Network policies controlling egress would be one thing. I haven't seen how you make secrets available to the agent, but I would imagine you would need to proxy calls through a mitm proxy to replace tokens with real secrets, or some other way to make sure the agent cannot access the secrets themselves. Specifically for an agent that works with code, I could imagine being able to run docker-in-docker will probably be requested at some point, which means you'll need gvisor or something.
That's exactly what i did personnaly on my oss repo https://github.com/ysa-ai/ysa
I want to run my agents fully isolated with headless mode. To achieve that safely you have to run a proxy