
Give the agent its own VM

Leif

The boundary is in the wrong place

Most people draw their AI boundaries around the model. They decide what it is allowed to touch, what commands it can run, which files stay off limits. Then they sit over its shoulder and approve each step. I do the opposite. I draw my boundary around where the agent runs, not what it is allowed to do.

The danger people are worried about is real. An agent with access to your .env, your database credentials, or anything that reaches production can do damage that is hard to undo. I am not arguing the risk away. I am saying the short leash is the wrong response to it. Keeping an agent half-crippled so it cannot hurt you also keeps it from doing the work you wanted it to do. You end up with a tool that needs babysitting, which is a tool that costs you more than it saves.

The better answer is to give the agent a place where being dangerous is fine.

Give it somewhere safe to be dangerous

Hand the agent its own account and its own VM. Once it lives there, it stops being a process you supervise and becomes a developer with the run of the place. It can read every file, write anywhere, install what it needs, break things, and fix them. Inside that box, full autonomy is the point. There is nothing in there that is not already meant for it.

This is where the freedom comes from. Not from watching it closely, but from isolating it so well that you do not have to. A sandbox with a real boundary around it lets you stop hovering, because the blast radius is already drawn. I have built autonomous agents this way, and the ones with the most room to move are the ones I trust the most, because I know exactly how far they can reach.

The mental shift is small but it changes everything. You are not asking "what should I forbid." You are asking "what space can I fully give away."

The hard part is the line, not the permissions

Permissions are easy. You can set those in an afternoon. The hard part is deciding what belongs to you and what belongs to the agent, and that line is genuinely difficult to draw, because most of the time everything is your stuff.

Your code is yours. Your credentials are yours. Your data is yours. A clean sandbox is a fresh VM with nothing in it, but a useful sandbox needs some slice of your world to work on, and every slice you hand over is a decision about what you are willing to expose. Give it a throwaway database, not the real one. Give it a scoped token, not the master key. Give it a checkout of the repo, not push rights to main. Each of those is a small act of separating mine from its, and there is no clever trick that does it for you. You have to think about each boundary and own the call.
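A local stand-in for the last of those three lines, "a checkout of the repo, not push rights to main", added here as an example and not taken from the post. It builds a bare origin seeded by the owner, installs a pre-receive hook that refuses any update to refs/heads/main (the role a branch-protection rule plays on a real forge), then clones it as the agent and shows that the agent can publish its own branch but cannot land anything on main. The paths WORK, ORIGIN, OWNER and AGENT and the branch name agent/work are assumptions for the demo; everything else is stock git.

```shell
#!/bin/sh
# Added example, not code from the post. Local stand-in for "give it a checkout
# of the repo, not push rights to main": a bare origin with a pre-receive hook
# that refuses updates to refs/heads/main, and an agent clone that can fetch and
# push its own branches but cannot land anything on main. The paths (WORK,
# ORIGIN, OWNER, AGENT) and the branch name agent/work are assumptions.
set -eu

# Commit identity so the demo runs on a machine with no git config at all.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

setup_sandbox() {
    WORK=$(mktemp -d)
    ORIGIN="$WORK/origin.git"
    OWNER="$WORK/owner"
    AGENT="$WORK/agent-checkout"

    # Owner's side: a bare origin seeded with one commit on main.
    git init -q --bare "$ORIGIN"
    git --git-dir="$ORIGIN" symbolic-ref HEAD refs/heads/main
    git init -q "$OWNER"
    git -C "$OWNER" symbolic-ref HEAD refs/heads/main
    echo "hello" > "$OWNER/README"
    git -C "$OWNER" add README
    git -C "$OWNER" commit -q -m "seed"
    git -C "$OWNER" push -q "$ORIGIN" main

    # The line: main belongs to the owner. On a real forge this is a branch
    # protection rule; here a pre-receive hook on the origin plays that role.
    # It is installed after seeding so the owner's push above is not caught by it.
    cat > "$ORIGIN/hooks/pre-receive" <<'EOF'
#!/bin/sh
# receive-pack feeds one "<oldrev> <newrev> <refname>" line per ref being updated.
while read -r oldrev newrev refname; do
    case "$refname" in
        refs/heads/main)
            echo "rejected: $refname belongs to the owner, not the agent" >&2
            exit 1 ;;
    esac
done
exit 0
EOF
    chmod +x "$ORIGIN/hooks/pre-receive"

    # Agent's side: a plain clone. Inside it, anything goes.
    git clone -q "$ORIGIN" "$AGENT"
    git -C "$AGENT" checkout -q -b agent/work
    echo "agent was here" > "$AGENT/NOTES"
    git -C "$AGENT" add NOTES
    git -C "$AGENT" commit -q -m "agent: add notes"
}

# Exit 0: the agent may publish its own branch to origin.
agent_push_branch() {
    git -C "$AGENT" push -q origin agent/work 2>/dev/null
}

# Exit non-zero: the hook refuses the update to main, even though it would be
# a fast-forward and would succeed without the hook.
agent_push_main() {
    git -C "$AGENT" push -q origin agent/work:main 2>/dev/null
}

# Exit 0: main on origin still points at the owner's seed commit.
main_untouched() {
    [ "$(git --git-dir="$ORIGIN" rev-parse main)" = "$(git -C "$OWNER" rev-parse main)" ]
}

setup_sandbox
agent_push_branch && echo "agent branch published to origin"
if agent_push_main; then
    echo "BUG: agent landed a commit on main" >&2
else
    echo "push to main rejected by the origin's hook"
fi
main_untouched && echo "main still points at the owner's commit"
```

The same shape carries over to the other two lines in the paragraph: the agent gets a handle that works fully inside its space (a branch it can push, a database it can drop, a token scoped to that project) and the refusal lives on the other side of the boundary, where the agent cannot edit it. Note that the hook sits in the origin, not in the agent's clone; a hook inside the clone would be the agent's to remove.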

That is the work. The VM is the easy half. The line is the part that takes judgment.

And when the agent finishes, whatever comes out of that sandbox still lands in front of me. It ran free, but I own and review what ships. The isolation buys the agent its autonomy. It does not transfer the ownership.
