{"id":8365,"date":"2026-06-03T11:31:14","date_gmt":"2026-06-03T11:31:14","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8365"},"modified":"2026-06-03T11:31:14","modified_gmt":"2026-06-03T11:31:14","slug":"microsoft-wants-to-put-ai-agents-on-a-short-leash","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8365","title":{"rendered":"Microsoft wants to put AI agents on a short leash"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>As enterprises race to adopt AI agents across software development workflows, Microsoft is rolling out new controls aimed at keeping the transformation from becoming a security headache.<\/p>\n<p>At its annual developer conference, Microsoft Build, the company unveiled a set of initiatives, including a brand new runtime containment offering, Microsoft Execution Container (MXC), for agentic AI workloads, and improvements to its recently launched multi-agent vulnerability research system MDASH, among others.<\/p>\n<p>\u201cAI is accelerating development and introducing new issues around insecure code, opaque models, data exposure, and compliance,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/ale%C5%A1-hole%C4%8Dek\/\" target=\"_blank\" rel=\"noopener\">Ale\u0161 Hole\u010dek<\/a>, chief architect at Microsoft Security, said in a blog <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/06\/02\/microsoft-build-2026-securing-code-agents-and-models-across-the-development-lifecycle\/\" target=\"_blank\" rel=\"noopener\">post<\/a>. 
The new tools and capabilities will \u201cgive developers clear guidance in real time, scale with the complexity of tasks, and provide security teams with a consistent view across the full lifecycle,\u201d he added.<\/p>\n<p>The idea of sandboxing untrusted code is obviously not new. Containers, VMs, browser sandboxes, and GitHub Codespaces all exist. What\u2019s new is that Microsoft is positioning MXC as a dedicated runtime containment environment for agentic AI workloads, where autonomous agents can take actions, invoke tools, modify code, and access resources.<\/p>\n<p>Plenty has already been documented about what happens when these agents are given too much autonomy. Coding agents today can <a href=\"https:\/\/www.csoonline.com\/article\/4179309\/flowises-mcp-implementation-can-run-ghost-commands.html\">access files<\/a> they shouldn\u2019t, <a href=\"https:\/\/www.csoonline.com\/article\/3953927\/ai-programming-copilots-are-worsening-code-security-and-leaking-more-secrets.html\">leak secrets<\/a>, make unauthorized network calls, and execute other unexpected <a href=\"https:\/\/www.csoonline.com\/article\/4036868\/black-hat-researchers-demonstrate-zero-click-prompt-injection-attacks-in-popular-ai-agents.html\">actions<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Microsoft puts AI agents in a security sandbox<\/h2>\n<p>Microsoft Execution Container is a new containment technology intended to place guardrails around autonomous AI agents. It is a policy-driven execution workflow that lets developers specify what an AI agent may access, such as files, networks, resources, and credentials, and then enforces those boundaries at runtime.<\/p>\n<p>\u201cMXC is a sandboxed code execution system for running untrusted code (model output, plugins, tools) on Windows, Linux, and macOS,\u201d Microsoft\u2019s official <a href=\"https:\/\/github.com\/microsoft\/mxc\" target=\"_blank\" rel=\"noopener\">description<\/a> of the offering reads. 
\u201cIt provides multiple containment backends \u2014 from OS-native process sandboxes to full VMs \u2014 behind a unified JSON configuration schema and TypeScript SDK.\u201d<\/p>\n<p>Build announcements also included two Microsoft offerings first made public in May 2026: the <a href=\"https:\/\/github.com\/microsoft\/agents\">Agent 365 SDK<\/a>, which provides developers with tools to build, deploy, and manage AI agents, and <a href=\"https:\/\/www.microsoft.com\/en-us\/windows-365\/agents\" target=\"_blank\" rel=\"noopener\">Windows 365 for Agents<\/a>, a managed environment intended to give autonomous agents dedicated cloud-based workspaces.<\/p>\n<p>Microsoft also <a href=\"https:\/\/blogs.windows.com\/windowsdeveloper\/2026\/06\/02\/build-2026-furthering-windows-as-the-trusted-platform-for-development\" target=\"_blank\" rel=\"noopener\">revealed<\/a> its plans for MXC to serve as a security foundation for several agent platforms. Agent 365 will integrate with the framework to bring controls from Defender, Entra, Intune, and Purview to agent environments, while OpenClaw and NVIDIA\u2019s OpenShell are already adopting MXC to run AI agents within isolated execution containers designed to limit risk and improve runtime security.<\/p>\n<h2 class=\"wp-block-heading\">MDASH moves beyond a research project<\/h2>\n<p>While MXC fell under Microsoft\u2019s \u201csecure your agents\u201d initiative at Build, the \u201csecure your code\u201d drive saw the company announce updates to its Security Multi-model Agentic Scanning Harness (MDASH). 
Microsoft says the system uses more than 100 specialized AI agents operating across multiple models to identify vulnerabilities, assess exploitability, and reduce false positives before findings reach security teams.<\/p>\n<p>At Build, Microsoft positioned MDASH as part of a broader enterprise security workflow, announcing expanded preview availability and integration with Microsoft Defender.<\/p>\n<p>MDASH was first introduced in May, when it was <a href=\"https:\/\/www.csoonline.com\/article\/4170785\/microsofts-new-ai-system-finds-16-windows-flaws-including-four-critical-rces.html\">revealed<\/a> to have helped uncover multiple Windows vulnerabilities, including critical remote code execution flaws.<\/p>\n<h2 class=\"wp-block-heading\">Open-source controls aim to govern agent behavior<\/h2>\n<p>Microsoft also used Build to <a href=\"https:\/\/devblogs.microsoft.com\/foundry\/build-2026-open-trust-stack-ai-agents\/\" target=\"_blank\" rel=\"noopener\">introduce<\/a> two open-source initiatives designed to address the governance challenges around AI agents.<\/p>\n<p>The first, Adaptive Spec-driven Scoring for Evaluation and Regression Testing (ASSERT), is intended to help organizations evaluate agent behavior against defined security and operational requirements.<\/p>\n<p>The second, the Agent Control Specifications (ACS), provides an open standard framework for defining and enforcing governance policies in a portable manner, so that policies can move with the agent across different frameworks, platforms, and runtimes instead of being tied to a specific vendor\u2019s technology stack. 
Together, MXC, MDASH, ASSERT, and ACS sum up Microsoft\u2019s attempt at securing AI models\u2019 entire lifecycle, from the code they generate to the actions they take later.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>As enterprises race to adopt AI agents across software development workflows, Microsoft is rolling out new controls aimed at keeping the transformation from becoming a security headache. At its annual developer conference, Microsoft Build, the company unveiled a set of initiatives, including a brand new runtime containment offering, Microsoft Execution Container (MXC), for agentic AI [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8366,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8365","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8365"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8365"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8365\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8366"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8365"},{"taxonomy":"post_tag","embeddable
":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}