[EAAPL-AGT004] Agent Sandboxing
Category: Agentic AI
Sub-category: Security Architecture
Version: 2.2
Maturity: Proven
Tags: sandboxing, compute-isolation, security, code-execution, network-egress, escape-detection, resource-quotas
Regulatory Relevance: EU AI Act (Art. 9, 15), APRA CPS 234, ISO 27001 §A.12.6, NIST AI RMF (MANAGE 2.2), SOC 2 Type II
1. Executive Summary
The Agent Sandboxing Pattern defines the secure execution environment that isolates AI agent tool executions from the host infrastructure, other agent workloads, and each other. As AI agents gain the ability to execute code, call external APIs, read and write files, and interact with databases, the execution environment becomes a critical attack surface. An unsandboxed agent that is manipulated via prompt injection can exfiltrate data, modify production systems, or pivot to attack other services.
For CIO/CTO audiences: this pattern is the equivalent of a bank's vault door. It does not prevent an agent from being asked to do something harmful; it ensures that even if an agent is compromised or manipulated, the blast radius is contained to the task it was explicitly authorised to perform. Without sandboxing, a single successful prompt injection against your most capable agent could mean unrestricted access to your entire enterprise infrastructure. With sandboxing, the attacker is limited to the resource quota and network scope of that single tool invocation — and every attempt is logged and detectable. This pattern is non-negotiable for production AI agents executing code or making external API calls.
2. Problem Statement
Business Problem
Organisations deploying AI agents with code execution, file system, or API-calling capabilities face an existential risk: an agent that is manipulated via prompt injection or that malfunctions can execute arbitrary actions on enterprise infrastructure. The consequential damages — data exfiltration, ransomware staging, financial fraud, or regulatory violation — can far exceed the cost of the agent use case itself.
Technical Problem
AI agents run as processes on compute infrastructure. Without isolation, they share the OS kernel, network namespace, filesystem, and memory address space with other processes. A malicious tool, a compromised package dependency, or a successful prompt injection that tricks the agent into generating malicious code has full access to everything the agent process can reach — which, in cloud environments with overly permissive IAM roles, can be the entire AWS/Azure/GCP estate.
Symptoms of Absence
- Agents execute code in-process or in shared container environments with no isolation
- Network calls from tool executions are unrestricted — any endpoint is reachable
- CPU/memory consumption by one agent task can starve other workloads
- No alerting when a tool execution attempts to access a restricted file path or network destination
- Security assessment of the agent produces an unacceptably large attack surface with no containment boundary
Cost of Inaction
- Security: A single successful sandbox escape or prompt injection gives an attacker the agent's full cloud credentials
- Compliance: APRA CPS 234 requires capability to contain and detect security incidents; absence of sandboxing is a material finding
- Operational: Runaway tool executions (infinite loops, memory leaks) can crash host infrastructure, affecting unrelated workloads
- Insurance: Cyber insurers increasingly require demonstrable code execution isolation for AI agent deployments
3. Context
When to Apply
- The agent can execute code generated by an LLM (code executor tool)
- The agent can call external APIs on behalf of users
- The agent has read/write access to file systems
- The agent handles sensitive data that must not be exfiltrated
- Multi-tenant environments where one agent's actions must not affect another tenant's data or compute
When NOT to Apply
- The agent is purely an LLM inference wrapper with no tool use (no sandbox needed for inference calls themselves)
- The agent runs in a fully air-gapped, single-tenant environment with static, pre-approved tools only (lighter controls may suffice)
- Proof-of-concept with no production data and no external network access
Prerequisites
- Container runtime or hypervisor infrastructure (Kubernetes, Docker, Firecracker, or equivalent)
- Network policy enforcement capability (Kubernetes NetworkPolicy, AWS Security Groups, iptables)
- Secrets management (no credentials in sandbox environment that are not explicitly required)
- Audit log infrastructure to receive sandbox event logs
- EAAPL-AGT003 (Tool Registry) providing sandbox_requirements per tool
Industry Applicability
| Industry |
Sandboxing Requirement |
Key Concern |
Isolation Level |
| Financial Services |
Mandatory |
Data exfiltration, financial API abuse, regulatory breach |
Hypervisor (Firecracker/gVisor) for highest sensitivity |
| Healthcare |
Mandatory |
Patient data exfiltration, EHR system tampering |
VM-level isolation; network allow-list only |
| Technology / SaaS |
High |
Code execution in multi-tenant platforms, supply chain attacks |
gVisor or Docker + seccomp + AppArmor |
| Government |
Mandatory |
Classified data protection, system integrity |
Air-gapped sandbox; hardware-enforced isolation |
| Retail |
Medium |
PII protection, payment system integrity |
Docker + seccomp; network egress controls |
4. Architecture Overview
The Agent Sandboxing Pattern defines a five-layer isolation model. Each layer addresses a different attack vector, and the layers are defence-in-depth: compromising one layer does not automatically breach the others.
Why layered isolation rather than a single control?
Container security history is instructive: Docker containers that rely only on namespace isolation have been escaped via kernel vulnerabilities (CVE-2019-5736, runc breakout). gVisor adds a userspace kernel; Firecracker adds a hypervisor boundary. Each layer closes attack vectors that the layer below leaves open. For production AI agents executing untrusted LLM-generated code, layers 1–4 (namespace, kernel, hypervisor, and network) are all required.
Layer 1: Process Namespace Isolation
Each tool execution spawns in an isolated Linux namespace set: PID (process cannot see host processes), mount (private filesystem), network (private network interface), IPC (no shared memory with host), and UTS (custom hostname). This is the baseline provided by container runtimes. It prevents basic information leakage (process enumeration) and limits lateral movement within the host.
Layer 2: Syscall Filtering (seccomp)
A seccomp profile defines the exact set of Linux syscalls the sandbox process may invoke. For typical tool executions (HTTP API calls, file I/O, computation), the permitted syscall set is far smaller than the full Linux syscall table. Any syscall not on the allow-list causes the process to be killed with SIGKILL and triggers a security alert. This is the primary defence against kernel exploit attempts: even if an attacker can generate malicious code, the syscalls needed to exploit a kernel vulnerability are blocked.
Layer 3: Mandatory Access Control (AppArmor / SELinux)
A MAC policy defines filesystem paths the sandbox process may access (read/write), network operations permitted, and capabilities (Linux capabilities) the process holds. The policy is defined by the tool type: an API caller needs network access but no filesystem write; a file processor needs specific directory access but no network. The tool registry provides the MAC profile name to the sandbox orchestrator at invocation time. Any MAC violation is logged and alerted.
Layer 4: Kernel Isolation (gVisor / Firecracker)
For highest-sensitivity tool executions (LLM-generated code execution, untrusted third-party tool implementations), a virtualised kernel boundary is added. gVisor (runsc) intercepts all syscalls in a Go-based userspace kernel, providing a deep isolation boundary without full VM overhead. Firecracker provides a full KVM microVM with a lightweight kernel (50ms startup), used for the highest-risk executions. The choice between gVisor and Firecracker is a trade-off between isolation strength and startup latency.
Layer 5: Network Egress Controls
By default, the sandbox has no external network access (default-deny egress). A network allow-list specifies the exact endpoints and ports the tool is permitted to call. The allow-list is derived from the tool's registration metadata in the tool registry. Any connection attempt to an unlisted endpoint is blocked at the network layer (iptables/NetworkPolicy/firewall) and logged as a security event. DNS resolution is intercepted — DNS queries for unlisted domains are blocked.
Resource Quotas
The sandbox enforces hard resource quotas: CPU (in millicores), memory (in MiB), execution time (timeout in seconds), and network bandwidth. These quotas prevent a runaway tool execution from exhausting compute resources and prevent slow exfiltration via bandwidth. Quotas are defined per tool type in the tool registry and enforced by the container orchestrator (Kubernetes resource limits) and Linux cgroups.
Capability Allow-Listing
Linux capabilities provide fine-grained privilege controls below the root/non-root dichotomy. Sandbox processes drop all capabilities not on the explicit allow-list (typically: none, or at most CAP_NET_BIND_SERVICE for tools that need to bind ports). Running as a non-root user inside the namespace is required; user namespace remapping is applied to prevent privilege escalation via UID manipulation.
Escape Detection
A monitoring agent (eBPF probe or privileged sidecar) monitors sandbox processes for escape indicators: unusually high syscall rates, attempts to access restricted file paths (MAC violations), attempts to connect to unlisted network endpoints, process spawning outside expected patterns, and CPU/memory usage spikes. Any anomaly triggers an immediate alert and can trigger sandbox termination.
5. Architecture Diagram
flowchart TD
subgraph Input["Invocation Layer"]
A[Tool Dispatcher]
B[(Tool Registry)]
end
subgraph Sandbox["Sandboxed Environment"]
C[Sandbox Orchestrator]
D[Tool Execution]
E[Escape Detector]
end
subgraph Egress["Network Egress"]
F{Allow-list Check}
G[Approved Endpoints]
H[Blocked + Alerted]
end
A -->|invocation + identity| C
B -->|isolation profile| C
C -->|provision sandbox| D
D -->|network call| F
F -->|allowed| G
F -->|blocked| H
C --> E
E -->|anomaly| H
D -->|result| A
style A fill:#dbeafe,stroke:#3b82f6
style B fill:#fef9c3,stroke:#eab308
style C fill:#f0fdf4,stroke:#22c55e
style D fill:#f0fdf4,stroke:#22c55e
style E fill:#f0fdf4,stroke:#22c55e
style F fill:#f3e8ff,stroke:#a855f7
style G fill:#d1fae5,stroke:#10b981
style H fill:#fee2e2,stroke:#ef4444
6. Components
| Component |
Type |
Responsibility |
Technology Options |
Criticality |
| Sandbox Orchestrator |
Control Plane |
Provisions sandbox per invocation; injects isolation profile; manages lifecycle |
Kubernetes + custom operator; AWS Lambda; custom Docker daemon wrapper |
Critical |
| Linux Namespace Isolation |
OS Primitive |
PID/mount/net/IPC/UTS namespace separation |
Linux kernel namespaces (built into all container runtimes) |
Critical |
| seccomp-bpf Filter |
Kernel Security |
Syscall allow-list enforcement; SIGKILL on violation |
seccomp-bpf (kernel 3.17+); Docker seccomp profiles; OCI runtime hooks |
Critical |
| AppArmor / SELinux Profile |
MAC Enforcer |
Filesystem, network, and capability MAC policy enforcement |
AppArmor (Debian/Ubuntu); SELinux (RHEL/Fedora); kata-containers |
High |
| gVisor (runsc) |
Kernel Emulation |
Userspace kernel intercept for all syscalls; deep isolation without full VM |
gVisor (Google OSS); Kata Containers |
High (for code execution) |
| Firecracker MicroVM |
Hypervisor |
Full KVM-based microVM for maximum isolation; 50–125ms boot |
Firecracker (AWS OSS); AWS Lambda uses Firecracker internally |
High (highest-risk tools) |
| Network Policy Enforcer |
Network Security |
Default-deny egress; allow-list enforcement; DNS intercept |
Kubernetes NetworkPolicy + Calico/Cilium; iptables; AWS Security Groups |
Critical |
| eBPF Escape Detector |
Security Monitoring |
Real-time syscall and kernel event monitoring; escape indicator detection |
Falco; Tracee (Aqua Security); custom eBPF probes; Cilium Tetragon |
High |
| Resource Quota Controller |
Compute |
CPU/memory limits; execution timeout; bandwidth ceiling |
Kubernetes resource limits + LimitRange; cgroups v2; AWS Lambda timeout |
High |
| Audit Log Exporter |
Compliance |
Ships sandbox events (start, end, resource usage, security events) to audit log |
Fluentd, Vector, OpenTelemetry Collector |
Critical |
| Isolation Profile Store |
Configuration |
Stores per-tool isolation profiles: seccomp profile, AppArmor profile, network allow-list, quotas |
Part of Tool Registry (EAAPL-AGT003) |
High |
7. Data Flow
Sandbox Invocation Flow
| Step |
Actor |
Action |
Output |
| 1 |
Tool Dispatcher |
Sends invocation request: tool_id, validated arguments, agent identity |
Invocation request to orchestrator |
| 2 |
Sandbox Orchestrator |
Fetches isolation profile from tool registry: seccomp profile, MAC profile, network allow-list, resource quotas, isolation level (container/gVisor/Firecracker) |
Isolation profile |
| 3 |
Sandbox Orchestrator |
Provisions isolated execution unit: applies namespace config, loads seccomp profile, loads AppArmor profile, configures network policy, sets cgroup resource limits |
Provisioned sandbox |
| 4 |
Audit Log |
Records sandbox start event: sandbox_id, tool_id, agent_id, task_id, isolation_level, timestamp |
Pre-execution audit record |
| 5 |
Tool Executor |
Executes tool code within sandbox; all syscalls filtered; all network calls checked against allow-list; filesystem access enforced by MAC |
Tool result or error |
| 6 |
eBPF Monitor |
Continuously monitors syscall patterns, network connections, file accesses during execution |
Security events (normal = no events) |
| 7 |
Sandbox Orchestrator |
Receives result or timeout; records resource consumption; destroys sandbox |
Resource metrics |
| 8 |
Audit Log |
Records sandbox end event: result hash, execution time, CPU/memory used, any security events, timestamp |
Post-execution audit record |
| 9 |
Tool Dispatcher |
Receives result from orchestrator; returns to agent |
Tool result |
Escape Attempt Detection Flow
| Step |
Actor |
Action |
Output |
| 1 |
Sandbox Process |
Attempts blocked syscall / restricted file access / unlisted network connection |
Kernel/network block |
| 2 |
seccomp / AppArmor / NetworkPolicy |
Blocks operation; generates kernel audit event |
Block event |
| 3 |
eBPF Monitor / Falco |
Captures kernel audit event; evaluates against escape indicator rule set |
Security alert |
| 4 |
Security Alert Platform |
Receives alert with: sandbox_id, tool_id, agent_id, event_type, attempted_resource, timestamp |
P1/P0 security incident |
| 5 |
Sandbox Orchestrator |
Optionally terminates sandbox immediately on escape indicator |
SIGKILL to sandbox process |
| 6 |
Audit Log |
Records security event with full context |
Forensic audit record |
Error Flow
| Error |
Detection |
Recovery |
| Execution timeout |
Sandbox Orchestrator (timer) |
SIGKILL sandbox; return timeout error to dispatcher; retry logic in dispatcher |
| Memory limit exceeded |
cgroup OOM killer |
OOM kill event logged; return OOM error; alert if persistent |
| Tool code crash (unhandled exception) |
Process exit code |
Capture stderr; return structured error; retry if idempotent tool |
| Network egress block (attempted) |
NetworkPolicy |
Block + log; return tool error indicating network restriction; security alert generated |
8. Security Considerations
Defence-in-Depth Model
The five-layer model means an attacker must break multiple independently hardened controls. Historical container escape CVEs (runc, Docker, containerd) typically bypass Layer 1 only; Layers 2–4 would contain the impact in each case.
Secrets in the Sandbox
- Secrets needed by the tool (API keys, DB credentials) are injected as environment variables just-in-time by the sandbox orchestrator via the secrets vault
- Secrets are never present in the tool code, the agent prompt, or the audit log
- Secrets are revoked from the environment immediately after the sandbox exits (ephemeral dynamic secrets are preferred)
- The MAC policy prevents the sandbox process from reading the host's secrets vault mount
OWASP LLM Top 10
| OWASP LLM Risk |
Sandbox Relevance |
Mitigation |
| LLM01 Prompt Injection |
An injection could cause the agent to generate malicious code executed in the sandbox |
Sandbox limits blast radius; seccomp blocks dangerous syscalls even if code executes; network allow-list prevents exfiltration |
| LLM08 Excessive Agency |
An agent manipulated into calling unauthorised tools or performing unauthorised actions |
Network allow-list is per-tool, not per-agent; even if agent is manipulated, sandbox enforces tool-level constraints; capability allow-listing removes dangerous Linux capabilities |
| LLM02 Insecure Output Handling |
LLM-generated code executed in sandbox |
seccomp + AppArmor contain the execution; gVisor/Firecracker for LLM code execution tools |
| LLM05 Supply Chain |
Compromised third-party tool package executes malicious code |
Sandbox contains the execution; eBPF monitoring detects anomalous behaviour patterns |
| LLM04 DoS |
Tool execution consumes excessive compute |
Hard resource quotas (CPU/memory/time) prevent starvation; cgroup enforcement is kernel-level |
Container Image Hardening
- Sandbox base images are minimal (scratch or distroless); no shell, no package manager, no unnecessary utilities
- Images are built deterministically from pinned dependencies; vulnerability-scanned before deployment
- Images are signed (Cosign/Notary); admission controller validates signatures before running
9. Governance Considerations
Security Review of Isolation Profiles
- Every isolation profile (seccomp + AppArmor + network allow-list + quotas) requires security team review before being used in production
- Profile changes are treated as security-relevant configuration changes and go through change management
Governance Artefacts
| Artefact |
Owner |
Frequency |
Purpose |
| Isolation Profile Register |
Security Engineering |
Per tool registration |
Documents isolation level and justification for each tool |
| Escape Attempt Log |
Security Operations |
Continuous |
Immutable record of all detected escape attempts and security events |
| Sandbox Security Review |
Security Engineering |
Annually + on platform upgrade |
Review of isolation profile efficacy against current CVE landscape |
| Container Image SBOM |
Platform Engineering |
Per image build |
Software bill of materials for audit and vulnerability management |
| Penetration Test Results |
External Security Firm |
Annually |
Evidence of sandbox hardening efficacy for APRA/ISO audit |
10. Operational Considerations
SLOs
| SLO |
Target |
Window |
Alert |
| Sandbox provisioning latency (container) |
≤ 200ms p95 |
1-hour rolling |
> 500ms triggers P2 |
| Sandbox provisioning latency (Firecracker) |
≤ 500ms p95 |
1-hour rolling |
> 1s triggers P2 |
| Security event detection latency |
≤ 5 seconds from event to alert |
Per event |
> 30s triggers P1 |
| Escape attempt false positive rate |
≤ 0.1% of invocations |
Weekly |
> 1% triggers review |
| Sandbox resource quota enforcement |
100% — no quota breach allowed |
Continuous |
Any breach is P0 |
Monitoring
- Per-sandbox resource consumption: CPU, memory, wall-clock time, network bytes sent/received
- Security event rate per tool_id: escape indicators, network blocks, MAC violations
- Sandbox startup latency histogram per isolation level
- Alert: any Firecracker escape indicator triggers P0 incident regardless of time of day
Incident Response
| Incident |
Detection |
Response |
| Suspected sandbox escape |
eBPF monitor escape indicator alert |
Immediate: kill sandbox; quarantine host node; alert security team; P0 incident; forensic capture of host memory |
| Mass sandbox timeout (DoS pattern) |
Timeout rate spike > 5% over 5 min |
Throttle invocations; investigate tool code; circuit breaker on affected tool |
| Isolation profile violation (MAC) |
AppArmor/SELinux DENY log |
Alert security; review tool code; consider suspending tool |
11. Cost Considerations
Cost Drivers
| Cost Driver |
Container |
gVisor |
Firecracker |
Notes |
| Startup overhead |
~10–50ms |
~50–200ms |
~100–500ms |
Impacts p95 latency of tool invocations |
| Per-invocation compute overhead |
~2–5% |
~10–20% |
~15–25% |
Syscall intercept cost |
| Infrastructure (idle capacity for burst) |
Low |
Low–Medium |
Medium |
Firecracker pre-warmed pool adds cost |
| eBPF monitoring CPU overhead |
~1–3% per node |
~1–3% per node |
~1% (hypervisor layer) |
Falco/Tracee per-node cost |
Indicative Cost Comparison (per 1M sandboxed executions, 1s avg execution time)
| Isolation Level |
Additional Compute Cost vs. No Sandbox |
Risk Reduction |
Recommended For |
| Container + seccomp + AppArmor |
+5–10% |
High |
Standard API caller tools |
| gVisor (runsc) |
+15–25% |
Very High |
LLM-generated code execution |
| Firecracker MicroVM |
+25–35% |
Maximum |
Untrusted third-party code; highest-risk tools |
12. Trade-Off Analysis
Isolation Technology Options
| Option |
Isolation Strength |
Startup Latency |
Throughput |
Security Gaps |
| Docker + seccomp + AppArmor |
High |
10–50ms |
Very High |
Shared kernel; kernel CVEs can break isolation |
| gVisor (runsc) |
Very High |
50–200ms |
High |
Userspace kernel; some syscall compatibility gaps |
| Firecracker MicroVM |
Maximum |
100–500ms |
Medium |
Highest isolation; limited to Linux guest; memory overhead |
| AWS Lambda (managed) |
High (managed) |
Cold start 200ms–2s |
High |
Shared underlying infrastructure; cold start cost |
| WASM sandbox (Wasmtime/Wasmer) |
Very High |
<10ms |
Very High |
Language-specific; emerging toolchain; not all tools portable |
Architectural Tensions
| Tension |
Left Pole |
Right Pole |
Balance |
| Isolation depth vs. Latency |
Firecracker for all tools; maximum safety |
No sandbox; lowest latency |
Tiered: container+seccomp for standard tools; gVisor for code execution; Firecracker for highest-risk |
| Restrictive allow-list vs. Tool flexibility |
Minimal syscall allow-list; breaks some tools |
Permissive allow-list; reduced protection |
Profile per tool type; allow-list derived from tool's actual syscall trace in test environment |
| Pre-warmed pool vs. Cost |
Large pre-warmed Firecracker pool; zero cold start |
No pre-warming; cold starts on every invocation |
Small pre-warmed pool (e.g., 10 VMs) for predictable baseline; scale-out for bursts |
13. Failure Modes
| Failure Mode |
Likelihood |
Impact |
Detection |
Recovery |
| Kernel vulnerability allows namespace escape |
Very Low |
Critical |
eBPF anomaly detection; process monitoring |
Kernel patching; Firecracker for high-risk; incident response |
| seccomp profile too restrictive (breaks tool) |
Medium |
Medium — tool fails |
Tool invocation error; test environment validation |
Profile tuning via strace-based syscall auditing in test |
| Firecracker microVM pool exhausted |
Low |
High — tool invocations queue |
Pool depth metric; queue depth alert |
Scale-out pool; fallback to gVisor |
| eBPF monitor false positive kills legitimate sandbox |
Low |
Medium — task failure |
Alert correlation with tool success rate |
eBPF rule tuning; false positive rate monitoring |
| Network allow-list blocks required endpoint |
Medium |
Medium — tool fails |
Tool invocation error; network block log |
Update allow-list after security review |
| Resource quota too low for complex tool |
Medium |
Medium — timeout/OOM |
Execution timeout / OOM kill events |
Quota tuning based on p95 observed resource use |
14. Regulatory Considerations
APRA CPS 234
- Sandboxing directly implements the "capability to contain" requirement — the organisation must demonstrate capability to contain security incidents affecting information assets
- Escape detection alerting implements the "ability to detect material security incidents promptly" requirement
- Isolation profiles and penetration test results are evidence for CPS 234 annual attestation
EU AI Act
- Art. 15 (Accuracy, Robustness, Cybersecurity): sandboxing with escape detection directly implements the cybersecurity requirement for high-risk AI systems
- Art. 9 (Risk Management): isolation tier selection (container/gVisor/Firecracker) is a documented risk treatment
ISO 27001
- §A.12.6.1 (Management of Technical Vulnerabilities): container image scanning + signature validation satisfies this control
- §A.12.2.1 (Controls Against Malware): seccomp + AppArmor + escape detection implements this control in the AI agent context
NIST AI RMF
- MANAGE 2.2: sandboxing is the primary technical control for managing AI agent action risk; hardened profiles per tool risk tier implement the tiered risk treatment requirement
15. Reference Implementations
AWS
| Component |
Service |
| Standard isolation |
AWS Fargate (gVisor-based; managed) |
| Code execution sandbox |
AWS Lambda (Firecracker-based; managed) |
| Network egress control |
VPC Security Groups + NAT Gateway + AWS Network Firewall |
| Escape detection |
Amazon GuardDuty (container threat detection) + custom CloudWatch agent |
| Audit log |
AWS CloudTrail + S3 Object Lock |
Azure
| Component |
Service |
| Standard isolation |
Azure Container Instances (isolated) |
| Code execution |
Azure Container Apps (sandbox) |
| Network control |
Azure Virtual Network + NSG + Azure Firewall |
| Escape detection |
Microsoft Defender for Containers |
| Audit log |
Azure Monitor Logs + Immutable Blob |
GCP
| Component |
Service |
| Standard isolation |
Cloud Run (gVisor by default) |
| Network control |
VPC Firewall Rules + Cloud Armor |
| Escape detection |
Google Cloud Security Command Center |
| Audit log |
Cloud Audit Logs + Cloud Storage WORM |
On-Premises
| Component |
Technology |
| Standard isolation |
Kubernetes + containerd + gVisor (runsc runtime class) |
| High isolation |
Kata Containers (KVM-based) |
| Network control |
Kubernetes NetworkPolicy + Calico/Cilium |
| Escape detection |
Falco + eBPF; Tracee (Aqua Security) |
| Audit log |
Falco alert + Kafka + MinIO WORM |
| Pattern |
ID |
Relationship Type |
Notes |
| Single Agent Pattern |
EAAPL-AGT001 |
Depends On |
AGT001's Act phase always executes through a sandbox |
| Agent Tool Registry |
EAAPL-AGT003 |
Depends On |
Registry provides isolation profile per tool to sandbox orchestrator |
| Agent Identity and Authorisation |
EAAPL-AGT009 |
Integrates With |
Agent identity is used to select appropriate isolation tier |
| Agent Cost Governance |
EAAPL-AGT010 |
Integrates With |
Sandbox resource quotas enforce per-task compute cost ceilings |
| Human-in-the-Loop Agent |
EAAPL-MAG003 |
Peer |
HITL gates can bypass sandbox for human-reviewed actions (with explicit override) |
17. Maturity Assessment
Overall Maturity: Proven
| Dimension |
Score (1–5) |
Evidence |
| Isolation Technology Maturity |
5 |
Linux namespaces, seccomp, AppArmor decades-old; gVisor/Firecracker production-proven at Google/AWS scale |
| AI-Agent-Specific Tooling |
3 |
Generic container security tools apply; AI-agent-specific escape detection rules still maturing |
| Operational Patterns |
4 |
Runbooks, incident response for container security mature; eBPF monitoring tooling maturing rapidly |
| Security Hardening |
4 |
Defence-in-depth model well-established; WASM sandbox emerging as complementary tier |
| Regulatory Evidence Base |
4 |
Penetration test frameworks established; APRA/ISO mapping well understood |
18. Revision History
| Version |
Date |
Author |
Changes |
| 1.0 |
2024-02-01 |
Security Architecture |
Initial publication |
| 1.1 |
2024-05-15 |
Security Engineering |
Added Firecracker tier; eBPF detection tooling |
| 2.0 |
2024-10-01 |
Architecture Board |
Added WASM sandbox option; OWASP LLM section; five-layer model formalised |
| 2.1 |
2025-01-10 |
Security Architecture |
Added APRA CPS 234 mapping; container image signing requirement |
| 2.2 |
2025-04-01 |
Architecture Board |
Added Falco/Tracee implementation guidance; escape detection latency SLO |