Multi-Tenant AI Agent Safety: Isolating Customer Workloads
Multi-tenant AI agent deployments require strict isolation so that one customer's agent cannot access another customer's data, configurations, or resources. SafeClaw by Authensor enforces tenant isolation at the policy level: each tenant gets a scoped policy that restricts file access to their workspace directory, limits network calls to their authorized endpoints, and produces a separate audit trail — all evaluated deny-by-default before any action executes.
Quick Start
npx @authensor/safeclaw
Per-Tenant Policy Architecture
Structure tenant policies in a dedicated directory:
.safeclaw/
  tenants/
    tenant-acme.yaml
    tenant-globex.yaml
    tenant-initech.yaml
  shared/
    base-restrictions.yaml
Tenant-Scoped Policy
Rules are listed in the order they are meant to be evaluated. As written, the policy relies on the specific allow for workspaces/acme/** being matched before the broader deny for workspaces/**, with the trailing action: "*" deny as the fallback; under deny-overrides semantics the broad deny would also block Acme's own workspace. Confirm the precedence your engine version applies before mixing overlapping allow and deny patterns.
  # .safeclaw/tenants/tenant-acme.yaml
  version: "1.0"
  description: "Tenant: Acme Corp — isolated workspace"
  tenantId: "acme"
  rules:
    # File isolation: only access Acme's workspace
    - action: file.read
      path: "workspaces/acme/**"
      effect: allow
      reason: "Tenant-scoped read access"
    - action: file.write
      path: "workspaces/acme/**"
      effect: allow
      reason: "Tenant-scoped write access"
    # Block access to other tenants
    - action: file.read
      path: "workspaces/**"
      effect: deny
      reason: "Cross-tenant access blocked"
    # Network isolation
    - action: network.request
      domain: "acme.api.platform.com"
      effect: allow
      reason: "Tenant-specific API endpoint"
    - action: network.request
      domain: "*"
      effect: deny
      reason: "Block all non-tenant network access"
    # Shell restrictions
    - action: shell.execute
      command: "*"
      effect: deny
      reason: "Shell execution blocked for tenant agents"
    # Baseline
    - action: "*"
      effect: deny
      reason: "Tenant baseline: deny all unscoped actions"
Workspace Directory Isolation
Enforce a strict workspace hierarchy:
workspaces/
  acme/
    data/
    config/
    output/
  globex/
    data/
    config/
    output/
  initech/
    data/
    config/
    output/
SafeClaw's path matching is meant to ensure that workspaces/acme/** never resolves into workspaces/globex/, even for traversal attempts such as workspaces/acme/../../globex/data, because paths are normalized before evaluation. For that guarantee to hold, normalization has to resolve the .. segments rather than delete them: resolved, the example collapses to globex/data, which matches no Acme allow rule and falls through to deny. A path with the .. tokens merely stripped would read workspaces/acme/globex/data, pass the allow rule, and still open globex/data on the filesystem. The same reasoning applies to symlinks the agent can create inside its workspace: the check has to run on the real path, not the literal one.
Preventing Path Traversal
Add an explicit traversal guard as defense in depth:
  - action: file.read
    path: "/../"
    effect: deny
    reason: "Path traversal attempt blocked"
  - action: file.write
    path: "/../"
    effect: deny
    reason: "Path traversal attempt blocked"
SafeClaw evaluates these rules before checking the workspace-scoped allows, so a traversal pattern is caught regardless of the target path. Be clear about what the guard does and does not do: a literal "/../" pattern only fires if it is matched against the path as the agent submitted it (a path whose .. segments have already been resolved no longer contains the pattern), and it also rejects benign in-workspace requests such as workspaces/acme/data/../config. Treat it as a second layer behind normalization, not a replacement for it.
Dynamic Tenant Policy Loading
For platforms with many tenants, generate policies dynamically:
  // Tenant IDs are interpolated into path globs, so validate them first:
  // a value such as "acme/../globex" would widen the scope to another tenant.
  const TENANT_ID_PATTERN = /^[a-z0-9][a-z0-9-]{0,62}$/;

  function generateTenantPolicy(tenantId, allowedDomains) {
    if (!TENANT_ID_PATTERN.test(tenantId)) {
      throw new Error(`invalid tenantId: ${tenantId}`);
    }
    return {
      version: "1.0",
      description: `Tenant: ${tenantId}`,
      tenantId,
      rules: [
        {
          action: "file.read",
          path: `workspaces/${tenantId}/**`,
          effect: "allow"
        },
        {
          action: "file.write",
          path: `workspaces/${tenantId}/**`,
          effect: "allow"
        },
        // One allow per authorized endpoint; any other domain falls through
        ...allowedDomains.map(domain => ({
          action: "network.request",
          domain,
          effect: "allow"
        })),
        // Catch-all deny: with first-match ordering this also covers
        // shell.execute and other tenants' workspaces, which match no allow above
        { action: "*", effect: "deny" }
      ]
    };
  }
Per-Tenant Audit Trails
Filter audit logs by tenant for compliance reporting:
  # Acme's activity log
  npx @authensor/safeclaw audit export \
    --filter policy=tenant-acme \
    --format json \
    --since "30 days"

  # Cross-tenant access attempts (security investigation)
  npx @authensor/safeclaw audit export \
    --filter effect=deny \
    --filter path="workspaces/*" \
    --format json
Any denied cross-tenant access attempt appears in the audit log with full context: which tenant's agent tried to access which path, when, and which rule blocked it.
Resource Limits Per Tenant
Combine SafeClaw policies with resource constraints:
  # Rate limiting per tenant
  - action: network.request
    rateLimit:
      maxRequests: 100
      window: "1 minute"
    effect: allow
    reason: "Tenant rate limit: 100 req/min"
This keeps a single tenant's agent from consuming a disproportionate share of platform resources. A policy-level rate limit bounds how often the agent may act; CPU, memory and disk quotas still have to be enforced by the container or sandbox the agent runs in.
Why SafeClaw
- 446 tests including path normalization and traversal prevention
- Deny-by-default ensures tenant agents start with zero cross-tenant access
- Sub-millisecond evaluation scales to thousands of tenant policy evaluations
- Hash-chained audit trail provides per-tenant compliance evidence
- Works with Claude AND OpenAI — tenant isolation applies regardless of provider
- MIT licensed — embed in your multi-tenant platform without licensing concerns
See Also
- Filesystem Isolation for AI Agents: Beyond Chroot
- Network Policies for AI Agents: Controlling Outbound Traffic
- Role-Based Access Control for AI Agents
- Zero Trust Architecture for AI Agents
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
$ npx @authensor/safeclaw