If your agent egress story is "we set HTTPS_PROXY to point at the proxy," the proxy is asking nicely. The kernel has no opinion on what the agent does next.

This post is about the line between asking nicely and actually preventing the thing. The line is whether the kernel agrees with you. Everything on the wrong side of that line is policy. Everything on the right side is a control.

The bestiary

Plenty of common AI security controls live on the asking-nicely side. A short catalog:

HTTPS_PROXY, HTTP_PROXY, NO_PROXY environment variables. Cooperative libraries read them. Uncooperative subprocesses ignore them. There is no kernel hook that says "this UID's traffic must traverse 127.0.0.1:8888."

Tool deny-lists at the model layer. "Do not call curl." The model agrees and then writes a Python script that imports requests. The deny-list never sees requests.

System prompts that say "do not exfiltrate." A system prompt is text inside a context window. The text shapes the model's output distribution.…
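
The proxy environment variable entry in the catalog above, as an added example that is not code from the original post: two constructed loopback listeners stand in for the proxy and the destination, and the function reports which one each client reached. The listener names, the ephemeral ports and `run_demo` are assumptions made for this illustration.

```python
import os
import socket
import threading
import urllib.request

def start_listener(name, seen):
    """Constructed loopback HTTP stub; records which listener a request reached."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # ephemeral port, loopback only
    srv.listen()
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)
                seen.append(name)       # recorded before the reply is sent
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                             b"Connection: close\r\n\r\nok")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def run_demo():
    seen = []
    proxy_port = start_listener("proxy", seen)
    dest_port = start_listener("destination", seen)
    # Clear variables that would override or bypass the setting under test.
    for var in ("http_proxy", "no_proxy", "NO_PROXY", "REQUEST_METHOD"):
        os.environ.pop(var, None)
    os.environ["HTTP_PROXY"] = f"http://127.0.0.1:{proxy_port}"

    # Cooperative client: urllib reads HTTP_PROXY and connects to the proxy.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler())
    opener.open(f"http://127.0.0.1:{dest_port}/", timeout=5).read()
    cooperative = seen[-1]

    # Uncooperative client: a plain socket never consults the environment,
    # and nothing below the library layer redirects it.
    with socket.create_connection(("127.0.0.1", dest_port), timeout=5) as s:
        s.sendall(b"GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n"
                  b"Connection: close\r\n\r\n")
        s.recv(4096)
    uncooperative = seen[-1]
    return cooperative, uncooperative

if __name__ == "__main__":
    print(run_demo())
```

Both clients run in the same process with the same environment; only the one that chooses to read the variable ends up at the proxy.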