Risk
Sandbox Not Enabled or Inadequate Isolation
Description
Agents run in production without an execution sandbox, or with a sandbox that provides only nominal isolation โ sharing host filesystem, network, identity, or credentials with other workloads.
Example
A coding agent is deployed without a sandbox, running in the same container as the application it operates on; agent compromise immediately compromises the host.
Assets Affected
Agent Execution Sandbox
AI Agent
Agentic Platform
Mitigation
- Default-deny sandboxing for all agent execution
- per-session microVM or container isolation
- network egress filtering
- filesystem isolation
- separate agent identity from host workload identity.
Standards Mapping
- ISO: A.4.5, A.6.2.6
- OWASP agentic: ASI05, ASI03
- OWASP LLM: LLM06:2025
- EU AI Act: Art. 15(5)
- DASF: Model Serving 9.3, Agents-Core 13.11
- AIUC-1: B008, B006