Secure Your Coding Agent Like It’s Malware

Autonomous coding agents resemble powerful malware: they can write, execute, and modify code, access secrets, and call services—often opaquely.

Building on pioneering work from a year ago on safely applying AI to legacy codebases, this session extends that proven approach to the even riskier setting of autonomous agents. The agent itself is treated as untrusted and clamped down with tightly hardened containers and strict network firewalls that isolate execution, constrain file and tool access, and restrict communication to a minimal allowlist, drastically limiting blast radius and data-exfiltration paths.

The architecture mitigates core risks such as prompt injection, model misuse, and supply-chain abuse, while still enabling meaningful automation for real-world systems. Finally, the session outlines upcoming layers—fine-grained policy engines, runtime behavior monitoring, and end-to-end supply-chain verification—to build a robust, defense-in-depth stack for secure coding agents.
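One concrete way to apply the posture described above, added here as an illustration and not taken from the session or the speaker's tooling: hardening flags for running the agent container, a deny-by-default egress allowlist enforced by a proxy the agent is forced through, and the host firewall rules that leave the proxy as the only reachable destination. The image, network, subnet, proxy address and allowlisted hosts are placeholders, and the iptables rules are printed rather than applied.

```shell
#!/bin/sh
# Added example: treat the coding agent as untrusted code. Names, hosts,
# ports and addresses below are constructed placeholders.

# Minimal egress allowlist (constructed): one "host port" pair per line.
AGENT_ALLOWLIST="api.example.com 443
registry.example.com 443"

# `docker run` flags that strip privilege and writable surface: no
# capabilities, no privilege escalation, read-only root, noexec /tmp,
# resource limits, unprivileged user, only the workspace mounted writable.
# No secrets are mounted; the agent must go through the proxy for credentials.
agent_run_args() {
  printf '%s ' --rm --cap-drop=ALL --security-opt=no-new-privileges \
    --read-only --tmpfs /tmp:rw,noexec,nosuid,size=256m \
    --pids-limit 256 --memory 2g --cpus 2 --user 65534:65534 \
    --network agent-egress -v "$PWD/workspace:/workspace:rw" -w /workspace
}

# Deny-by-default decision the egress proxy makes for a CONNECT request:
# exact host and port match only, so raw IP literals, wildcard tricks and
# a different port on an allowed host are all refused.
egress_allowed() {
  host=$1; port=$2
  case $host in
    ''|*[!A-Za-z0-9.-]*) return 1 ;;   # empty or non-hostname characters
  esac
  printf '%s\n' "$AGENT_ALLOWLIST" | grep -qxF "$host $port"
}

# Host-side rules for the agent network: the container subnet may reach only
# the proxy; everything else, DNS included, is dropped (the proxy resolves
# names itself). DOCKER-USER is evaluated before Docker's own rules, and the
# DROP is inserted first so the ACCEPT inserted afterwards sits above it.
egress_rules() {
  subnet=$1; proxy=$2; proxy_port=${3:-3128}
  printf 'iptables -I DOCKER-USER 1 -s %s -j DROP\n' "$subnet"
  printf 'iptables -I DOCKER-USER 1 -s %s -d %s -p tcp --dport %s -j ACCEPT\n' \
    "$subnet" "$proxy" "$proxy_port"
}
```

Run the agent with `docker run $(agent_run_args) coding-agent:local` after the rules from `egress_rules` have been applied to the host.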

Richard Groß

Head of Software Archaeology

Frankfurt am Main, Germany
