sandboxing is really the only way to make agentic workflows auditable for enterprise risk. we can't underwrite trust in the model's output, but we can underwrite the isolation layer. if you can prove the agent literally cannot access the host network or sensitive volumes regardless of its instructions, that's a much cleaner compliance story than just relying on system prompts.
This may sound obvious, but there must also be an enforcement of what's allowed into that sandbox.
I can envision perfectly secure sandboxes where people put company secrets and communicate them over to "the cloud".
exactly, egress control is the second half of that puzzle. A perfect sandbox is useless for dlp if the agent can just hallucinate your private keys or pii into a response and beam it back to the model provider. it’s basically an exfiltration risk that traditional infra-level security isn't fully built to catch yet.
Sandbox won’t be enough, distroless + “data firewall” + audit
Indeed, but a rock solid sandboxing and isolation strategy is step 0.