
From Shadow AI to Enterprise Asset: A Seven-Layer Reference Architecture for Docker's AI Stack
Most organizations are already using AI agents in their development workflows. The question is whether those agents are governed or fall under the category of "shadow AI". Docker's recent AI-focused releases can be composed into a single architecture that reduces developer friction while giving platform and security teams isolation, visibility, and policy enforcement at each layer. Here's the full stack in seven layers.

Note: For a deep dive into these concepts, see "From Shadow AI to Enterprise Asset: A Seven-Layer Reference Architecture for Docker's AI Stack - The Deep Dive".

The Seven Layers

| Layer | Docker Tool(s) | What It Does |
|---|---|---|
| Foundation | Docker Hardened Images + Registry Access Management + Image Access Management | Hardened/minimal base images; registry allowlisting (RAM) and Docker Hub image-type controls (IAM) to reduce exposure to unapproved sources |
| Definition | cagent | Declarative YAML agent configs with root/sub-agent orchestration |
| Inference | Docker Model Runner + Remocal/MVM | Local-fir |
Continue reading on Dev.to




