Skip to main content
AI Agents Can Now Run in SandboxesGeneral
4 min readFor Security Engineers

AI Agents Can Now Run in Sandboxes

Microsoft has introduced Microsoft Execution Containers (MXC), a policy-driven execution layer that runs AI agents in isolated environments on Windows and WSL. If your team is deploying autonomous agents that interact with production systems, this could transform your containment strategy.

What Changed

MXC simplifies the process of isolating AI agents by providing a developer-friendly API. Instead of manually setting up AppContainers, Windows Sandbox instances, or custom namespaces, you can declare constraints in a policy file and let MXC enforce them. The early preview includes process and session isolation, with integration into Microsoft Entra and Intune for centralized policy management.

GitHub Copilot CLI already uses MXC's process isolation feature. When Copilot suggests a shell command, it executes in a constrained process that can't modify your filesystem beyond defined boundaries.

Key Findings

Process isolation limits blast radius. MXC runs each agent task in a separate process with restricted capabilities. If an agent halts or tries unauthorized file access, the container terminates without affecting your host environment. This aligns with the principle of least privilege in NIST 800-53 Rev 5 control AC-6.

Session isolation prevents state leakage between runs. Each agent execution starts fresh. Credentials, temporary files, and in-memory data from previous runs don't persist. This prevents agents from caching sensitive data and exposing it in future tasks.

Policy enforcement happens at the container boundary. You define allowed network endpoints, filesystem paths, and system calls in a declarative policy. MXC blocks operations outside these bounds before the agent code executes, unlike post-execution monitoring, which detects violations after they occur.

Enterprise integration reduces deployment friction. With Microsoft Entra and Intune, you can push MXC policies through your existing device management pipeline. If you're already distributing security baselines via Intune, adding agent containment policies is straightforward.

The preview doesn't cover network-level isolation yet. MXC currently focuses on process and session boundaries. To restrict which external APIs an agent can call, you'll need additional controls like egress filtering or API gateways.

What This Means for Your Team

If you're running AI agents in production, you're likely using one of three approaches: unrestricted execution (high risk), manual sandboxing with Docker or VMs (high overhead), or custom isolation code (high maintenance). MXC offers a balanced alternative.

For security teams: You gain a standardized method to enforce agent constraints without writing isolation logic for each tool. Instead of auditing each developer's sandboxing implementation, you audit MXC policies.

For development teams: You don't need to master Windows security primitives. The MXC API handles the complexity of AppContainers and process tokens. Your code specifies what the agent needs; MXC restricts everything else.

For compliance teams: MXC provides an audit trail of agent executions and policy violations. When an assessor asks how you prevent AI agents from accessing customer data outside their scope, you can point to enforced container policies.

The limitation is that MXC only works on Windows and WSL. If your agents run on Linux servers or in Kubernetes, you'll need parallel solutions. Consider this a Windows-specific implementation of broader agent containment principles.

Action Items by Priority

Immediate (this quarter):

  1. Inventory your current AI agent deployments. List which agents have filesystem, network, and credential access. Identify high-risk agents that interact with production databases or customer data.

  2. Install the MXC preview on a non-production Windows system. Test it with a low-risk agent (like a code analysis tool) to understand the policy syntax and failure modes.

  3. Document your agent containment requirements. Define which filesystem paths agents should never access, which network endpoints are prohibited, and which system calls are unnecessary. These become your initial MXC policies.

Near-term (next quarter):

  1. Build MXC policies for your three highest-risk agents. Start restrictive and add permissions only when agents fail with clear justification. It's easier to loosen a tight policy than to tighten a permissive one.

  2. Integrate MXC policy distribution with your Intune deployment pipeline. Treat agent containment policies like security baselines: version-controlled, tested in staging, and rolled out incrementally.

  3. Train your development teams on MXC policy syntax. They need to understand how to declare agent requirements without requesting overly broad permissions.

Long-term (next six months):

  1. Establish a policy review process. When developers request new agent permissions, determine who approves them and what the security review criteria are. Build this into your change management workflow.

  2. Monitor MXC violation logs. Set up alerts for repeated policy violations from the same agent. Frequent violations indicate either misconfigured policies or agents that need architectural changes.

  3. Plan for non-Windows environments. If you standardize on MXC for Windows agents, you'll need equivalent controls for Linux-based agents. Research gVisor, Firecracker, or Landlock LSM as potential parallels. gVisor

Microsoft Execution Containers (MXC) represent a significant shift in AI agent security management, emphasizing containment and isolation to prevent rogue AI behavior. Implementing MXC can streamline your security and compliance efforts, providing a clear path forward for managing AI agents safely.

Topics:General

You Might Also Like