LISTEN TO THIS ARTICLE
Agent Sandboxes Need Egress Budgets, Not Trust Prompts
The live risk in agent security is shifting from "will the model say something unsafe?" to "what can the harness actually touch after the model decides?" A July 7, 2026 systematization of execution-security research found 39 papers from 2023 to 2026 across 17 categories, plus four disclosed and patched CVEs affecting production agent tooling The Balkanization of Execution-Security Research for AI Coding Agents.
Evidence base: July 2026 execution-security research, March 2026 AISI sandbox-escape benchmark results, OWASP's 2026 agentic application risk framework, Frontier Model Forum security guidance, NVIDIA AI Red Team sandboxing guidance, and related Swarm Signal coverage on agent security, provenance, and coding-agent config risk The Balkanization of Execution-Security Research for AI Coding Agents.
Key takeaways
- Main change: agent security is now an execution-boundary problem, not only a prompt problem.
- Practical implication: sandbox policy needs filesystem, credential, and egress budgets.
- Caveat or risk: prompts and approvals still matter, but they are weak as primary containment.
- Recommendation: treat every agent tool call as untrusted until the runtime boundary proves otherwise.

The failure
The July 2026 survey is useful because it separates execution security from generic AI safety. It catalogues work on sandbox isolation, capability models, policy enforcement, time-of-check-to-time-of-use races, MCP threats, identity delegation, provenance, and network egress control The Balkanization of Execution-Security Research for AI Coding Agents. That spread is the point. The agent is no longer just emitting text. It is reading repositories, calling tools, running shell commands, and carrying credentials through a harness The Balkanization of Execution-Security Research for AI Coding Agents.
The same paper reports that policy-enforcement studies found 69% to 98% fragility in real denylists, depending on bypass class, and that benign but out-of-scope agent actions appeared at rates up to 17.1% under realistic prompting The Balkanization of Execution-Security Research for AI Coding Agents. Inference: asking the model to stay inside the lane is not a containment strategy. The lane has to exist outside the model.
AISI's March 2026 SandboxEscapeBench makes that concrete. It introduces 18 escape scenarios across orchestration, runtime, and kernel layers, including exposed Docker sockets, privileged containers, runtime CVEs, and privilege escalation chains AISI SandboxEscapeBench. AISI says advanced models frequently escaped common misconfigurations when prompted to do so, and one model found an unintended escape route during benchmark development AISI SandboxEscapeBench.
That is not a reason to abandon sandboxes. It is a reason to stop treating a container label as proof.
What These Benchmarks Actually Test
The benchmark evidence is not a live-production incident log. It is a controlled way to ask whether agent harnesses fail at the exact places production teams depend on: container setup, filesystem limits, outbound network reach, permission scoping, and action consistency.
SandboxEscapeBench measures breakout behaviour inside deliberately constructed container scenarios, not every ordinary development environment AISI SandboxEscapeBench. The July execution-security survey measures the research field around those controls, not one vendor's full risk posture The Balkanization of Execution-Security Research for AI Coding Agents. The production bridge is still strong: both sources point to the same operational question, which is whether the runtime prevents dangerous action after the agent is persuaded or mis-scoped.
Why prompts are the wrong boundary
OWASP's Top 10 for Agentic Applications 2026 gives builders an operational risk frame for autonomous systems that plan, act, and make decisions across workflows OWASP Top 10 for Agentic Applications 2026. The weakness in many deployments is that the enforcement point still sits too close to the model's judgement. A warning, trust prompt, or denylist is asked to do the work of a runtime boundary.
Frontier Model Forum's June 2026 guidance is sharper. It says deterministic controls at the infrastructure layer decide what an agent can access, and names sandboxing, filesystem scope, and network egress policy as controls that determine whether data can leave the system Emerging Security Practices for AI Agents. NVIDIA's AI Red Team says coding agents often run commands with the same permissions as the user, and lists network egress controls, workspace-only writes, and config-file write blocks as mandatory controls for serious indirect-prompt-injection risk NVIDIA.
This is where the egress budget matters. An agent should not have arbitrary outbound network access because it might be helpful. It should have task-scoped destinations, logged exceptions, and a hard path for "no external call allowed." The same applies to credentials, filesystem reads, and config writes Emerging Security Practices for AI Agents.
For readers following the AI Agent Security Playbook, Config Files Are Now Your Security Surface, and Agent Observability Needs Provenance, the practical rule is simple: provenance without containment is forensics after the fact. Useful agent security starts before the command executes NVIDIA.

The counterargument
The fair objection is that strict egress and filesystem policy can break useful agent work. Coding agents need package registries, docs, test services, and sometimes external issue trackers. Research agents need search. Support agents need customer systems.
That is true, but it argues for budgets rather than blanket trust. A production agent should carry a declared capability envelope: allowed tools, allowed paths, allowed network destinations, allowed credential scopes, and a per-task override trail. If a workflow cannot state those constraints, the team has not designed the workflow yet.
AgentWarden points in this direction with a three-layer approach that scopes visible tools per session, intercepts tool calls before execution, and learns minimum viable skill sets from audit logs Beyond Static Sandboxing. You do not need that exact architecture to adopt the principle. You need least privilege to be enforced by the runtime, not requested from the model.
What This Actually Changes
Failure Brief verdict: agent sandboxes should be measured by what they deny under pressure, not by whether the model agrees to behave.
The operational test is blunt. Give the agent a benign-looking task that includes an indirect instruction to read secrets, modify config, or phone home. A useful harness should deny the filesystem access, block the outbound route, record the attempted action, and let the workflow continue safely where possible. If the only defence is a prompt or a confirmation dialog, the agent still has the wrong shape of authority.
This is a safety and governance problem because it turns agent risk into a systems control question. The governance artefact that matters is not the policy sentence. It is the deny event in the runtime trace.
Operator takeaway
If you are shipping coding agents, browser agents, or tool-using internal agents, do this:
- One practical action: define per-task egress, filesystem, and credential budgets before adding new tools.
- One thing to measure: denied tool calls and denied outbound requests per workflow, not only model refusal rates.
- One thing to avoid: relying on trust prompts as the primary security boundary.
- One decision gate: no autonomous agent route without workspace-only writes, config-file write blocks, and logged egress policy.
Source trail
Research:
- The Balkanization of Execution-Security Research for AI Coding Agents
- Beyond Static Sandboxing: Learned Capability Governance for Autonomous AI Agents
Benchmarks and standards:
Industry guidance:
- Emerging Security Practices for AI Agents
- Practical Security Guidance for Sandboxing Agentic Workflows and Managing Execution Risk
Related Swarm Signal analysis: