🤖 AI Summary
This work addresses the challenge of fragmented and hard-to-audit security policies in highly autonomous agent systems, where authentication, authorization, and delegation are typically hard-coded at the application layer. To overcome this limitation, the authors propose Agent Guard, a transparent, sandbox-based security architecture that leverages eBPF to intercept communication traffic and integrates TLS 1.3 channel binding with post-handshake attestation to enforce least-privilege delegation without modifying upper-layer orchestration code. By innovatively combining eBPF with short-lived scoped tokens, Agent Guard achieves, for the first time, end-to-end verification of identity, scope, and channel binding across heterogeneous multi-cloud environments, enabling efficient, auditable, and secure agent-to-agent communication.
📝 Abstract
Agentic systems increasingly run user-authored orchestration code that invokes tools, spawns subtasks, and delegates work across machines and clouds. Although this high agency is productive, it creates a security problem: identity, authorization, provenance, and delegation are often pushed into application code, where they become difficult to enforce consistently and difficult to audit.
We present Grimlock, an Agent Guard that restores separation of concerns by moving trust enforcement into the sandbox substrate while leaving agent code unchanged. Grimlock uses eBPF-enforced traffic interception to ensure that sandbox communication passes through a guard, and combines it with post-handshake attestation bound to standard TLS 1.3 channel bindings. After a channel is established, the guard authorizes communication and mints short-lived, channel-bound scope tokens that capture least-privilege delegation. At the receiving side, the destination guard re-validates identity, scope, and channel binding, terminates TLS, and releases plaintext to the destination sandbox only after policy checks succeed. kTLS provides an efficient dataplane for protected communication.
As a result, Grimlock offers a path toward transparent, auditable, and scope-bound agent-to-agent communication across heterogeneous multi-cloud environments, using commodity Linux primitives and without requiring changes to user-layer orchestration code.
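The abstract describes the core token mechanism (a source guard mints a short-lived scope token bound to the TLS 1.3 channel, and the destination guard re-checks identity, scope, and channel binding before releasing plaintext) without giving a wire format. The following is an added illustration, not Grimlock's code: it assumes a shared HMAC key between guards, a JSON claim set, and a channel-binding value standing in for the TLS 1.3 exporter output (RFC 9266 style), and shows how each of the destination-side checks rejects a token that is replayed on another channel, out of scope, expired, or addressed to a different guard.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed shared key between two guards for this example only; a real
# deployment would use per-guard keys or asymmetric signatures.
GUARD_KEY = b"example-shared-guard-key-constructed"


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def channel_binding_id(exporter_value: bytes) -> str:
    """Digest of the TLS 1.3 exporter value for this connection.

    The token carries the digest, so the binding material itself is never
    written into the token. 'exporter_value' is assumed to be what both
    endpoints derive from the same TLS session (RFC 9266 tls-exporter)."""
    return hashlib.sha256(exporter_value).hexdigest()


def mint_scope_token(key, issuer, subject, audience, scopes,
                     exporter_value, ttl_seconds, now=None):
    """Source-guard side: issue a short-lived, channel-bound scope token."""
    now = int(time.time()) if now is None else int(now)
    claims = {
        "iss": issuer,                 # minting guard
        "sub": subject,                # sandbox being delegated for
        "aud": audience,               # destination guard expected to verify
        "scope": sorted(set(scopes)),  # least-privilege delegation
        "cb": channel_binding_id(exporter_value),
        "nbf": now,
        "exp": now + ttl_seconds,      # short lifetime limits replay window
        "jti": _b64u(os.urandom(12)),  # unique id for audit / replay cache
    }
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64u(body) + "." + _b64u(tag)


def validate_scope_token(key, token, expected_audience, exporter_value,
                         required_scope, now=None):
    """Destination-guard side: every check must pass before plaintext is
    released to the sandbox. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else int(now)
    try:
        body_b64, tag_b64 = token.split(".")
        body = _b64u_decode(body_b64)
        tag = _b64u_decode(tag_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "malformed"
    expected_tag = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):
        return False, "bad-signature"
    claims = json.loads(body)
    if claims.get("aud") != expected_audience:
        return False, "wrong-audience"
    if not (claims["nbf"] <= now < claims["exp"]):
        return False, "expired-or-not-yet-valid"
    # Binding check: the token is only valid on the TLS session it was minted for.
    if not hmac.compare_digest(claims["cb"], channel_binding_id(exporter_value)):
        return False, "channel-binding-mismatch"
    if required_scope not in claims["scope"]:
        return False, "scope-denied"
    return True, "ok"


if __name__ == "__main__":
    # Constructed exporter values standing in for two distinct TLS sessions.
    session_a = b"constructed-exporter-value-session-A"
    session_b = b"constructed-exporter-value-session-B"
    tok = mint_scope_token(GUARD_KEY, "guard-a", "sandbox-17", "guard-b",
                           ["tool:read"], session_a, ttl_seconds=60)
    print("same channel, in scope :", validate_scope_token(
        GUARD_KEY, tok, "guard-b", session_a, "tool:read"))
    print("replayed on session B  :", validate_scope_token(
        GUARD_KEY, tok, "guard-b", session_b, "tool:read"))
    print("scope escalation       :", validate_scope_token(
        GUARD_KEY, tok, "guard-b", session_a, "tool:write"))
```

The check order matters for auditability: signature first (so unauthenticated input never influences later branches), then audience and lifetime, then channel binding, then scope. A production guard would also keep a short replay cache keyed on `jti` for the token's lifetime and log the rejection reason as the audit record.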