Microsoft has introduced a new security framework designed to contain AI agents running on Windows devices. Called Microsoft Execution Containers (MXC), the system lets developers and IT administrators define precisely what an AI agent is allowed to do — and enforces those rules at the level of the operating system kernel. Michael Nuñez reports for VentureBeat that OpenAI and Nvidia are already building on the new platform, alongside agent startups Manus and Nous Research. The announcement was made at Microsoft’s annual Build developer conference.
MXC is not a standalone product. It is a software development kit (SDK) and policy model built into Windows and the Windows Subsystem for Linux. Developers write a policy file that specifies which files, folders, and network resources an agent may access. The operating system then enforces those boundaries at runtime, regardless of what the agent attempts to do.
Why this matters for businesses
AI agents are software programs that receive a goal in plain language and then take actions to achieve it: opening files, executing code, calling web services, or interacting with other applications. Unlike traditional software, whose sequence of operations is fixed in advance by its code, an agent chooses its own sequence of actions at runtime, so its behaviour cannot be fully specified or tested before it runs. That unpredictability has made enterprises cautious about deploying agents on corporate networks, where sensitive data and regulated information are at stake.
MXC addresses this by separating an agent’s execution environment from the user’s desktop, clipboard, screen, and input devices. It also assigns every agent a verified identity, either a local ID or one backed by Microsoft’s Entra cloud service, so that every action can be traced back to a specific agent rather than a human user. Microsoft says this audit trail could become a compliance requirement in regulated industries such as finance and healthcare.
During a demonstration ahead of the announcement, a Microsoft developer instructed an AI agent running inside MXC to delete all files on his desktop. The agent attempted to comply. The sandbox blocked it. The files remained untouched.
A spectrum of containment options
MXC is designed to scale with the level of risk a given task involves. The containment options range from lightweight process isolation for simple assistants up to full micro-virtual machines for agents that execute arbitrary code. Microsoft describes this as a “composable sandbox spectrum.” The appropriate level of isolation can be adjusted based on what an agent is actually doing.
For corporate IT departments, Microsoft is integrating MXC with its existing enterprise tools under the name Agent 365, scheduled for preview in July. The integration connects MXC with Microsoft Defender for threat protection, Entra for identity management, Intune for device-level policy enforcement, and Purview for data governance. This means companies could in principle allow employees to run powerful autonomous agents on corporate machines while retaining centralised oversight through tools they already use.
Alongside MXC, Microsoft also announced an open source standard called Agent Control Specification (ACS). It gives developers a consistent way to define rules for agent behaviour across different frameworks. Policies written in ACS specify what an agent may do, what it must not do, when a human must approve an action, and what should be logged. The specification works with popular agent frameworks including LangChain, AutoGen, CrewAI, and the OpenAI and Anthropic agent SDKs.
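To make the policy-and-enforcement model concrete, here is an added example of a deny-by-default enforcer that reflects the pieces the article describes: the per-agent policy file listing which files, folders and hosts may be touched, the agent identity that every logged action is tied to, the blocked delete-the-desktop demonstration, and the ACS categories of what an agent may do, must not do, must get approval for, and what is logged. This is illustrative code written for this page, not Microsoft's MXC SDK and not the ACS schema; the policy keys, the AgentSandbox class, the agent identity string, the action names and the temporary directory tree are all assumptions. The one check worth noticing is that paths are compared only after canonicalisation, so reaching the desktop through `..` from a writable folder is still refused.

```python
"""Illustrative deny-by-default policy enforcer for an AI agent sandbox.

Added example: not Microsoft's MXC SDK or the ACS schema. The policy keys,
the AgentSandbox class, the agent identity and the directory tree are
assumptions chosen to show the model the article describes.
"""
import os
import tempfile
from urllib.parse import urlparse

ALLOW, DENY, NEEDS_APPROVAL = "allow", "deny", "needs_approval"

# Which policy path list an action is checked against (assumed mapping).
_FS_SCOPE = {"read": "read", "write": "write", "delete": "write"}


def make_policy(root):
    """Hypothetical policy document rooted at `root` (constructed for the demo)."""
    return {
        "agent_id": "agent://local/report-writer",  # assumed local identity
        "fs": {
            "read": [os.path.join(root, "reports")],
            "write": [os.path.join(root, "reports", "out")],
        },
        "net": {"hosts": ["api.example.com"]},
        # Never permitted: clipboard, screen and input stay off limits.
        "deny": ["clipboard.read", "screen.capture", "input.inject"],
        # Permitted only after a human approves this specific call.
        "approve": ["send_email"],
    }


def _canon(path):
    """Resolve symlinks and '..' so the check sees the real target path."""
    return os.path.realpath(os.path.expanduser(path))


def _under(path, roots):
    """True if `path` is one of `roots` or lies inside one of them."""
    p = _canon(path)
    return any(p == r or p.startswith(r + os.sep) for r in map(_canon, roots))


class AgentSandbox:
    """Evaluates every action against the policy and records the verdict."""

    def __init__(self, policy):
        self.policy = policy
        self.audit = []  # every decision, keyed to the agent, not the user

    def decide(self, action, target):
        p = self.policy
        if action in p["deny"]:
            return DENY
        if action in p["approve"]:
            return NEEDS_APPROVAL
        if action in _FS_SCOPE:
            return ALLOW if _under(target, p["fs"][_FS_SCOPE[action]]) else DENY
        if action == "net.connect":
            return ALLOW if urlparse(target).hostname in p["net"]["hosts"] else DENY
        return DENY  # anything the policy does not name is denied

    def run(self, action, target, fn=lambda: None):
        """Perform fn() only when the policy allows; always log the attempt."""
        verdict = self.decide(action, target)
        self.audit.append({"agent": self.policy["agent_id"], "action": action,
                           "target": target, "verdict": verdict})
        if verdict == ALLOW:
            fn()
        return verdict


def demo(root):
    """Replay the article's delete-the-desktop demo in a constructed tree."""
    desktop = os.path.join(root, "Desktop")
    out = os.path.join(root, "reports", "out")
    os.makedirs(desktop, exist_ok=True)
    os.makedirs(out, exist_ok=True)
    victim = os.path.join(desktop, "notes.txt")
    with open(victim, "w") as f:
        f.write("keep me")

    sb = AgentSandbox(make_policy(root))
    results = {
        "delete_desktop": sb.run("delete", victim, lambda: os.remove(victim)),
        # the same file reached by '..' from the writable folder
        "delete_traversal": sb.run(
            "delete", os.path.join(out, "..", "..", "Desktop", "notes.txt"),
            lambda: os.remove(victim)),
        "write_out": sb.run("write", os.path.join(out, "report.txt")),
        "api_host": sb.run("net.connect", "https://api.example.com/v1/chat"),
        "other_host": sb.run("net.connect", "https://api.example.com.evil.test/"),
        "clipboard": sb.run("clipboard.read", ""),
        "email": sb.run("send_email", "cfo@example.com"),
    }
    results["file_survives"] = os.path.exists(victim)
    results["audit_entries"] = len(sb.audit)
    return results


def run_demo():
    """Run the demo in a fresh temporary directory."""
    return demo(tempfile.mkdtemp())


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:18} {v}")
```

Two design points carry over to any real enforcer of this kind. The host list is matched exactly rather than by prefix or suffix, so `api.example.com.evil.test` is refused; and every decision, including the refusals, is written to the audit list under the agent's own identity, which is the trail the article says regulated industries may come to require.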
Pavan Davuluri, Microsoft’s Executive Vice President for Windows and Devices, said at the briefing that the containment primitives now built into Windows are what will make agents safe enough for both consumer and enterprise use. MXC is available in early preview now. Whether enterprises will have the organisational sophistication to write effective policies for complex deployments remains an open question.
Sources
- Microsoft launches MXC, an OS-level sandbox for AI agents, with OpenAI and Nvidia already on board – VentureBeat
- Microsoft offers devs a better way to control AI agent behavior – TechCrunch