Agent Engineering Wiki
Agent engineering · knowledge map
샌드박싱, 범위 지정 자격 증명 및 가드레일
🛠️ Solution·active·17 sources·updated 2026-07-03
Assume the agent will be hijacked and limit the damage: run its code in a sandbox, give it narrowly scoped and short-lived credentials, gate high-impact actions behind approvals, and screen inputs/outputs with guardrails. None of these stops injection on its own — together they shrink the blast radius of one that gets through.
Each control layer has a published gap, so the field is stacking them into defense in depth rather than trusting any one of them:
- Execution sandboxes contain arbitrary code, but recent analysis is blunt
that they "don't solve credential authorization" — the agent inside the box still holds tokens that injected instructions can spend, so isolating the process is not the same as isolating its privileges.
- Guardrail models screen prompts and outputs, yet "From Shield to Target"
shows the guardrail's own reasoning can be turned into a denial-of-service vector against the protected agent.
- Authorization is where the center of gravity is moving: scope what each
tool/connector can do and provision it centrally — e.g. identity-provider-managed MCP connector auth — so permissions are explicit and revocable rather than ambient.
- Non-human identity: treat each agent as its own identity with scoped
credentials, lifecycle, and audit trail, rather than a sidecar on a human's session.
- OS-level isolation: Microsoft positions Windows as a trust base for
agents with a dedicated Execution Container, pushing the sandbox boundary down into the OS instead of leaving it a process wrapper.
- Identity-based sandbox platforms are shipping as concrete primitives:
Cordium is a self-hosted Kubernetes sandbox where infrastructure secrets never enter the agent's reach.
- Harness-level secret hiding: Claude Code's
sandbox.credentials
setting blocks sandboxed commands from reading credential files and secret environment variables, closing part of the "the box still holds tokens" gap at the config layer.
- Per-parameter permissions: Claude Code's
Tool(param:value)syntax can,
for example, block Opus subagents, so authorization is scoped per action, not per tool.
- Approval-gated writes: datasette-agent's
execute_write_sqlrequires
explicit user approval on top of a general resource-sharing ACL layer, gating the write paths that matter.
- Ephemeral cloud accounts: Cloudflare now lets you run a Workers project
under a temporary, disposable account with no standing login — a self-expiring credential boundary instead of handing an agent your real account keys (worth noting, as Simon Willison points out, that the "for AI agents" framing is partly marketing — it is a general ephemeral scoped-account feature that happens to be exactly the short-lived least-privilege primitive agents need).
- Drop-in process isolation: the open-source Workdir gives an agent a
disposable, isolated working directory out of the box, commoditizing execution sandboxing into something you install rather than build — though the credential-authorization gap above means the box alone still isn't the boundary.
- Tool-call firewalls: Cerberus is a local firewall that sits in front of
an agent's tool calls, mediating and blocking them at the dev machine rather than inside a cloud platform — the local-dev counterpart to the network perimeters and platform governance below.
- Enterprise platforms: Grab's security team built Palana, a
Kubernetes-native secure execution platform, on the premise that model-driven agents — unlike deterministic software — exhibit unpredictable tool-use and code-writing and need a purpose-built isolation-plus-governance substrate to run safely in production. It packages the same controls (sandboxed execution, scoped access, central governance) as paved-road infrastructure a platform team operates.
- Network perimeter: Google Cloud's VPC Service Controls now adds
agentic-AI guardrails that draw a network-level boundary around the data an agent can touch, so a hijacked agent holding valid tokens still cannot move protected data out of the perimeter — the egress-control complement to credential scoping (identity limits *what the agent is allowed to do*, the network perimeter limits *where data can go* even when an action is authorized).
- Secure defaults at the harness level: Claude Code changed its default
permission mode to "Manual" across the CLI, VS Code, and JetBrains, shipping least privilege as the out-of-the-box behavior rather than an opt-in a team has to discover and turn on.
- External output verification: SonarQube plugins now run trusted static
analysis over code written by Claude Code, Copilot, Codex, and Cursor, adding an independent, non-model check on what the sandbox lets an agent produce — a control on the agent's *output*, complementing the controls above on its execution and credentials.
Least privilege plus human approval on the few actions that really matter remains the most durable control across all of these layers.
Two controls extend the "assume compromise" stack in different directions: secure-by-default harness configuration (Claude Code's default permission mode moving to "Manual" across its CLI and IDE integrations) closes the gap between what a default setup permits and what a user actually intended, while independent output verification (SonarQube's trusted static-analysis plugins for Claude Code, Copilot, Codex, and Cursor) adds a non-model check on what an agent produces rather than only on what it's allowed to do.
That builds on the network-perimeter control (Google Cloud VPC Service Controls), operated platforms (Grab's Palana), and the commoditized base layer of drop-in sandboxes and tool-call firewalls (Workdir, Cerberus).
More isolation and tighter scopes mean more friction: approval gates add latency and human cost, narrow credentials break workflows that legitimately need broad access, and sandboxes add ops overhead. Guardrail models add a per-call cost and a new failure/attack surface of their own.
The honest stance is defense in depth with no single layer trusted — which is more moving parts to build and monitor. Best calibrated to blast radius: heavy controls on agents with write access or money/data reach, lighter on read-only ones.
This is standard security engineering applied to a new actor: least privilege, short-lived scoped tokens, egress limits, and approvals — not prompt cleverness. The actionable lesson is to treat the sandbox as containing *code* and the credential/authorization layer as containing *capability*, and to govern tool access centrally (see MCP) so a hijacked agent can reach little.
- Coding Agent Sandboxes Don't Solve Credential Authorization
- From Shield to Target: Denial-of-Service Attacks on LLM-Based Agent Guardrails
- Centrally manage authorization for MCP connectors | Claude
- Every AI Agent Is an Identity. Most Organizations Don't Treat Them That Way
- Windows Platform Security and the Race to Secure AI Agents
- Show HN: FOSS sandbox platform that hides infra secrets from devs and AI agents
- claude-code v2.1.178
- datasette-agent 0.3a0
- datasette-acl 0.6a0
- Temporary Cloudflare Accounts for AI agents
- Workdir: Open-source sandboxes for AI agents
- Grab Builds Secure Agentic AI Workload Platform
- Securing agentic AI with perimeter guardrails: What's new in VPC Service Controls
- Cerberus – a local firewall for AI agents' tool calls
- claude-code v2.1.187
- claude-code v2.1.200
- SonarQube plugins bring trusted verification to Claude Code, Copilot, Codex, Cursor, and beyond - Security Boulevard