惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Microsoft Azure Blog
Microsoft Azure Blog
V
V2EX
博客园 - 【当耐特】
WordPress大学
WordPress大学
爱范儿
爱范儿
美团技术团队
宝玉的分享
宝玉的分享
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
小众软件
小众软件
量子位
Hugging Face - Blog
Hugging Face - Blog
B
Blog RSS Feed
Recorded Future
Recorded Future
Engineering at Meta
Engineering at Meta
雷峰网
雷峰网
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
M
MIT News - Artificial intelligence
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园 - 聂微东
H
Hackread – Cybersecurity News, Data Breaches, AI and More
腾讯CDC
大猫的无限游戏
大猫的无限游戏
Jina AI
Jina AI
博客园 - 叶小钗
GbyAI
GbyAI
Y
Y Combinator Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
F
Full Disclosure
G
Google Developers Blog
D
Docker
T
Tailwind CSS Blog
C
Check Point Blog
Last Week in AI
Last Week in AI
人人都是产品经理
人人都是产品经理
T
The Blog of Author Tim Ferriss
B
Blog
博客园 - 三生石上(FineUI控件)
博客园 - Franky
H
Help Net Security
MyScale Blog
MyScale Blog
U
Unit 42
D
DataBreaches.Net
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
I
InfoQ
阮一峰的网络日志
阮一峰的网络日志
The GitHub Blog
The GitHub Blog
L
LangChain Blog
有赞技术团队
有赞技术团队
Martin Fowler
Martin Fowler
Microsoft Security Blog
Microsoft Security Blog

Hacker News - Newest: "AI"

AI can't read an investor deck AI as an attorney? Student uses ChatGPT, Gemini to sue UW over alleged racial discrimination Hacking MCP Servers in AI Systems – The Rug Pull: Tool Changes After Approval GitHub - MeepCastana/KubeezCut: Free Web based video editor GitHub - GenAI-Gurus/awesome-eu-ai-act: Curated tools, official sources, OSS, templates, and guides for EU AI Act compliance. Can AI judge journalism? A Thiel-backed startup says yes, even if it risks chilling whistleblowers Coming soon: 10 Things That Matter in AI Right Now DARPA built an AI to fact-check enemy weapons claims What explains heterogeneity in AI adoption? When AI Meets Muscle: Context-Aware Electrical Stimulation Promises a New Way to Guide Human Movements - Department of Computer Science AI Changed How We Build. It Did Not Change What Matters. Linux rules on using AI-generated code - Copilot is OK, but humans must take 'full responsibility for the… Meta spins up AI version of Mark Zuckerberg to engage with employees Code Mode: Let Your AI Write Programs, Not Just Call Tools | TanStack Blog GitHub - Delavalom/graft: Go framework for building AI agents. Type-safe tools, multi-provider (OpenAI, Anthropic, Gemini, Bedrock), zero vendor SDKs. India's TCS tops estimates, says new AI models did not dent services demand Gen Z's fading AI hype Strong feeling: we are in a folded AI reality GitHub - machinarii/total-recall-catalog: A reference catalog of latest knowledge retrieval, memory & RAG systems GitHub - mensfeld/code-on-incus: Give each AI agent its own isolated machine with root, Docker, and systemd. Active defense detects and stops threats automatically.. Quantization, LoRA, and the 8% Problem: Benchmarking Local LLMs for Production AI Iran war: We spoke to the man making Lego-style AI videos that experts say are powerful propaganda Powell, Bessent discussed Anthropic's Mythos AI cyber threat with major U.S. banks GitHub - immartian/bellamem: Persistent belief-graph memory for AI agents. Retrieves decisive context by importance — not recency, not RAG, not /compact. recursive-mode: The Repo-Native Operating System for AI Engineering After the attack on Sam Altman's home, will AI CEO's go on the offensive? The biggest advance in AI since the LLM Opus 4.6 vs GPT 5.4 One Prompt Unity World Generation Test “AI polls” are fake polls Client Challenge Can AI be a 'child of God'? Inside Anthropic's meeting with Christian leaders How to Switch AI Chatbots and Why You Might Want To GitHub - MattMessinger1/agentic_refund_guardrail: Safe refund policy layer for AI agents — Python + TypeScript. Same behavior, shared tests. Adam/papers/emergent_values_whitepaper.md at master · strangeadvancedmarketing/Adam Ask HN: How do you stop playing 20 questions with your AI coding tools How far can automation and AI support psychotherapy? - @theU GitHub - stagas/rtdiff: realtime git diff gui and AI-assisted commits A Mac Studio for Local AI — 6 Months Later A History of the Early Years of AI at the University of Edinburgh Why AI Coding Tools Still Feel Stuck on Localhost MSN AI Datacenters Are Becoming Strategic Targets twitter.com Penn Researchers Use AI to Surface Unreported GLP-1 Side Effects in Reddit Posts Show HN: MoodSense AI (ML and FastAPI and Gradio, Deployed on Hugging Face) Moodsense Ai - a Hugging Face Space by aman179102 AI models are terrible at betting on soccer—especially xAI Grok GitHub - xialeistudio/echoic GitHub - HimashaHerath/github-dev-wrapped: AI-powered weekly GitHub activity reports deployed to GitHub Pages GitHub - alejandrobalderas/claude-code-from-source: Architecture, patterns & internals of Anthropic's AI coding agent — reverse-engineered from source maps AI and Tech brief: Ireland ascendant GitHub - Titovilal/context0: Context0 - Never Surrender Training for a Marathon with an AI Coach: What Worked and What Didn't Cyber Pulse: Agentic Intel - Apps on Google Play I Built an AI PR Reviewer That Catches Bugs by Not Looking for Bugs Gen Z workers are so fearful AI will take their job they’re intentionally sabotaging their company’s AI rollout | Fortune How AI Is Reimagining the Game of Golf–For Both Players and Courses GitHub - nattergabriel/reseed: A CLI tool for managing and distributing agent skills across projects Is SVG the final frontier? My AI workflow evolved from prompts to a near-autonomous workflow MLSharp Help - 3DGS Viewer & Generator I put my cognitive field based AI's runtime on GitHub Is Numble the first AI-proof game? A3: Kubernetes for autonomous AI agent fleets | Emergent Principles Deepali Vyas ("The Elite Recruiter") GitHub - msmarkgu/RelayFreeLLM: A restful API designed to route user prompts to various AI model providers. Unionized ProPublica staff are on strike over AI, layoffs, and wages Unleashing the Advantage of Quantum AI We're heading for an AI-fueled 'dementia crisis,' brain scientist warns The AI-Assisted Breach of Mexico's Government Infrastructure [pdf] GitHub - stef41/lmscan: 🔍 Detect AI-generated text and fingerprint which LLM wrote it. Open-source GPTZero alternative. Zero dependencies, works offline. MSN GitHub - visionscaper/collabmem: Enabling long-term collaboration with Agentic AI - building up episodic and world model memory over time with in-context awareness We gave an AI a 3 year retail lease in SF and asked it to make a profit | Andon Labs AI Code is Hollowing Out Open Source, and Maintainers are Looking the Other Way What leaked "SteamGPT" files could mean for the PC gaming platform's use of AI AI is the boss at this retail store. What could go wrong? GitHub - Wuzu11517/agentic-proxy: Local proxy meant to help reduce With Drones, Geophysics and ArtificiaI Intelligence, Researchers Prepare to Do Battle Against Land Mines A Single Operator, Two AI Platforms, Nine Government Agencies: The Full Technical Report 在 Steam 上购买 FriedrichAI: Offline AI 立省 10% GitHub - inevolin/resume-cli: Hit Claude usage limits? Resume any AI coding session elsewhere. Switch tools at zero friction. GitHub - atripati/ark: AI Runtime Kernel — a context operating system for AI agents. Eliminates tool bloat, loads only what’s needed, and gives LLMs their reasoning space back. How to Build a Secure AI PR Reviewer with Claude, GitHub Actions, and JavaScript This Startup Wants You to Pay Up to Talk With AI Versions of Human Experts Intel Arc Pro B70 Brings 32GB VRAM to Local AI for $949 WordPress 7.0: The Good, the AI, and the Still Missing AI on the couch: Anthropic gives Claude 20 hours of psychiatry IatroBench: Pre-Registered Evidence of Iatrogenic Harm from AI Safety Measures AI Agents Know About Supabase. They Don't Always Use It Right. The history and future of AI at Google, with Sundar Pichai Inside an AI‑enabled device code phishing campaign How Meta Used AI to Map Tribal Knowledge in Large-Scale Data Pipelines AI for Systems: Using LLMs to Optimize Database Query Execution Forecasting the Economic Effects of AI Introducing Tinker: Play with AI, bring your ideas to life AI sheds light on an ancient gaming mystery People really hate AI but not as much as Iran—or Democrats | Fortune What is an AI Product Engineer? Phoebe Gates wants her $185 million AI startup to succeed with 'no ties to my privilege or my last name': 'I have a chip on my shoulder' | Fortune
Sandboxing AIOps and Agentic AI Security
mendyberger · 2026-05-08 · via Hacker News - Newest: "AI"

Sandboxing AIOps and Agentic AI Security

When people talk about AI sandboxes today, they usually mean:

  • seccomp, seatbelt, or bubblewrap
  • containers built from namespace mappings, cgroups, and allowlists
  • hand-tuned profiles bolted onto the existing OS
  • some assemblage of the above

These are all useful tools. But none of them were built for agentic AI security, and every single one of them inherits the same original sin: ambient authority.

You might be familiar with that term from Mark Miller's work on capability security. It's become particularly important in our new AI-inflected security era, because it describes the default condition of every modern runtime.

A given process inherits whatever permissions its execution environment happens to provide, which might include filesystem access, network egress, the developer's git credential, an AWS API key sitting in an environment variable, the identity of the user who launched the shell...

The list goes on.

No one intentionally granted that authority, and the process never asked for it. It is simply there.

ambient authority

When the process in question is a deterministic, human-authored binary, ambient authority is (arguably, sometimes) a risk that you can manage with audits and reviews. But today, developers are using AI tools like agents and LLM CLIs on their workstations, and these processes inherit the developers’ identity, capabilities, authority, and context. When you put agents and non-deterministic workflows in the mix, ambient authority creates an intolerable attack surface.

The problem here is an entire paradigm that violates the principle of least authority: the notion that every process should hold the minimum authority required to do its job, and nothing more. Modern runtimes turn that principle on its head, making authority the default and restriction the exception.

Conventional sandboxing security stacks try to whittle the attack surface down. You map the LLM into a constrained namespace. You give it network isolation through bubblewrap. You write allowlists for which sockets it can open and which hosts it can reach. You run it as a different Linux user.

Now you spend your time playing whack-a-mole: a new exfiltration path opens up and you patch it; a new credential vector appears and you patch that too. You spend just as much time maintaining and patching the long tail of containerized dependencies in your distribution, even if they are not formal requirements of your use case.

An engineer I spoke with recently calls this the cartographer's dilemma. The reference is to a commission to map a region perfectly, every line and boundary precisely traced. The work is impossible. The territory keeps moving, and the lines are never quite right. That is the trap of any allow-by-default control system layered onto a runtime that grants authority by default. You are mapping a coastline that keeps shifting, and the LLM is happy to walk along it until it finds an unmapped cove.

AI agent security from first principles

The alternative is to start from zero authority and add capabilities only where they are explicitly granted.

This is what WebAssembly and WASI give you out of the box. A Wasm component begins with no filesystem, no network, no system calls, no environment variables, and no visibility into the host. Any capability it possesses must be declared as a typed import in the component's interface, and the host manages the capability grant.

component imports and exports

This is Miller's object-capability model expressed as a runtime: the reference is the permission, and a component that holds no reference can reach no resource.

In plain language: a Wasm component has exactly the authority it needs to do its job, and nothing else. The principle of least authority becomes a runtime guarantee.

For AI agent access control, there are two critical implications.

First, capability grants can be virtualized. When you give a Wasm component a filesystem capability, you are not handing it /etc and walking away. You are handing it an interface, and the host backs that interface with whatever it wants to back it with: a real directory, an in-memory tmpfs, a per-session blob store, or a synthetic view assembled from a database.

The component cannot tell the difference. It cannot escape the abstraction. This is what makes filesystem isolation in a Wasm sandbox fundamentally different from a chroot or a bind mount. The boundary is a typed interface rather than a path on disk.

Second, capability grants compose. A component does not import "the network." It imports wasi:http with the specific shape of HTTP traffic it is allowed to handle. It imports wasi:keyvalue with a specific bucket. Every capability is named, scoped, and reviewable. There is nothing ambient. There is nothing inherited. There is only what was passed in.

That is the substrate. Now we can talk about what runs on top of it.

AIOps and authorship of intent

Engineers working with LLMs are becoming authors of intent.

While they may no longer write the code, they are still accountable for the outcomes of what their software does: correctness, security, cost, maintainability. The shape of the work has changed, but the contract has not.

What is missing is an operational framework that captures that intent, plans against it, executes within bounds you can describe in advance, and produces an audit trail that closes the loop back to the original ask.

That framework is what I am calling AIOps. AIOps is the operational substrate for governing autonomous coding work end-to-end. Better IDEs and better agentic harnesses live inside it. The framework is broader than either, and it has a shape:

AIOps pipeline

Intent capture

Work begins from a GitHub issue, a Slack message, an email, or some other trigger. The original expression of intent is the artifact you plan against, and it is the artifact you eventually compare results back to.

Classification and plan extraction

A component reads the intent and produces a structured plan: what the steps are, what each step needs to touch, and what would constitute success. The plan is reviewable before any model runs against it.

Policy-based scheduling

Each step in the plan gets routed to the right model based on cost, security posture, resilience, and performance. A cheap step does not need a frontier model. A sensitive step does not run against a vendor your policy excludes. The router is model-agnostic by design, so the matching is a policy decision rather than a vendor lock-in.

Bounded execution

Every step runs in a Wasm sandbox with a capability grant scoped to that step. The component for a step that reads from a database has a database capability and nothing else. The component for a step that writes a file has a filesystem capability scoped to a per-session directory and nothing else. The principle of least authority is enforced by the runtime.

Validation and iteration

This is a loop, never a one-shot. Outputs are checked against the plan. Failures route back through the loop with the context of what went wrong. The user in the loop reviews the plan and only inspects diffs when the higher-order artifacts already say something is wrong.

Observability and audit

Every model invocation, every capability use, and every state transition produces a structured trace. You are not sending work into the void and hoping it returns. You are running an instrumented pipeline, and the trace is the receipt.

The governance properties fall out of the shape rather than being layered on. A plan that violates policy fails before a model is invoked. A step that tries to reach a capability it was not granted fails at the runtime boundary. A run that costs more than its budget hits a hard limiter. None of this requires after-the-fact monitoring to enforce. It simply requires the runtime to mean what it says. That’s exactly what a Wasm component runtime is designed to do.

Agentic AI security and outputs

The six stages above describe the governance path. But what do the governed agents actually do? Agent outputs tend to fall into one of three shapes, and each shape demands a different grant.

risks and outputs

Producing artifacts

Most coding work ends in some sort of artifact, such as a signed image that could be executed. The artifact will be acted on later, by a different system, under a different identity. The capability grant for this kind of step could be a filesystem scoped to a build output directory, optionally a signing key scoped to a single artifact, or a registry push capability scoped to one package. Nothing about producing a manifest gives a step the right to run that manifest, to push outside its namespace, or to sign anything else.

Acting on existing systems

Some steps cause a side effect in the world. Running a piece of code in a runner. Writing to a database. Calling an API. Mutating a configuration store. The capability shape here is the most varied because the systems being acted on are varied: wasi:http with an egress allow-list and required headers; wasi:keyvalue with a specific bucket and rate limit; a typed RPC handle for an internal service; wasi:filesystem with a per-session path. Each grant is named, scoped, and reviewable before the step runs.

Model calls fall under this category, by the way. A frontier-model API call is an action against an external system, governed the same way any other HTTP egress would be: through a capability scoped to a vendor, a key, and an allow-listed endpoint. The supervisor wrapping that call sees every byte going in and out, and it can redact, log, or refuse. The reason this is worth flagging is that the runtime treats the LLM as one more system to govern. Other models, and other vendors, plug in the same way.

Triggering downstream workflows

Some steps do not produce an artifact and do not act on a system directly. They start more work somewhere else, sending their non-deterministic output to the be input of the next workflow. Kicking off a build pipeline. Routing to another agent. Spawning a subordinate plan. The capability grant is a workflow-trigger handle scoped to a target set, with constraints on rate, depth, and what kinds of intents it can spawn. Recursion is bounded by the runtime: a step cannot spawn unbounded children because the trigger capability says it cannot.

The three shapes cover most of what a coding agent actually does. Laying them out is useful because each shape maps cleanly onto a typed, scoped capability grant in the runtime. An agent never needs generic authority to act in the world. It needs a specific kind of grant for a specific kind of act, and the runtime enforces that distinction at the boundary.

What runs after the agent finishes

The pipeline I've described so far ends with a concrete artifact: a code change, a binary, a deployment manifest, or a service ready to ship.

Once the artifact is out in the world, it works in existing systems. It calls your existing APIs; it reads and writes against your existing databases. But it was not crafted by hand, and we need to be clear-eyed and intentional about what that means. While more and more code is generated by LLMs, do we fully trust the outputs of these workflows?

The author of intent still owns the outcomes of their authorship. Among other things, that means we're responsible for security and behavior under load. And that means we need a sandbox for the artifact itself.

The substrate for the artifact is the same substrate the agent workflow ran on. The artifact runs in the same kind of Wasm sandbox an agent step ran in. It holds capabilities for the systems it is allowed to reach, and nothing else. The principle of least authority that governed the artifact's creation governs the execution too.

In practice, the data center where your agent runs is probably not the data center where the produced artifact runs. The capabilities granted at planning time are not the capabilities granted at runtime. The two phases live on different infrastructure under different identities. What is not siloed is the unit of compute. A WebAssembly component is the unit of compute for an agent's step, for a tool invocation made along the way, and for the final artifact running in production. Same shape. Same boundary. Same audit trail.

AIOps, end to end

With that thread held, the rest of the picture follows.

Most of the gates that matter in an AIOps pipeline are automated rather than manual. The quality attributes that we desire in software are enforced as a part of the process of software construction. Policy is encoded. Capability grants are encoded. Budgets are encoded. The human in the loop approves the encoded version, and from there the pipeline runs without a person holding it open at every step. If user attention is required at a particular gate, this is surfaced as an exception; everything else goes into the audit trail. That is the only way you can run thousands of autonomous workers without governance becoming the bottleneck.

From there, it should be easy to picture how AIOps dovetails with continuous delivery, with AI agent access control at every step.

Imagine a workflow that releases its next version, runs as a canary against live traffic, and watches the metrics. The infrastructure does not make an A/B cut. It performs a percentage-based rollout. If the metrics signal degradation, the rollout halts and rolls back automatically. The result is reported back to the ticket the work originated from, with the audit trail attached.

Every step is reviewable after the fact. Every step is bounded by what the platform was allowed to do. The human in the loop reviewed the intent and the plan, and the audit trail closes the gap on everything else.

That is the kind of process you can achieve with an AIOps cycle. The work consists in wiring intent capture, planning, scheduling, sandboxed execution, and observability into a single pipeline that engineers can drive without leaving the platform in which they author intent.

We are drawing the map

WebAssembly components are OCI artifacts. They distribute through the registries you already operate. They run on a control plane that orchestrates sandboxes the same way Kubernetes orchestrates pods, with the sandbox boundary expressed as a typed capability grant.

We have built that control plane. It is called Cosmonic Control, and it is the operational substrate underneath the AIOps vision described above. You can try it out for free.

Cosmonic Control changes what is possible at the infrastructure layer. Components start in microseconds. There are no cold starts. Components are small enough that a single node can hold thousands of them, so density stops being a tradeoff against isolation. Every component carries its own typed capability boundary, so isolation stops being something you bolt on after the fact. There is no ambient authority anywhere in the system, by construction.

Put together, that is a runtime for ultra-dense, capability-bounded functions running at massive scale. It is what you need if you want to give every prompt, every plan, every pipeline step, and every produced artifact its own private sandbox without paying for a container per request.

It is also what lets you move quickly: spinning up bounded execution for thousands of autonomous workers in parallel, without governance, infrastructure cost, or cold-start latency becoming the bottleneck.

Download the whitepaper

Read our free whitepaper, Securing the Vibe-Coded Enterprise, to learn how Cosmonic Control enables your teams to vibe code at full speed while enforcing deny-by-default execution, the principle of least authority, and zero-trust isolation across every phase of the AI software development life cycle, from prompt to production.

Every existing governance and security control system you already run, from policy bundles to identity to attestation to audit sinks, slots in over the same substrate. Nothing is asked of you that you do not already have a place for. The substrate just stops fighting your controls and starts expressing them.

The componentized world is not a thought experiment. It is the most direct path to AI agent security security and running autonomous coding work safely at scale, and it is the only path I have seen that does not require the cartographer to keep redrawing the map.