The Control Plane Is Leaving the Container: Network and Identity as the New Agent Sandbox

Thiago Victorino

For two years the containment conversation has been about boxes. How thick are the walls, how fast does the box boot, how do you stop the process inside from breaking out. We catalogued that work in the four-floor containment stack, and we traced how a sandbox can leak through a feature it was designed to expose in the intended-escape essay. Two conference talks in June 2026 reframe the whole effort. The most interesting boundary is no longer the wall of the box. It is the wire leaving it.

Remy Guercio of Tailscale opened his AI Engineer talk with a deceptively simple question: what if the network was the sandbox? Mukil Loganathan of LangChain answered an adjacent one from the runtime side: how do you run untrusted agent code at all when the threats are escaping the boxes you trust? Put the two talks together and a pattern falls out that neither names directly. Sandboxing has been quietly conflating two separate problems, and the fix is to pull them apart.

Two Problems Wearing One Name

When a team says “we sandboxed the agent,” they usually mean two things at once.

The first is execution isolation: the agent’s process cannot read the host filesystem, cannot touch another tenant’s memory, cannot escalate to the kernel. This is the gVisor, Firecracker, microVM work. It is mature, and the talks confirm it is also under sustained attack.

The second is access control: the agent should not be able to reach the production database, exfiltrate the API key, or call an endpoint outside its task. Teams have historically solved this inside the box too, by injecting scoped credentials, hoping the agent does not log them, and praying nothing reads /proc/self/environ.

Those two problems have different shapes. Isolation is about what the process can touch locally. Access control is about what the process can reach remotely. Folding them into one “sandbox” word is why the intended-feature escape keeps happening: you harden the walls, then hand the agent a working key and a network path, and the key walks out through a door you built on purpose.

Aperture: A Credential the Agent Cannot Steal

Tailscale’s answer, per Guercio’s talk, is Aperture. The framing is to stop trying to keep the secret safe inside the box and instead make sure the box never holds a secret worth stealing.

In the demo, the agent runs in what Guercio calls “API key mode,” and the API key is set to a literal dash. A single character. There is nothing to exfiltrate, because the value the agent holds is meaningless. The real credential lives at the network layer. When the agent makes a call, the request leaves the container, hits Aperture, and Aperture attaches the actual identity and authorization on the way out. The agent presents intent. The network presents identity.

This inverts the threat model. Prompt injection that convinces the agent to print its environment variables now leaks a dash. A supply-chain package that scrapes the runtime for tokens, the kind of attack the recent “sci-holude” credential-exfiltration package demonstrated, finds nothing because the token was never there. You have not made the secret harder to steal. You removed it from the place the attacker can reach.

The second claim from the talk is the one that should change how platform teams think. Because every call has to traverse one chokepoint to acquire identity, that chokepoint sees everything. Guercio put it plainly: “I have a guarantee I’ve seen every tool call this thing ever made, not from inside the container.” That last clause is the whole point. Observability that lives inside the box can be disabled, bypassed, or escaped by the same vulnerability that breaks isolation. Observability that lives on the wire cannot be turned off by the thing being watched.

And once the wire is watched, the data surprises you. Tailscale’s own traffic, Guercio noted, shows that bash dominates structured and MCP tool calls once you can actually see what agents do. The clean, typed, schema-validated tool interface is not where the action is. The action is in shelling out. You only learn that by instrumenting the network, because the agent will not tell you.

LangSmith Sandboxes: Isolation as a Primitive, Auth as a Sidecar

Loganathan’s talk comes at the same split from the execution side, and lands on the same architecture without naming it as a trend.

LangSmith Sandboxes are built to run untrusted agent code, and the threat backdrop he walks through is sobering: the n8n sandbox escape, a prompt-injection escape from a Google AI browser, a 700-byte container escape that reaches the host kernel, the sci-holude credential-exfiltration package. The premise is that the code is hostile and the isolation will eventually be tested for real.

So the isolation is taken seriously as its own primitive. Per the talk, spin-up clocks in at a P50 of 0.98 seconds, the platform runs thousands of concurrent microVMs, and each one supports snapshot, restore, and fork. That is execution isolation treated as a fast, disposable resource rather than a heavyweight setup.

The detail that matters for our argument is smaller and easier to miss. LangSmith runs an auth-proxy that keeps credentials out of the runtime. Same move as Aperture, different vendor, arrived at independently. The microVM handles “what can this process touch locally.” The auth-proxy handles “what can this process reach remotely, and with whose authority.” Two problems, two mechanisms, pulled apart on purpose.
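The following Python sketch is an added illustration of the split described in the Aperture section above and in this paragraph; it is not code from Tailscale's Aperture or from LangChain's auth-proxy, both of which are only described in the talks. The sandbox side holds a dash, the chokepoint outside it maps the sandbox's network identity to a real token, enforces a per-agent destination allowlist, attaches the token on the way out, and records every call whether it was allowed or not. The agent name, overlay addresses, hostnames and token strings are constructed sample values, and the lookup of identity by source address stands in for whatever the real network layer provides (mTLS, overlay-node identity); nothing the agent sends is trusted for identity.

```python
"""Toy outbound auth chokepoint (added example, not any vendor's code).

The agent runtime never holds a usable credential; the proxy, which lives
outside the sandbox, attaches one at call time and audits every call.
All identities, addresses, hosts and tokens are constructed sample values.
"""
from __future__ import annotations

import time
from dataclasses import dataclass, field
from urllib.parse import urlparse

PLACEHOLDER = "-"  # the only "key" the agent ever holds


@dataclass
class Request:
    url: str
    headers: dict[str, str] = field(default_factory=dict)


@dataclass
class AuditRecord:
    agent: str
    host: str
    allowed: bool
    reason: str
    ts: float


class AuthProxy:
    """Outbound chokepoint. Tokens exist only on this side of the wire."""

    def __init__(self) -> None:
        # Sandbox network identity (constructed overlay address) -> agent name.
        # Assumption: this mapping is supplied by the network layer, never by
        # anything the agent puts in its request.
        self._identity_by_addr: dict[str, str] = {}
        # Per-agent policy: allowed destination host -> real credential.
        self._policy: dict[str, dict[str, str]] = {}
        self.audit: list[AuditRecord] = []

    def register(self, addr: str, agent: str, grants: dict[str, str]) -> None:
        self._identity_by_addr[addr] = agent
        self._policy[agent] = grants

    def forward(self, src_addr: str, req: Request) -> Request | None:
        """Return the request as it would leave the proxy, or None if denied."""
        host = urlparse(req.url).hostname or ""
        agent = self._identity_by_addr.get(src_addr)
        if agent is None:
            self._log("<unknown>", host, False, "unregistered source address")
            return None
        token = self._policy[agent].get(host)
        if token is None:
            self._log(agent, host, False, "destination not in allowlist")
            return None
        # Drop whatever Authorization the agent sent ("-" normally, or a
        # forged value if the runtime is hostile) and attach the real identity.
        out = Request(req.url, {k: v for k, v in req.headers.items()
                                if k.lower() != "authorization"})
        out.headers["Authorization"] = f"Bearer {token}"
        self._log(agent, host, True, "ok")
        return out

    def _log(self, agent: str, host: str, allowed: bool, reason: str) -> None:
        self.audit.append(AuditRecord(agent, host, allowed, reason, time.time()))


def agent_call(url: str) -> Request:
    """The agent's side: present intent plus the placeholder credential."""
    return Request(url, {"Authorization": f"Bearer {PLACEHOLDER}"})


def exfil_surface(env: dict[str, str]) -> list[str]:
    """What an environment dump yields: credential-shaped variables whose
    value is not the placeholder. Answers 'what would the attacker walk
    away with' for a given runtime."""
    return [v for k, v in env.items()
            if k.upper().endswith(("_KEY", "_TOKEN", "_PASSWORD", "_SECRET"))
            and v != PLACEHOLDER]


def demo() -> dict:
    proxy = AuthProxy()
    proxy.register("100.64.0.7", "billing-agent",
                   {"api.llm.invalid": "sk-REAL-constructed-token"})
    api = "https://api.llm.invalid/v1/chat"
    results = {
        "allowed": proxy.forward("100.64.0.7", agent_call(api)),
        "denied_host": proxy.forward("100.64.0.7",
                                     agent_call("https://db.prod.invalid/dump")),
        "unknown_src": proxy.forward("100.64.0.99", agent_call(api)),
        # A hostile runtime forging its own header gains nothing: stripped.
        "forged": proxy.forward("100.64.0.7",
                                Request(api, {"Authorization": "Bearer stolen"})),
        # Credential-in-env model vs placeholder model, seen from a compromised box.
        "legacy_leak": exfil_surface({"LLM_API_KEY": "sk-REAL-constructed-token",
                                      "HOME": "/root"}),
        "placeholder_leak": exfil_surface({"LLM_API_KEY": PLACEHOLDER,
                                           "HOME": "/root"}),
        "audit": proxy.audit,
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The audit list is the observability claim in code form: every call, allowed or denied, is recorded by the proxy and not by anything running inside the sandbox, so a compromised runtime can neither suppress the record nor mint a working token by editing its own headers.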

This Is a New Layer, Not Another Vendor

It would be easy to file Aperture and the LangSmith auth-proxy under the convergence we have already tracked, one more pair of names in the same crowded market. That reading misses what changed.

The earlier framing named identity as one of four containment surfaces, a floor among floors. What these two talks show is identity climbing out of the rack and becoming the control plane for all of it. When access control moves to the network, the same chokepoint that issues identity also enforces authorization and records observability. Containment and audit stop being separate systems you have to keep in sync. They collapse into one control point that every call must cross.

This also closes the question the intended-escape essay left open. If a sandbox can leak through a feature it was built to expose, hardening the walls cannot save you, because the leak is a door, not a crack. Moving the credential off the agent answers it directly. The door can still open. There is just nothing valuable on the other side of it to carry out. We argued in the trust-architecture piece that you design for the agent you cannot fully trust; a dash-valued key is what that looks like in production.

Do This Now

Pick one agent running in production. Ask a single question: if its runtime were fully compromised right now, what credential would the attacker walk away with? If the honest answer is a real database password, a real cloud token, or a real API key sitting in an environment variable, your access control still lives inside the box, and the box is the thing under attack.

The move is not to buy a bigger box. Put a chokepoint on the wire. Let the agent hold a placeholder, let the network attach identity at call time, and route every tool, LLM, and bash call through that one point. You get containment and a complete audit trail from the same mechanism, and you get them in the one place the agent cannot reach to disable. Start with the agent whose blast radius scares you most.

These are conference talks, not published benchmarks, so treat the spin-up numbers and the bash-dominance figure as what the speakers reported in their demos. The architecture, though, does not depend on the numbers. It depends on a question worth asking on Monday: is your access control inside the box you are trying to contain, or on the wire leaving it?


This analysis synthesizes What if the network was the sandbox? (Tailscale, June 2026) and Run Untrusted Agent Code with LangSmith Sandboxes (LangChain, June 2026).


All articles on The Thinking Wire are written with the assistance of Anthropic's Opus LLM. Each piece goes through multi-agent research to verify facts and surface contradictions, followed by human review and approval before publication. If you find any inaccurate information or wish to contact our editorial team, please reach out at editorial@victorinollc.com.
