Back to Blog
Technical February 2026 · David Steel

Isolated Agents, Isolated Failures: The Case for Sandboxed Operations

When an agent makes a mistake, the blast radius matters more than the mistake itself. A typo in a draft email is harmless. A bad database query that corrupts production data is catastrophic. The single most important architectural decision in agent deployment is isolation.

Blast Radius Thinking

Every agent failure has a blast radius. The question is whether you designed for it or discovered it after the damage was done.

Sandbox thinking comes from software engineering, but it applies to every agent operation. Each agent should have a defined blast radius: the maximum damage it can cause if it fails completely. If you cannot answer "what is the worst thing this agent can do?" for every agent in your system, you are not ready for production.

This is not paranoia. This is engineering discipline. The same discipline that puts circuit breakers in electrical panels and bulkheads in ships. You design for failure because failure is inevitable.

The All-Powerful Agent is a Liability

The instinct is to give agents broad permissions. Read everything. Write everywhere. Access all systems. It feels efficient. It is, until something goes wrong.

An agent with read-write access to your production database, your email system, and your CRM simultaneously is a catastrophe waiting to happen. Not because the agent is malicious. Because agents make mistakes, just like humans do. The difference is agents make mistakes at machine speed.

A human employee who accidentally deletes a row in a spreadsheet is an annoyance. An agent that accidentally runs a bulk update on a production database in 200 milliseconds is a disaster. The velocity of the mistake is what makes isolation non-negotiable.

Deliberate Limitation

The best agent architectures are deliberately limited. Each agent can do less, but the system as a whole does more. Safely.

Here is what this looks like in practice. Our email agent (Pepper) can read emails and draft responses. It cannot send emails without approval. Our analytics agent (Dash) can read performance data. It cannot modify campaigns. Our calendar agent reads events. It cannot delete or modify them.

Every permission is a choice. Every capability is granted, not assumed. The default is no access, and we add permissions one at a time, with explicit justification for each one.

This runs counter to the "all-powerful AI" narrative. But the narrative is selling a fantasy. Production systems require constraint.

Rollback is Non-Negotiable

If an agent takes an action, you need to be able to undo it. Full stop. Design every agent interaction to be reversible.

This means agents should write to staging areas, not production. Agents should create drafts, not final outputs. Agents should flag recommendations, not execute decisions. The pattern is: agent proposes, human (or supervisory system) approves, then the action becomes permanent.

The cost of this pattern is latency. The benefit is sleep. I have never once regretted adding an approval gate. I have regretted removing one.

Failure Containment in Practice

At Sneeze It, we use a principle called "separate blast radius." Tuning one agent never breaks another. Each agent operates in its own context, with its own state files, its own tools, and its own error handling.

When our CRO agent (Dirk) had a data quality issue with pipeline records, it did not affect our analytics agent (Dash) or our project manager (Crystal). Dirk's failure stayed in Dirk's domain. We fixed it without touching anything else.

Compare that to a monolithic super-agent where a pipeline data issue could cascade into bad analytics, wrong project priorities, and incorrect client communications. The blast radius of a single error in a single domain could touch every part of the business.

Isolation is not overhead. It is insurance. And the premium is far cheaper than the claim.

The Hard Lesson

The cost of isolation is overhead. More agents, more state files, more coordination mechanisms. The cost of not isolating is catastrophe. Organizations that skip sandboxing learn this the hard way. Usually once.

I have never heard someone say "I wish we had given our agents more permissions." I hear "I wish we had contained that failure" regularly.

What OTP Enables

OTP's architecture enforces isolation at the protocol level. Each organization's OOS is its own artifact. Merge operations are previewed, reviewed, and approved. No agent can overwrite another organization's intelligence. The protocol is the sandbox.

This is not a feature. It is a design philosophy. Organizational intelligence is too valuable to trust to unconstrained automation. Every interaction is bounded, reversible, and auditable.

Audit Your Blast Radius

For every agent in your system, answer one question: what is the worst thing it can do if it fails? If you cannot answer that, you have a sandboxing problem. Fix it before it fixes you.

Publish Your OOS See Who's Publishing