2026-03-17 partnerships security supply-chain data-governance chainguard

Expanso Joins Chainguard Commercial Builds: Securing Data Pipelines from Source to Destination

By David Aronchick

Every data governance policy is only as trustworthy as the infrastructure enforcing it.

At Expanso, we deploy lightweight agents across thousands of locations to control data at the source. Filter before it moves. Govern before it lands in Snowflake or Databricks or Splunk. Enforce compliance before sensitive data ever leaves the edge. That's our entire model: upstream control, everywhere, automatically.

But those agents run in our customers' environments: edge sites, on-prem clusters, air-gapped networks, sovereign clouds. Customers who want stronger isolation between processes on those machines often turn to defense-in-depth techniques such as running each pipeline in its own container, so that a compromised pipeline is contained rather than taking the host with it. That shifts the question to the container image itself: if the image the agent runs from is compromised, so is the governance it enforces.

That's why we're announcing that Expanso is joining Chainguard's Commercial Builds partner program, launching today at ASSEMBLE 2026 in New York.

You Can't Govern Data with Ungoverned Infrastructure

Most conversations about data security focus on the data itself. PII redaction, HIPAA compliance, GDPR enforcement, data residency policies. And, make no mistake, those matter enormously. It's why Expanso exists.

But there's a layer underneath that gets far less attention: the security posture of the pipeline infrastructure itself. When you're running 10,000+ nodes per cluster across dozens of geographies, every container image deployed to every edge location is a potential attack surface. Chainguard's data shows the scale of the challenge: over 500 million container build manifests across more than 2,000 open source projects, with the attack surface growing faster than security teams can audit.

The traditional approach, scanning images after they are already deployed, misses the point entirely when your agents are scattered across a global network processing sensitive telemetry, healthcare records, or financial transactions at the point of origin. You need cryptographic evidence that the image running your data pipeline was built from verifiable source code, carried no known vulnerabilities when it was built, and hasn't been tampered with since. And you need to check that evidence before the container ever reaches the edge: at the moment the image is pulled or admitted, against the exact digest you intend to run, not a tag that can be repointed later.

Why Chainguard Fits How We Think

Chainguard's philosophy mirrors something fundamental to how we built Expanso: fix the problem at the source, not after the fact.

We do this with data. Define policies once, enforce them automatically at the point of creation, and send only clean, governed data downstream. Chainguard does the same thing with software supply chains. Their container images are rebuilt continuously from verifiable source code, carry signed SBOMs and attestations, and maintain zero or near-zero known CVEs. Their Factory 2.0 system, powered by an agentic framework called DriftlessAF, uses a combination of traditional and AI-driven reconciliation to keep images current and secure at a pace that manual processes can't match.
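What a deploy-time gate enforcing the requirements of the previous two sections looks like in code, as an added example (this is neither Expanso's nor Chainguard's code): the image reference must be pinned by digest, the manifest bytes must hash to that digest, and a signed SLSA provenance attestation must name that digest as its subject and an allowed builder. The image name `registry.example/pipeline-agent`, the builder identity `https://builder.example/ci` and the signing key are constructed for the demo, and an HMAC stands in for the Sigstore signature so the example runs offline; the DSSE pre-authentication encoding and the in-toto Statement and SLSA predicate layouts are the real formats. In a real deployment the signature step is what `cosign verify-attestation` performs against Sigstore rather than an HMAC.

```python
"""Deploy-time gate for a pipeline-agent container image (added example).

Checks: digest-pinned reference, manifest hashes to that digest, DSSE-wrapped
in-toto provenance names that digest and an allowed builder. The HMAC
"signature" is an offline stand-in for Sigstore (assumption); the DSSE PAE
and in-toto/SLSA layouts are the real ones.
"""
import base64
import hashlib
import hmac
import json
import re
from typing import Callable, Tuple

IN_TOTO_TYPES = {"https://in-toto.io/Statement/v1", "https://in-toto.io/Statement/v0.1"}
SLSA_TYPES = {"https://slsa.dev/provenance/v1", "https://slsa.dev/provenance/v0.2"}
PAYLOAD_TYPE = "application/vnd.in-toto+json"


def require_digest_pin(ref: str) -> str:
    """Accept only name@sha256:<hex>; a tag like :latest can be repointed after review."""
    m = re.fullmatch(r"[^@]+@sha256:([0-9a-f]{64})", ref)
    if not m:
        raise ValueError(f"image reference must be pinned by digest: {ref}")
    return "sha256:" + m.group(1)


def manifest_matches(manifest: bytes, digest: str) -> bool:
    """OCI content addressing: the digest is sha256 over the raw manifest bytes."""
    return digest == "sha256:" + hashlib.sha256(manifest).hexdigest()


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes a signature is computed over."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d " % (len(t), t, len(payload)) + payload


def verify_provenance(envelope: dict, image_digest: str, allowed_builders: set,
                      verify_sig: Callable[[bytes, bytes], bool]) -> dict:
    """Return the provenance statement if signature, subject and builder all pass."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType")
    payload = base64.b64decode(envelope["payload"])
    pae = dsse_pae(PAYLOAD_TYPE, payload)
    if not any(verify_sig(pae, base64.b64decode(s["sig"])) for s in envelope.get("signatures", [])):
        raise ValueError("no valid signature over the DSSE envelope")
    stmt = json.loads(payload)
    if stmt.get("_type") not in IN_TOTO_TYPES or stmt.get("predicateType") not in SLSA_TYPES:
        raise ValueError("not a SLSA provenance statement")
    # The subject binds the statement to one image: a correctly signed statement
    # about some other digest must not be accepted for this one.
    subjects = {"sha256:" + s["digest"]["sha256"] for s in stmt["subject"] if "sha256" in s.get("digest", {})}
    if image_digest not in subjects:
        raise ValueError("attestation subject does not match image digest")
    pred = stmt["predicate"]
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")  # SLSA v1 layout
    builder = builder or pred.get("builder", {}).get("id")             # SLSA v0.2 layout
    if builder not in allowed_builders:
        raise ValueError(f"builder not allowed: {builder}")
    return stmt


# --- constructed demo material: hypothetical names and key, not real artifacts ---
DEMO_KEY = b"demo-signing-key"  # HMAC stand-in for a Sigstore signing identity
DEMO_BUILDER = "https://builder.example/ci"
ALLOWED_BUILDERS = {DEMO_BUILDER}
DEMO_MANIFEST = json.dumps({"schemaVersion": 2, "layers": [],
                            "mediaType": "application/vnd.oci.image.manifest.v1+json"}).encode()
DEMO_DIGEST = "sha256:" + hashlib.sha256(DEMO_MANIFEST).hexdigest()
DEMO_REF = "registry.example/pipeline-agent@" + DEMO_DIGEST


def demo_verify(pae: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(DEMO_KEY, pae, hashlib.sha256).digest(), sig)


def make_envelope(subject_digest: str, builder_id: str) -> dict:
    """Build and 'sign' a SLSA v1 provenance envelope the way a builder would."""
    stmt = {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": "pipeline-agent", "digest": {"sha256": subject_digest.split(":", 1)[1]}}],
            "predicateType": "https://slsa.dev/provenance/v1",
            "predicate": {"buildDefinition": {}, "runDetails": {"builder": {"id": builder_id}}}}
    payload = json.dumps(stmt).encode()
    sig = hmac.new(DEMO_KEY, dsse_pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"sig": base64.b64encode(sig).decode()}]}


def admit(ref: str, manifest: bytes, envelope: dict, allowed_builders: set) -> Tuple[bool, str]:
    """Every check must pass or the image is not admitted; the reason is returned."""
    try:
        digest = require_digest_pin(ref)
        if not manifest_matches(manifest, digest):
            return False, "manifest bytes do not hash to the pinned digest"
        verify_provenance(envelope, digest, allowed_builders, demo_verify)
    except (ValueError, KeyError) as exc:
        return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    good = make_envelope(DEMO_DIGEST, DEMO_BUILDER)
    print(admit(DEMO_REF, DEMO_MANIFEST, good, ALLOWED_BUILDERS))  # (True, 'ok')
    print(admit("registry.example/pipeline-agent:latest", DEMO_MANIFEST, good, ALLOWED_BUILDERS))
    print(admit(DEMO_REF, DEMO_MANIFEST, make_envelope("sha256:" + "0" * 64, DEMO_BUILDER), ALLOWED_BUILDERS))
    print(admit(DEMO_REF, DEMO_MANIFEST, make_envelope(DEMO_DIGEST, "https://other.example/ci"), ALLOWED_BUILDERS))
```

The order of the checks is deliberate: the signature is verified over the PAE before the payload is parsed, and the subject digest is compared after, so a valid attestation for a different image, or a statement from a builder outside the allowlist, fails even though its signature is sound. Admission controllers such as Sigstore's policy-controller or Kyverno apply the same kind of policy to attestations at cluster admission time; the point of doing it at the edge is that the check runs wherever the agent is pulled, not only in a central cluster.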

The alignment isn't just philosophical. When 72% of enterprise application teams rank software supply chain risk as a top three concern, and nearly 60% of new cloud-native deployments cite regulatory requirements as a primary design factor, the organizations we serve need both stories to be airtight. They need governed data AND governed infrastructure.

What This Means for Expanso Customers

In practical terms, organizations running Expanso's policy-driven data pipelines across distributed environments can now ensure the agents doing the filtering, transforming, and governing are themselves built on hardened, attested container images. Whether that agent is processing O-RAN telemetry at a cell tower, redacting PHI in a hospital system, or filtering logs before they hit Splunk, the container it runs in carries provenance you can verify and a security posture you can prove to auditors.

Combined with Expanso's zero-trust architecture and our participation in the Edge AI Foundation's Defense Working Group, this gives customers operating in defense, healthcare, financial services, and telecom a security story that runs from source code to data destination, with no gaps in between.

No CVE triage backlogs. No hoping the base image someone pulled six months ago hasn't been compromised since. Governance all the way down.

The Bigger Picture

By the end of 2026, theCUBE Research expects over 50% of enterprise container images in production to be policy-validated or cryptographically attested before deployment. With AI-assisted development now present in over 80% of enterprise software organizations, the containers that code runs in need governance baked into the pipeline, not bolted on afterward.

Upstream data control makes this both harder and more important. Harder because the blast radius of a compromised pipeline agent scales with every node running it. More important because the entire value proposition of controlling data at its source depends on organizations trusting the infrastructure that does the controlling.

Chainguard secures the software supply chain. Expanso governs the data pipeline. Together, customers get trust from container image to data destination, without compromise.

Come See Us at ASSEMBLE

We'll be at ASSEMBLE 2026 in New York today. If you're building distributed data infrastructure and thinking about how supply chain security fits into your governance architecture, come find us.

