In an earlier post I argued that the way to use AI safely isn’t permission gates — it’s containment and reversibility. Build the cage carefully, then let the agent be free inside it. That was the principle. This is the building.
The shape of the cage
Four Proxmox servers. Two run the actual infrastructure. One is a spare — cold, ready, deliberately doing nothing until something dies. (As the last post showed, something always dies.) And one is dedicated entirely to automation and AI workloads, kept separate from everything that matters, so an agent having a bad day can’t reach anything in production.
Underneath that sits a network built to keep things apart on purpose. I rebuilt the whole internal network during the recovery: OPNsense doing the routing and firewalling, VLANs segmenting the traffic, access points and machines each slotted into the segment they belong in and no other. Nothing talks to anything just because they share a wire. They talk because a rule says they may.
This is the unglamorous half of “working with AI” that nobody posts about. Before any agent gets clever, the blast radius is already drawn on the map.
Every agent gets its own machine
Then the part that tends to surprise people: each agent that runs on its own gets its own machine. Not a shared box with separate logins — its own home.
- The coding agent I work with — the assistant in my editor — runs where I run, because we’re collaborating in real time and I see every change as it happens. That one isn’t caged. It’s a colleague at my desk.
- An assistant on an old HP all-in-one, reborn as a Win11 box, runs a desktop chat app — the machine I brain-dump and think out loud to.
- Lola, the assistant I built to talk to rather than to work, has her own machine entirely: her own local model, root on her own box, dedicated and always on. Her home, hers alone.
- A background dev agent lives on an old development machine turned Linux host — remote editor server, CLI agent, picking up work in the background while I’m doing something else.
The pattern underneath is simple. An agent that runs on its own gets its own house, with a firewall guarding the house from the network and the network from the house. An agent I work with in real time doesn’t need that cage, because I am the review step, live.
Why this is the opposite of reckless
I lay this out in detail because “I let AI agents run my infrastructure” is exactly the kind of sentence that makes a careful person nervous — and they’re right to be. Done carelessly, it’s a disaster waiting to happen. I know. I lived the disaster.
So the architecture is the answer to that nervousness, not a dismissal of it:
- Isolation. An agent can only reach what its network segment allows. A mistake stays local instead of becoming everyone’s problem.
- Reversibility. Everything an agent touches in code lands in git. Every machine is described in IaC and backed up by PBS (Proxmox Backup Server). A bad day is a rollback, not a rebuild.
- A spare, always. Hardware dies — I have the receipts. There is always a cold machine waiting to take over.
- Human review where it counts. The agent at my desk is watched live. The agents running on their own land their work in a review step before any of it becomes real.
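The segmentation described in the network section above and the Isolation point in this list come down to one posture: deny by default, allow by explicit rule. The following is an added illustration of that posture as a small policy model, not the post's actual OPNsense configuration. The segment names, VLAN subnets, ports and rules are constructed for the example, and the model ignores stateful reply traffic (a real firewall lets the answer to an allowed connection back through without a separate rule).

```python
"""Default-deny segment policy model (added illustration, not the post's
OPNsense rules).  Every subnet, port and rule below is constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed segment map: which subnet belongs to which VLAN role.
SEGMENTS = {
    "management": ipaddress.ip_network("10.10.1.0/24"),   # admin laptop, firewall UI
    "production": ipaddress.ip_network("10.10.20.0/24"),  # the two live Proxmox hosts
    "backup": ipaddress.ip_network("10.10.30.0/24"),      # backup server
    "automation": ipaddress.ip_network("10.10.90.0/24"),  # AI / agent host and its VMs
}


@dataclass(frozen=True)
class Rule:
    src: str                 # source segment name
    dst: str                 # destination segment name
    ports: frozenset[int]    # empty set means "any port"
    action: str = "allow"


# Constructed rule set.  Anything not listed here is denied.
RULES = [
    Rule("management", "production", frozenset({22, 8006})),  # SSH + Proxmox web UI
    Rule("management", "automation", frozenset({22})),        # SSH into the agent box
    Rule("production", "backup", frozenset({8007})),          # backup API
    Rule("automation", "automation", frozenset()),            # agents may talk to each other
]


def segment_of(ip: str) -> str | None:
    """Map an address to its segment, or None if it is outside every known subnet."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, dport: int, rules=RULES) -> bool:
    """First matching rule decides; no match at all means deny."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False          # unknown addresses never get an implicit allow
    for rule in rules:
        if rule.src == src and rule.dst == dst and (not rule.ports or dport in rule.ports):
            return rule.action == "allow"
    return False


def reachable_from(segment: str, rules=RULES) -> set[str]:
    """Segments that a given segment can initiate traffic to (on any port)."""
    return {r.dst for r in rules if r.src == segment and r.action == "allow"}


def audit_blast_radius(rules=RULES,
                       untrusted=("automation",),
                       protected=("production", "backup")):
    """List (untrusted, protected) pairs where an untrusted segment can reach
    a protected one.  An empty list means the blast radius is as intended."""
    return [(u, p) for u in untrusted for p in protected
            if p in reachable_from(u, rules)]


if __name__ == "__main__":
    # Agent host trying to reach a production hypervisor: no rule, so denied.
    print(is_allowed("10.10.90.5", "10.10.20.10", 22))
    # Admin laptop reaching the Proxmox UI: explicitly allowed.
    print(is_allowed("10.10.1.5", "10.10.20.10", 8006))
    # Audit of the constructed rule set: expect no violations.
    print(audit_blast_radius())
```

The audit function is the part worth keeping around: rerun it whenever a rule is added, so a convenience rule that quietly gives the automation segment a path into production is caught before an agent ever gets to use it.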
None of this is exotic. It’s the same defence-in-depth thinking any serious operator applies to any risky system. An AI agent doesn’t get exempted from engineering discipline because it’s AI. It gets more of it — because it can act faster, and more confidently, than a human does when it’s wrong.
That’s the whole philosophy in one line: give the agent freedom, but only inside a structure that makes being wrong cheap.
Build the cage well, and you stop being afraid of what’s inside it. That’s how I went from an AI agent wiping all my servers to running a setup I genuinely trust — without ever pretending the risk isn’t real.
Part of The 2026 Rebuild.
