
Mastering Safe Agent Autonomy: Docker's AI Governance Framework

Last updated: 2026-05-20 07:13:25 Intermediate

Agents are transforming how developers and business teams work, but with great power comes the need for control. Docker AI Governance provides centralized oversight to ensure agents operate safely. Below, we answer key questions about this new paradigm: how agents are changing work, where they run, why existing tools fail, the two paths through which an agent can cause harm, how Docker governs them, what Claws are, and why laptops are the new production.

How are agents changing the workplace beyond autocomplete?

Agents have moved far beyond simple autocomplete functions. Developers now use them to read entire codebases, refactor code across multiple services, and ship entire products from start to finish—a phenomenon known as "vibe coding" that is going directly to production on laptops worldwide. This shift isn't limited to engineering. A new category of agents, called Claws, is already in production, handling tasks like sending emails, managing calendars, booking travel, pulling CRM data, reconciling reports, and querying production systems. Marketing, finance, sales, and support teams are adopting these agents as quickly as engineering, because the productivity gains are too significant to ignore. Companies that move first are out-executing those that delay. What once took quarters to roll out organization-wide now happens in weeks.

Source: www.docker.com

Where do AI agents actually run, and why does that matter for security?

Agents and Claws operate outside the secure environments that enterprises spent two decades building. They don't sit behind CI/CD pipelines, inside a VPC, or follow IAM models. Instead, they run on the developer's laptop, using the developer's credentials, accessing private repos, production APIs, customer records, and the open internet—often within the same session. This makes the laptop the most powerful node in the enterprise, but also the most exposed. Laptop and agent environments have become the new production, yet they lack the governance controls applied to traditional infrastructure. Without proper oversight, an agent could inadvertently access sensitive data, execute malicious code, or connect to unauthorized network endpoints, creating significant security and compliance risks.

Why can't existing security tools like CI/CD or IAM govern agent behavior?

Traditional security tools are blind to what an agent does. CI/CD pipelines don't see agent activity because an agent isn't a pipeline job. The VPC doesn't see it because the laptop is outside the perimeter. IAM doesn't see it because the agent acts as the developer, using their credentials. The result is that CISOs cannot tell what an agent touched, what code it ran, or where data went. Yet they also cannot tell the business to slow down adoption. This creates a bind for every security leader: they need to enable agent usage for productivity gains, but they lack the visibility to ensure safety. The existing toolset was designed for a world of fixed infrastructure and human-initiated actions, not for autonomous agents making decisions and taking actions on behalf of users.

What are the two critical paths through which an agent can cause harm?

Reducing the problem to first principles, an agent has exactly two paths to cause significant harm. First, it can execute code itself, touching files, opening network connections, and potentially running malicious scripts or accessing unauthorized data. Second, it can call a tool through an MCP server to act on an external system, such as sending an email, modifying a database, or triggering a production deployment. To govern an agent effectively, you must control both paths. If you miss either one, your governance is incomplete. An agent could bypass code execution controls by using a tool, or it could bypass tool controls by executing code directly. Docker AI Governance is built to address both paths, ensuring that every action an agent takes is visible, controlled, and auditable.


How does Docker AI Governance provide centralized control over agents?

Docker AI Governance offers a centralized framework to control how agents execute, what they can reach on the network, which credentials they can use, and which MCP tools they can call. This allows every developer in your company to run AI agents safely, regardless of where they work—on a laptop, in a container, or in the cloud. The system monitors both code execution and tool calls, providing full visibility into agent behavior. It enforces policies that can restrict which repositories an agent can access, which APIs it can call, and which external endpoints it can connect to. By applying the same rigor to agent environments as you would to production infrastructure, Docker AI Governance lets organizations unlock the productivity benefits of agents without compromising security or compliance.
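The two sections above describe a model in which every agent action falls into one of two paths (executing code, or calling a tool through an MCP server) and a central policy decides what each path may touch: files, network hosts, credentials and tool names. The following is an added illustration of that model in Python; it is not Docker's code and says nothing about how the product is implemented. The `Policy`, `Gate` and `Decision` names, the glob-style allowlists, and the sample policy and actions are all constructed for the example. The gate denies by default, evaluates both paths against one policy, and records an audit entry for every decision so that what an agent touched is answerable after the fact.

```python
import json
from dataclasses import dataclass, field
from fnmatch import fnmatch
from urllib.parse import urlparse


@dataclass
class Policy:
    """Allowlists for what an agent may touch. Anything not listed is denied."""
    hosts: list[str]        # glob patterns for network egress, e.g. "*.corp.example"
    tools: list[str]        # MCP tool names the agent may call, e.g. "crm.read"
    paths: list[str]        # glob patterns for files the agent may read or write
    credentials: list[str]  # labels of credentials the agent may present


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class Gate:
    """Evaluates both harm paths (code execution and MCP tool calls) against one policy."""
    policy: Policy
    audit: list[dict] = field(default_factory=list)

    def _matches(self, value: str, patterns: list[str]) -> bool:
        return any(fnmatch(value, p) for p in patterns)

    def _check_exec(self, detail: dict) -> Decision:
        # Path 1: the agent runs code that touches files and opens connections.
        for path in detail.get("files", []):
            if not self._matches(path, self.policy.paths):
                return Decision(False, f"file outside allowed paths: {path}")
        for url in detail.get("urls", []):
            host = urlparse(url).hostname or ""
            if not self._matches(host, self.policy.hosts):
                return Decision(False, f"egress to unapproved host: {host}")
        return Decision(True, "exec within policy")

    def _check_tool(self, detail: dict) -> Decision:
        # Path 2: the agent acts on an external system through an MCP tool.
        name = detail.get("tool", "")
        if not self._matches(name, self.policy.tools):
            return Decision(False, f"MCP tool not approved: {name}")
        return Decision(True, "tool call within policy")

    def evaluate(self, requester: str, path: str, detail: dict) -> Decision:
        cred = detail.get("credential")
        if cred is not None and cred not in self.policy.credentials:
            decision = Decision(False, f"credential not approved: {cred}")
        elif path == "exec":
            decision = self._check_exec(detail)
        elif path == "tool":
            decision = self._check_tool(detail)
        else:
            decision = Decision(False, f"unknown action path: {path}")
        # Every decision, allowed or denied, becomes an audit record.
        self.audit.append({"requester": requester, "path": path, "detail": detail,
                           "allowed": decision.allowed, "reason": decision.reason})
        return decision

    def audit_lines(self) -> list[str]:
        """One JSON line per decision, suitable for shipping to a SIEM."""
        return [json.dumps(r, sort_keys=True) for r in self.audit]


# Constructed sample policy: a coding agent may touch one repo and GitHub's API,
# a business agent may read the CRM; nothing else is approved.
SAMPLE_POLICY = Policy(
    hosts=["api.github.com", "*.corp.example"],
    tools=["calendar.read", "crm.read"],
    paths=["/home/dev/repo/*"],
    credentials=["github-token", "crm-readonly"],
)

# Constructed sample actions (requester, path, detail) mixing both harm paths.
SAMPLE_ACTIONS = [
    ("dev@corp.example", "exec", {"files": ["/home/dev/repo/src/app.py"],
                                  "urls": ["https://api.github.com/repos/corp/app"],
                                  "credential": "github-token"}),
    ("dev@corp.example", "exec", {"files": ["/home/dev/repo/build.sh"],
                                  "urls": ["https://paste.unapproved.example/x"],
                                  "credential": "github-token"}),
    ("sales@corp.example", "tool", {"tool": "crm.read", "credential": "crm-readonly"}),
    ("sales@corp.example", "tool", {"tool": "email.send", "credential": "crm-readonly"}),
    ("dev@corp.example", "exec", {"files": ["/etc/shadow"], "credential": "github-token"}),
]


def run_sample() -> tuple[Gate, list[Decision]]:
    gate = Gate(SAMPLE_POLICY)
    return gate, [gate.evaluate(*action) for action in SAMPLE_ACTIONS]


if __name__ == "__main__":
    gate, decisions = run_sample()
    for action, d in zip(SAMPLE_ACTIONS, decisions):
        print(f"{action[1]:4} {'ALLOW' if d.allowed else 'DENY ':5} {d.reason}")
    for line in gate.audit_lines():
        print(line)
```

Two design choices carry the weight of the passage: the credential check runs before either path-specific check, so an agent cannot launder a denied credential through the other path, and the audit record is written on every branch, including the deny branches, because a denied attempt is often the more interesting signal for the security team.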

What are "Claws" agents and how are they used in production?

Claws are a new class of AI agents designed for business functions beyond engineering. They are already in production, performing tasks like sending emails, managing calendars, booking travel, pulling CRM data, reconciling reports, and querying production systems. Marketing, finance, sales, and support teams are adopting Claws as fast as engineering adopts coding agents, because the productivity gains are too large to ignore. These agents operate with the same autonomy as developer agents, but they often interact with sensitive business data and external services. This makes governance even more critical, as a misconfigured Claw could send an unauthorized email, delete a customer record, or expose confidential information. Docker AI Governance extends its control to Claw agents, ensuring they only perform approved actions on approved systems.

Why is the laptop now considered the new production environment?

In the traditional model, production was a hardened data center or cloud VPC with strict access controls and monitoring. Today, agents run on developer laptops, using the developer's credentials to access production systems, private repositories, and sensitive data. The laptop has become the most powerful node in the enterprise: it can execute code, open network connections, and call tools that affect real systems. At the same time, it is the most exposed—outside the corporate perimeter, often on untrusted networks, and without the monitoring applied to production servers. When an agent on a laptop goes rogue, it can cause the same damage as a compromised production server. Therefore, laptop and agent environments must be governed with the same rigor as production. Docker AI Governance brings that governance to where agents actually run, closing the security gap.