The Digital Airlock: Securing the Supply Chain of Intelligence
This article was originally published on LinkedIn on December 9, 2025. Read it there.
Why AI Agents need "Pick Tickets" and "RFID," not just data policies
I received a lot of great feedback about my articles on the data supply chain and I will update the articles with the new comments. In my last article, The Physics of AI, I argued that we need to treat data as something limited by constraints of energy - optimizing for thermodynamics. Today, I want to talk about another concept: Containment.
There are two stories that I learned about recently: the guy who ordered 18,000 waters at a Taco Bell, and candidates who insert LLM prompts into their resumes to fool ATS. What I'm recommending here is a simple way to address these, using concepts from the physical world.
In a physical supply chain, we don't secure a bio-lab, a cleanroom, or a high-value vault with a "User Agreement." We secure it with an Airlock.
We use negative pressure rooms and physical separation. We rely on the laws of physics to prevent contamination, not the good intentions of the staff. If you don't have the badge, the door doesn't open. It is not a rule; it is a mechanism.
Yet, in the data world, we are still trying to secure AI with "Policies." We write PDF rules and set up role-based access controls (RBAC) on the database and hope they hold. But in 2026, your user is an AI Agent. It doesn't care about your policy PDF. It will find the path of least resistance.
To secure the enterprise, we have to stop trusting "Application Logic" and start building "Topology." Here is the Supply Chain blueprint for securing the AI era: The Airlock, The Pick Ticket, and The RFID.
1. The Architecture: The "Digital Airlock"
We are currently making a mistake called "Direct Connection." We are plugging LLMs directly into our Data Warehouses via thin semantic wrappers. In logistics, you never let a delivery truck drive directly onto the factory floor. They stop at the Receiving Dock.
We need to build a Data Airlock. This is not just a Semantic Layer (which is just a map). This is a Runtime Isolation Environment.
- The Dirty Zone: Your raw database (SAP, Oracle, Lakehouse).
- The Airlock: A serverless, isolated compute environment.
- The Clean Zone: The AI Agent.
The Physics: The Agent has no network route to the Dirty Zone. It is physically impossible for the Agent to "see" the raw table. It can only speak to the Airlock via a strict API (a "Service Window"). The Airlock retrieves the data, sanitizes it, and passes it through the window. Security isn't a password; it's a missing wire.
2. The Protocol: Pick Tickets, not Open Aisles
If you let an Agent write SQL, you are effectively letting a visitor walk onto the warehouse floor and browse the shelves. That is a security failure. In a secure facility, visitors stop at the Service Window.
We need to enforce the "Pick Ticket" Model. The Agent cannot ask for tables or columns. It can only submit a specific, pre-approved Pick Ticket (an API Contract).
Bad (Open Aisle): SELECT * FROM Orders WHERE Value > 10k
Good (Pick Ticket): retrieve_high_value_orders(Region: "US")
The Airlock accepts the ticket, validates the request, retrieves the goods, and slides them through the window. The Agent never knows how the warehouse is organized—or even which database the data came from. It just knows the ticket was filled.
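A minimal sketch of the Service Window described above, as an added example rather than code from the original article. The in-memory SQLite warehouse, its table and column names, the `CATALOG` structure and the `service_window` function are assumptions made for illustration; only the ticket name `retrieve_high_value_orders` and its `Region` parameter come from the text.

```python
import sqlite3

# Constructed sample warehouse (the "Dirty Zone"); schema and rows are assumptions.
def build_warehouse():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, region TEXT, value REAL, card TEXT)")
    db.executemany("INSERT INTO orders VALUES (?,?,?,?)", [
        (1, "US", 25000.0, "4111-xxxx"), (2, "US", 900.0, "4222-xxxx"),
        (3, "EU", 40000.0, "4333-xxxx"),
    ])
    return db

class TicketRejected(Exception):
    pass

# Catalog of pre-approved tickets: fixed SQL, allow-listed parameter values,
# and the only columns that may pass through the window.
CATALOG = {
    "retrieve_high_value_orders": {
        "sql": "SELECT id, region, value FROM orders WHERE value > 10000 AND region = ?",
        "params": {"Region": {"US", "EU"}},
        "columns": ("id", "region", "value"),
    },
}

def service_window(db, ticket_name, **args):
    """Fill a pick ticket. The caller never supplies SQL, tables or columns."""
    ticket = CATALOG.get(ticket_name)
    if ticket is None:
        raise TicketRejected(f"unknown ticket: {ticket_name!r}")
    if set(args) != set(ticket["params"]):
        raise TicketRejected("unexpected or missing parameters")
    for name, allowed in ticket["params"].items():
        if not isinstance(args[name], str) or args[name] not in allowed:
            raise TicketRejected(f"value not allowed for {name}")
    # Values are bound as parameters, never concatenated into the statement.
    values = [args[name] for name in ticket["params"]]
    rows = db.execute(ticket["sql"], values).fetchall()
    return [dict(zip(ticket["columns"], row)) for row in rows]
```

The `card` column exists in the warehouse but is in no ticket, so no request through the window can return it.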
3. The Audit: From "Paper Manifests" to "Digital RFID"
In the old days of logistics, we tracked shipments with a "Bill of Lading" (a paper list). The origin of this concept was to track ownership of the shipment, since titles were important (Lickbarrow v Mason), but it extended to tracking the contents easily. If a box was lost, or if a toxic chemical was stored next to food, we only found out after looking at the paperwork. It was reactive.
Modern supply chains use RFID. The item itself broadcasts its identity, its hazard level, and its origin to every sensor it passes.
We need to stop using "Logs" (Paper Manifests) and start using Digital RFID (Persistent Metadata). Most organizations have data tags, but they are "painted on the warehouse shelf" (the database column). As soon as the data is queried, transformed, or vectorized for an LLM, the tag falls off. The data becomes anonymous text.
The Solution: The "Sticky" Tag. We need a governance layer that acts like an Active Inventory System. When data leaves the warehouse, its classification (Confidential, PII, Internal) must be chemically bonded to the payload. When the Airlock releases a chunk of data to the AI, it injects the RFID:
Payload: "Q3 Revenue is $5M"
RFID_Tag: { "Sensitivity": "High", "Owner": "Finance", "Expiry": "24h" }
Why this matters: This allows us to install "Security Gates" at the egress. If an Agent tries to email a summary to an external client, the gate scans the payload. It doesn't need to "understand" the text. It just reads the RFID tag: "Sensitivity: High." Beep. The gate closes. The email is blocked.
It works like the anti-theft sensors at a clothing store. The system doesn't need to know why you are taking the jacket; it just knows the tag hasn't been deactivated.
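The tag and gate described above, sketched as an added example that is not part of the original article. It assumes the Airlock binds tag to payload with an HMAC under a key shared only with the gate, stores `Expiry` as epoch seconds rather than "24h", and treats a constructed "Low" level as the only one allowed to leave; the names `release` and `egress_gate` are hypothetical.

```python
import hashlib, hmac, json, time

# Assumption: this key is held by the Airlock and the gate, never by the Agent.
AIRLOCK_KEY = b"constructed-demo-key"
EXTERNAL_OK = {"Low"}  # assumed level; anything else stays inside

def _mac(payload, tag):
    body = json.dumps({"payload": payload, "tag": tag}, sort_keys=True).encode()
    return hmac.new(AIRLOCK_KEY, body, hashlib.sha256).hexdigest()

def release(payload, sensitivity, owner, ttl_seconds, now=None):
    """Airlock side: attach the tag and seal payload and tag together."""
    now = time.time() if now is None else now
    tag = {"Sensitivity": sensitivity, "Owner": owner, "Expiry": now + ttl_seconds}
    return {"payload": payload, "tag": tag, "seal": _mac(payload, tag)}

def egress_gate(item, destination, now=None):
    """Gate side: decide from the tag alone, without interpreting the text."""
    now = time.time() if now is None else now
    tag, seal = item.get("tag"), item.get("seal")
    # Fail closed: cargo with no tag is treated like a jacket with the tag cut off.
    if not isinstance(tag, dict) or not isinstance(seal, str):
        return "BLOCK: untagged cargo"
    expected = _mac(item.get("payload"), tag)
    if not hmac.compare_digest(seal.encode(), expected.encode()):
        return "BLOCK: tag or payload altered"
    if now > tag["Expiry"]:
        return "BLOCK: tag expired"
    if destination == "external" and tag["Sensitivity"] not in EXTERNAL_OK:
        return "BLOCK: sensitivity " + str(tag["Sensitivity"])
    return "ALLOW"
```

Text the Agent rewrites or summarizes no longer matches its seal, so the gate blocks it until the Airlock issues a fresh tag for the derived content.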
4. Closing the loop
The Taco Bell scenario can be limited by simply using quantity limits in pick tickets (Amazon does this very well today) and limiting the number of pick tickets per customer. As for the creative candidates, making the resume a well-defined pick ticket eliminates the risk of prompt injection.
Conclusion: Topology is Destiny
We can stop being Librarians (shushing people and pointing to rules) and start acting like Facility Managers (building secure perimeters). If your security depends on an Agent "promising" not to leak data, you have already lost.
Build an Airlock - Issue Pick Tickets - Tag the Cargo. Let the topology do the work.