The constraint Microsoft buried in its Build keynote

AI agents have a containment problem. An agent that can write code, manage files, and call APIs is, by design, unpredictable — and every capability it gains expands what security professionals call attack surface. Until Tuesday, no major OS vendor had proposed a kernel-level answer to that problem.

At its annual Build developer conference, Microsoft introduced **Microsoft Execution Containers (MXC)**: a policy-driven execution layer built into Windows and the Windows Subsystem for Linux that lets developers and IT administrators declare exactly what an AI agent can and cannot access, with those boundaries enforced at runtime by the OS kernel.

MXC is not a product you purchase. It is an SDK and a policy model — a foundational primitive that Microsoft describes as a "composable sandbox spectrum."

What the sandbox actually does

The spectrum runs from fast process isolation (already used by GitHub Copilot's CLI) up through Linux containers, micro-virtual machines, and full cloud instances running on Windows 365. A developer chooses the isolation level appropriate to the workload's risk profile; the same SDK and policy model governs all of them.

Session isolation is the feature with the most immediate security relevance. MXC separates an agent's execution from the user's desktop, clipboard, UI, and input devices — directly blocking UI spoofing, input injection, and cross-session data leakage, three attack classes that security researchers have repeatedly demonstrated against AI agents.

Every container is bound to a strong identity: either a local ID or a cloud-provisioned identity backed by Microsoft Entra. That binding means every action the agent takes can be attributed, audited, and governed — a distinction that matters enormously in regulated industries where human and agent activity on the same machine must be separable for compliance purposes.

A pre-briefing demo made the enforcement concrete: an agent running inside MXC was instructed to delete all files on a developer's desktop. The sandbox blocked it. The files were untouched.

The enterprise layer: Agent 365

For IT departments, the more consequential piece arrives in July. **Agent 365** layers Entra identity management and Intune device policy on top of MXC, so administrators can govern agent containment centrally while developers choose isolation levels per workload. Microsoft Defender adds runtime threat protection; Microsoft Purview extends data governance and compliance to agent activity.

The practical result: enterprises could allow employees to run autonomous agents on corporate machines while maintaining the same centralized visibility they currently have over traditional applications — without replacing existing infrastructure.

Who is already building on it

Platform announcements at developer conferences are frequently aspirational. MXC's launch partner list is specific enough to be meaningful:

- **OpenAI** is integrating MXC with Codex, its code-generation agent, to provide what OpenAI technical staff member David Wiesen described as a path from "intent to reliable execution" with enterprise-grade security. - **Nvidia** is bringing its OpenShell framework to Windows on top of MXC for "always-on" autonomous agents. - **Manus**, the autonomous agent startup, is using MXC's policy model to enable safer enterprise deployments. - **Nous Research** is integrating its Hermes agent, with CEO Dillon Rolnick noting that continuously running local agents require "intentional isolation" and controls that "will hold." - **OpenClaw**, an open-source agent framework, served as the internal proving ground; Microsoft contributed to its Windows companion app and donated the project back to the open-source community.

The hard part isn't the sandbox

MXC is available now in early preview. The engineering is credible: kernel-level enforcement, a scalable isolation spectrum, and an identity layer that plugs into infrastructure already managing hundreds of millions of Windows devices.

The harder problem is organizational. Containment is only as good as the policies written to govern it. Defining appropriate access rules for autonomous agents — across diverse workloads, data types, and risk tolerances — is a discipline that enterprise IT departments have not yet developed. An empty sandbox is just an empty box.

Microsoft has built the enforcement layer. The industry still has to figure out what to put in it.