Home/AI Agents/Sandboxing
AI Agents

Sandboxing

Running an agent where it can't do damage — the only agent safety measure that doesn't depend on the model behaving.

Reading level: Curious
Pick your depth ↓

When not to use it

  • (There isn't a case for skipping it. The question is how much capability fits inside.)*
  • A read-only sandbox, when the agent must act. Safe and useless is also a failure.
  • A container, when running genuinely hostile code. Containers are isolation, not a security boundary against escape.
  • Sandboxing alone, with a hostile tool. Containing the agent doesn't help if the MCP server is the problem.

Reach for something else instead

  • (Complements, not substitutes.)*
  • Capability restriction — don't grant it. The sandbox's cheapest layer.
  • Human confirmation at the boundary — where actions leave the sandbox.
  • microVMs (Firecracker, gVisor) — when a container isn't a strong enough boundary.
  • Tool emulation — test what the agent would do without letting it.

Sources & further reading

  • Greshake et al. (2023), Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection — why the threat model has to assume compromise.
  • Ruan et al. (2023), Identifying the Risks of LM Agents with an LM-Emulated Sandbox — ToolEmu; finding agent failures by emulating the tools.
  • Agarwal et al. (2020), Firecracker: Lightweight Virtualization for Serverless Applications — microVMs; what a real isolation boundary costs.

Primary sources, listed so you can check the claims on this page rather than take them on trust.

Where people go wrong

  • Relying on a system prompt to prevent an action the agent is capable of. That's a request, not a boundary.
  • Skipping egress filtering. An agent that can reach any URL can send your data to any URL.
  • Treating a container as a security boundary against determined escape. It isn't; microVMs are.
  • Persisting state between tasks, so a compromise persists too.
  • Designing capability first and containment afterwards. It's the wrong order and it doesn't get revisited.

At a glance

FieldAI Agents
Why it's differentit changes what's possible, not what's likely
Threat modelassume prompt injection succeeded
Cheapest layerread-only, scoped, short-lived credentials
Most skippedegress filtering
In tension withthe entire product direction
DifficultyIntermediate
Flashcards for this concept
Question
Answer
1 / 4

Often compared with

Sandboxing vs. guardrails — guardrails ask the model not to; sandboxing removes the option. Only one of them survives a compromised model.