diff --git a/AGENTS.md b/AGENTS.md
index fd04d2e..6c7a7af 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -96,6 +96,7 @@ This repository provides shared Renovate presets for consumer repositories:
 |----------|------|-------------|
 | Ansible Collection CI | [ci-ansible-collection.yml](./.github/workflows/ci-ansible-collection.yml) | Linting, security scan, sanity/unit/integration tests, build |
 | Ansible Molecule CI | [ci-ansible-molecule.yml](./.github/workflows/ci-ansible-molecule.yml) | Auto-discovered Molecule scenarios under `extensions/molecule/`, docker driver |
+| Ansible Molecule CI (KVM) | [ci-ansible-molecule-kvm.yml](./.github/workflows/ci-ansible-molecule-kvm.yml) | Molecule scenarios in full VMs via the `molecule-qemu` driver — for roles needing a real kernel/init (k3s, container engines, systemd-service agents) |
 | Go CI | [ci-go.yml](./.github/workflows/ci-go.yml) | golangci-lint, gofmt, go vet, go test |
 | Lint | [ci-lint.yml](./.github/workflows/ci-lint.yml) | MegaLinter aggregator |
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index be147f8..0234ee3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,17 @@ This is a rolling release - changes are deployed continuously to `main`.
 
 ### Added
 
+- **ci-ansible-molecule-kvm.yml**: New reusable Molecule runner that boots full
+  VMs via the `molecule-qemu` driver instead of the docker driver, for roles
+  that need a real kernel and init system (k3s `modprobe`/cgroups, container
+  engines, agents that must run as a stable `systemd` service — under docker
+  the unit reports started while it has crash-looped, masking config bugs).
+  GitHub-hosted `ubuntu-latest` exposes a writable `/dev/kvm`, so the job
+  installs `qemu-system-x86`/`qemu-utils`/`genisoimage`, adds the runner to the
+  `kvm` group, and runs molecule via `sg kvm`; molecule-qemu auto-detects KVM
+  acceleration and falls back to TCG. Validated end-to-end on `arillso.agent`
+  (alloy) and `arillso.container` (k3s). Docker-driver roles keep using
+  `ci-ansible-molecule.yml`
 - **AGENTS.md**: New "Ansible Collection Conventions" section documenting the
   shared release workflow shape (`name`, `run-name`, `concurrency`), the
   Keep-a-Changelog format, the cross-collection dependency-bound matrix