Tailscale is building the AI gateway for a world where agents need identity
A conversation with Remy Guercio about Tailscale's AI gateway
We sat down with Remy Guercio from Tailscale to talk about what's been cooking at the company. What started as a conversation about networking quickly turned into a fascinating discussion about identity, AI agents, and why the network itself might be the ultimate sandbox.
The problem with AI agents and API keys
Tailscale has been working on something they're calling an AI gateway, and it solves a problem that's been nagging at anyone running AI agents at scale: identity and access control.
"When a node or device joins the tailnet, every other device on the tailnet can know the identity of that node and the identity of the user it's associated with," Remy explained. This built-in identity is what makes Tailscale's approach to AI gateways different.
Here's how it works: instead of distributing API keys to every developer, every CI runner, and every autonomous agent in your organization, you point everything at the AI gateway. The gateway is the only thing that needs the API key. Everything else authenticates through its identity on the tailnet.
"You don't have to distribute API keys to your organization. You don't have to distribute them to your agents. You don't have to do any of that."
Differentiating humans from bots (and bots from each other)
The really interesting part is how granular this control can get. Tailscale can differentiate between you running Claude Code on your laptop versus an autonomous agent running in a GitHub Actions workflow.
For CI/CD environments, they've integrated with GitHub's federated OIDC. An agent can join the tailnet with a tag like "claude-pr-reviewbot" or "docs-reviewbot" without needing a Tailscale key at all. When requests hit the gateway, they come with that tag plus a stable node ID that identifies that specific run of the agent.
"You can get all of that nice sorted list in your gateway to make sure it didn't go off the rails, you know, it didn't start making all these tool calls. You can stop those if you want. You could alert on those."
This opens up some practical scenarios. Maybe your 10x developers get unlimited access to the most capable models, while CI pipelines have strict quotas. Maybe certain groups are encouraged to use less expensive models for routine tasks. Tailscale can sync groups from your identity provider and apply different policies based on who's making the request.
TSNet: when programs join networks
One of the more mind-bending aspects of Tailscale's architecture is something called TSNet, a Go library that lets a program connect directly to a tailnet without any additional infrastructure. The AI gateway is actually built this way.
"It kind of breaks your brain just a little bit when you start to think of like a program itself can just join a private network," Remy admitted.
For developers, this eliminates a lot of the traditional friction. No mini-PRs to get things approved, no back-and-forth with the infrastructure team about access and authorization. You write the code, join the tailnet, and you're running.
The gateway can also receive arbitrary JSON configuration through Tailscale's access control rules on a per-request basis. This means applications can make decisions dynamically based on user, group, or tag—without hardcoding policies into the application itself.
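The gateway pattern described above (identity supplied by the tailnet instead of distributed API keys, different models and quotas per user or tag, and per-request JSON delivered through access-control rules) is sketched below as an added Go example. It is not Tailscale's gateway code and does not use tsnet: a `peers` map stands in for the `WhoIs` lookup a tsnet server would make, the `models` and `daily_quota` grant fields are hypothetical, the addresses, identities and `gateway-held-key` are constructed, and a handler that echoes its headers stands in for the model provider's API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"slices"
	"strings"
)

// Peer is what the gateway learns about a caller from the tailnet plus the grant JSON an
// access-control rule attaches to it. A tsnet gateway would get this from
// LocalClient().WhoIs(remoteAddr); the shape here is an assumption.
type Peer struct {
	Who    string // user login such as "alice@example.com", or a tag like "tag:claude-pr-reviewbot"
	NodeID string // stable node ID: identifies this specific agent run
	Grant  string // raw per-request JSON from the access-control rule
}
type Grant struct { // field names are hypothetical, not a Tailscale schema
	Models     []string `json:"models"`      // "*" allows any model
	DailyQuota int      `json:"daily_quota"` // 0 means unlimited
}

// Gateway holds the only copy of the provider key. usage is unlocked for brevity;
// a real handler runs concurrently and needs a mutex.
type Gateway struct {
	peers    map[string]Peer // keyed by remote address: the WhoIs stand-in
	upstream http.Handler    // stand-in for the provider's API
	apiKey   string
	usage    map[string]int // requests so far per node, i.e. per CI run
}

// decide returns nil if the peer's grant allows model and its quota is not used up.
func (g *Gateway) decide(p Peer, model string) error {
	var gr Grant
	if json.Unmarshal([]byte(p.Grant), &gr) != nil {
		return fmt.Errorf("malformed grant for %s", p.NodeID)
	}
	switch {
	case !slices.Contains(gr.Models, "*") && !slices.Contains(gr.Models, model):
		return fmt.Errorf("model %q not granted to %s", model, p.Who)
	case gr.DailyQuota > 0 && g.usage[p.NodeID] >= gr.DailyQuota:
		return fmt.Errorf("quota of %d exhausted for %s", gr.DailyQuota, p.NodeID)
	}
	g.usage[p.NodeID]++
	return nil
}

func (g *Gateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	p, ok := g.peers[r.RemoteAddr]
	if !ok { // a tsnet listener would never even see such a peer
		http.Error(w, "not a tailnet identity", http.StatusForbidden)
		return
	}
	var req struct{ Model string }
	body, err := io.ReadAll(r.Body)
	if err != nil || json.Unmarshal(body, &req) != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	if err := g.decide(p, req.Model); err != nil {
		http.Error(w, err.Error(), http.StatusForbidden)
		return
	}
	r.Body = io.NopCloser(strings.NewReader(string(body)))
	// Only the gateway's key reaches the provider, whatever the caller sent; identity rides along for audit.
	r.Header.Set("Authorization", "Bearer "+g.apiKey)
	r.Header.Set("X-Tailnet-Identity", p.Who+"/"+p.NodeID)
	g.upstream.ServeHTTP(w, r)
}

// NewDemoGateway uses constructed peers, not real tailnet data: Alice may use any model with
// no quota; a CI run tagged claude-pr-reviewbot gets one model and two requests.
func NewDemoGateway() *Gateway {
	echo := func(w http.ResponseWriter, r *http.Request) { // the provider stand-in echoes what it was sent
		fmt.Fprintf(w, "%s as %s", r.Header.Get("Authorization"), r.Header.Get("X-Tailnet-Identity"))
	}
	return &Gateway{apiKey: "gateway-held-key", usage: map[string]int{}, upstream: http.HandlerFunc(echo), peers: map[string]Peer{
		"100.100.0.1:51000": {"alice@example.com", "nAlice", `{"models":["*"]}`},
		"100.100.0.2:51000": {"tag:claude-pr-reviewbot", "nRun42", `{"models":["small-model"],"daily_quota":2}`},
	}}
}

// Send: a constructed request carrying a client-side key that must never reach upstream; returns status and body.
func Send(g *Gateway, remoteAddr, model string) (int, string) {
	r := httptest.NewRequest("POST", "/v1/chat/completions", strings.NewReader(fmt.Sprintf(`{"model":%q}`, model)))
	r.RemoteAddr = remoteAddr
	r.Header.Set("Authorization", "Bearer key-the-client-should-not-have")
	w := httptest.NewRecorder()
	g.ServeHTTP(w, r)
	return w.Code, strings.TrimSpace(w.Body.String())
}

func main() {
	g := NewDemoGateway()
	for _, addr := range []string{"100.100.0.1:51000", "100.100.0.2:51000", "100.100.0.2:51000", "100.100.0.2:51000", "203.0.113.9:51000"} {
		fmt.Println(Send(g, addr, "small-model")) // 200, 200, 200, 403 (quota), 403 (not on the tailnet)
	}
}
```

The point to notice is that the caller's own Authorization header never survives the hop: the only provider key lives in the gateway process, and what the provider sees alongside it is the tailnet identity, keyed per user for humans and per stable node ID for tagged agents, which is what makes a per-run quota and audit trail possible without any key ever being handed to a developer machine or CI runner.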
The network as sandbox
Tailscale is also rolling out multiple tailnets and ephemeral tailnets—the ability to spin up networks on demand and tear them down when you're done.
"One of our engineers kind of thinks of it as, hey, now the network is the sandbox. It's not just the container, it's not just the VM."
Customers are using this to connect their own customers to infrastructure in isolated ways. Some are spinning up one tailnet per customer, essentially bringing the concept of single-tenant isolation to the network layer.
"You can almost think of it as like single-tenant network versus multi-tenant SaaS. If your customers really want that isolation, you can take that concept and say, hey, we've really segmented you out. And it doesn't have to be all in one cloud. It doesn't have to be all in one location."
The appeal is being able to make guarantees at the network layer. No IP allow-lists to manage, no open ports. If a node is in the tailnet, it can communicate. If it's not, it can't. You could have a remote sensor at a customer site, a machine in a specific AWS region, and a workstation all in a single tailnet where they can only talk to each other.
Looking ahead
As AI agents become more autonomous and more distributed, the questions around identity and access control are only going to get more pressing. How do you give an agent enough access to be useful without giving it the keys to the kingdom? How do you audit what it did and why?
Tailscale's bet is that the answer lies in the network layer—that identity should be built in, not bolted on. Whether you're running a quick experiment on your laptop or deploying a fleet of autonomous agents across cloud and on-prem infrastructure, the same principles apply.
For organizations already thinking about AI governance, it's an approach worth watching.
This interview was recorded at AWS re:Invent 2025 in Las Vegas.