A thread currently making the rounds on Lobsters AI hits a nerve that many in the security field know well but few speak loudly about: you can have a strict network allowlist on your AI containers, and it still won't help enough.

The linked article — a technical note on "canister egress proxy" and DLP (Data Loss Prevention) — argues that traditional network controls are fundamentally insufficient when attackers (or misconfigured AI agents) actively try to get data out. And the community reactions are noteworthy: people are not surprised, they are frustrated.

Why is this relevant right now? Because 2025–2026 have been the years when organizations truly started running AI agents in production with network access. Many believed that a sensible allowlist — "the agent can only talk to these APIs" — was sufficient isolation. It's not enough.

An AI agent that can make HTTP calls to one allowed service can, in principle, exfiltrate data through the same channel.

The techniques that bypass allowlists are not new technology. DNS tunneling has existed for years: data is encapsulated in DNS queries against domains controlled by the attacker, and since DNS traffic is rarely blocked, it gets through. HTTPS exfiltration works by making traffic look like regular HTTPS to an allowed host. ICMP tunneling hides data in ping packets. And then there's the misuse of legitimate services — uploading files to Google Drive or Dropbox, services that are almost always on the allowlist.

Research data underscores the severity: 96 percent of all ransomware incidents in Q1 2026 involved data leakage, and the average cost per incident approaches $5.2 million according to IBM's 2024 Data Breach Report.

What makes this particularly uncomfortable in an AI context is that agents are, by definition, designed to communicate with the outside world. They retrieve data, call APIs, and forward results. The line between legitimate behavior and exfiltration is difficult to draw — and that's precisely the line attackers and prompt injection attacks exploit.

What to do? The Lobsters discussion points to egress proxies with DLP inspection, microsegmentation, and active monitoring of outbound traffic as necessary measures — not optional. Allowlists are a prerequisite, not a solution.
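To make the gap between an allowlist and DLP inspection concrete, here is an added sketch (not code from the linked article or the Lobsters thread) of an egress decision that checks the destination first and the payload second. The hostnames, detector set and sample requests are constructed assumptions.

```python
import base64
import re

# Assumed allowlist; hostnames are placeholders, not from the article.
ALLOWED_HOSTS = {"api.example-llm.test", "storage.example-drive.test"}

# Illustrative detectors only; a production DLP engine carries many more.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Constructed requests. AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID.
SECRET = "aws_key=AKIAIOSFODNN7EXAMPLE"
SAMPLES = [
    ("unknown.example.test", "hello"),
    ("api.example-llm.test", '{"prompt": "summarise the ticket"}'),
    ("api.example-llm.test", '{"prompt": "note: ' + SECRET + '"}'),
    ("storage.example-drive.test", "blob=" + base64.b64encode(SECRET.encode()).decode()),
]


def allowlist_permits(host: str) -> bool:
    """Network-layer view: only the destination host is considered."""
    return host.lower().rstrip(".") in ALLOWED_HOSTS


def dlp_findings(body: str) -> list[str]:
    """Scan the body, plus base64 runs decoded one level, for detector hits."""
    views = [body]
    for run in B64_RUN.findall(body):
        try:
            views.append(base64.b64decode(run, validate=True).decode("utf-8", "ignore"))
        except ValueError:  # binascii.Error subclasses ValueError
            continue
    return sorted({n for n, rx in DETECTORS.items() if any(rx.search(v) for v in views)})


def egress_decision(host: str, body: str) -> tuple[str, list[str]]:
    """Allowlist first, then content inspection on traffic the allowlist passes."""
    if not allowlist_permits(host):
        return ("block", ["host_not_allowlisted"])
    hits = dlp_findings(body)
    return ("block", hits) if hits else ("allow", [])


if __name__ == "__main__":
    for host, body in SAMPLES:
        print(host, allowlist_permits(host), egress_decision(host, body))
```

The last two samples pass the allowlist and are stopped only by content inspection. Pattern matching of this kind is one layer, which is why the discussion pairs it with microsegmentation and outbound traffic monitoring.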

These are early signals from a technical community, not yet confirmed by larger security reports. But the conversation is ongoing, and it suggests that many AI deployments today have a security model that is a couple of years behind.

Source: Lobsters AI / dergraf.org — community discussion, not peer-reviewed research.