Published on 11.04.2026

Substac — April 10, 2026

Five Slices of Swiss Cheese Between Your Agent and Everyone Else

In 1990, psychologist James Reason published a model for understanding how catastrophic failures happen in complex systems. He’d been studying aviation disasters and hospital errors — situations where multiple safeguards existed but people still died. No single safety layer is perfect. Every defense has holes in it. The dangerous moment is when the holes in every layer happen to line up at the same time.

He called it the Swiss Cheese model. Each defensive layer is a slice of Swiss cheese. Each slice has holes — weaknesses, gaps, edge cases. Stack enough slices together and the odds of a threat passing through every hole simultaneously become vanishingly small.

The model transformed how the aviation industry thinks about safety. It changed healthcare protocols. And it turns out to be a useful way to think about securing AI agents that can execute arbitrary code on your behalf.

Most SaaS platforms keep customer data in shared infrastructure. A single database, shared compute, application-level logic deciding who sees what. If the application logic has a bug, that’s your one layer of defense — and it just failed.

That’s manageable when your SaaS product is a project management tool or a CRM. The blast radius of a tenant isolation failure is data exposure.

AI agents are different. An OpenClaw agent can run shell commands, browse the web, read and write files, and connect to your Slack, Telegram, or Discord, and it has API keys for all of those and more. If tenant isolation fails for an AI agent platform, the attacker doesn’t just see your data — they potentially have access to everything your agent can do.

A single-layer approach isn’t enough. You need defense in depth — Swiss cheese, in safety engineering terms.

Darko wrote a detailed post on the Kilo blog covering KiloClaw’s security architecture, and it maps cleanly to the Swiss Cheese model. There are five independent layers of tenant isolation. For one customer to access another’s data, all five would have to fail simultaneously.

Here’s what those layers look like:

Every request is authenticated before it reaches a customer’s machine. The routing destination comes from the authenticated user identity stored server-side, not from anything the user controls in the request.

This matters because the most common class of tenant isolation bugs in SaaS products is Insecure Direct Object Reference — where you change an ID in a URL or API call and access someone else’s stuff. KiloClaw sidesteps this entirely by never letting the user specify the destination.

Each customer’s VM runs inside a dedicated Fly.io application. Not a shared app with per-user containers — a separate application entirely. One customer’s storage can’t be attached to another customer’s machine. Internal networks are isolated at the application boundary.

Each customer environment sits on its own isolated WireGuard network mesh. During the independent security assessment, cross-tenant network tests confirmed that customers can’t discover each other’s mac
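
The first layer above, sketched as an added example (not code from the original post or from KiloClaw): a router that trusts a request-supplied machine ID next to one that derives the destination from the authenticated identity. The token format, the `MACHINE_FOR_USER` table and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data; every name below is hypothetical.
SECRET = b"constructed-demo-key"
# Server-side mapping: authenticated user -> the only machine they may reach.
MACHINE_FOR_USER = {"alice": "vm-alice-01", "bob": "vm-bob-01"}


def sign(user: str) -> str:
    """Issue a session token 'user.mac' (stands in for a real session store)."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def authenticate(token: str) -> Optional[str]:
    """Return the user name if the token's MAC verifies, else None."""
    user, _, mac = token.rpartition(".")
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return user if user and ok else None


def route_vulnerable(request: dict) -> Optional[str]:
    """IDOR-prone: authenticates, then trusts a client-supplied machine ID."""
    if authenticate(request.get("token", "")) is None:
        return None
    return request.get("machine_id")  # destination chosen by the caller


def route_by_identity(request: dict) -> Optional[str]:
    """Destination derived only from the authenticated identity."""
    user = authenticate(request.get("token", ""))
    if user is None:
        return None
    return MACHINE_FOR_USER.get(user)  # request["machine_id"] is never read


def demo() -> dict:
    """Bob holds a valid session of his own but names Alice's machine."""
    req = {"token": sign("bob"), "machine_id": "vm-alice-01"}
    return {"vulnerable": route_vulnerable(req),
            "by_identity": route_by_identity(req)}
```

Both routers authenticate the caller; only the second makes the cross-tenant request impossible to express, because the machine ID in the request has no effect on where it is sent.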