GitHub outlined its defense-in-depth approach to securing agentic workflows in CI/CD pipelines. Agents run in ephemeral, sandboxed containers with restricted permissions and network egress controls enabled by default. Write operations require explicit elevation via pull requests or issue comments, and all tool access is governed by an allowlist. Credentials are routed through trusted proxies outside the agent execution boundary, which prevents prompt injection attacks from exfiltrating secrets. Staged workflows buffer and validate changes before they are committed, providing a review checkpoint between AI-generated output and the production branch. For platform and DevOps teams, this architecture addresses a core concern with AI-assisted pipelines: runaway or manipulated agents making unauthorized changes. The traceability guarantees — full execution logs across trust boundaries — give security teams an audit trail comparable to human-authored workflow runs. Teams evaluating agentic CI/CD should review the allowlist and egress control configurations as baseline requirements before enabling write-capable agents in production pipelines.
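The trust-boundary layout described above (credential held by a proxy outside the sandbox, default-deny egress allowlist, audit entries on every decision, and writes buffered until explicit elevation) modelled as a small in-process simulation. This is an added example and not GitHub's code; the class names, the host allowlist, the placeholder token and the sample URLs are all constructed for illustration, and the upstream service is stubbed so it runs offline.

```python
"""Constructed model (added example, not GitHub's code) of the trust boundary the
summary describes: the agent has no credential in scope, a proxy outside the
sandbox enforces an egress allowlist and attaches the credential, every decision
is logged, and writes are buffered until an explicit approval step."""
import json
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample values; the token is a placeholder, not a real secret.
SECRET_TOKEN = "PLACEHOLDER_TOKEN_not_real"
ALLOWED_HOSTS = frozenset({"api.github.com"})


@dataclass
class AuditEntry:
    allowed: bool
    host: str
    reason: str


@dataclass
class TrustedProxy:
    """Lives outside the agent boundary; the only holder of the credential."""
    allowed_hosts: frozenset
    token: str = field(repr=False)
    audit_log: list = field(default_factory=list)

    def _upstream(self, host: str, path: str, headers: dict) -> dict:
        # Stand-in for the real upstream service so the example runs offline.
        authed = headers.get("Authorization") == f"Bearer {self.token}"
        return {"host": host, "path": path, "authenticated": authed}

    def fetch(self, url: str) -> dict:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host not in self.allowed_hosts:
            # Default-deny egress: an injected URL to an unlisted host stops here.
            self.audit_log.append(AuditEntry(False, host, "host not on egress allowlist"))
            return {"error": "egress denied", "host": host}
        # The credential is attached here, outside the sandbox, never inside it.
        headers = {"Authorization": f"Bearer {self.token}"}
        self.audit_log.append(AuditEntry(True, host, "credential attached by proxy"))
        return self._upstream(host, parsed.path, headers)


class StagedChanges:
    """Write path: changes are buffered and need explicit elevation before commit."""
    def __init__(self):
        self.buffer = {}
        self.approved_by = None
        self.committed = {}

    def propose(self, path: str, content: str) -> None:
        self.buffer[path] = content

    def approve(self, reviewer: str) -> None:
        # Stands for the PR review or issue-comment elevation in the real system.
        self.approved_by = reviewer

    def commit(self) -> dict:
        if self.approved_by is None:
            raise PermissionError("write requires explicit elevation")
        self.committed.update(self.buffer)
        self.buffer.clear()
        return self.committed


class SandboxedAgent:
    """Agent side of the boundary: holds a proxy handle, not the credential."""
    def __init__(self, proxy: TrustedProxy, staging: StagedChanges):
        self._proxy = proxy
        self._staging = staging

    def run(self, urls: list) -> list:
        # `urls` stands for whatever the (possibly manipulated) agent decided to fetch.
        return [self._proxy.fetch(u) for u in urls]

    def write(self, path: str, content: str) -> None:
        self._staging.propose(path, content)  # buffered, not committed


def demo() -> dict:
    proxy = TrustedProxy(ALLOWED_HOSTS, SECRET_TOKEN)
    staging = StagedChanges()
    agent = SandboxedAgent(proxy, staging)
    # Constructed inputs: one legitimate call, one unlisted host an injected prompt asked for.
    responses = agent.run([
        "https://api.github.com/repos/example/repo/pulls",
        "https://unlisted.example/collect",
    ])
    agent.write("README.md", "proposed change")
    try:
        staging.commit()
        premature = True
    except PermissionError:
        premature = False
    staging.approve("reviewer")
    committed = staging.commit()
    return {
        "responses": responses,
        "secret_leaked": SECRET_TOKEN in json.dumps(responses),
        "audit": [(e.allowed, e.host) for e in proxy.audit_log],
        "premature_commit": premature,
        "committed": committed,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the two properties the summary relies on: the unlisted host is refused with an audit entry while the allowlisted call is authenticated, yet the token never appears in anything the agent side receives; and the proposed write stays in the buffer until `approve()` is called, which is the checkpoint a platform team would map to a PR review.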