Nightshift
Back to blog

May 29, 2026

/

6 min read

/Strategy

AI Should Meet You Where You Are

EH

Ethan Henley

AI Should Meet You Where You Are

Why we built Nightshift to adapt to your infrastructure instead of asking your infrastructure to adapt to it.

When a team evaluates a new piece of AI infrastructure, the first question is usually what it costs. The license, the compute, the seats. That number is almost never the real one.

The real cost is in the assumptions. An agent runtime is not a narrow tool. To do anything useful, an agent has to compute something, store state, authenticate as someone, hold a secret, reach the network, and call a model. That is six dependencies before it has done a single unit of work. Every platform has to make a decision at each of those six points. The only question that matters is whether it makes the decision for you, or lets you make it.

The hidden migration

Most platforms make it for you. They run on their cloud. They manage identity their way. They keep your data in their tenancy. They route to the model they have partnered with. Each of those choices is reasonable on its own. Taken together, they describe a destination: a place you move your workload to. And moving a workload is a migration, whatever the sales deck calls it.

For a company starting from nothing, a destination is fine. There is nothing to migrate. But most companies that need agents are not starting from nothing. They have a cloud account with years of configuration buried in it. They have an identity provider that every internal system already trusts. They have a compliance boundary that took a long time and real money to stand up. They have hard-won opinions about where their data is allowed to live.

For them, every assumption the platform makes is a place where their environment has to bend. The sum of those bends is a migration wearing the costume of an integration. You do not notice it as a migration because it arrives one reasonable requirement at a time. Standardize on this cloud. Federate to this identity model. Send your data here. Use this model. None of them looks like a re-platforming on its own. All of them together are exactly that.

Every dependency is an interface

We started from the opposite premise. A runtime should treat each of its dependencies as an interface, not a fixed choice. Compute is an interface: run it where you already run things. Identity is an interface: use the provider your systems already trust. Storage, secrets, network egress, and the model itself are interfaces too, each one pointed at a system you already operate.

This sounds like a small distinction. It is not. An interface is a promise that the thing behind it can be swapped. A fixed choice is a promise that it cannot. A runtime built on interfaces can meet your environment where it is. A runtime built on fixed choices can only ask your environment to come to it. That difference decides whether adoption is a configuration exercise or a project with its own budget line and a steering committee.

Each agent dependency wired to a system you already operate
Each dependency is an interface pointed at a system you already operate.

Adapting without giving up guarantees

Meeting you where you are is only worth anything if the runtime is trustworthy at its core. Adapting to someone else's environment is trivial if you are willing to ignore security. The hard version, the one worth building, is adapting while keeping strong guarantees no matter whose infrastructure you land on. A few ideas carry most of that weight.

Isolation. Every agent runs inside its own sandboxed execution environment with a hard boundary around it. A compromised or misbehaving agent cannot reach past that boundary. The isolation is the unit of trust, and it holds regardless of whose cloud it happens to be running in.

Default-deny network policy. Agent network access is governed by explicit, default-deny policy. The agent reaches what you have allowed and nothing more. You decide the egress, not the platform, and not the agent.

System-level observability. You can see what an agent actually does, not only what it reports back. Watching at the level of system calls is the difference between trusting an assertion and verifying a behavior. For anyone who is personally accountable for what runs inside their environment, that difference is the entire job.

Secrets that never persist. Credentials are injected into the isolated environment at the moment of use, scoped to the task, and never written down. The agent gets what it needs to do the work and holds nothing afterward.

None of these properties depend on a particular cloud, a particular identity provider, or a particular model. They belong to the runtime itself. That is precisely what lets the runtime travel to your environment without leaving its guarantees behind.

Deployment becomes a decision you can reason about

The payoff of that design is that deployment is bounded. Because the runtime brings its own guarantees and points its interfaces at systems you already run, adopting it is additive rather than substitutive. You are not re-platforming. You are placing a runtime inside a boundary you already control and configuring it to use the compute, identity, and storage that are already there.

This keeps the blast radius of adoption small enough to actually reason about. You can deploy into a single boundary, hand it a real workload, watch what it does at the system level, and then decide whether to expand. The decision to try is not the decision to migrate. For most AI platforms those have quietly become the same decision. They should not be.

Nightshift is open source. Apache 2.0.View on GitHub

What stays yours

Because the runtime lives inside your boundary and treats the model as an interface, you keep the things that matter. The orchestration runs on your side. The secrets stay in your environment. The work your agents produce stays where you put it. If you call a hosted model, that request does go to the provider, and we would rather say so plainly than pretend otherwise. But everything around that call, the part that accumulates and compounds, remains yours.

Over time, that is what lets a team move from renting capability to owning it. That is a longer story for another post. It starts with a simpler decision than most people expect: whether the infrastructure you adopt fits the environment you already have.

The right question

The industry has spent a few years asking how to get enterprises onto AI platforms. We think that is the wrong question. The better one is how AI fits into the infrastructure enterprises already have. The first treats your stack as a problem to be migrated away from. The second treats it as the ground you build on.

We built Nightshift on the second answer. It meets you where you are, because that is where the work already is.

See it run in your environment

Bring your cloud, your IdP, your compliance boundary. We will show you Nightshift deployed into infrastructure you already control.

Book a demo

Keep reading

The Wrong Question About AI Cost
StrategyMay 27, 2026

The Wrong Question About AI Cost

What does AI cost? Wrong question. The right one is what it costs to keep doing the work the way you do it now while a competitor instruments theirs.

GC
Gianni Crivello
Shipping Real Apps with Harness Engineering
Systems EngineeringMarch 30, 2026

Shipping Real Apps with Harness Engineering

Dogfooding Nightshift by running Claude Code inside a chicklet to migrate production infrastructure, fix a live ETL bug, and ship a full-stack feature. Harness engineering at the platform level.

GC
Gianni Crivello
Containers, But Without The Magic Part 1: Networking
Systems EngineeringMarch 5, 2026

Containers, But Without The Magic Part 1: Networking

Building container networking from scratch using only the ip command. What network namespaces, veth pairs, and CNI plugins actually do under the hood.

GC
Gianni Crivello