Microsoft wants to keep your AI agents from going rogue

Microsoft has introduced Microsoft Execution Containers (MXC), a cross-platform, policy-driven execution layer for AI agents on Windows and Windows Subsystem for Linux (WSL), now available in early preview.

Microsoft Execution Containers

Updated Agent 365 platform (Source: Microsoft)

Developers can define constraints for their applications and agents, and Windows enforces them at runtime through MXC. The SDK provides an abstraction layer over isolation primitives, eliminating the need for developers to manage low-level isolation details.

“Containment bounds what agents can access and do, so non-deterministic behavior doesn’t translate into uncontrollable risk. Agent behavior is dynamic and often generated at runtime. The agent often uses models to generate complex code for each prompt that can read, act and chain multiple operations,” Dana Huang, Corporate VP, Windows Security, and Logan Iyer, Corporate VP, Windows Platform + Developer at Microsoft, explained.

How MXC contains AI agents

Windows applies isolation and containment through the composable sandbox in MXC, which provides a single SDK and policy model that maps workloads to the appropriate isolation mechanism. Agent 365 natively integrates with the SDK, using Microsoft Entra and Intune to enforce constraints on specific AI agents.

Multiple containment options enable organizations to match security controls to the risk level of each workload. Microsoft plans to expand the framework in future releases.

Process and session isolation

The early preview includes process isolation and session isolation.

Process isolation runs AI-generated code in a separate environment with restricted access to files and network resources. The approach helps contain risky actions without disrupting development workflows. GitHub Copilot CLI already uses MXC process isolation to limit what AI-generated code can access and execute.

Session isolation separates AI agents from the user’s desktop, clipboard, input devices, and active sessions to reduce the risk of data leakage and interface attacks. Each session runs under its own identity, enabling organizations to enforce least-privilege access, audit agent activity, and manage policies through Microsoft Entra and Intune.

“Our initial release will support non-interactive sessions, with additional capabilities planned for future releases,” Microsoft added.

The company also plans to add more containment options for AI agents. One is micro-VM support, which uses hardware-backed virtualization to provide stronger isolation for high-risk workloads, including processing sensitive data and running untrusted code. Another is Linux container support through WSL, extending the same containment model to Linux-based AI development environments.

Partner support

Microsoft is partnering with Hermes, Manus, NVIDIA, OpenAI, and OpenClaw to help developers build and deploy AI agents with MXC.

OpenClaw now uses MXC to secure its node and gateway, alongside a Windows companion app for deploying and managing agents. NVIDIA has integrated MXC into OpenShell to help developers securely deploy autonomous AI agents on Windows. Hermes Agent also plans to add OpenShell and MXC support to its Windows application.

“Working with Microsoft on Microsoft Execution Containers (MXC) allows us to explore new patterns for AI agents to safely and efficiently generate and execute code. By combining Codex’s capabilities with MXC’s execution environment, we aim to help developers move from intent to reliable execution faster while maintaining the security and control enterprises need,” said David Wiesen, Member of Technical Staff at OpenAI.

MXC is available on Github.

More about

Don't miss