--- id: agent-runtime-sandboxing title: 'Agent Runtime Sandboxing' schema_type: TechArticle category: ai language: en confidence: medium last_verified: '2026-06-02' created_date: '2026-06-02' generation_method: ai_structured derived_from_human_seed: true conflict_of_interest: none_declared is_live_document: false data_period: static atomic_facts: - id: fact-agent-runtime-sandboxing-1 statement: >- Docker Engine security documentation describes container isolation using Linux kernel features such as namespaces, cgroups, capabilities, and mandatory access control. source_title: Docker Engine Security source_url: https://docs.docker.com/engine/security/ - id: fact-agent-runtime-sandboxing-2 statement: >- Kubernetes Pod Security Standards define Privileged, Baseline, and Restricted policies for broad coverage of security-sensitive pod settings. source_title: Pod Security Standards source_url: https://kubernetes.io/docs/concepts/security/pod-security-standards/ - id: fact-agent-runtime-sandboxing-3 statement: >- NIST SP 800-190 provides application container security guidance across images, registries, orchestrators, containers, and host operating systems. source_title: NIST SP 800-190 Application Container Security Guide source_url: https://csrc.nist.gov/pubs/sp/800/190/final completeness: 0.82 known_gaps: - The article does not compare specific hosted code-execution sandboxes or browser-isolation vendors. disputed_statements: [] primary_sources: - title: Docker Engine Security type: documentation year: 2026 url: https://docs.docker.com/engine/security/ institution: Docker - title: Pod Security Standards type: documentation year: 2026 url: https://kubernetes.io/docs/concepts/security/pod-security-standards/ institution: Kubernetes - title: NIST SP 800-190 Application Container Security Guide type: standard year: 2017 url: https://csrc.nist.gov/pubs/sp/800/190/final institution: NIST secondary_sources: [] updated: '2026-06-02' ai_models: - gpt-5-codex --- ## TL;DR Agent runtime sandboxing isolates code execution, browser automation, file access, and network calls so an agent cannot freely affect the host environment or unrelated systems. ## Core Explanation Sandboxing turns an agent runtime into a controlled execution boundary. It should limit filesystem scope, network egress, process privileges, secret access, and kernel capabilities while preserving enough observability to debug failures. Containers are a common base layer, but containers alone are not a complete policy. Strong agent sandboxes combine least-privilege credentials, restricted volumes, resource quotas, syscall and capability controls, per-task cleanup, and review gates before high-impact operations. ## Source-Mapped Facts - Docker Engine security documentation describes container isolation using Linux kernel features such as namespaces, cgroups, capabilities, and mandatory access control. ([source](https://docs.docker.com/engine/security/)) - Kubernetes Pod Security Standards define Privileged, Baseline, and Restricted policies for broad coverage of security-sensitive pod settings. ([source](https://kubernetes.io/docs/concepts/security/pod-security-standards/)) - NIST SP 800-190 provides application container security guidance across images, registries, orchestrators, containers, and host operating systems. ([source](https://csrc.nist.gov/pubs/sp/800/190/final)) ## Further Reading - [Docker Engine security](https://docs.docker.com/engine/security/) - [Kubernetes Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) - [NIST SP 800-190](https://csrc.nist.gov/pubs/sp/800/190/final)