Where Secure Agent Workspace Fits#
Table 2: Where Secure Agent Workspace Fits
Need |
Right home |
Why |
|---|---|---|
Day-to-day non-autonomous development |
Local endpoint |
Lowest latency, full editor control, fully offline-capable. |
OSS / public-data work needing wide public-internet reach |
Secure Agent Workspace - public profile |
Intentionally outside the enterprise allowlist; i.e. no access to corpnet. |
Higher-autonomy agentic dev with internal-service dependencies and long sessions |
Secure Agent Workspace - corporate profile |
Approved autonomy substrate; allowlisted internal reach; persistent personal workspace. |
Hosting a service for other users to consume |
Service-hosting platform |
Multi-user serving and productionization concerns. |
The corporate vs public split maps to what’s commonly called the lethal trifecta in agentic AI security: an agent becomes weaponizable when it has all three of (1) access to private data, (2) exposure to untrusted content, and (3) the ability to externally communicate (the exfiltration channel). Each profile defangs the trifecta by removing one leg. The corporate profile bounds external communication (allowlist + broker + human review for writes — no unbrokered exfiltration channel). The public profile removes private data access (intentionally outside the enterprise allowlist; nothing sensitive to exfiltrate). Either way, breaking one leg reduces the exfiltration attack, but does not solve other agent harmful actions such as destructive writes, DoS on internal systems, hallucinations, etc.
Three Timescales of Sandbox Lifecycle#
Different workloads need different sandbox lifetimes. The Secure Agent Workspace pattern accommodates all three with a single architecture:
Table 3: Three Timescales of Sandbox Lifecycle
Timescale |
Home in Secure Agent Workspace |
Example workloads |
|---|---|---|
Long-running (days / weeks) — persistent filesystem, persistent agent state |
The Secure Agent Workspace VM itself |
Always-on personal assistant, long alpha-research loop, multi-day refactor |
Per-session (minutes / hours) — ephemeral filesystem reset between sessions |
OpenShell sandbox inside the VM |
Coding agent run, document-drafting task, triage burst |
Per-command (ms / s) — clean state on each tool call |
OpenShell Drivers per-call ephemeral pod |
High-trust tool execution (untrusted code review, exfil-risky operations), red-team / eval harness |
The user/sponsor, workspace and logical-agent identities — plus the signed-policy and audit pipelines — span all three timescales. Only the short-lived runtime credential is minted fresh per-call, bound back to the same user/sponsor, workspace and local agent registration.