How Lens built Lens Agents to govern its own AI-native operations
TL;DR
- Lens Agents was built for internal use first. Lens became its own first customer, governing agents across marketing, GTM, product, and engineering before shipping the platform externally
- Sandbox + supervisor architecture. A microVM-based sandbox with policy-driven traffic inspection on every request, deployable on-prem, on AWS, Azure, or GCP
- You can also bring your own agent, because the platform is framework-agnostic. The Lens-provided agent is optional. Existing agents gain audit trails, identity binding, and credential injection without a rewrite
- Implement budgeting, integrate with any MCP-compatible client, and put policies in place for governance
Lens began its shift to an AI-native organization approximately 6 months ago with marketing, GTM, product, and engineering teams all running autonomous agents for their own work.
By adopting an agentic workflow, we’ve hit the same wall every enterprise is now hitting: plenty of agents, little to no visibility into where the agents are, what they are doing, how much they cost, or what sort of permissions they have.
We needed something to help us with all of these issues, and the result was Lens Agents. This platform is a supervised microVM sandbox plus a centralized control plane for governing AI agents anywhere they run, from a developer's laptop to a production Kubernetes cluster.
"We started running autonomous AI agents for our own individual needs, within our teams. We have multiple teams: marketing, GTM, engineering. All of these guys, they want to run agents. And we found out that actually it's not the problem of having great technologies. There are bits and pieces of technologies everywhere and each one of them addresses different pieces of the puzzle. But we didn't find anything that we could actually use to really understand where the agents actually have access and how we can actually govern the access."
— Miska Kaipiainen, Head of Product, Lens
The real challenge with AI workflows: Governance
Enterprise security traditionally meant keeping threats out. With AI agents, this has flipped: agents are inside the perimeter by design, usually running with human credentials, often on developer laptops that no one is monitoring.
At Lens, we saw this internally: engineers ran Claude Code and Codex on their laptops, GTM ran agents against CRM data, and each team picked its own tools. Nobody could say which agents had touched the data, or which agents had installed which CLI tools to get a particular task done.
"It's been almost like a paradigm shift. We have been inviting the AI agents inside to our organization. It's not anymore defending the threats that are coming from outside, but actually the threats that the AI agents themselves cause by being inside the systems already. And often these AI agents are using human credentials. So it's not like the AI has credentials — they are working on behalf of humans, and it's kind of implied credentials. That's a very problematic case because not many organizations have a system or identity solution for how we identify agents and what are the AI behaviors, and how do we distinguish those from the human actors."
— Miska Kaipiainen
Governance isn’t a single problem; it’s a set of overlapping ones. You need to know what data sources your agents touch, what they can install, and what secrets they touch, and you need audit trails detailed enough to satisfy SOC 2, ISO 27001, NIST AI RMF, and the EU AI Act, which becomes fully applicable from August 2026.
"Agents need connectivity to relevant data sources. Whether it's your Salesforce data, your financial data, your internal knowledge base systems, source code, production environments. And at the same time, managing what is the available toolbox that the agents have at their disposal for actually doing something with those connections."
— Miska Kaipiainen
Build vs Buy: What Led Lens to Build Lens Agents
The Lens team evaluated the existing landscape and found that, although all the pieces existed, nothing tied them together.
Lens needed governance that:
- Worked on developer laptops, not just Kubernetes clusters
- Worked across any hyperscaler
- Was framework-agnostic
- Offered a single pane of glass
- Integrated natively with MCP
- Could implement budgeting
- Offered a way to implement policies
"We started building this platform basically initially for our own needs. And we found out at the end that, hey, this is actually pretty cool, and maybe actually some of the other organizations are in the same spot as we are. So that's where it all started with our own internal needs. And it took off from there."
— Miska Kaipiainen
The Lens Agents Architecture
Lens Agents has two major components: a supervised sandbox for the agent runtime, and a control plane for governance.
The sandbox uses microVM isolation, giving a stronger boundary than a container while still spinning up fast enough for interactive workflows. A supervisor process watches all traffic in and out of the sandbox and enforces policies on every request. In practice this means that:
- Network egress is constrained by domain and HTTP method allowlists, enforced at the kernel level inside the sandbox
- Credentials are injected server-side when they are needed. This means that the agent runtime never holds the raw secret
- Every action is recorded in the audit trail
- Filesystem, network, and toolchain are bounded by the sandbox, so even a compromised agent can’t reach beyond it
"We have been building our own sandboxing technology that is not based on traditional container technology. It's based on the microVM technology. And we have also a supervisor component that is watching all the time what is happening inside this sandbox. Every kind of data traffic that goes in or out from this sandbox — it's basically policy managed. That's one of the core components of this technology stack."
— Miska Kaipiainen
The control plane is where policy lives and visibility consolidates. It offers:
- OIDC SSO identity binding so every agent action is tied to a real human identity
- Team-scoped projects for better isolation
- Spending control to cap budget per organization, team, or agent
- Framework-agnostic governance, so existing agents gain governance by default
"So enterprises can run multiple tens or hundreds or thousands of these supervised sandboxes on their target environment. Whether they want to deploy on-prem, or on AWS, Azure, or Google Cloud, they can leverage their hyperscaler capacity. We provide the control plane for centralized visibility and all the audit trails. Everything the agents are doing comes to our central location for central IT governance."
— Miska Kaipiainen
The hardest part: using secrets without exposing them
An agent that holds a secret in memory is a security risk. That secret can be exfiltrated through prompt injection, a poisoned dependency, or a tool the agent installed at runtime to solve a task.
Lens Agents’ answer is server-side credential injection. The supervisor injects credentials into the outbound requests at the boundary, after the agent has produced the request, but before it leaves the sandbox.
"You need to develop a system where the secrets can be exposed to an agent while the agent actually doesn't have any secrets at any moment in time. We are talking about secret injections, and there are different strategies for how this can be accomplished. Agents are fast, they are doing all kinds of stuff all the time. We have to trust them, they are not malicious by nature, but you need to put in checks and balances so that you as a human are still on top of things."
— Miska Kaipiainen
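A small user-space model of the boundary logic described in the architecture and secrets sections, added here as an illustration and not Lens Agents code: an allowlist check on host and HTTP method, an audit record bound to a human identity, then credential injection into the request the agent produced. The policy table, secret store, header list and `Supervisor` class are hypothetical, and the kernel-level enforcement the page mentions is not modelled.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed policy: host -> allowed HTTP methods (all names hypothetical).
POLICY = {"api.crm.example": {"GET"}, "git.example": {"GET", "POST"}}
# Secrets live only on the supervisor side, keyed by destination host.
SECRETS = {"api.crm.example": "Bearer constructed-token-123"}
# Headers the agent may not set itself; the supervisor owns them.
SUPERVISOR_OWNED = {"authorization", "proxy-authorization", "cookie"}

@dataclass
class Supervisor:
    identity: str                      # human identity bound to this sandbox
    audit: list = field(default_factory=list)

    def forward(self, method, url, headers):
        """Return the request to send upstream, or None if policy denies it."""
        parts = urlsplit(url)
        # Exact host match only: no prefix or substring comparison.
        host = (parts.hostname or "").lower().rstrip(".")
        method = method.upper()
        allowed = parts.scheme == "https" and method in POLICY.get(host, set())
        # Audit the request as the agent produced it, before injection,
        # so the secret never lands in the log.
        self.audit.append({"who": self.identity, "method": method,
                           "host": host, "path": parts.path,
                           "decision": "allow" if allowed else "deny"})
        if not allowed:
            return None
        # Drop anything the agent put in supervisor-owned headers.
        out = {k: v for k, v in headers.items()
               if k.lower() not in SUPERVISOR_OWNED}
        # Inject the credential at the boundary, after the agent is done.
        if host in SECRETS:
            out["Authorization"] = SECRETS[host]
        return {"method": method, "url": url, "headers": out}

def demo():
    sup = Supervisor(identity="alice@corp.example")
    ok = sup.forward("get", "https://api.crm.example/v1/accounts",
                     {"Accept": "application/json", "authorization": "x"})
    # Allowlisted host, but the method is not in its allowlist.
    bad_method = sup.forward("DELETE", "https://api.crm.example/v1/accounts", {})
    # A hostname that merely starts with an allowed name must not match.
    lookalike = sup.forward("GET", "https://api.crm.example.other.test/", {})
    return ok, bad_method, lookalike, sup.audit
```

The audit list is the part worth checking in review: it carries the identity and the decision for every request, allowed or denied, and never the injected value.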
The bottom line
Lens is running agents internally with full identity binding, audit trails, policy enforcement, and budgeting across teams. The same platform that solved the internal sprawl is what’s now in early access as Lens Agents.
It’s important to understand that agentic AI workflows are here, shadow AI is a real problem, and implementing governance for agents will make a crucial difference in balancing speed and control:
"This is a serious threat. Everybody who is listening probably has somewhere on their machine already maybe Claude Code doing some work in the background. So it's just a matter of time when something very, very bad will happen. Even an innocent-looking agent running on your laptop is a massive security threat for many enterprises. How can you actually govern even those agents that run on your employees' laptops? That is a question we need to have an answer to very soon."
— Miska Kaipiainen
To see Lens Agents in action, book a demo with one of our engineers.

