We know the networks where all our agents should connect from.
Currently we can only restrict by who has access to the token which is difficult if a token was inadvertently leak. Ability to restrict agents by CIDR would give us a defence in depth control and reduce the importance of a buildkite agent access token