It's that time. Time to hack and complain about the state of the industry. Join us Friday, the day before @BsidesBuffalo, for another installment of Rochester 2600 where everything's synthesized and the tokens don't matter.
https://t.co/GrvhFwEOPN
Chainguard customers are unaffected by today’s wave of Mini Shai-Hulud, which impacts 32 redhat-cloud-services projects and 90+ versions.
Get the details: https://t.co/e4efgThHjm
When major exploits are going to be a dime a million, old school exploits will rule. I'm investing my research time into how to make the Caps Lock light on your keyboard appear on.... BUT IT'S NOT!
The post covers a Claude skill which was used to shed static signatures on these WASM-ized binaries. While the tool isn't live yet, the skill which helped shield it is live right now.
https://t.co/DiyEcFcQCE
AI models like Mythos can find hundreds of vulnerabilities overnight — across thousands of projects with one maintainer and no obligation to patch anything. We're not ready for that.
More on the hardest fork yet: https://t.co/8f7yut6sDk
https://t.co/ihPg1bKOZj often ends up in comparison articles where it's pitched against microVMs, within a very loose rag-tag bunch known as "Agent Sandboxes" - but the truth is, this is like comparing the fly-by-wire limits built into an aircraft control system to an end-of-runway concrete barrier - one governs every control input from within, in real time; the other stops things outside from going wrong when the plane runs out of runway.
A microVM guards the host. What happens inside is not really its concern or duty to protect. If data is exfiltrated to unknown endpoints, destructive tool calls are made, an agent malfunctions and racks up eye-watering LLM API costs, and then deletes your database - you can't really blame the VM. You got what you signed up for - strong, monolithic isolation. Not internal governance.
So nono operates at a completely different point in the security model: inside. It enforces capability-based, fine-grained policy to intercept sensitive or destructive operations, and it audits what the agent is actually doing with tamper-resistant, cryptographic claims (the blackbox recorder!). The question isn't "how contained is the damage" - it's "does the agent get to do this at all, in this particular context."
They answer different questions entirely: A VM answers, "if malicious code executes, how do we contain the blast radius from breaching the host and adjacent tenants?" nono answers, "how do I give the agent some authority to use a tool to access AWS credentials and call its APIs, but not allow the same access when it's using curl with the POST method to send your production credentials in a payload to a public GitHub issue?"
Docker not long back announced "we launched Docker Sandboxes with a bold goal: to deliver the strongest agent isolation in the market." That's great! However, it's not really what your AI-weary CISO needs to sleep better at night. Instead, it's resolving a problem that's already mostly solved - in a claimed, much stronger way. AI agents aren't highly focused on breaking isolation, something very difficult to achieve; they want to steal keys and cause wreckage from the inside. Want to see what the future malicious agent looks like? Go check out TeamPCP and their recent pursuits - they aren't bypassing hardware-level isolation with a zero-day, they're letting npm install do the job by executing post-install scripts to exfiltrate your CI tokens.
BUT - they also harmonise and are formidable when combined - which is why teams and orgs are now deploying nono directly onto AWS Fargate / Firecracker, and hardened Kubernetes-bound images - one holds the perimeter; the other governs what runs inside it. You get to sleep a bit easier at night.
If you're interested in learning more and working with us to help shape a new approach for a new threat - we are now accepting a limited number of design partners to help us shape the future of AI Agent Security.
https://t.co/2RhuRWOHrZ
151... with 137 by Google.
Hopefully they'll share more about their technique at some point. Even if it's via Glasswing/Mythos although they might not say so if that's the case.
@GabrielLandau After Mythos, they will be even more laughable. "You mean you emailed them, then waited for a reply, and then sent them a GPG encrypted message over a two week period?" LOL
Imagine doing this 1,000 times a week.
The sole purpose of disclosure is letting the vendor know, and communicating the risk well enough that they can make the right call around remediation.
Everything else is theater, I don’t give a shit about CVEs
Imagine pentesters asking for a CVE for each of their findings
I still can't get over that some of the people who are going to be leading the world in a post-Mythos world are still meme'ing on main like they're 15 years old.
Thrilled to be recognized in @Redpoint's 2026 InfraRed 100 list, highlighting 100 of the most promising private companies in AI infrastructure.
Congratulations to all the companies featured this year!
I'm not aligned with the phases here, but the intent is correct. The bigger point is you will be working with all 4 of these phases of people at any given time, and figuring out how to communicate and collaborate with them is your task.
I think AI coding hype follows roughly four stages:
1. Amazement
You try it and can’t believe how much code it generates from a few prompts.
2. Expansion
You start more and more projects because shipping suddenly feels cheap and fast.
This is also the phase where people start convincing everyone around them:
- coworkers
- management
- friends in other companies
because nobody wants to “fall behind” in 6–12 months.
That creates a massive snowball/FOMO effect.
3. The grind phase
You realize the generated code has architectural issues, sloppy mistakes, weird abstractions, duplicated logic, broken edge cases, etc.
So you start:
- re-prompting
- switching models
- increasing reasoning effort
- reviewing fixes
- generating fixes for previous fixes
And suddenly you spend your days reviewing AI-generated pull requests instead of building software.
4. Realization
You realize AI coding increases output much faster than it increases certainty.
The code still needs:
- review
- testing
- ownership
- architectural understanding
- long-term maintenance
Usually by expensive senior engineers.
And the interesting thing is:
this whole cycle can take many months or even more than a year because people become socially and professionally invested in the narrative themselves.
Once teams, managers, and entire companies have been convinced that this is the future, it becomes psychologically and politically very hard to later say:
“Actually, the ROI is much lower than we expected.”
There's going to be a couple of deaths in a post-Mythos world. One of them is WordPress -- the entire ecosystem, its plugins, their developers and probably their next of kin just to make sure it's finished the job.