AI agents need a safe place to act

[Image: Safe AI]

The Microsoft announcement of Azure Container Apps Sandboxes caught my attention, especially because Mo Cherif from SitecoreAI is quoted in it. For me, that is more than a nice Sitecore mention. It is an architectural signal.

AI is moving from suggestion to action. Agents are no longer only helping us write text or generate code snippets. They can inspect repositories, call tools, run scripts, interact with APIs and eventually support real DXP work such as content assembly, personalisation, campaign optimisation, and workflow automation.

[Image: quote by Mo Cherif, VP of AI and Innovation; source document by Microsoft]

The real risk

The risk is not only the AI model itself. The bigger risk is often the environment around it. An MCP server can expose powerful tools. A local model can still access files or credentials if we connect it to the wrong runtime. A rogue skill, plugin or prompt injection can influence what an agent executes.

So the key question is not only:

"Can the agent do this?"

The better architectural question is:

"Where is the agent allowed to do this, what can it access, and how do we contain the blast radius if something goes wrong?"

The solution direction

The answer is a controlled execution layer. A simple model could be:

[Image: Secure AI workflow]

In practice, that means we should run AI-generated code in isolated environments, give agents only the tools they need, restrict filesystem, network and secret access, log what happens, validate the output and keep human approval for destructive actions or production changes.
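To make the controlled execution layer concrete, here is an added example of a small policy gateway that sits between an agent and its tools. It is illustration code written for this post, not Azure Container Apps Sandboxes code and not anything from Microsoft or Sitecore. The tool names, the policy keys, the sandbox root and the in-memory stand-in for the sandbox filesystem are all assumptions constructed for the example. It shows the checks listed above in order: an allowlist of tools, path containment inside the sandbox, a block on secret-looking files and on network access, a human approval step for destructive tools, output validation, and an audit entry for every call whether it ran or not.

```python
"""Policy gateway between an agent and its tools (constructed example).

Not Azure Container Apps Sandboxes code and not Microsoft or Sitecore code.
Tool names, policy keys and the sandbox path are assumptions for illustration.
"""
from dataclasses import dataclass, field
from pathlib import Path
from typing import Any, Callable, Dict, List, Optional

# Constructed policy. A real deployment would load this from configuration
# and keep the destructive-tool list under change control.
POLICY = {
    "allowed_tools": {"read_file", "write_file", "run_tests", "publish_content"},
    "destructive_tools": {"publish_content", "delete_file"},   # human approval required
    "sandbox_root": "/tmp/agent-sandbox",                       # assumed sandbox directory
    "network_allowed": False,
    "secret_markers": (".env", "secret", "credential", ".ssh"),
    "max_output_chars": 10_000,
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False


def _inside_sandbox(root: Path, requested: str) -> Optional[Path]:
    """Resolve a requested path and return it only if it stays under the sandbox root."""
    candidate = (root / requested).resolve()   # absolute input replaces root, so it is caught too
    if candidate == root or root in candidate.parents:
        return candidate
    return None


def evaluate(tool: str, args: dict, policy: dict = POLICY) -> Decision:
    """Decide whether a call may run at all and whether a human must approve it first."""
    if tool not in policy["allowed_tools"]:
        return Decision(False, f"tool '{tool}' is not in the allowlist")
    root = Path(policy["sandbox_root"]).resolve()
    path = args.get("path")
    if path is not None:
        target = _inside_sandbox(root, path)
        if target is None:
            return Decision(False, f"path '{path}' escapes the sandbox root")
        if any(m in str(target).lower() for m in policy["secret_markers"]):
            return Decision(False, f"path '{path}' looks like secret material")
    if "url" in args and not policy["network_allowed"]:
        return Decision(False, "network access is disabled for this agent")
    return Decision(True, "within policy", needs_approval=tool in policy["destructive_tools"])


@dataclass
class ToolGateway:
    handlers: Dict[str, Callable[..., Any]]
    approver: Callable[[str, dict], bool]      # a human (or ticketing step) in production
    policy: dict = field(default_factory=lambda: dict(POLICY))
    audit_log: List[dict] = field(default_factory=list)   # would go to a log sink in practice

    def call(self, tool: str, args: dict) -> dict:
        decision = evaluate(tool, args, self.policy)
        if decision.allowed and decision.needs_approval and not self.approver(tool, args):
            decision = Decision(False, "human approval withheld", True)
        output = None
        if decision.allowed:
            raw = self.handlers[tool](**args)
            # Output validation: only bounded text is handed back to the agent loop.
            if isinstance(raw, str) and len(raw) <= self.policy["max_output_chars"]:
                output = raw
            else:
                decision = Decision(False, "tool output failed validation", decision.needs_approval)
        self.audit_log.append({"tool": tool, "args": args, "allowed": decision.allowed,
                               "reason": decision.reason, "needs_approval": decision.needs_approval})
        return {"ok": decision.allowed, "reason": decision.reason, "output": output}


def demo_handlers(files: dict) -> Dict[str, Callable[..., Any]]:
    """Constructed tool handlers over an in-memory dict so the example runs offline."""
    root = Path(POLICY["sandbox_root"]).resolve()

    def read_file(path: str) -> str:
        return files.get(str((root / path).resolve()), "")

    def write_file(path: str, content: str) -> str:
        files[str((root / path).resolve())] = content
        return "written"

    return {"read_file": read_file, "write_file": write_file,
            "run_tests": lambda: "12 passed", "publish_content": lambda path: f"published {path}"}


def demo(approve: bool = False) -> List[dict]:
    """Run a constructed sequence of agent tool calls and return the audit log."""
    gw = ToolGateway(demo_handlers({}), approver=lambda tool, args: approve)
    gw.call("write_file", {"path": "drafts/hero.md", "content": "Welcome"})   # allowed
    gw.call("read_file", {"path": "../../etc/passwd"})                        # escapes sandbox
    gw.call("read_file", {"path": ".env"})                                    # secret material
    gw.call("fetch_url", {"url": "https://example.com"})                      # not allowlisted
    gw.call("publish_content", {"path": "drafts/hero.md"})                    # needs approval
    return gw.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry["tool"], entry["allowed"], entry["reason"])
```

The point of the design is that the agent never talks to the filesystem, the network or a publishing API directly; every call passes through `evaluate` and lands in the audit log, and the same log entry is written whether the call ran, was denied, or was stopped by the approver. With `approve=False` the publish step is refused and recorded; with `approve=True` it runs, which is the "controlled promotion" step rather than a bypass.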

This is where sandboxed execution becomes interesting. Not because it magically solves AI security, but because it gives agents a safe place to work.

Why this matters for DXP

For DXP platforms, this matters a lot. A modern DXP touches content, assets, customer data, analytics, campaigns, APIs and frontend applications. Agents can add real value there, but only if we design the guardrails around them.

My takeaways

AI agents must be allowed to help, but they should not automatically inherit unlimited trust. Running AI locally is not automatically safe if the tools around it still have broad access.

Sandboxed execution, policy, observability and controlled promotion will become important building blocks for serious agentic DXP architectures. That is why I like this direction. It moves the conversation from “what can AI generate?” to “where can AI safely act?”