
Security boundaries in agentic architectures

Blog post from Vercel

Post Details
Company: Vercel
Date Published: (not listed)
Author: Malte Ubl
Word Count: 1,853
Language: English
Hacker News Points: -
Summary

As AI agents increasingly adopt coding-agent architectures, which involve reading filesystems, running shell commands, and generating code, they become multi-component systems whose parts warrant distinct levels of trust. Traditionally, these components operate within a single security context, which exposes them to risks such as prompt injection, and a successful injection can lead to unauthorized actions such as data exfiltration. To mitigate these risks, it is crucial to establish security boundaries among the four actors in an agentic system: the agent, the agent's secrets, the execution of generated code, and the filesystem. Current practices often lack these boundaries, leaving the actors in a shared security context that widens the blast radius of any compromise. A more secure approach separates agent compute from sandbox compute, with generated code running in isolated environments that have no direct access to secrets. Combining application sandboxes with secret-injection proxies strengthens this further: the sandbox stays isolated, and credentials are attached to outbound requests by the proxy rather than being exposed to the code that makes them. Despite the benefits, adoption remains low because of compatibility challenges, but those who implement these measures early will gain a security edge as agents take on increasingly sensitive tasks.