The Balkanization of Execution-Security Research for AI Coding Agents: Isolation, Access Control, and Time-of-Check-to-Time-of-Use Vulnerabilities

· Source: Artificial Intelligence · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Software Development & Engineering · Depth: Expert, quick

Summary

A systematic review of 39 papers published between 2023 and 2026 addresses the "balkanization" of execution-security research for AI coding agents. These agents operate with limited human oversight, reading repositories, calling tools, and executing shell commands. The review categorizes the literature into 17 distinct areas, including sandbox isolation, capability and access control, policy enforcement, and time-of-check-to-time-of-use (TOCTOU) vulnerabilities. The analysis confirms four disclosed and patched CVEs affecting production agent harnesses. Five cross-cutting gaps are identified: lack of shared benchmarks for isolation architectures, policy enforcement studies not re-evaluating defenses under adversarial settings, separate analysis of TOCTOU and Model Context Protocol (MCP) threats despite shared state-validation issues, unaddressed policy-authoring errors, and neglect of benign but out-of-scope agent actions (up to 17.1%) in access-control research. This work aims to consolidate the fragmented field and proposes a research agenda for these gaps.

Key takeaway

For AI Security Engineers developing or deploying AI coding agents, you must recognize the fragmented state of execution security research. Your current isolation and access control mechanisms likely have unaddressed vulnerabilities, including policy authoring errors and benign out-of-scope actions occurring at rates up to 17.1%. You should prioritize evaluating your defenses against adversarial policy settings and consider TOCTOU and Model Context Protocol threats as unified state-validation problems.

Key insights

Execution security research for AI coding agents is fragmented, revealing five critical, unaddressed gaps.

Principles

Method

The paper systematizes 39 papers (2023-2026) into 17 categories, verifying each against its source and confirming four CVEs, then identifies five cross-cutting gaps.

Topics

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Scientist, AI Security Engineer, Research Scientist

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence.