The Balkanization of Execution-Security Research for AI Coding Agents: Isolation, Access Control, and Time-of-Check-to-Time-of-Use Vulnerabilities
Summary
A systematic review of 39 papers published between 2023 and 2026 addresses the "balkanization" of execution-security research for AI coding agents. These agents operate with limited human oversight, reading repositories, calling tools, and executing shell commands. The review categorizes the literature into 17 distinct areas, including sandbox isolation, capability and access control, policy enforcement, and time-of-check-to-time-of-use (TOCTOU) vulnerabilities. The analysis confirms four disclosed and patched CVEs affecting production agent harnesses. Five cross-cutting gaps are identified: lack of shared benchmarks for isolation architectures, policy enforcement studies not re-evaluating defenses under adversarial settings, separate analysis of TOCTOU and Model Context Protocol (MCP) threats despite shared state-validation issues, unaddressed policy-authoring errors, and neglect of benign but out-of-scope agent actions (up to 17.1%) in access-control research. This work aims to consolidate the fragmented field and proposes a research agenda for these gaps.
Key takeaway
For AI Security Engineers developing or deploying AI coding agents, you must recognize the fragmented state of execution security research. Your current isolation and access control mechanisms likely have unaddressed vulnerabilities, including policy authoring errors and benign out-of-scope actions occurring at rates up to 17.1%. You should prioritize evaluating your defenses against adversarial policy settings and consider TOCTOU and Model Context Protocol threats as unified state-validation problems.
Key insights
Execution security research for AI coding agents is fragmented, revealing five critical, unaddressed gaps.
Principles
- Isolation and capability models lack shared benchmarks.
- Policy enforcement failure rates range from 69% to 98%.
- TOCTOU and MCP threats are instances of state-validation.
Method
The paper systematizes 39 papers (2023-2026) into 17 categories, verifying each against its source and confirming four CVEs, then identifies five cross-cutting gaps.
Topics
- AI Coding Agents
- Execution Security
- Sandbox Isolation
- Access Control
- TOCTOU Vulnerabilities
- Policy Enforcement
- CVEs
Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Scientist, AI Security Engineer, Research Scientist
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence.