By ByteBot
Your AI agents are running as you. Same user account, same permissions, same access to your SSH keys, API tokens, and every file your terminal can reach. If a model-generated tool call misbehaves — or a prompt injection convinces your agent to exfiltrate something — the blast radius is your entire dev machine. Microsoft’s answer, announced June 2 at Build 2026, is the MXC SDK: a TypeScript npm package that lets you declare exactly what your agent can touch, enforced at the OS level before any code executes.
What MXC Actually Is
MXC (Microsoft Execution Containers) is a cross-platform sandboxing system for agentic workloads. It sits between your agent runtime and the OS, enforcing a JSON-defined policy that specifies which filesystem paths the agent can read or write, whether it can make outbound network calls, and whether it gets access to the clipboard and display. The same policy schema runs on Windows (24H2+), Linux, and macOS — though macOS support is still experimental.
Installing the TypeScript SDK is a single command:
npm install @microsoft/mxc-sdkFrom there, you define a policy and run agent code through it:
import { createConfigFromPolicy, provisionSandbox, execInSandboxAsync } from '@microsoft/mxc-sdk';
const config = createConfigFromPolicy({
version: '0.6.0-alpha',
filesystem: {
readonlyPaths: ['/usr', '/lib'],
readwritePaths: ['/tmp/agent-workspace'],
},
network: { allowOutbound: false },
timeoutMs: 30_000,
});
const sandbox = await provisionSandbox(config);
await execInSandboxAsync(sandbox, 'node', ['agent-tool.js']);The lifecycle is explicit: provision → start → exec → stop → deprovision. That explicitness is the point — no ambient access, no leftover state between runs.
Three Isolation Levels: Pick by Risk
MXC offers a composable spectrum of isolation, which is the right design. A summarization task and a code execution task have wildly different risk profiles — you do not want hypervisor overhead on the former.
Process isolation is the lightweight option: restricts file and network access for dynamically-generated code without creating a separate session. GitHub Copilot CLI ships with this in production today. It is the right default for most tool calls.
Session isolation goes further: it separates the agent’s execution from your desktop entirely — no clipboard access, no UI visibility, no input injection surface. Use this for anything that touches credentials, handles customer data, or makes decisions your employer would not want attributed to you personally.
Micro-VMs and Linux containers are on the roadmap, backed by hypervisor isolation for maximum containment. They are not available yet, but the policy model you write today will translate when they ship.
This Is Not Docker
The Docker mental model will lead you astray here. MXC has no container daemon, no image registry, no compose file. It is OS-native: processcontainer on Windows, bubblewrap on Linux, seatbelt on macOS. The underlying binary layer is written in Rust — the TypeScript SDK is just the policy API on top.
This matters practically. Docker-for-Windows carries a real performance tax from the WSL2 layer. MXC process isolation on Windows is native, which matters when your agent is spinning up sandboxes per tool call. The tradeoff: MXC is not a general-purpose container system. It is purpose-built for tool-call granularity in agent loops, and that specificity is a feature, not a limitation.
One current gap worth noting: outbound network filtering is not yet supported on Windows — only Linux. If your threat model includes agents making unauthorized outbound calls from Windows, that is a hole for now.
Who Is Already On It
Microsoft named five launch partners at Build 2026: OpenAI, Nvidia, Manus, Nous Research (makers of the Hermes agent), and the OpenClaw project. OpenAI’s David Wiesen described the goal as combining Codex’s capabilities with MXC to help developers “move from intent to reliable execution faster.” Nvidia is bringing its OpenShell autonomous agent framework to Windows on MXC. GitHub Copilot CLI already uses process isolation in production.
That is meaningful signal. When the teams building the most widely-used coding agents are adopting a sandboxing primitive, it is worth paying attention.
The Honest Caveat
Microsoft’s own documentation is unambiguous: “No MXC profiles should be treated as security boundaries currently.” Known cases of overly permissive policies exist and will be addressed before broader availability. The schema is versioned at 0.6.0-alpha. This is early preview software, and the underlying sandboxes are expected to change.
That does not mean ignore it. It means integrate it now — get familiar with the policy model, test it in non-production agent loops, and do not rely on it as your sole containment layer yet. Pair it with least-privilege service accounts, secret management, and network-level controls while MXC matures. If you want to understand the class of attacks MXC is designed to stop, our earlier coverage of TrustFall and SymJack covers the threat model in detail.
Bottom Line
MXC is the first OS-native SDK designed specifically for the access-control problem that every AI agent developer knows exists but few have addressed with anything more rigorous than “hope the model behaves.” It is alpha, it is Windows-first in production maturity, and it has a real gap on outbound network filtering. But the design is right, the partners are credible, and npm install @microsoft/mxc-sdk works today. Start integrating it. Watch for micro-VM support and Windows network filtering. This is where agent security on Windows is going.
