Topic 4 of 9 · Level 2: Agent-assisted work
LLM Sandboxing
Risk appetite determines how far to take sandboxing. It is the set of safety measures between your data and a model. Options range from no boundary through Git worktrees, containers and virtual machines, to a dedicated isolated machine. Git worktrees are the common middle ground; AgentOS is a notable LLM-oriented virtualisation project.
A sandbox is a boundary for action
Sandboxing gives a model a defined box in which to act. If that box is absent or poorly defined, the model can potentially perform destructive actions against important files or data. More capable models make unrecoverable damage less likely, but the risk still exists.
Choose the lightest boundary that protects the work
- Git worktrees. Git-based projects can give the model a copy of the real files, so it works against the copy rather than the live source. Many harnesses now support this automatically.
- Containers and virtual machines. These provide a more substantial virtual boundary. AgentOS is another boundary designed around LLM workflows.
- Physical isolation. A dedicated isolated machine is technically the safest option. It is the approach I use, but it requires the hardware and technical confidence to run it.
Choose the level you are comfortable with. For many tasks, a Git worktree is perfectly adequate and a model can use it simply by being asked.