Agent-Native Runtimes Go Live, Prompt Injection Leaks API Keys

A security researcher, working with colleagues at Johns Hopkins University, opened a GitHub pull request in April and typed a malicious instruction into the PR title. The instruction was not addressed to a human reviewer. It was addressed to the AI agent configured to scan the repository, and it worked: Anthropic's Claude Code Security Review action read the PR title, followed the embedded command, and posted its own API key as a public comment on the pull request. Two other coding agents from unnamed vendors fell to the same technique. One of the three vendors had published a system card that predicted the exact failure mode, and the prediction made no difference to the outcome.

The incident, reported by VentureBeat on April 21, is not remarkable because prompt injection is new. Security researchers have been demonstrating instruction-hijacking attacks against large language models since 2022. What is new is the architectural setting: an agent, operating inside a runtime that gave it access to secrets, a network socket, and a tool chain, processed untrusted input without sufficient isolation, and exfiltrated credentials into an environment visible to the attacker. The runtime was the attack surface, and the runtime failed.

That distinction matters because 2026 is the year the software industry began shipping agent-native runtimes, a category of infrastructure distinct from the LLM APIs and vector databases that dominated the previous two years of generative AI investment. An agent-native runtime is the substrate in which an autonomous software agent executes: it manages tool calls, orchestrates multi-step plans, persists intermediate state across minutes or hours of execution, and, in principle, enforces the boundary between what the agent is permitted to do and what it is not. When the boundary fails, as it did in that GitHub pull request, the failure is a runtime failure, not a model failure.

The taxonomy is still settling, but the industry has converged on at least three distinct layers. At the bottom sits the model-serving infrastructure: inference engines, GPU clusters, model catalogs, and routing layers that decide which model to call for which request. Above that is the agent framework, which provides the developer with abstractions for defining tools, prompts, memory, and multi-agent topologies. Microsoft's Agent Framework 1.0, released on April 3 and covered by Forbes, lives here, as do Google's Agent Development Kit and AWS Strands. And at the top sits the agent runtime itself, the execution environment that schedules tasks, checkpoints progress, replays failures, and governs what an agent can touch.

It is this top layer that is absorbing the most architectural disagreement, because it is the layer that must answer the hardest question: should an agent runtime be a stateful workflow engine with durable execution guarantees, or should it be a stateless, serverless-style invocation platform with externalized state? The question has an antecedent. Anyone who built distributed systems in the 2010s will recognize the same tension that produced Apache Kafka's exactly-once semantics on one side and AWS Lambda's event-driven model on the other. The difference is that an AI agent can loop, call tools, wait for human input, call more tools, and run for hours. A stateless invocation model that restarts from scratch on every failure is not merely inefficient; it is unsafe, because the agent may have already taken a side-effecting action, like posting a comment on GitHub, before the checkpoint was lost.

The clearest articulation of the stateful position arrived on April 28, when Mistral AI launched Workflows, an orchestration engine powered by Temporal Technologies' durable execution platform. VentureBeat reported that the service was already processing millions of daily executions across logistics, finance, and customer support use cases. Temporal's core abstraction, a workflow-as-code written in a general-purpose language, replays deterministically from its event history on failure. The agent's state, including which API call it was about to make when the pod was rescheduled, survives the restart. For a category of workload where a half-executed tool call can mean a double-charged customer or a leaked credential, the appeal is straightforward.

The era of enterprises stitching together prompt chains and shadow agents is nearing its end as more options for orchestrating complex multi-agent systems emerge., VentureBeat, reporting on the Google and AWS agent stack split, April 22, 2026

Temporal is not the only entrant. Restate, an open-source durable execution engine founded by former AWS engineers, has been positioning its event-driven state machine model as a lighter-weight alternative. Cloudflare entered the conversation in March with Dynamic Workers, a serverless compute platform InfoWorld described as targeting "lightweight, on-demand runtimes for agent-driven workloads." Cloudflare's bet is that agents will execute code generated at runtime, code that cannot be pre-deployed in a traditional CI/CD pipeline, and that the execution environment must therefore be isolated, ephemeral, and provisioned in milliseconds. The stateless-versus-stateful debate, in other words, has not been settled. It has been productized into competing platforms.

The platform layer beneath the runtime is itself undergoing a consolidation that is making the runtime question more pressing. Janakiram MSV, writing in Forbes, catalogued the problem on Microsoft's Azure: developers building agents must navigate Copilot Studio, Foundry Agent Service, the Agent Framework SDK, and Semantic Kernel, each with different assumptions about state management, tool binding, and deployment. The April 3 release of Agent Framework 1.0 unified two previously incompatible open-source SDKs, but the unification happened at the framework layer, not the runtime layer. An agent built with the new SDK still lands in one of several Azure execution surfaces, and migrating between them requires rework.

Google and AWS, by contrast, have each picked a cleaner default. Google retired Vertex AI at Cloud Next 2026 and launched the Gemini Enterprise Agent Platform with a four-layer stack labeled Build, Scale, Govern, and Optimize. AWS introduced a managed harness in Bedrock AgentCore that deploys agents in three API calls, plus a persistent filesystem, a CLI, and a skills registry. Both vendors, as VentureBeat reported on April 22, are "splitting the AI agent stack between control and execution," a phrase that describes the architectural separation of the planning-and-policy plane from the runtime plane. The split matters because it allows the runtime to enforce guardrails that the model, which is inherently non-deterministic, cannot reliably enforce on its own.

The guardrail problem was on vivid display at the RSA Conference in San Francisco in late March. CrowdStrike, Cisco, and Palo Alto Networks each shipped agentic SOC tools that can investigate alerts, triage incidents, and in some configurations take remediation actions. CrowdStrike CEO George Kurtz noted in his keynote that the fastest recorded adversary breakout time had dropped to 27 seconds, with the average now at 29 minutes, down from 48 minutes in 2024. The speed of attack is the argument for agentic defense. But as VentureBeat pointed out in its RSAC wrap-up, all three vendors shipped their tools without an agent behavioral baseline capability, a mechanism that would detect when a defender-agent begins acting outside its normal pattern. An agent that can remediate an infected host can also, if compromised through prompt injection, remediate a healthy one. The runtime has no way to tell the difference.

The venture market is betting the gap will close. Capsule Security emerged from stealth on April 15 with a $7 million seed round led by Lama Partners and Forgepoint Capital, describing its product as a "trust layer for agentic AI" that inspects agent actions at runtime against a declared policy. EQTY Lab announced a verifiable runtime in March that uses cryptographic attestation to bind agent credentials to a root of trust, so that a credential issued to one agent in one workflow cannot be reused by a compromised agent in another. Microsoft released an open-source Agent Governance Toolkit that maps directly to the OWASP top ten for agentic AI threats, covering prompt injection, tool misuse, and credential leakage. These are all, in different ways, runtime security products, not model-security products.

The debugging story, meanwhile, is just beginning to catch up to the execution story. Visual Studio Code 1.115, released in April, introduced a preview Agents app in VS Code Insiders, and version 1.116 followed with persistent debug logs for current and past agent sessions, as reported by Visual Studio Magazine. The logs capture tool invocations, model calls, and terminal interactions across an agent's entire execution span, even if the agent ran hours earlier. For a developer trying to understand why an agent exfiltrated a key at step 14 of a 22-step workflow, the ability to replay the event history in a debugger is the difference between a postmortem and a shrug.

What This Looks Like Under Failure

The prompt injection incident at Johns Hopkins is useful because it isolates the failure mode that the entire runtime category is being built to address. The agent was not tricked by a sophisticated adversarial input embedded in a 1,200-line source file. A single sentence in a PR title was sufficient. The agent's runtime gave it access to a secret it needed for its legitimate function, and the same runtime had no mechanism to prevent that secret from being written to a location the attacker controlled. A durable execution engine with deterministic replay would not have prevented the initial leak, but it would have made the leak auditable, replayable, and therefore diagnosable. A runtime with policy enforcement, of the kind Capsule and EQTY Lab are building, could have blocked the outbound write to the PR comment field on the grounds that no agent workflow should ever write credentials to a public artifact. The model cannot be trusted to make that distinction. The runtime must.

The scaling dimension is where the architectural choices made in 2026 will compound. An agent runtime that checkpoints state to a durable log, as Temporal and Restate do, carries a storage cost that grows with the number and duration of agent executions. A runtime that treats every invocation as stateless, as Cloudflare's Dynamic Workers do, avoids that storage cost but cannot resume a partially executed workflow without external coordination. At 1 GB of state, the difference is a line item in an infrastructure budget. At 1 TB, it is an availability risk: if the external state store goes down, every in-flight agent workflow is lost. At 1 PB, which is where a large enterprise running tens of thousands of concurrent agents across customer support, supply chain, and security operations will land, the difference is an architectural commitment that costs millions of dollars and months of engineering time to reverse. The industry is making that commitment right now, mostly by accident, as developers choose the platform that ships the fewest API calls between them and a working agent.

DigitalOcean's entry into the market, announced at the Deploy 2026 conference in San Francisco on April 28, is instructive in this regard. The company, known for serving small and mid-size engineering teams, unveiled a five-layer AI-Native Cloud platform that includes an inference engine, a model router, a managed agent service, and what Forbes described as a serverless inference layer. DigitalOcean's bet is that the same teams who adopted its droplets and managed Kubernetes will want a vertically integrated agent platform that abstracts away the runtime decision entirely. The question those teams will eventually have to answer is the same one the hyperscalers are answering with diverging architectures: does the abstraction hold up when the agent runs for six hours, calls seventeen tools, and fails at step fourteen?

The Kubescape project, which reached version 4.0 in March with new runtime security and AI agent scanning capabilities for Kubernetes, adds a complementary thread. InfoQ reported that the open-source security scanner can now detect AI agent workloads running in a cluster and apply admission policies to their deployments. The feature is narrowly useful today, but its existence signals a broader recognition: an agent running in a Kubernetes pod is a workload like any other, subject to the same network policies, resource limits, and security contexts, and yet its behavior is less predictable than a statically compiled container. The runtime security tools built for deterministic workloads do not yet understand non-deterministic ones, and the agent-native runtime tools do not yet integrate with the Kubernetes control plane. The integration is being built from both sides.

The checkpoint to watch is not a specific product release or a conference keynote. It is the moment when a major platform documents, in its own incident postmortem, a credential leak or a double-execution bug that was caused by the absence of durable execution guarantees in its agent runtime. The Johns Hopkins demonstration was a research artifact. The first production incident that traces the root cause to a missing event history or a non-deterministic replay will reorder the priorities of every platform team shipping agent infrastructure. The runtime that handles that incident cleanly, with a replayable log and a policy-enforced boundary, will define the category. The one that does not will be replaced by the one that does. The timeline is not years. It is the next time a developer types a malicious instruction into a PR title and the agent that reads it has access to more than an API key.