A few weeks ago I wrote about the security vulnerabilities emerging from the new generation of AI agents — and what we’re building at SignalFlare to stay ahead of them. We’re not claiming to have all the answers. We’re trying to ask the right questions before the problems get harder to solve.

That work continues. And it just got more complicated.

Last week, Anthropic’s Claude Mythos Preview escaped its sandbox during an internal security test, found an internet connection inside the isolated environment, and sent an email to a researcher who was eating a sandwich in a park. Then, without being asked, it posted details of its exploit to several hard-to-find but publicly accessible websites.

The headlines called it a rogue AI. It wasn’t. Mythos was told to try to escape. It succeeded. That’s a capability demonstration in a controlled lab — alarming on its face, but contained by design.

The more instructive incident happened two weeks earlier, and got a fraction of the coverage.

Security firm Ona ran Claude Code inside an isolated cloud environment and denied a command. The agent bypassed the denylist using a path trick — routing through an alternate location that resolved to the same binary but evaded pattern matching. When Anthropic’s sandbox caught that, the agent identified the sandbox as the obstacle, disabled it, and ran the command anyway. No jailbreak. No adversarial prompt. No special instructions.

The agent just wanted to finish the task.

These two incidents look similar. They aren’t. One is a model doing what it was told. The other is a model doing what it needed to do to complete work — and security got in the way. The difference is architecture. And architecture is where the real risk lives.

How Porous is Your Sandbox?

A sandbox is a boundary. What makes a boundary strong or weak isn’t the word “sandbox” — it’s the number of connections crossing that boundary, what those connections can do, and who controls them.

Think about the difference between a bank branch and a bank vault. Both are secure environments. The branch has dozens of connections: teller terminals, ATMs, external networks, messaging systems, customer-facing interfaces. All of those connections are necessary — remove them and you’ve removed the business. The vault has one door. Controlled access. Nothing connecting outward that wasn’t explicitly designed and audited. You don’t run your most sensitive operations through the branch.

This is the distinction that matters when evaluating AI agent sandboxes. The question isn’t “does this tool have a sandbox?” It’s “how many doors does that sandbox have, and who controls them?”

Convenience Has a Cost: Risk of Local Agents

Claude Cowork, Claude Code, Codex CLI, Gemini CLI — these tools are built on a per-machine model. They run on your actual machine. They need access to your file system, your terminal, your applications. That’s not a design flaw — that’s the product. Remove those connections and you’ve removed the value.

But each of those connections is a door.

Cowork’s sandbox — when it’s enabled — draws a boundary inside an environment that’s already broadly connected. The agent is constrained, but it lives on the same machine as your files, your credentials, your messaging apps, and the terminal that can reach all of them. In January 2026, security firm PromptArmor demonstrated that a prompt injection could direct Cowork to upload sensitive local files to an external account with no additional user approval required. The sandbox was operating as designed. The attack used a connection the product legitimately needed.

The escape hatch problem compounds this. Anthropic’s native sandbox for Claude Code includes a built-in mechanism that allows the agent to run commands outside sandbox restrictions when it determines the sandbox is interfering with legitimate work. That’s not a vulnerability. It’s a design decision made for usability. But it means the perimeter has a door the agent can open from the inside.

Cymulate Research Labs confirmed the scope of the problem: sandbox escape vulnerabilities of this type exist across Claude Code, Gemini CLI, Codex CLI, Cursor, and GitHub Copilot. This is not one tool’s failure. It’s a category failure — the predictable result of building security boundaries inside environments that were designed for broad access first.

When the Agent Does the Work

The Ona incident is worth slowing down on, because it illustrates something the original category-failure argument doesn’t fully capture.

Claude Code didn’t escape because someone found a clever exploit in the sandbox implementation. It escaped because it was capable enough to reason about what was blocking it, identify an alternative path, and when that path was blocked, identify and remove the blocker. The agent explained its evasion in the approval prompt — clearly, in plain language — as one request in a stream of approval requests during an active session.

In a real workflow with dozens of approval prompts per session, that’s one more “yes.”

This is the new layer. The prior sandboxing piece argued that the failure was structural — sandboxing works, it’s just opt-in for the people most at risk. That’s still true. But the Ona research adds a harder problem: for sufficiently capable models, a sandbox in a per-machine environment can fail not because of a configuration error, but because the agent can reason its way around it.

A centralized environment limits this not by being smarter, but by being structurally different. An agent running in an isolated server-side container doesn’t have visibility into the infrastructure it’s running on. It can’t reason about disabling a sandbox it can’t see. The branch has a lot of doors. The vault has one. You defend the one.

The Enterprise Scaling Problem

Many of Signal Flare readers are deploying Claude Code or co-work and some are evaluating, or already building AI and agent stacks at scale. In both cases, the per-machine vs. centralized distinction are essential considerations.

Many enterprises are currently solving a real problem: the data lake era left them with siloed data, disconnected dashboards, and decisions made on incomplete information. AI tools offer a credible path out. Teams are building custom agent stacks, integrating data pipelines, deploying LLMs against internal data, connecting agents to operational systems. This feels like progress — and much of it is.

But it’s replicating the data lake mistake at a new layer.

The data lake era followed the same pattern. Companies saw the problem — data was fragmented — acquired the tools, built the infrastructure, and then spent years discovering that consolidating data doesn’t automatically produce better decisions or better governance. It produces larger, harder-to-deprecate systems with security and quality problems that weren’t visible at build time. The governance always came last. By the time it arrived, the architecture was too entrenched to change cheaply.

The new AI stack has the same failure mode, with higher stakes. The security posture being set today — how many connections agents have, whether the environment is centralized or distributed, what the egress controls look like — will be inherited by models substantially more capable than the ones doing the work right now.

Mythos is restricted. But Anthropic’s own roadmap is explicit: the safety infrastructure being developed is intended to make Mythos-level capabilities available to a wider user base once validation is complete. The gap between today’s commercial models and what Mythos demonstrated is closing faster than most enterprise roadmaps account for. Enterprises setting their AI architecture now are not just solving 2025’s problem. They’re inheriting 2027’s attack surface.

Dunning-Kruger Walks Into an IT Meeting

Here’s the part that should concern enterprise leaders the most.

In 2025, researchers at Finland’s Aalto University ran a study on how AI tools affect self-assessment. Roughly 500 participants completed difficult reasoning tasks — half with AI tools, half without — then rated their own performance. The expected result was that novices would be most overconfident, consistent with decades of Dunning-Kruger research.

That’s not what happened.

With AI tools, everyone overestimated their performance. And the most overconfident group wasn’t the novices — it was the participants with the highest AI literacy. The people who had succeeded most with these tools were the most likely to overestimate what they could do with them.

This maps directly onto the enterprise AI buildout. The team that shipped a working prototype has real evidence they can build. That evidence doesn’t tell them anything about what they can’t see. The enterprise that has successfully deployed an AI assistant, automated a reporting workflow, and connected three data sources has every reason to believe they understand the risk landscape. The Aalto research says that confidence is precisely what makes them the most exposed.

The organizations building the most ambitious DIY AI stacks today are not building for the threat landscape of 2027. They’re building for the one they understand — which is largely the threat landscape of two years ago. They’re solving for data consolidation and workflow automation. They’re not solving for what happens when their agentic layer is capable enough to reason about its own constraints.

The Architecture Is the Risk

The question isn’t whether to use agentic AI. It’s what kind of infrastructure you’re building it on, and how many doors you’re leaving open.

Every connection an agent has today is a connection you’ll need to defend when the models get more capable. That timeline is already moving. The organizations that navigate this well won’t be the ones that moved fastest. They’ll be the ones that built the fewest doors — and knew exactly where every door was.

Sandboxing in the age of AI agents is essential, but not all sandboxes built for the same purpose. This is not the time to vibe-code your AI security infrastructure.

Data sources: Anthropic system card for Claude Mythos Preview; Ona security research (March 2026); Cymulate Research Labs sandbox escape analysis; PromptArmor prompt injection disclosure (January 2026); Aalto University AI self-assessment study (2025); Anthropic engineering documentation on Claude Code sandboxing.