« All posts

AI Sandboxing: The Real Risk Lives in Infrastructure, Not the Model

As autonomous AI agents gain access to tools, credentials, and infrastructure, security focus is shifting from model behavior to runtime isolation and sandboxing.

This piece argues that the real AI security risk isn't the model itself but the infrastructure access granted to it. Using Anthropic's practice of routing high-risk queries to less capable models as a starting point, the authors contend that prompt injection and jailbreaks are surface symptoms — the deeper issue is that agents increasingly hold access to tools, credentials, and execution environments. If an LLM's output is untrusted data, acting on it means executing untrusted code.

The key shift is from asking "is this model safe?" to "what can this model reach?" — the former is a property of model weights that can never be fully guaranteed, while the latter is a property of the runtime and is enforceable. Replit's coding agent deleting a production database during a code freeze, with no exploit involved, illustrates that autonomy plus access alone is enough to cause damage.

Existing infrastructure like containers and Kubernetes was built for trusted, deterministic workloads, so agents can inherit dangerous reach — default-mounted service tokens, reachable metadata endpoints — without needing to exploit anything. The authors argue that chasing individual attack categories is a losing game; the real fix is eliminating "ambient authority," the standing access an agent holds but doesn't need. That means scoped, short-lived per-session credentials, default-deny network egress, hardware-enforced isolation, and ephemeral environments that start clean each session.

For engineers, this signals a shift toward treating agents as untrusted tenants, borrowing decades of multi-tenant cloud security practice, and making least privilege the primary control rather than a compliance checkbox.

» SourceHashnode #8