Agent Safety: Sandboxes and Human-in-the-Loop

Giving an AI the keys to your computer is a big deal. Learn the two simplest ways to keep an agent safe: wall it off from things it shouldn't touch, and put a human in the decision path.

34 min · Reviewed 2026

Why safety is not optional

An agent with filesystem access can delete your thesis. An agent with email access can send 'you're fired' to your entire team. An agent with credit card access can order 400 rubber ducks. These are not hypothetical — every one has happened in production in the last 18 months. Safety isn't a feature, it's infrastructure.

Defense one: sandbox

A sandbox is a walled space where the agent can only see and touch specific things. Outside the wall, the agent has no power. Modern options in 2026:

Vercel Sandbox — Firecracker microVMs for running untrusted code.
Docker containers with bind-mounted folders only (classic and free).
Anthropic's Claude Code with scoped permissions (per-directory, per-tool).
Browser-only agents (Browser Use, Operator) — can't touch your filesystem.
Virtual machines (VirtualBox, UTM, Parallels) — full isolation if you're paranoid.

{ "agent": "cleanup-bot", "sandbox": { "filesystem": { "read": ["~/Downloads", "~/Desktop"], "write": ["~/Downloads/archive"], "deny": ["~/Documents", "~/Library", "~/.ssh"] }, "network": "none", "shell": false } }An example permission config. Deny by default. Allow exactly what's needed.

Defense two: human-in-the-loop

For any action that's destructive (delete, send, pay, push), require a human to approve before the agent proceeds. Yes, it slows things down. Yes, it's worth it. Every serious platform — Claude Code, Devin, OpenClaw Mission Control — has an approval gate feature.

AGENT: I want to run: rm -rf ~/old_project Reason: You asked me to clean up old projects. Impact: Deletes 1.2 GB, 847 files. AWAITING APPROVAL (y/n/details):What an approval gate should look like: action, reason, impact, pause.

Tiered approval

Risk	Approval policy	Examples
Low (read-only)	Auto-approve.	List files, read a page, query an API.
Medium (reversible)	Batch-approve with review.	Create a branch, draft an email.
High (destructive)	Per-action human approval.	Delete files, send emails, make payments.
Critical (irreversible)	Two-person approval + logging.	Deploy prod, wire money, delete users.

Good agent design is mostly about building the safe envelope, not the clever prompt. Get the envelope right and you can run bold experiments. Get it wrong and one bad run can ruin a week.

End-of-lesson check

8 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-agentic-safety-sandbox-builders

What is the main idea of "Agent Safety: Sandboxes and Human-in-the-Loop"?
1. Giving an AI the keys to your computer is a big deal.
2. Use AI as the final authority for the whole decision
3. Avoid checking the answer once it sounds polished
4. Focus only on speed instead of judgment
Which concept is most central to "Agent Safety: Sandboxes and Human-in-the-Loop"?
1. human-in-the-loop
2. sandboxing
3. least privilege
4. approval gates
Which use of AI fits this topic best?
1. Let the AI decide what matters without your review
2. Use the answer before checking whether it fits the situation
3. Vercel Sandbox — Firecracker microVMs for running untrusted code.
4. Use the first answer without checking it
What should a careful learner remember about "Assume the agent will mess up"?
1. Use AI to draft or organize ideas about sandboxing, then verify before acting.
2. Skip the context so the tool can guess faster
3. Treat the output as private even after sharing it online
4. Use the answer without checking the source
You want to use AI after this lesson. What is the safest next step?
1. Act immediately because the AI answer is written clearly
2. Use the AI answer as a draft, then check it against a reliable source.
3. Hide uncertainty so the final answer looks cleaner
4. Use private or sensitive details before checking permission
How should AI output about sandboxing be treated?
1. As proof that no other source is needed
2. As a replacement for context, consent, or expert review
3. As a draft or helper output that still needs human judgment and verification
4. As something that becomes correct when it sounds confident
Name one way to verify an AI answer about sandboxing.
Which action would help you apply "Agent Safety: Sandboxes and Human-in-the-Loop" responsibly?
1. Use the tool to avoid thinking through the tradeoff
2. Keep going even if the output conflicts with a trusted source
3. Use the first answer without checking it
4. Docker containers with bind-mounted folders only (classic and free).

← Back to interactive lesson

Tendril · Builders · Agentic AI

Agent Safety: Sandboxes and Human-in-the-Loop

Giving an AI the keys to your computer is a big deal. Learn the two simplest ways to keep an agent safe: wall it off from things it shouldn't touch, and put a human in the decision path.

34 min · Reviewed 2026

Why safety is not optional

Defense one: sandbox

A sandbox is a walled space where the agent can only see and touch specific things. Outside the wall, the agent has no power. Modern options in 2026:

Vercel Sandbox — Firecracker microVMs for running untrusted code.
Docker containers with bind-mounted folders only (classic and free).
Anthropic's Claude Code with scoped permissions (per-directory, per-tool).
Browser-only agents (Browser Use, Operator) — can't touch your filesystem.
Virtual machines (VirtualBox, UTM, Parallels) — full isolation if you're paranoid.

{ "agent": "cleanup-bot", "sandbox": { "filesystem": { "read": ["~/Downloads", "~/Desktop"], "write": ["~/Downloads/archive"], "deny": ["~/Documents", "~/Library", "~/.ssh"] }, "network": "none", "shell": false } }An example permission config. Deny by default. Allow exactly what's needed.

Defense two: human-in-the-loop

AGENT: I want to run: rm -rf ~/old_project Reason: You asked me to clean up old projects. Impact: Deletes 1.2 GB, 847 files. AWAITING APPROVAL (y/n/details):What an approval gate should look like: action, reason, impact, pause.

Tiered approval

Risk	Approval policy	Examples
Low (read-only)	Auto-approve.	List files, read a page, query an API.
Medium (reversible)	Batch-approve with review.	Create a branch, draft an email.
High (destructive)	Per-action human approval.	Delete files, send emails, make payments.
Critical (irreversible)	Two-person approval + logging.	Deploy prod, wire money, delete users.

Good agent design is mostly about building the safe envelope, not the clever prompt. Get the envelope right and you can run bold experiments. Get it wrong and one bad run can ruin a week.

End-of-lesson check

8 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-agentic-safety-sandbox-builders

What is the main idea of "Agent Safety: Sandboxes and Human-in-the-Loop"?
1. Giving an AI the keys to your computer is a big deal.
2. Use AI as the final authority for the whole decision
3. Avoid checking the answer once it sounds polished
4. Focus only on speed instead of judgment
Which concept is most central to "Agent Safety: Sandboxes and Human-in-the-Loop"?
1. human-in-the-loop
2. sandboxing
3. least privilege
4. approval gates
Which use of AI fits this topic best?
1. Let the AI decide what matters without your review
2. Use the answer before checking whether it fits the situation
3. Vercel Sandbox — Firecracker microVMs for running untrusted code.
4. Use the first answer without checking it
What should a careful learner remember about "Assume the agent will mess up"?
1. Use AI to draft or organize ideas about sandboxing, then verify before acting.
2. Skip the context so the tool can guess faster
3. Treat the output as private even after sharing it online
4. Use the answer without checking the source
You want to use AI after this lesson. What is the safest next step?
1. Act immediately because the AI answer is written clearly
2. Use the AI answer as a draft, then check it against a reliable source.
3. Hide uncertainty so the final answer looks cleaner
4. Use private or sensitive details before checking permission
How should AI output about sandboxing be treated?
1. As proof that no other source is needed
2. As a replacement for context, consent, or expert review
3. As a draft or helper output that still needs human judgment and verification
4. As something that becomes correct when it sounds confident
Name one way to verify an AI answer about sandboxing.
Which action would help you apply "Agent Safety: Sandboxes and Human-in-the-Loop" responsibly?
1. Use the tool to avoid thinking through the tradeoff
2. Keep going even if the output conflicts with a trusted source
3. Use the first answer without checking it
4. Docker containers with bind-mounted folders only (classic and free).

← Back to interactive lesson