A framework for drawing security boundaries in agentic architectures. Most agents run with zero isolation between the agent and the code it generates. Learn where to draw the boundaries, from secret injection to full application sandboxing.

Vercel is a platform for deploying modern web applications with speed and simplicity, offering developers a seamless experience for hosting and scaling their projects. With features like instant deployment, serverless functions, and global CDN, Vercel empowers developers to focus on building great user experiences without worrying about infrastructure management.

Vercel

Most coding agents today run generated code in the same security context as the agent harness and its secrets, creating serious risks from prompt injection attacks. A framework for thinking about security boundaries in agentic systems identifies four distinct actors—the agent, agent secrets, generated code execution, and the filesystem—each deserving different trust levels. Three architectures are compared: zero boundaries (today's default), secret injection without sandboxing, and full separation of agent compute from sandbox compute. The strongest approach combines ephemeral isolated VMs for generated code with a secret injection proxy that injects credentials at the network level, preventing generated code from ever reading or exfiltrating raw secrets. Vercel's Fluid compute and Vercel Sandbox are presented as concrete implementations of this pattern.

Security boundaries in agentic architectures

All agents are starting to look like coding agents

Separating agent compute from sandbox compute

Application sandbox with secret injection