A founder's perspective on rebuilding the network stack around autonomous intelligence — where the unit of identity is the agent, not the IP.
The network went blind exactly when it mattered most.
For thirty years, the network identified things by where they were. An IP address, a port, a 5-tuple. That was a fine proxy for who and what, back when one machine ran one workload and the map of the network was the map of the org. That assumption is now broken in the most consequential way it has ever been broken.
Agents — autonomous software that reasons, calls tools, and talks to other agents — are arriving in fleets. They are numerous, ephemeral, and chatty. Dozens of them share a single host. They spin up and die in seconds. They share IP addresses. They talk to each other (agent-to-agent, "A2A") and to tools and services over protocols like MCP, almost always over TLS the network was never designed to see into.
So at the precise moment the things on your network became autonomous and numerous, the network lost the ability to see them. It sees IPs and ports — the one identity dimension agents have made meaningless. It cannot tell you which agent is talking, to whom, doing what, or whether it should be allowed to. This is not a monitoring gap. It is a structural blindness. And every security, compliance, and operational control you have built on top of the network inherits it.
Agentic Networking is our name for fixing it: rebuilding the network's core abstractions — identity, discovery, load-balancing, onboarding — around the agent, not the IP. This paper is about why that has to happen, and how we're doing it.
Every shift in computing creates an attack surface before it creates the controls to manage it. Agents are no exception, and the surface is unusually sharp because agents act. Consider what an agent fleet actually exposes:
The uncomfortable part: your current stack is blind to all of it, because it identifies by the wrong thing. A firewall that reasons in IPs and ports cannot enforce "agent A may talk to agent B but not agent C" — it doesn't know A, B, or C exist.
It is tempting to assume the existing network-security vendors will add an "agent feature" and the problem goes away. They won't, and the reason is architectural, not a matter of effort. Traditional firewalls and the network-security stack are pre-agent by construction:
We are not trying to build a better firewall. We are operating at a layer the firewall never reached: agent identity. That is not a feature you add to a packet-and-port engine. It is a different plane.
Maya rebuilds the network's foundational services around the agent. The cleanest way to understand it is by analogy to the network primitives you already know — Maya is, in effect, a new network stack whose unit is the agent rather than the host.
| Classic primitive | Maya's agent-era equivalent | What it does |
|---|---|---|
| IP address (identity) | AID — Agent Identity | A per-agent identity derived from the wire, not assigned by config. The stable unit of visibility and enforcement. |
| DNS (discovery) | MCP-aware governance | Governs how agents discover and reach tools and services — at the connectivity and identity layer. |
| Load balancing (distribution) | AILB — Agentic Load Balancing | Distributing work across agents by agentic properties, not round-robin (see §6). |
| DHCP (onboarding) | Stitch — host-side onboarding | Brings agents onto the fabric automatically as they appear on a host, with no per-agent configuration. |
| ACLs / policy (control) | Cipher — intent-driven policy | From hand-written rules to declared intent: say what you want in plain language; Cipher compiles it to enforceable agent policy. |
Five design choices separate Maya from "a firewall that learned the word agent."
Maya's agent identity (AID) is computed deterministically from properties already present in the traffic. Nothing is injected into the agent — no SDK, no sidecar, no per-agent configuration. An agent appears on a host and Maya attributes its traffic automatically. This is the foundation of zero-touch: you plug in the fabric and the agents light up, identified and observable, without anyone wiring them up one by one. It is also what makes the model scale — identity computed from the wire needs no central registry to agree on who an agent is.
Maya does not terminate TLS and does not read the contents of your agents' conversations. It governs which agent is talking to which agent, tool, or service — the connectivity and identity layer — across MCP, A2A, and any other agent protocol, without ever decrypting your traffic or holding your keys. This is deliberate, and it is a feature: no key custody, no man-in-the-middle posture, deployable in minutes rather than quarters.
Maya is designed to complement SPIFFE, not compete with it. SPIFFE issues and attests workload identity at the application layer — it says, cryptographically, who a workload is. Maya is the network-enforcement plane for that identity — it sees that identity expressed on the wire and governs what it may reach. SPIFFE issues; Maya enforces.
Maya emits standard OpenTelemetry (OTLP) out of the box — into your existing Datadog, Grafana, or whatever you already run. Because Maya's per-agent identity shares a common key (the agent's cgroup) with host-based agent telemetry, your platform can correlate Maya's network-identity view with your existing application and runtime telemetry. Maya isn't one more console to watch; it's a high-value signal that makes the observability investment you've already made smarter.
An agent-aware network demands agent-aware policy — and you cannot express agent intent in IPs and ports. "The billing agents may delegate to the refund agent, but neither may reach the external payments tool without approval" has no representation in a 5-tuple. Cipher closes that gap: you declare intent in plain language, and it compiles to enforceable policy that Warp applies and Loom manages.
What we've described is the foundation. Here is the trajectory it makes possible.
Because the underlying physical identity is derived deterministically from the wire, identity shards without coordination: every enforcement point can agree on who an agent is with no global consensus bottleneck. On top of that physical identity sits a logical, scope-bearing address that makes any agent uniquely routable across regions, providers, and clouds:
The physical identity (stable, wire-derived) is the enforcement key; the logical address is location and scope layered on top. Because enforcement binds to the stable identity — not to a Warp or Weaver, which can change on failover — the fabric can scale toward millions of agents in a single Maya domain without a coordination bottleneck.
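To make the identity-versus-5-tuple argument above concrete, here is an added illustration (not Maya's code): a classic ACL keyed on addresses beside one keyed on an identity derived deterministically from a host-side property, for two agents that share one host IP. It assumes the sender's cgroup path is observable at the host and uniquely names the agent workload there; all paths, addresses and flows are constructed samples.

```python
# Added illustration, not Maya's code: a classic 5-tuple ACL beside an ACL keyed on a
# deterministic, host-derived agent identity, for agents sharing one host IP. Assumption:
# the sender's cgroup path is observable at the host and uniquely names the agent there.
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_cgroup: str                    # host-side attribute (assumed observable), not a packet field
    dst_cgroup: Optional[str] = None   # None when the peer is an external service

def agent_id(cgroup: str) -> str:
    """Identity computed from a property already present at the host: every enforcement
    point that sees the same cgroup derives the same id, with no registry to consult."""
    return "aid-" + hashlib.sha256(cgroup.encode()).hexdigest()[:12]

def five_tuple_acl(rules: Dict[Tuple[str, str, int], str], flow: Flow) -> str:
    """Classic ACL keyed on (src_ip, dst_ip, dst_port); default deny."""
    return rules.get((flow.src_ip, flow.dst_ip, flow.dst_port), "deny")

def agent_acl(policy: Dict[Tuple[str, str], str], flow: Flow) -> str:
    """ACL keyed on (source agent, destination agent or service); default deny."""
    src = agent_id(flow.src_cgroup)
    dst = agent_id(flow.dst_cgroup) if flow.dst_cgroup else f"svc:{flow.dst_ip}:{flow.dst_port}"
    return policy.get((src, dst), "deny")

# Constructed scenario: billing and refund agents share host 10.0.0.5; the payments tool
# is 10.0.0.9:443. Intent: billing may delegate to refund and call payments; refund may not.
BILLING = "/sys/fs/cgroup/agents/billing-7f3a"
REFUND = "/sys/fs/cgroup/agents/refund-c21e"
FLOWS = {
    "billing->refund":   Flow("10.0.0.5", 40001, "10.0.0.5", 8080, BILLING, REFUND),
    "billing->payments": Flow("10.0.0.5", 40002, "10.0.0.9", 443, BILLING),
    "refund->payments":  Flow("10.0.0.5", 40003, "10.0.0.9", 443, REFUND),
}
AGENT_POLICY = {
    (agent_id(BILLING), agent_id(REFUND)): "allow",
    (agent_id(BILLING), "svc:10.0.0.9:443"): "allow",
}
# A 5-tuple ACL must open the host IP to payments for billing, so refund gets it too.
TUPLE_RULES = {("10.0.0.5", "10.0.0.5", 8080): "allow", ("10.0.0.5", "10.0.0.9", 443): "allow"}

def compare() -> Dict[str, Tuple[str, str]]:
    """Per flow: (5-tuple decision, agent-identity decision)."""
    return {n: (five_tuple_acl(TUPLE_RULES, f), agent_acl(AGENT_POLICY, f)) for n, f in FLOWS.items()}
```

The refund agent's call to the payments tool is the flow the address-keyed ACL cannot deny without also cutting off billing, while the identity-keyed ACL denies it and allows the other two.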
Once the network knows agent identity, it can distribute work in ways a round-robin balancer never could: by capability, by trust and reputation, by cost, by latency class, by which model backs an agent, by affinity to an ongoing A2A conversation. Balancing agents by what makes them agents is a capability that only exists once the network is agent-aware. It is where agentic networking stops being defensive and starts being a platform.
The internet spent two decades becoming identity-aware for people — single sign-on, zero-trust, per-user policy. We did it because access without identity is chaos, and at human scale, chaos is a breach. Agents are arriving at a scale that dwarfs the human internet, and they act on their own. They need the same thing humans got — identity-aware, observable, enforceable communication — except the volume and the autonomy mean it has to live in the network itself, not bolted on top.
That is the world we're building: one where agent-to-agent communication is governed by default — across every host, region, and cloud, without instrumenting a single agent.
We're looking for design partners. Available on AWS today.