An autonomous agent with tool access can do real damage in production. Here's the sandboxing architecture we built for an enterprise rollout - and the four findings the security audit raised anyway.
An agent that can write to your database, deploy code, send emails, or move money is not a chatbot. It's a process with permissions. And like any process with permissions, the question that matters is: when it does the wrong thing, how much can it break?
We were brought in to harden an internal automation platform after the client's security team flagged that the existing agent runtime had no real isolation. Agents executed tool calls in-process with the orchestrator. A compromised tool, a prompt injection, or a runaway agent could touch anything the orchestrator could touch.
This is a common pattern. Sandboxing is treated as something you'll add later. By the time "later" arrives, agents are wired into ten production systems and pulling them apart is a quarter-long project.
Sandboxing an AI agent is not the same as sandboxing untrusted code. Untrusted code is adversarial by design - you assume it wants to escape. An agent is usually well-intentioned but easily manipulated by its inputs. The threat model isn't malware; it's a confused deputy.
That changes the design priorities. You care less about exotic escape vectors and more about:
The audit raised four issues with the first version of our sandbox.
1. The orchestrator and the agent shared a process. A misbehaving agent could read the orchestrator's environment variables, including credentials for unrelated tools.
2. Outbound network was unrestricted. The agent had egress to anywhere on the public internet. Data exfiltration via a hallucinated URL was theoretically a single tool call away.
3. Filesystem writes were persistent. A previous agent run could leave artefacts that influenced the next one.
4. Time and token budgets were soft. A runaway agent in a loop could burn through API credits unchecked.
We rebuilt agent execution around four primitives, each enforced at infrastructure level rather than inside the agent code.
Per-run ephemeral containers. Each agent invocation runs in its own short-lived container, fresh filesystem, no inheritance from previous runs. The container image contains only the tools the agent needs.
Egress allow-lists, denied by default. The container can reach only the specific MCP servers and APIs listed in the agent's manifest. We use a sidecar proxy that intercepts all outbound calls and rejects anything not in the allow-list. The allow-list is part of the agent's deployment artefact, reviewable in code.
# agent manifest excerpt
egress_allow:
- host: crm.internal
methods: [GET, POST]
paths: ["/api/v2/contacts/*"]
- host: api.anthropic.com
methods: [POST]
paths: ["/v1/messages"]
Credentials injected per run, never baked. The container receives credentials at start-up via a secrets broker, scoped to the run's task. When the container terminates, the credentials are revoked. There is nothing useful to steal from a stopped container.
Hard budget enforcement. Wall-clock time, tool-call count and token budget are enforced by the orchestrator. When a budget is hit, the agent is terminated and the run is marked failed. Failing closed is the point.
We would invest in observability before the audit, not because of it. Once the sandbox was in place, debugging legitimate agent failures got harder - the containers were ephemeral, the logs were scattered and reproducing a bad run required capturing the exact prompt, tool responses and timing. We added structured event logging two months in. It should have been there on day one.
We would also push back harder on "let the agent just run shell commands." There's almost always a way to expose the same capability as a narrow, reviewable MCP tool. Shell access is sandbox-defeating by nature.
Sandboxing isn't about stopping a malicious agent. It's about ensuring that when a well-intentioned agent gets confused - which it will - the damage is contained to one run, one container and one revocable credential set. Build that containment in before you wire agents into anything that matters.