Agyn: An Open-Source Platform for AI Agents with Scalable On-Demand Execution, Agent Definition as a Code, and Zero-Trust Access

Nikita Benkovich; Vitalii Valkov

arxiv: 2605.27575 · v2 · pith:56TCOPDZnew · submitted 2026-05-26 · 💻 cs.AI

Agyn: An Open-Source Platform for AI Agents with Scalable On-Demand Execution, Agent Definition as a Code, and Zero-Trust Access

Nikita Benkovich , Vitalii Valkov This is my paper

Pith reviewed 2026-06-29 17:10 UTC · model grok-4.3

classification 💻 cs.AI

keywords AI agentsserverless runtimeKubernetesTerraformzero-trust securityopen-source platformscalable executionagent definition as code

0 comments

The pith

Agyn is an open-source platform for scaling AI agents via code-defined definitions, a signal-driven Kubernetes runtime, and zero-trust security.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents Agyn to solve the shift from building individual AI agents to operating non-deterministic, stateful agents with privileged access at production scale. It centers on three principles: a signal-driven stateful serverless runtime on Kubernetes, a Terraform provider that treats agent and harness definitions as code, and a zero-trust least-privilege security model. The platform claims to be agent-agnostic, model-agnostic, and cloud-agnostic. A sympathetic reader would care because organizations need reliable isolation and governance when agents interact with internal services. If the approach holds, deployments could move from ad-hoc setups to standardized, auditable infrastructure.

Core claim

We present Agyn, an open-source platform designed around three key principles tailored for agent workloads: a signal-driven, stateful serverless runtime on Kubernetes; a Terraform provider for agent and harness definition; and a security model grounded in zero-trust and least-privilege principles. Agyn is agent-agnostic, model-agnostic, and cloud-agnostic.

What carries the argument

The Agyn platform, which combines a signal-driven stateful serverless runtime on Kubernetes, a Terraform provider for agent definition as code, and a zero-trust least-privilege security model.

If this is right

Agents and their execution harnesses can be defined, versioned, and deployed as infrastructure code through the Terraform provider.
Execution becomes on-demand and scalable through the signal-driven serverless runtime on Kubernetes.
Access follows zero-trust and least-privilege rules, limiting what each agent can reach.
The same platform can host any agent or model without custom changes.
Deployments remain independent of specific cloud providers.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Teams could treat agent configurations the same way they treat other infrastructure, enabling standard review and rollback processes.
The zero-trust model might simplify compliance checks for regulated environments that run agents.
The runtime design could support other stateful, event-driven workloads that share similar isolation needs.

Load-bearing premise

These three architectural choices are sufficient to deliver the required isolation, governance, and security for production AI agents at scale.

What would settle it

A deployed agent in Agyn gaining unauthorized access to an internal service or failing to maintain state and scale under a non-deterministic workload.

Figures

Figures reproduced from arXiv: 2605.27575 by Nikita Benkovich, Vitalii Valkov.

**Figure 1.** Figure 1: Agyn system architecture. External clients (web chat, console, custom connectors) interact with the platform via the Gateway. The control plane manages agent definitions, orchestration, and tenant state. Agent pods communicate with platform services exclusively through the OpenZiti overlay network (mTLS). The data plane elements (filled in green) handle runtime events and agent pod life cycle. thread with … view at source ↗

read the original abstract

As organizations move toward production deployments of AI agents, which execute non-deterministic workflows, maintain stateful sessions, and often operate with privileged access to internal services, the engineering challenge shifts from building individual agents to operating them at scale with proper isolation, governance, and security. In this paper we present Agyn, an open-source platform designed around three key principles tailored for agent workloads: a signal-driven, stateful serverless runtime on Kubernetes; a Terraform provider for agent and harness definition; and a security model grounded in zero-trust and least-privilege principles. Agyn is agent-agnostic, model-agnostic, and cloud-agnostic.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

Agyn is a high-level description of an open-source platform combining Kubernetes serverless, Terraform, and zero-trust for AI agents, but the paper supplies no data or comparisons to support its claims.

read the letter

The paper introduces Agyn, an open-source platform for running AI agents at scale. It centers on three pieces: a signal-driven stateful serverless runtime on Kubernetes, a Terraform provider for defining agents and harnesses, and a zero-trust security model. The work frames these as responses to isolation, governance, and security needs for stateful, non-deterministic agent workloads, and it stresses that the platform stays agent-agnostic, model-agnostic, and cloud-agnostic.

The integration of those three elements is what is actually new here. The paper does a reasonable job spelling out why production agent deployments differ from ordinary services and how the chosen tools might map onto those differences. The open-source stance and the emphasis on infrastructure-as-code are practical touches that could help adoption.

The main limitation is the complete absence of supporting material. There are no implementation details, no benchmarks, no security evaluations, no usage examples, and no comparisons against existing agent runtimes or orchestration systems. The claims rest on the architecture description alone, so it is impossible to judge whether the runtime actually delivers the promised isolation or whether the Terraform layer adds meaningful value over standard approaches.

This is a system-description paper aimed at engineers and ops teams who already work with Kubernetes and Terraform and are looking for ready-made patterns for agent management. Researchers or readers seeking new methods, reproducible results, or engagement with prior literature will not find much here.

I would not bring it to a reading group. It does not have the evidence or depth that would justify sending it to peer review.

Referee Report

1 major / 1 minor

Summary. The paper presents Agyn, an open-source platform for operating AI agents at scale. It is designed around three principles: a signal-driven, stateful serverless runtime on Kubernetes, a Terraform provider for agent and harness definition as code, and a zero-trust least-privilege security model. The platform is described as agent-agnostic, model-agnostic, and cloud-agnostic, targeting challenges of isolation, governance, and security for non-deterministic, stateful agent workflows with privileged access.

Significance. If the platform is implemented and released as described, it would provide a practical open-source contribution for infrastructure-as-code management of AI agents on Kubernetes with explicit security controls. The combination of serverless execution, Terraform-based definitions, and zero-trust principles aligns with established cloud-native practices and could facilitate reproducible deployments. The agent- and cloud-agnostic stance is a noted strength for broad applicability.

major comments (1)

[Abstract] Abstract: The central claim that the three architectural choices address isolation, governance, and security for production AI agents at scale is presented without any description of the signal-driven runtime mechanics, state management implementation, or concrete zero-trust enforcement mechanisms (e.g., how least-privilege is enforced across agent sessions). This absence is load-bearing for assessing whether the design actually solves the stated engineering challenges.

minor comments (1)

The manuscript would benefit from a dedicated related-work section citing prior serverless frameworks (e.g., Knative, OpenFaaS) and Terraform-based agent orchestration efforts to clarify novelty.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for their constructive feedback on the manuscript. We address the major comment below and agree that revisions to the abstract are warranted to better support the central claims.

read point-by-point responses

Referee: [Abstract] Abstract: The central claim that the three architectural choices address isolation, governance, and security for production AI agents at scale is presented without any description of the signal-driven runtime mechanics, state management implementation, or concrete zero-trust enforcement mechanisms (e.g., how least-privilege is enforced across agent sessions). This absence is load-bearing for assessing whether the design actually solves the stated engineering challenges.

Authors: We agree that the abstract is currently too high-level and does not include even brief descriptions of the signal-driven runtime mechanics, state management approach, or zero-trust enforcement details. This limits the ability to evaluate the claims from the abstract alone. In the revised version, we will expand the abstract to concisely outline these elements (e.g., signal propagation for execution triggering, persistent session state handling on Kubernetes, and RBAC/identity-based least-privilege controls across sessions) while keeping it within length constraints. The full technical details remain in the body sections on the runtime, Terraform provider, and security model. revision: yes

Circularity Check

0 steps flagged

No significant circularity: pure system description with no derivations or predictions

full rationale

The manuscript is a high-level engineering description of an open-source platform (Agyn) built around three architectural components: a signal-driven Kubernetes runtime, a Terraform provider, and a zero-trust security model. No equations, fitted parameters, quantitative predictions, or derivation chains appear anywhere in the text. The central claim is simply the existence and design of these components to address isolation/governance/security needs; this is not derived from prior results within the paper or via self-citation chains. The contribution is self-contained as a descriptive artifact and contains no load-bearing steps that reduce to inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The paper is a systems description of a software platform and introduces no mathematical free parameters, scientific axioms, or postulated entities beyond the platform name and its high-level components.

pith-pipeline@v0.9.1-grok · 5648 in / 1137 out tokens · 38824 ms · 2026-06-29T17:10:27.226928+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

22 extracted references · 4 canonical work pages · 3 internal anchors

[1]

Agyn Inc.: Agyn Platform,https://github.com/agynio/platform
[2]

Amazon Web Services: Amazon Bedrock AgentCore.https://aws.amazon.com/ bedrock/agentcore/(2024), accessed 2026-05-22

2024
[3]

io/specification(2024), accessed 2026-05-22 8 N

Anthropic: Model context protocol specification.https://modelcontextprotocol. io/specification(2024), accessed 2026-05-22 8 N. Benkovich, V. Valkov

2024
[4]

Anthropic: Claude Code: An agentic coding tool.https://docs.anthropic.com/ en/docs/claude-code(2025), accessed 2026-05-24

2025
[5]

https://platform.claude.com/docs/en/ managed-agents(2026), public beta, April 2026

Anthropic: Claude Managed Agents. https://platform.claude.com/docs/en/ managed-agents(2026), public beta, April 2026. Accessed 2026-05-31

2026
[6]

Agentic AI Security: Threats, Defenses, Evaluation, and Open Challenges

Chhabra, A., Datta, S., Nahin, S.K., Mohapatra, P.: Agentic AI security: Threats, defenses, evaluation, and open challenges. arXiv preprint arXiv:2510.23883 (2025)

work page internal anchor Pith review Pith/arXiv arXiv 2025
[7]

Cloud Native Computing Foundation: OpenFGA: A relationship-based access control system.https://openfga.dev/(2024), accessed 2026-05-22

2024
[8]

https://github.com/ kagent-dev/kagent(2025), accessed 2026-05-24

CNCF: kagent: Kubernetes-native AI agent platform. https://github.com/ kagent-dev/kagent(2025), accessed 2026-05-24

2025
[9]

Google: AX: A distributed agent runtime.https://github.com/google/ax (2025), accessed 2026-05-24

2025
[10]

In: Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security (2023)

Greshake, K., Abdelnabi, S., Mishra, S., Endres, C., Holz, T., Fritz, M.: Not what you’ve signed up for: Compromising real-world LLM-integrated applications with indirect prompt injection. In: Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security (2023)

2023
[11]

HashiCorp: Terraform: Infrastructure as code.https://www.terraform.io/ (2024), accessed 2026-05-22

2024
[12]

In: Proceedings of the Conference on Innovative Data Systems Research (CIDR) (2019)

Hellerstein, J.M., Faleiro, J., Gonzalez, J.E., Schleier-Smith, J., Sreekanti, V., Tumanov, A., Wu, C.: Serverless computing: One step forward, two steps back. In: Proceedings of the Conference on Innovative Data Systems Research (CIDR) (2019)

2019
[13]

Cloud Programming Simplified: A Berkeley View on Serverless Computing

Jonas, E., Schleier-Smith, J., Sreekanti, V., Tsai, C.C., Khandelwal, A., Pu, Q., Shankar, V., Carreira, J., Krauth, K., Yadwadkar, N., et al.: Cloud program- ming simplified: A Berkeley view on serverless computing. In: arXiv preprint arXiv:1902.03383 (2019)

work page internal anchor Pith review Pith/arXiv arXiv 1902
[14]

LangChain: LangGraph: A library for building stateful, multi-actor applications with LLMs.https://github.com/langchain-ai/langgraph (2024), accessed 2026- 05-22

2024
[15]

NetFoundry: OpenZiti: A zero-trust networking platform.https://openziti.io/ (2024), accessed 2026-05-22

2024
[16]

OpenAI: OpenAI Codex: An agentic coding tool.https://github.com/openai/ codex(2025), accessed 2026-05-31

2025
[17]

In: 2019 USENIX Annual Technical Conference (USENIX ATC) (2019)

Pang, R., Caceres, R., Burrows, M., Chen, Z., Dave, P., Germer, N., Golynski, A., Graney, K., Kang, N., Kissner, L., et al.: Zanzibar: Google’s consistent, global authorization system. In: 2019 USENIX Annual Technical Conference (USENIX ATC) (2019)

2019
[18]

Information and Software Technology108, 65–77 (2019)

Rahman, A., Mahdavi-Hezaveh, R., Williams, L.: A systematic mapping study of Infrastructure as Code research. Information and Software Technology108, 65–77 (2019)

2019
[19]

arXiv preprint arXiv:2510.16720 (2025)

Sang, J., Xiao, J., Han, J., Chen, J., Chen, X., Wei, S., Sun, Y., Wang, Y.: Beyond pipelines: A survey of the paradigm shift toward model-native agentic AI. arXiv preprint arXiv:2510.16720 (2025)

work page arXiv 2025
[20]

In: ;login: The USENIX Magazine

Ward, R., Beyer, B.: BeyondCorp: A new approach to enterprise security. In: ;login: The USENIX Magazine. vol. 39 (2014)

2014
[21]

AutoGen: Enabling Next-Gen LLM Applications via Multi-Agent Conversation

Wu, Q., Bansal, G., Zhang, J., Wu, Y., Zhang, S., Zhu, E., Li, B., Jiang, L., Zhang, X., Wang, C.: AutoGen: Enabling next-gen LLM applications via multi-agent conversations. In: arXiv preprint arXiv:2308.08155 (2023)

work page internal anchor Pith review Pith/arXiv arXiv 2023
[22]

In: Proceedings of the 32nd Network and Distributed System Security Symposium (NDSS) (2025)

Wu, Y., Ma, S., Feng, Y., Tao, G., Xu, X., Zhang, X.: IsolateGPT: LLM-based agents with least-privilege isolation. In: Proceedings of the 32nd Network and Distributed System Security Symposium (NDSS) (2025)

2025

[1] [1]

Agyn Inc.: Agyn Platform,https://github.com/agynio/platform

[2] [2]

Amazon Web Services: Amazon Bedrock AgentCore.https://aws.amazon.com/ bedrock/agentcore/(2024), accessed 2026-05-22

2024

[3] [3]

io/specification(2024), accessed 2026-05-22 8 N

Anthropic: Model context protocol specification.https://modelcontextprotocol. io/specification(2024), accessed 2026-05-22 8 N. Benkovich, V. Valkov

2024

[4] [4]

Anthropic: Claude Code: An agentic coding tool.https://docs.anthropic.com/ en/docs/claude-code(2025), accessed 2026-05-24

2025

[5] [5]

https://platform.claude.com/docs/en/ managed-agents(2026), public beta, April 2026

Anthropic: Claude Managed Agents. https://platform.claude.com/docs/en/ managed-agents(2026), public beta, April 2026. Accessed 2026-05-31

2026

[6] [6]

Agentic AI Security: Threats, Defenses, Evaluation, and Open Challenges

Chhabra, A., Datta, S., Nahin, S.K., Mohapatra, P.: Agentic AI security: Threats, defenses, evaluation, and open challenges. arXiv preprint arXiv:2510.23883 (2025)

work page internal anchor Pith review Pith/arXiv arXiv 2025

[7] [7]

Cloud Native Computing Foundation: OpenFGA: A relationship-based access control system.https://openfga.dev/(2024), accessed 2026-05-22

2024

[8] [8]

https://github.com/ kagent-dev/kagent(2025), accessed 2026-05-24

CNCF: kagent: Kubernetes-native AI agent platform. https://github.com/ kagent-dev/kagent(2025), accessed 2026-05-24

2025

[9] [9]

Google: AX: A distributed agent runtime.https://github.com/google/ax (2025), accessed 2026-05-24

2025

[10] [10]

In: Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security (2023)

Greshake, K., Abdelnabi, S., Mishra, S., Endres, C., Holz, T., Fritz, M.: Not what you’ve signed up for: Compromising real-world LLM-integrated applications with indirect prompt injection. In: Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security (2023)

2023

[11] [11]

HashiCorp: Terraform: Infrastructure as code.https://www.terraform.io/ (2024), accessed 2026-05-22

2024

[12] [12]

In: Proceedings of the Conference on Innovative Data Systems Research (CIDR) (2019)

Hellerstein, J.M., Faleiro, J., Gonzalez, J.E., Schleier-Smith, J., Sreekanti, V., Tumanov, A., Wu, C.: Serverless computing: One step forward, two steps back. In: Proceedings of the Conference on Innovative Data Systems Research (CIDR) (2019)

2019

[13] [13]

Cloud Programming Simplified: A Berkeley View on Serverless Computing

Jonas, E., Schleier-Smith, J., Sreekanti, V., Tsai, C.C., Khandelwal, A., Pu, Q., Shankar, V., Carreira, J., Krauth, K., Yadwadkar, N., et al.: Cloud program- ming simplified: A Berkeley view on serverless computing. In: arXiv preprint arXiv:1902.03383 (2019)

work page internal anchor Pith review Pith/arXiv arXiv 1902

[14] [14]

LangChain: LangGraph: A library for building stateful, multi-actor applications with LLMs.https://github.com/langchain-ai/langgraph (2024), accessed 2026- 05-22

2024

[15] [15]

NetFoundry: OpenZiti: A zero-trust networking platform.https://openziti.io/ (2024), accessed 2026-05-22

2024

[16] [16]

OpenAI: OpenAI Codex: An agentic coding tool.https://github.com/openai/ codex(2025), accessed 2026-05-31

2025

[17] [17]

In: 2019 USENIX Annual Technical Conference (USENIX ATC) (2019)

Pang, R., Caceres, R., Burrows, M., Chen, Z., Dave, P., Germer, N., Golynski, A., Graney, K., Kang, N., Kissner, L., et al.: Zanzibar: Google’s consistent, global authorization system. In: 2019 USENIX Annual Technical Conference (USENIX ATC) (2019)

2019

[18] [18]

Information and Software Technology108, 65–77 (2019)

Rahman, A., Mahdavi-Hezaveh, R., Williams, L.: A systematic mapping study of Infrastructure as Code research. Information and Software Technology108, 65–77 (2019)

2019

[19] [19]

arXiv preprint arXiv:2510.16720 (2025)

Sang, J., Xiao, J., Han, J., Chen, J., Chen, X., Wei, S., Sun, Y., Wang, Y.: Beyond pipelines: A survey of the paradigm shift toward model-native agentic AI. arXiv preprint arXiv:2510.16720 (2025)

work page arXiv 2025

[20] [20]

In: ;login: The USENIX Magazine

Ward, R., Beyer, B.: BeyondCorp: A new approach to enterprise security. In: ;login: The USENIX Magazine. vol. 39 (2014)

2014

[21] [21]

AutoGen: Enabling Next-Gen LLM Applications via Multi-Agent Conversation

Wu, Q., Bansal, G., Zhang, J., Wu, Y., Zhang, S., Zhu, E., Li, B., Jiang, L., Zhang, X., Wang, C.: AutoGen: Enabling next-gen LLM applications via multi-agent conversations. In: arXiv preprint arXiv:2308.08155 (2023)

work page internal anchor Pith review Pith/arXiv arXiv 2023

[22] [22]

In: Proceedings of the 32nd Network and Distributed System Security Symposium (NDSS) (2025)

Wu, Y., Ma, S., Feng, Y., Tao, G., Xu, X., Zhang, X.: IsolateGPT: LLM-based agents with least-privilege isolation. In: Proceedings of the 32nd Network and Distributed System Security Symposium (NDSS) (2025)

2025