7 min read

AI Tenant Isolation: The 39% Leak Problem

A review of 200+ self-hosted AI tools found 39% leak across tenants via containers. MicroVM and enclave isolation is safer but costs more. Choose isolation based on regulatory risk, not just price.

Featured image for "AI Tenant Isolation: The 39% Leak Problem"

Hoody runs 812 isolated containers across three bare-metal servers on a single flat-rate bill. It’s the cheapest, fastest-growing multi-tenant isolation model available right now — and it may also be the most dangerous. A source review of 200+ self-hosted AI tools found that 78 leaked across tenants, a roughly 39% failure rate. The market is scaling the architecture that is empirically the least safe because it is the most economically attractive. I call this the Isolation Economics Gap, and if you’re building multi-tenant agentic AI, you need to understand it before you pick a sandbox.

The Container Trap: Cheap, Fast, and Leaking

Container-per-tenant isolation dominates deployments because the economics are irresistible. Hoody runs 812 isolated containers across 3 bare-metal servers with each customer getting their own filesystem, URL, and kernel namespace on one flat-rate server bill with no per-tenant meter. OpenLegion provides per-agent Docker container isolation with dedicated network namespaces, starting at $62/month. You bring your own LLM API keys with zero token markup. The pitch is simple: shared infrastructure, isolated tenants, predictable cost.

Here’s the problem. Container isolation uses a shared host kernel, which means one unpatched CVE compromises every container on that host. Known escape vectors include CVE-2024-21626 and CVE-2025-59528, the latter carrying a CVSS score of 10.0. MicroVM isolation via Firecracker requires a full VM escape, which is orders of magnitude harder by design. The technology exists to close this gap. The market just isn’t adopting it fast enough.

The empirical evidence is damning. A source review of 200+ self-hosted AI tools found 78 leaked across tenants — approximately a 39% leak rate. These aren’t theoretical vulnerabilities in obscure libraries. They’re the same container-based architectures being deployed right now by teams who read the pricing page, saw a flat rate, and shipped to production. When AI agents fail in production, the root cause is often skipped safety plumbing. Tenant isolation is no different.

MicroVM Isolation: Stronger Boundaries, Per-Second Bills

MicroVMs eliminate the shared-kernel problem by giving each sandbox its own guest OS kernel backed by hardware virtualization. Novita Agent Sandbox uses Firecracker microVM isolation and supports BYOC deployment in your own AWS or GCP VPC with no subscription fee, billed at $0.0000098/s per 1 vCPU as of July 2026. Perplexity’s SPACE sandbox wraps each agent task in a Firecracker microVM with per-session credential isolation for tenant-separated agent execution. These are the architectures that should be the default for multi-tenant agentic AI.

The cost math shifts dramatically at scale, though. At 200 concurrent sandboxes, total monthly costs range from $7,200 to over $35,000 depending on platform. Northflank sits at the low end at $0.01667/vCPU-hr — the math works out to approximately $7,200/month for 200 sandboxes × 1 vCPU × 730 hours × $0.01667. Higher-tier platforms exceed $35,000/month at the same scale. That’s a 5x spread for the same workload profile.

PlatformIsolation ModelPricingTarget Audience
HoodyContainer (bare metal)Flat-rate per serverSaaS teams wanting predictable cost
NovitaFirecracker microVM$0.0000098/s per 1 vCPUCompliance-sensitive teams needing BYOC
NorthflankMicroVM (Kata/gVisor)$0.01667/vCPU-hrTeams needing per-second metering + GPU
OpenLegionDocker containerFrom $62/monthSelf-hosted agent fleets with cost controls

The tradeoff is clear. Flat-rate container platforms give you predictable bills and ownership alignment. Per-second microVM platforms give you granular visibility, governance, and hardware-level escape resistance. You’re choosing between cost predictability and isolation guarantees — and most teams are picking the cheaper option without auditing the risk.

Logical vs. Physical Tenancy: Where the Boundaries Actually Live

Isolation isn’t just about containers versus microVMs. It’s about where the tenant boundary is enforced — in infrastructure, in application logic, or in cryptographic claims. Amazon Bedrock AgentCore implements a three-level hierarchy (Tier → Tenant → User) enforced at every layer through documents in knowledge base, memory, model access, and cost tracking. ibl.ai operates multi-tenant AI architecture across 1.6M+ users and 400+ organizations with hard data isolation where tenant data is stored in logically or physically separated partitions with no cross-tenant access possible at the architecture level.

Then there’s the claim-based approach. A multi-tenant MCP hosting architecture enforces cross-tenant non-interference at the load-balancer layer via aud and product_id claims on every JWT, with one shared platform database and N per-product domain databases never cross-joined. This is logical isolation at scale — no dedicated infrastructure per tenant, just cryptographic claims that pin every request to a tenant identity.

The tension here is real. Snowflake and LoginRadius argue tenant isolation must be enforced by infrastructure — RBAC, row access policies, identity boundaries — never trusted to the LLM or app logic. The MCP paper and ibl.ai show isolation enforced at the load-balancer and platform layers via claims, with shared infrastructure working in production across hundreds of organizations. Both approaches are running in production right now. The question is which failure mode you can tolerate.

Tenant isolation must span data, identity, performance, and analytics layers, and analytics and reporting surfaces are among the most common isolation failure points in SaaS. You can get the container boundary right and still leak data through a misconfigured analytics query that’s missing a tenant filter. This is why the AI platform engineering control plane gap matters — without observability into how tenant context flows through every layer, you’re flying blind.

Sovereign AI and Confidential Computing: The Nuclear Option

For regulated industries, even microVM isolation isn’t enough. Prem Enclave applies confidential computing — Intel TDX, AMD SEV-SNP, NVIDIA Confidential Computing — with post-quantum encryption across AI clusters for tenant-isolated sovereign AI with zero data retention. The data stays encrypted throughout processing. Not even the platform provider can read it.

NeuralMesh supports multiple fully isolated tenants on a single cluster with each getting own private network, performance controls, security policies, and administrator, plus composable dedicated hardware per tenant from one control plane. Anchor customers get dedicated hardware. Smaller tenants get logical isolation on shared infrastructure. Both models run on the same platform.

This is the top of the isolation pyramid. It’s also the most expensive and operationally complex. You don’t start here. You end up here when regulatory requirements, data sovereignty laws, or customer contracts demand cryptographic proof that tenant data never left the enclave. For most teams, this is overkill. For teams in healthcare, defense, or government AI deployments, it’s the only architecture that passes audit.

The Cost Question: Flat-Rate vs. Per-Second at Scale

The pricing models reveal a deeper philosophical split. OneReach prices its GSX platform as enterprise infrastructure — capacity-based Private Dedicated Environments with zero markup on tokens, cloud compute, and storage. No seats. No per-agent metering. The pitch is ownership alignment: you buy the capacity, you own the asset, costs flatten at scale. OpenLegion follows a similar logic with flat monthly plans.

Per-second metering tells a different story. Northflank and Novita bill for exactly what you use, which means costs scale linearly with agent activity. At 200 concurrent sandboxes, you’re looking at $7,200/month on the low end and $35,000+ on the high end. The AI platform infrastructure inversion is real — agent traffic now exceeds human infrastructure use, and per-second billing gives you the governance visibility to prove it.

Flat-rate pricing hides sprawl. Per-second pricing exposes it but penalizes you for it. The right choice depends on whether your priority is cost predictability or spend visibility. If you’re running a sandboxed MCP deployment with unpredictable agent activity spikes, per-second metering gives you the data to govern. If your workload is steady-state and well-understood, flat-rate is cheaper and simpler. Just don’t confuse predictable cost with safe architecture.

The Isolation Debt Crisis

The industry’s rush to container-per-tenant flat-rate sandboxes is creating a systemic isolation debt. A 39% leak rate in self-hosted tools isn’t a rounding error — it’s a structural failure of software-scoped boundaries under real agent autonomy. Containers are cheap, fast, and easy to deploy. They’re also the isolation model most likely to leak when an agent does something you didn’t anticipate.

Here’s my recommendation. If you’re deploying multi-tenant agentic AI in any regulated context — healthcare, finance, government, or any environment where a cross-tenant data leak would trigger a breach notification — mandate microVM or enclave-grade isolation as the default. Firecracker-based sandboxes like Novita and Northflank give you hardware-level escape resistance at per-second billing rates that, while more expensive than flat-rate containers, are still dramatically cheaper than a breach. For non-regulated workloads with trusted code, container isolation is a reasonable starting point — but budget for the migration to microVMs before you scale past a few dozen tenants.

The open question: will the market self-correct, or will it take a high-profile cross-tenant leak in a container-based AI platform to force the shift? Given that 63% of organizations still lack a formal AI governance policy, I wouldn’t hold my breath. The cheapest architecture is winning. The safest architecture is niche. And the gap between them is where your data lives.