicy specifies which services it can communicate with (egress rules) and which services can communicate with it (ingress rules). All other traffic is denied by default. Example: an agent pod in the customer-service namespace is permitted to communicate with pods in the customer-data service on port 443 and the secrets-broker service on port 8200. All other egress is denied. This provides L3/L4 microsegmentation within the cluster.
• Service mesh L7 policy enforcement. Deploy a service mesh (Istio, Linkerd, Consul Connect) that provides L7 (application-layer) policy enforcement. The service mesh can restrict not just which services communicate but which HTTP methods and paths are permitted. Example: the customer service agent is permitted to call GET /api/v1/customers/{id} on the customer data service but is denied DELETE /api/v1/customers/{id}. This provides fine-grained operation-level east-west control beyond what network policies can achieve.
• Mutual TLS (mTLS) for all east-west traffic. Configure the service mesh or application infrastructure to require mutual TLS for all east-west communication. Each service (including each agent) has a unique TLS certificate. Both sides of every connection verify the other's certificate. This provides authentication, encryption, and cryptographic identity verification for every internal connection.
• Zero-trust service architecture. Implement a zero-trust model for internal services: no service trusts any other service based on network location. Every request is authenticated, authorised, and encrypted regardless of whether it originates from inside or outside the network perimeter. This eliminates the implicit trust that enables lateral movement.
• East-west traffic baselining. During initial deployment, operate in monitor mode (log but don't block) to baseline the agent's legitimate east-west communication patterns. Use the baseline to generate the service communication policy. Review the generated policy with the agent's operating team and security team. Switch to enforce mode. This approach avoids disrupting legitimate communication while establishing the policy.

Anti-patterns to avoid:

• Flat internal networks. Deploying agents on flat networks where every host can reach every other host. This maximises the blast radius of any single compromise.
• Implicit trust based on network location. Internal services that accept requests from any internal IP address without service-level authentication. This means any compromised internal host can access any internal service.
• Overly broad service communication policies. Permitting an agent to communicate with "all services in the production namespace" when it only needs to communicate with 2 specific services. Broad policies reduce the containment benefit of microsegmentation.
• East-west controls without monitoring. Implementing microsegmentation but not monitoring east-west traffic for anomalies. Microsegmentation prevents known-bad paths; monitoring detects novel attack patterns that exploit permitted paths.
• Service mesh bypass paths. If the service mesh can be bypassed (e.g., by directly connecting to a pod's IP address instead of through the mesh), the L7 policies are ineffective. Ensure that all traffic routes through the policy enforcement layer.

Industry Considerations

Financial Services. East-west isolation is critical for preventing lateral movement from customer-facing systems to trading systems, payment systems, and market data systems. PCI DSS Requirement 1 expects network segmentation to isolate cardholder data environments from other internal systems. FCA expectations for operational resilience require that a compromise of one system does not cascade to critical services.

Healthcare. HIPAA requires access controls that restrict access to ePHI to authorised persons and systems. East-west isolation ensures that a compromised AI agent in the billing system cannot laterally move to the clinical records system. The principle of minimum necessary extends to service-to-service communication.

Government. NIST Zero Trust Architecture (SP 800-207) provides the conceptual framework for east-west service isolation. The principle that "no implicit trust is granted to assets or user accounts based solely on their physical or network location" maps directly to AG-307's requirements.

Maturity Model

Basic Implementation — East-west communication for AI agents is controlled through basic network segmentation (VLANs or subnet-level firewall rules). Agent environments are in separate network segments from sensitive internal systems. Basic firewall rules restrict communication between segments. Limitations: segmentation is coarse-grained (subnet-level, not service-level); no mutual authentication; limited east-west traffic monitoring.

Intermediate Implementation — Microsegmentation implemented through Kubernetes network policies or equivalent, restricting communication to explicitly authorised service pairs. Mutual TLS enabled for all east-west agent communication. Service communication policies are documented and reviewed quarterly. East-west traffic is logged and monitored for anomalies. L7 service mesh policies restrict permitted operations beyond network-level controls.

Advanced Implementation — All intermediate capabilities plus: east-west isolation has been verified through independent adversarial testing including lateral movement attempts from compromised agent containers, service mesh bypass attacks, and mTLS certificate exploitation. Zero-trust architecture eliminates implicit trust for all internal services. Automated policy generation from observed communication patterns, with human review and approval. Real-time lateral movement detection triggers automated containment (e.g., network isolation of the compromised agent). The organisation can demonstrate that a compromised agent cannot reach any internal service beyond its explicitly authorised communication partners.

7. Evidence Requirements

Required artefacts:

• Service communication policy register. The explicit policy for each agent specifying authorised communication partners, permitted directions, permitted operations, and the enforcement mechanism.
• Network segmentation evidence. Network policy configurations, firewall rules, or service mesh configurations demonstrating east-west communication restrictions for agent environments.
• Mutual authentication evidence. Configuration demonstrating mutual TLS or equivalent authentication for all east-west agent communication.
• East-west traffic logs. Logs of all east-west communication attempts involving agents, including blocked attempts. Minimum 12 months retention.
• Anomaly detection reports. Reports from east-west traffic anomaly detection, including any alerts generated and investigation outcomes.

Retention requirements:

• Service communication policies, traffic logs, and anomaly detection reports: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request.

8. Test Specification

Test 8.1: Lateral Movement Prevention

• Stimulus: From an agent's runtime environment, attempt to establish connections to 10 internal services not in the agent's service communication policy. Test across protocols: TCP, HTTP, gRPC.
• Expected behaviour: All 10 connection attempts are blocked at the network or service mesh layer.
• Pass criteria: No connection to an unauthorised internal service succeeds.
• Fail criteria: Any connection to an unauthorised service succeeds.

Test 8.2: Mutual Authentication Enforcement

• Stimulus: Attempt to connect to an authorised service without presenting valid mutual authentication credentials (e.g., without a client certificate in mTLS).
• Expected behaviour: The connection is rejected by the receiving service.
• Pass criteria: No unauthenticated east-west connection succeeds.
• Fail criteria: An east-west connection succeeds without mutual authentication.

Test 8.3: Default Deny Verification

• Stimulus: Deploy an agent with no service communication policy defined. Attempt to connect to any internal service.
• Expected behaviour: All connection attempts are denied. The system defaults to blocking all east-west traffic for agents without defined policies.
• Pass criteria: No east-west communication succeeds in the absence of a service communication policy.
• Fail criteria: Any east-west communication succeeds without a defined policy.

Test 8.4: L7 Operation-Level Enforcement

• Stimulus: Using the service mesh, attempt to invoke an API method that is not permitted by the L7 policy (e.g., DELETE when only GET is permitted on the authorised service).
• Expected behaviour: The service mesh blocks the unpermitted method. Only methods explicitly in the policy are allowed.
• Pass criteria: Unpermitted API methods are blocked at the service mesh layer.
• Fail criteria: Unpermitted API methods execute successfully.

Test 8.5: East-West Traffic Logging Completeness

• Stimulus: Execute 5 authorised and 5 blocked east-west communication attempts. Verify all 10 are logged with complete metadata.
• Expected behaviour: All 10 attempts are logged with source, destination, timestamp, protocol, method (where applicable), and outcome.
• Pass criteria: 10 out of 10 attempts are logged with complete metadata.
• Fail criteria: Any attempt is missing from the log or has incomplete metadata.

Test 8.6: Service Mesh Bypass Prevention

• Stimulus: Attempt to bypass the service mesh by directly connecting to a target service's pod IP address, bypassing the mesh proxy.
• Expected behaviour: The direct connection is blocked by network policies. Only connections through the service mesh are permitted.
• Pass criteria: No direct pod-to-pod connection bypassing the service mesh succeeds.
• Fail criteria: Direct connection bypassing the mesh succeeds.

Test 8.7: East-West Anomaly Detection

• Stimulus: Establish a communication baseline over a 7-day observation period. Then generate anomalous traffic: 10x the normal volume to an authorised service, and attempted connections to 3 services not previously contacted.
• Expected behaviour: The anomaly detection system flags both the volume anomaly and the novel destination attempts.
• Pass criteria: Both anomaly types are detected and alerted within the configured detection window.
• Fail criteria: Either anomaly type is not detected.

Conformance Scoring

• Score 0: No east-west isolation — agents operate on flat internal networks with unrestricted lateral communication to all internal services.
• Score 1: Basic network segmentation exists (VLAN or subnet-level) but is coarse-grained, without mutual authentication or L7 policy enforcement — partial isolation that limits but does not prevent lateral movement.
• Score 2: Microsegmentation with explicit service communication policies, mutual authentication, and L7 policy enforcement — structural east-west isolation with fine-grained control.
• Score 3: Verified by independent adversarial testing — an independent party has attempted lateral movement, service mesh bypass, and credential exploitation and all attempts have been blocked.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
PCI DSS	Requirement 1 (Network Security Controls)	Direct requirement
NIST SP 800-207	Zero Trust Architecture	Direct requirement
NIST SP 800-53	SC-7 (Boundary Protection), AC-4 (Information Flow Enforcement)	Direct requirement
EU AI Act	Article 15 (Accuracy, Robustness, Cybersecurity)	Supports compliance
ISO 27001	A.8.22 (Segregation of Networks)	Direct requirement
DORA	Article 9 (ICT Risk Management Framework)	Supports compliance
FCA SYSC	6.1.1R (Systems and Controls)	Supports compliance
HIPAA	§164.312(a)(1) (Access Control)	Supports compliance

PCI DSS — Requirement 1 (Network Security Controls)

PCI DSS Requirement 1 requires network security controls to protect cardholder data environments. East-west isolation ensures that AI agents outside the cardholder data environment cannot laterally move into it, and that agents within the cardholder data environment cannot communicate with services outside the scoped environment. Microsegmentation is a recognised implementation pattern for PCI DSS network segmentation.

NIST SP 800-207 — Zero Trust Architecture

SP 800-207 defines the zero trust architecture (ZTA) model, which assumes that no implicit trust is granted based on network location. AG-307 operationalises ZTA principles for AI agent deployments: every east-west connection is authenticated, authorised, and encrypted regardless of whether the source and destination are on the same network segment. The model's principle that "access to individual enterprise resources is granted on a per-session basis" maps to the service communication policy model.

ISO 27001 — A.8.22 (Segregation of Networks)

A.8.22 requires that groups of information services, users, and information systems are segregated in networks. For AI agent deployments, this requires that agent services are segregated from other internal services, with communication permitted only through defined and controlled interfaces. AG-307 extends this to fine-grained service-level segregation rather than coarse network-level segregation.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Internal network — a single compromised agent can reach all internal services accessible through east-west communication

Consequence chain: East-west isolation failure enables lateral movement — the ability of an attacker (or a malfunctioning agent) to move from the compromised system to other internal systems. The blast radius is determined by the extent of unrestricted east-west connectivity: on a flat network, the blast radius is every internal service. The consequence cascade typically follows a pattern: initial compromise (prompt injection, dependency vulnerability) gives the attacker control of one agent; lateral movement (through unrestricted east-west access) expands control to additional services; privilege escalation (through services that trust internal network location) grants administrative access; and data exfiltration or operational disruption follows. The speed of this cascade in AI environments is measured in minutes, not days. The financial and regulatory consequences depend on which services the attacker reaches: payment systems (financial loss + PCI DSS violation), customer data stores (data breach + GDPR notification), trading systems (market manipulation risk + FCA investigation), or infrastructure management (operational disruption + operational resilience violation). Microsegmentation converts this organisation-wide risk into a bounded, single-agent risk.

Cross-references: AG-299 (Workspace Segmentation Governance) provides workspace-level isolation that east-west service isolation complements at the service level. AG-303 (Data Egress Route Governance) controls north-south (outbound) traffic while AG-307 controls east-west (lateral) traffic. AG-300 (Client-Tenant Segregation Governance) prevents cross-tenant lateral movement in multi-tenant deployments. AG-034 (Cross-Domain Boundary Enforcement) provides domain-level boundary controls. AG-081 (Shared Context Isolation) addresses context-level isolation that complements service-level isolation. AG-162 (Least-Agency Provisioning) ensures agents have minimum required service communication permissions.