Agents Leave the Sandbox

CISA and NSA Draw the Perimeter

When CISA, NSA, and allied partner agencies released joint guidance on adopting agentic AI systems, they did something unusual for government cybersecurity bodies. They acknowledged a technology category before most enterprises have deployed it at scale. The guidance addresses AI systems that operate with minimal human oversight. Systems that make decisions, take actions, and chain multi-step workflows autonomously.

The timing matters. Government security agencies typically publish guidance reactively, after incidents expose vulnerabilities. Publishing proactive guidance on agentic AI signals an assessment that production deployments are imminent and that the attack surface they create is qualitatively different from traditional software. An agent that can read files, execute code, make API calls, and modify databases does not present the same threat model as a chatbot behind a text box.

The guidance centers on several categories of risk. Privilege escalation, where an agent acquires access beyond its intended scope. Prompt injection, where adversarial inputs redirect agent behavior. Data exfiltration, where an agent with broad read access leaks sensitive information through its outputs. And cascading failure, where one compromised agent in a multi-agent pipeline corrupts downstream decisions without triggering any individual alarm.

None of these risks are theoretical. They are the direct consequences of giving an autonomous system the ability to act on its environment. The CISA/NSA guidance is a formal recognition that the agent sandbox. the isolated testing environment where most agentic AI lives today. is about to break open.

Why the Sandbox Was Always Temporary

A technical essay on agent architecture made the case directly: the agent harness belongs outside the sandbox. The argument is structural. Agents confined to sandboxed environments can demonstrate capability but cannot deliver value. An agent that can write code but cannot commit it, that can draft an email but cannot send it, that can query a database but cannot act on the results. these are demos, not deployments.

Production value requires production access. The harness. the orchestration layer that manages agent execution, tool calls, and state. must operate in the same environment as the systems the agent is meant to affect. That means the harness needs to handle authentication, authorization, audit logging, rate limiting, and rollback in real time. Moving the harness outside the sandbox is the engineering step that converts an agent from a prototype into a production system. It is also the step that creates real risk.

Uber's Data Machine Gambit

Uber announced a plan to convert its driver fleet into real-time data collection infrastructure for self-driving companies. Millions of drivers. Continuous sensor data from cameras, GPS, accelerometers. Mapped to road conditions, traffic patterns, edge cases, and near-miss events in every geography Uber operates.

This is a pivot from platform company to data infrastructure company. Uber's competitive advantage in the autonomous vehicle space was always its rider demand network. Now it is adding a second advantage: the most geographically diverse, continuously updated driving dataset on Earth. Autonomous vehicle agents trained on this data will have exposure to conditions that no simulation environment and no single fleet of test vehicles can replicate.

The strategic implication extends beyond autonomous vehicles. Uber is demonstrating a pattern that will repeat across industries: incumbent companies with large physical footprints converting their existing operations into training data pipelines for autonomous agents. A logistics company can do the same with delivery routes. A hospital network can do it with clinical workflows. A manufacturing company can do it with production line telemetry. The organizations that own the richest operational data will have the most capable domain-specific agents. Data collection at scale becomes agent training infrastructure.

The Agent Infrastructure Layer Goes Global

Google Cloud is competing to control the AI agent infrastructure layer in Thailand, positioning against AWS and Azure for enterprise agent deployments across Southeast Asia. The competition is over who provides the managed runtime for agents. The orchestration, the tool registries, the observability stack, the credential management.

This is the cloud platform play repeating itself for agents. A decade ago, hyperscalers competed over who would run your containers. Now they compete over who will run your agents. The difference is that agents require a richer platform layer. Containers need compute and networking. Agents need compute, networking, tool access, state management, memory, and security boundaries that adapt based on the agent's current task context. The platform that gets this right in one geography can replicate it globally. That is why Google, AWS, and Azure are racing to establish agent platform dominance in high-growth markets before enterprise patterns harden.

Insurers Exit. Specialists Enter.

Major insurers are excluding AI liability from standard policies, creating a coverage vacuum that specialty markets are rushing to fill. This is the insurance industry telling the technology industry, in the clearest possible terms, that it cannot price the risk of autonomous AI systems using existing actuarial models.

The exclusions target the exact scenario the CISA/NSA guidance addresses: AI systems that take actions with real-world consequences. When an agent makes a hiring decision that exhibits self-preferential bias documented in academic research, who bears liability? When a chatbot prioritizes flattery over facts and a user makes a consequential decision based on incorrect information, which policy covers the loss? When an autonomous agent executes a financial transaction based on a hallucinated data point, is that an errors-and-omissions claim, a product liability claim, or something that no existing policy category covers?

Standard commercial general liability policies were written for a world where software does what it is programmed to do. Agents do what they are prompted to do, which is a fundamentally different risk profile. The output is non-deterministic. The behavior varies with context. The failure modes are emergent rather than designed. Insurers cannot write a policy for a system whose behavior they cannot bound.

The specialty market forming to fill this gap will develop pricing models based on agent architecture characteristics. Agents with human-in-the-loop approval gates will carry lower premiums than fully autonomous agents. Agents with comprehensive audit logging will be cheaper to insure than opaque ones. Agents operating in sandboxed environments will cost less to cover than agents with production system access. Insurance pricing will become a forcing function for agent security architecture. Organizations that want affordable coverage will need to build the controls that make their agents insurable.

The Enterprise Revenue Signal

Salesforce began separately reporting AI revenue through its Agentforce Apps and Data 360 categories. Breaking out agent revenue as a distinct line item tells investors, and the market, that agent deployments are generating enough revenue to matter on an earnings call. This is the first major enterprise software company to create dedicated disclosure categories for agent-derived revenue.

When a company the size of Salesforce restructures its financial reporting around agents, it signals that the buyer base has shifted. Enterprises are no longer evaluating agents as an experimental add-on. They are purchasing agent capabilities as a distinct product category with its own budget line, its own ROI expectations, and its own procurement cycle. African board leaders are already budgeting for AI deployment, even as they struggle to translate that budget into measurable results. The gap between spending and outcomes is where agent deployment strategy lives.

Agents Expand Their Domain

Open Design, an open-source framework, demonstrates how coding agents can function as design engines. The framework lets a coding agent generate, iterate, and refine visual designs through natural language instructions. This extends the agent capability frontier from code generation into a creative domain that was previously agent-resistant.

The significance is in the pattern, not the specific application. Every month, agents add a new tool category to their repertoire. Code execution. File system access. API calls. Database queries. Browser automation. And now, visual design manipulation. Each new tool category expands the surface area of what an agent can do in a single workflow without human handoff. An agent that can write code, design the interface, deploy the result, and monitor the outcome is performing a workflow that previously required four specialized humans.

Tech companies paying up to $1 million for communications hires who never write code tells you something about where human value concentrates as agents absorb technical execution. The premium shifts to judgment, stakeholder management, narrative construction. The tasks agents cannot do well. Organizations restructuring their teams around agent capabilities will need to identify which roles are augmented by agents and which are replaced by them. The answer changes every quarter as agent tool access expands.

Apple raised the Mac Mini's starting price to $799 after AI demand drained supply. Developer hardware is now priced as agent infrastructure. The Mac Mini has become a local agent runtime, not a consumer desktop. When hardware pricing shifts because of agent workloads, the category has crossed from experimental to operational.