
Execution & Tools

Runtime Guardrail

Execution sandbox: isolates and constrains the actual execution of the tools and code the agent decides to run.

Plane: Execution & Tools
Flow steps: 7
Frameworks: NIST 800-53 · OWASP LLM05/06

Technology

Why use it

Run the agent’s tools and code in an isolated, bounded environment.

Why it matters to security

Contains the blast radius: even if hijacked, the agent cannot escape the sandbox or reach resources it was not allocated.

Implementations: gVisor · Firecracker · rootless containers · E2B

Assume breach: confine execution so that a compromise stays local.

Recommendations by maturity tier


Foundation

Minimum viable baseline
  • Execution in an isolated environment (container/sandbox).
    NIST 800-53 SC-39 · SC-7
    Process isolation stops a tool from touching the host.
  • No excess privilege (non-root, minimal capabilities).
    NIST 800-53 AC-6
    Least privilege limits what a compromise can do.
  • Outbound network restricted by default.
    NIST 800-53 AC-4 · SC-7
    Cutting egress by default blocks simple exfiltration.

Enterprise

Enterprise standard
  • Resource quotas (CPU, memory, time).
    NIST 800-53 SC-5
    Bounding resources contains abuse and runaway loops.
  • Ephemeral, read-only filesystems.
    NIST 800-53 SI-14
    Non-persistence wipes state between runs.
  • Tool input/output validation.
    NIST 800-53 SI-10 · OWASP LLM05:2025
    Tool input and output are treated as untrusted.

Advanced

High-assurance / regulated
  • Just-in-time privilege allocation per run.
    NIST 800-53 AC-6
    Rights exist only for the duration of the call.
  • Behavioral detection inside the sandbox.
    NIST 800-53 SI-4
    Anomalous execution behavior is blocked in real time.
  • Execution policies as code, tested.
    NIST 800-53 CM-3
    Execution bounds are versioned and verified.

Architecture notes

  • Cut egress by default.
    Most exfiltration goes through a mundane outbound connection.
    Allow only strictly necessary destinations, on an allow-list.
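The Foundation and Enterprise controls above, together with the egress allow-list note, expressed as a testable policy-as-code check in the spirit of the Advanced tier. This is an added example, not code from this page or from any of the listed sandboxes; the launch-spec field names and the allow-list are constructed for illustration.

```python
"""Policy-as-code check for an agent tool sandbox launch spec.

The spec format and field names are constructed for this example; adapt the
checks to whatever your sandbox runner (gVisor, Firecracker, rootless
containers, ...) actually consumes.
"""

# Constructed allow-list: the only outbound destinations a tool run may reach.
EGRESS_ALLOW = {"api.internal.example"}


def check_sandbox(spec: dict, allow: set = EGRESS_ALLOW) -> list:
    """Return the controls a launch spec violates (empty list = compliant)."""
    f = []
    # Foundation tier: isolation, least privilege, default-deny egress
    if not spec.get("isolated", False):
        f.append("SC-39: run inside a container/sandbox, not on the host")
    if spec.get("uid", 0) == 0:
        f.append("AC-6: runs as root; use an unprivileged uid")
    if spec.get("capabilities"):
        f.append("AC-6: drop capabilities " + ",".join(sorted(spec["capabilities"])))
    egress = set(spec.get("egress", ["*"]))  # missing egress = unrestricted
    if "*" in egress:
        f.append("AC-4/SC-7: unrestricted egress; default-deny outbound")
    for dest in sorted(egress - allow - {"*"}):
        f.append("AC-4/SC-7: egress to %s is not on the allow-list" % dest)
    # Enterprise tier: quotas and non-persistence
    for key, ctl in (("cpus", "SC-5"), ("memory_mb", "SC-5"), ("timeout_s", "SC-5")):
        if not spec.get(key):
            f.append("%s: no %s quota set" % (ctl, key))
    if not spec.get("rootfs_readonly", False):
        f.append("SI-14: root filesystem is writable; mount it read-only")
    if spec.get("persist_state", True):
        f.append("SI-14: state persists between runs; use ephemeral storage")
    return f


# Constructed specs: a typical unhardened run beside its corrected form.
WEAK = {"isolated": True, "uid": 0, "capabilities": ["NET_ADMIN"],
        "egress": ["*"], "rootfs_readonly": False}
HARDENED = {"isolated": True, "uid": 65534, "capabilities": [],
            "egress": ["api.internal.example"], "cpus": 1, "memory_mb": 512,
            "timeout_s": 60, "rootfs_readonly": True, "persist_state": False}

if __name__ == "__main__":
    for name, spec in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_sandbox(spec) or "compliant")
```

Run it as a gate in CI before a runner is allowed to launch tools, so that a spec drifting back to root or open egress fails the pipeline rather than reaching production.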

References

NIST SP 800-53 Rev5
SC-39 (Process Isolation), SC-7 (Boundary), AC-6, AC-4, SC-5, SI-14 (Non-Persistence), SI-10.
OWASP LLM05 / LLM06:2025
Improper Output Handling and Excessive Agency contained at execution.

Abbreviations

PDP: Policy Decision Point
PEP: Policy Enforcement Point
PIP: Policy Information Point
PAP: Policy Administration Point
IdP: Identity Provider
TSS: Token Service
NHI: Non-Human Identity
RBAC: Role-Based Access Control
ABAC: Attribute-Based Access Control
MFA: Multi-Factor Authentication
HITL: Human-in-the-loop
JIT: Just-In-Time
CAE: Continuous Access Evaluation
CAEP: Continuous Access Evaluation Profile
DPoP: Demonstrating Proof-of-Possession
mTLS: mutual TLS
PII: Personally Identifiable Information
KMS: Key Management Service
CI/CD: Continuous Integration / Continuous Delivery
SIEM: Security Information and Event Management
SOAR: Security Orchestration, Automation and Response
SCIM: System for Cross-domain Identity Management
XACML: eXtensible Access Control Markup Language
OPA: Open Policy Agent
OWASP: Open Worldwide Application Security Project
NIST: National Institute of Standards and Technology
ATLAS: Adversarial Threat Landscape for Artificial-Intelligence Systems
LLM: Large Language Model
WAF: Web Application Firewall
CDN: Content Delivery Network
DDoS: Distributed Denial of Service
DLP: Data Loss Prevention
JWT: JSON Web Token
API: Application Programming Interface
CRS: Core Rule Set (OWASP)
RAG: Retrieval-Augmented Generation
MCP: Model Context Protocol
PBAC: Permission-Based Access Control
HSM: Hardware Security Module
UEBA: User and Entity Behavior Analytics
SBOM: Software Bill of Materials
SLSA: Supply-chain Levels for Software Artifacts
WORM: Write Once, Read Many
SPIFFE: Secure Production Identity Framework For Everyone