Precisely! There's a fundamental tension:
1. Agents need to interact with the outside world to be useful
2. Interacting with the outside world is dangerous
Sandboxes provide a "default-deny policy", which is the right starting point. But current tools lack the right primitives to make fine-grained data access and data policy a reality.
Object-capabilities provide the primitive for fine-grained access. IFC (information flow control) for dataflow.
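A toy illustration of the two primitives named above (object-capabilities for access, IFC for dataflow), added here as an example and not code from the thread or from any particular tool. The directory layout, the three-level secrecy lattice, the `ReadCap`/`NetSendCap` names and the clearance on the network sink are all constructed for the demo.

```python
"""Toy object-capability + information-flow-control (IFC) sandbox for an agent tool.

Object-capabilities: an agent can only read what it holds an unforgeable
capability for; a capability confined to one directory cannot reach outside it.
IFC: every value read through a capability carries a secrecy label; sinks
(here, a network-send capability) carry a clearance and refuse anything above it.
"""
from dataclasses import dataclass
from enum import IntEnum
from pathlib import Path
import tempfile


class Secrecy(IntEnum):
    """Constructed three-level lattice; higher is more secret."""
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2


@dataclass(frozen=True)
class Labeled:
    value: str
    label: Secrecy


class PolicyViolation(Exception):
    pass


class ReadCap:
    """Read capability confined to one directory; data read through it is labeled."""

    def __init__(self, root: Path, label: Secrecy):
        self._root = root.resolve()
        self._label = label

    def attenuate(self, subdir: str) -> "ReadCap":
        """Derive a weaker capability (a subdirectory); never a stronger one."""
        return ReadCap(self._root / subdir, self._label)

    def read(self, name: str) -> Labeled:
        p = (self._root / name).resolve()
        if not p.is_relative_to(self._root):  # blocks ../ escapes and symlink hops
            raise PolicyViolation(f"{p} is outside capability root {self._root}")
        return Labeled(p.read_text(), self._label)


class NetSendCap:
    """Sink capability with a clearance; refuses data labeled above that clearance."""

    def __init__(self, host: str, clearance: Secrecy):
        self.host = host
        self.clearance = clearance
        self.sent: list[str] = []

    def send(self, data: Labeled) -> None:
        if data.label > self.clearance:
            raise PolicyViolation(
                f"{data.label.name} data may not flow to {self.host} ({self.clearance.name} sink)"
            )
        self.sent.append(data.value)


def join(*items: Labeled) -> Labeled:
    """Derived data takes the least upper bound (max) of its inputs' labels."""
    return Labeled("".join(i.value for i in items), max(i.label for i in items))


def demo() -> dict:
    """Run the three checks on a constructed temp directory and report outcomes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        (root / "secrets").mkdir()
        (root / "docs" / "readme.txt").write_text("hello ")
        (root / "secrets" / "key.txt").write_text("hunter2")  # constructed placeholder secret

        docs_cap = ReadCap(root / "docs", Secrecy.PUBLIC)
        secret_cap = ReadCap(root / "secrets", Secrecy.SECRET)
        public_net = NetSendCap("example.com", Secrecy.PUBLIC)
        results = {}

        # 1. Public data through a public sink: allowed.
        public_net.send(docs_cap.read("readme.txt"))
        results["public_ok"] = public_net.sent == ["hello "]

        # 2. The docs capability cannot be used to climb out of its directory.
        try:
            docs_cap.read("../secrets/key.txt")
            results["traversal_blocked"] = False
        except PolicyViolation:
            results["traversal_blocked"] = True

        # 3. Mixing secret into public data taints the result; the public sink refuses it.
        try:
            public_net.send(join(docs_cap.read("readme.txt"), secret_cap.read("key.txt")))
            results["taint_blocked"] = False
        except PolicyViolation:
            results["taint_blocked"] = True
        return results


if __name__ == "__main__":
    print(demo())
```

The point of the pairing: the capability answers "may this agent open this file at all?", while the label travelling with the value answers "may what it read end up on that socket?", which a sandbox's per-syscall allow/deny cannot express on its own.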
The permission definition problem is real: you can't anticipate what an agent will try. I've been thinking about this from a different angle: instead of defining permissions upfront, what if you track risk dynamically? Like, monitor what the agent touches (files, network, syscalls) and score the blast radius in real time. Then you can interrupt on high-risk patterns even if you didn't explicitly deny that exact behavior. Still have the ocap primitives for the known stuff, but add a behavioral layer for the unknown unknowns. Not sure how practical it is though: adds latency and you need good heuristics.