
Revolutionizing AI Development: Microsoft’s MXC OS Sandbox with OpenAI and Nvidia Partnership


For the past two years, the technology industry has raced to make AI agents more capable — teaching them to write code, navigate software interfaces, manage files, and orchestrate multi-step workflows with increasing autonomy. What the industry has not done, at least not with any consistency, is answer the question that keeps chief information security officers awake at night: what happens when an agent goes wrong?

On Tuesday at its annual Build developer conference, Microsoft offered what may become the definitive answer. The company introduced Microsoft Execution Containers, or MXC — a policy-driven execution layer, built into the Windows operating system itself, that lets developers and IT administrators declare exactly what an AI agent can and cannot access, with those boundaries enforced at runtime by the OS kernel.

The announcement, buried within a sweeping set of developer-focused updates, is arguably the most consequential platform move Microsoft made at Build this year, and it has the potential to reshape how every enterprise on Earth thinks about deploying autonomous AI software.

MXC is not a product you buy. It is an SDK and a policy model — a foundational primitive embedded in Windows and the Windows Subsystem for Linux — that provides what Microsoft calls a "composable sandbox spectrum." That spectrum ranges from lightweight process isolation, already adopted by GitHub Copilot’s command-line interface, all the way up to micro-virtual machines, Linux containers, and full cloud instances running on Windows 365.

The system separates an agent’s execution from the user’s desktop, clipboard, user interface, and input devices. Critically, it binds every agent to a strong identity — either a local ID or a cloud-provisioned identity backed by Microsoft Entra — so that every action the agent takes can be attributed, audited, and governed.

The implications are enormous. Until now, the enterprise deployment of AI agents has been stuck in a paradox: the more autonomous and useful an agent becomes, the more dangerous it is to let it operate on a corporate network without guardrails. MXC is Microsoft’s attempt to break that paradox — not by making agents less capable, but by making the environment they operate in fundamentally more controlled.

Why every autonomous AI agent is a security incident waiting to happen

To understand why MXC matters, consider what an AI agent actually does when it runs on your computer. Unlike a traditional application, which operates within well-understood boundaries — a word processor reads and writes documents, a browser fetches web pages — an AI agent is, by design, unpredictable. It receives a goal in natural language, reasons about how to achieve it, and then takes actions: opening files, executing code, calling APIs, browsing the web, interacting with other software. Each of those interactions creates what security professionals call "attack surface."


Microsoft’s own blog post framed the challenge in stark terms. The company wrote that "as agents become more capable and autonomous, they’re delivering material productivity gains. But they’re also introducing new risk, and the issue isn’t just the agent. It’s the entire system the agent operates across." Every interaction between agents and humans, tools, applications, models, and other agents "exposes new attack surface and introduces different failure modes." Microsoft characterized this as "a multi-layer systems problem."

This is not a theoretical concern. In the months leading up to Build, security researchers demonstrated numerous ways that AI agents could be manipulated — through prompt injection, through malicious tool calls, through data exfiltration disguised as normal workflow. For enterprises that handle sensitive data, proprietary models, and regulated information, the absence of a trusted execution environment has been the single biggest barrier to moving agents from demo to deployment.

Microsoft’s answer is a sandbox that scales from a single process to a full virtual machine

MXC operates on a deceptively simple principle: declare what the agent can do before it runs, and let the operating system enforce those declarations at runtime. A developer or an IT administrator writes a policy that specifies which files, directories, and network resources an agent is allowed to access. MXC then creates a contained execution environment — a sandbox — that enforces those boundaries regardless of what the agent attempts to do.

What makes MXC unusual, and potentially very powerful, is the breadth of its isolation options. Microsoft designed the system so that a single SDK and policy model can map to the appropriate isolation construct for any given workload. For a lightweight coding assistant that just needs to read the current project directory, fast process isolation may be sufficient. For an autonomous agent that executes arbitrary code downloaded from the internet, a full micro-VM may be required. The system is designed to be "dynamically composable based on intent and risk," meaning that the level of isolation can be adjusted based on what the agent is actually doing, not just what category it falls into.

Session isolation is a particularly important feature. MXC separates the agent’s execution from the user’s desktop, clipboard, UI, and input devices. This directly mitigates several classes of attacks that security researchers have identified as particularly dangerous for AI agents: UI spoofing, where an agent manipulates what the user sees to trick them into approving a malicious action; input injection, where an agent sends keystrokes or mouse clicks to other applications; and cross-session data leakage, where information from one user’s session bleeds into another.

A live demo showed an AI agent trying to delete files — and failing, because the OS wouldn’t let it

During a pre-briefing with VentureBeat the night before the announcement, a Microsoft developer offered a vivid demonstration of the technology in action. He had set up the open-source agent framework OpenClaw running inside MXC’s sandbox on his personal development machine. He then instructed the agent to delete all the files on his desktop. The agent attempted to comply — but the sandbox prevented it. "If you look at my desktop here, you see how clean my desktop is," the developer said during the demo. "That’s a lie." The files, he explained, were completely safe because "the container won’t allow it."


The demonstration went further, showcasing the granularity of MXC’s controls. Users can designate specific files as read-only for the agent, limit access to the browser and to screen capture, decide whether the agent can access location data, and have all of these permissions managed centrally by an enterprise IT department through Intune policies. The agent operates behind a one-way mirror: it can only act within the boundaries set by its policy and cannot interact with anything outside them.
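To make the declare-before-run, enforce-at-runtime model from the two sections above concrete, here is an added illustration (not MXC’s SDK or policy format, which the article does not show): a hypothetical policy evaluator that records every decision against the agent’s identity, keeps read-only roots unwritable, denies anything the policy never declared, and normalises paths so a traversal cannot escape an allowed directory. The identity string, paths and host are constructed for the scenario.

```python
import posixpath
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AgentPolicy:
    # Boundaries declared before the agent runs; the sandbox checks them on every action.
    agent_id: str                 # strong identity every action is attributed to
    read_roots: tuple = ()        # directories the agent may only read
    write_roots: tuple = ()       # directories the agent may read, modify or delete
    allowed_hosts: tuple = ()     # network hosts the agent may reach
    screen_capture: bool = False  # whether screen capture is permitted at all


@dataclass
class Sandbox:
    policy: AgentPolicy
    audit: list = field(default_factory=list)  # (agent_id, action, target, decision)

    @staticmethod
    def _under(path: str, roots: tuple) -> bool:
        # Normalise first so "demo/../../Desktop/x" cannot escape an allowed root.
        norm = posixpath.normpath(path)
        return any(norm == r or norm.startswith(r.rstrip("/") + "/") for r in roots)

    def authorize(self, action: str, target: str = "") -> bool:
        p = self.policy
        if action == "read":
            ok = self._under(target, p.read_roots + p.write_roots)
        elif action in ("write", "delete"):
            ok = self._under(target, p.write_roots)  # read-only roots stay unwritable
        elif action == "connect":
            ok = target in p.allowed_hosts
        elif action == "screen_capture":
            ok = p.screen_capture
        else:
            ok = False  # anything the policy never declared is denied
        self.audit.append((p.agent_id, action, target, "allow" if ok else "deny"))
        return ok


def run_demo() -> list:
    # Constructed scenario modelled on the article's demo: the agent may edit its project,
    # read (not modify) a shared folder, and reach one host; the desktop is never declared.
    policy = AgentPolicy(
        agent_id="agent://openclaw-dev-01",  # hypothetical identity string
        read_roots=("/home/dev/Shared",),
        write_roots=("/home/dev/Projects/demo",),
        allowed_hosts=("api.example.com",),
    )
    sb = Sandbox(policy)
    sb.authorize("write", "/home/dev/Projects/demo/main.py")                      # allow
    sb.authorize("delete", "/home/dev/Desktop/report.docx")                       # deny
    sb.authorize("delete", "/home/dev/Projects/demo/../../Desktop/report.docx")   # deny
    sb.authorize("write", "/home/dev/Shared/policy.md")                           # deny
    sb.authorize("screen_capture")                                                # deny
    sb.authorize("connect", "api.example.com")                                    # allow
    return sb.audit
```

The audit list is what a central console would ingest: each entry carries the agent identity, so denied attempts are attributable rather than anonymous.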

Pavan Davuluri, Microsoft’s Executive Vice President for Windows and Devices, highlighted the importance of security, containment, isolation, and user control in making AI agents commercially viable. He emphasized that these capabilities are not exclusive to OpenClaw and are essential for any agent operating on a Windows device. In his view, the primitives the operating system already provides for security, containment, isolation, and user control are what make agents safe for both consumers and corporate environments.

The integration of MXC with Microsoft’s enterprise security stack, known as Agent 365, is a significant development for corporate IT departments. Agent 365 incorporates Microsoft’s Entra identity service and Intune device management platform on top of MXC, allowing IT administrators to centrally manage agent containment while developers can choose the level of isolation required for their workload. This integration also includes Microsoft Defender for threat protection, Entra for identity and access management, Intune for enforcing device-level policies, and Microsoft Purview for extending data governance and compliance capabilities to agent activity.

Partners such as OpenAI, Nvidia, Manus, and Nous Research are already building on MXC, highlighting the range of uses for the technology. OpenAI is exploring new patterns for AI agents to generate and execute code safely, while Nvidia is bringing its OpenShell framework for autonomous agents to Windows, built on MXC. Manus and Nous Research are also integrating MXC so that developers can define and enforce boundaries on agent access in enterprise environments.

The collaboration with OpenClaw underscores the significance of MXC as a platform for AI safety on Windows. Microsoft developers have contributed to the OpenClaw Windows companion app, demonstrating the capabilities of MXC in securely containing agents with broad autonomy. The companion app showcases the comprehensive enterprise controls offered by MXC, including file permissions, network access, screen capture restrictions, and location data management through Intune policies. Microsoft has donated the project to OpenClaw as open source and plans to continue supporting it.


The Power of Microsoft’s MXC for AI Agents on Windows

During a recent briefing, a member of the Windows leadership team expressed enthusiasm for the openness of Windows, stating that “All agents, all comers, everyone is welcome on Windows.” This sentiment underscores Microsoft’s commitment to providing a platform that is not only accessible but also optimized for running AI agents effectively. The operating system itself was described as the solid base of that pyramid.

Microsoft’s Strategic Edge with MXC

The introduction of Microsoft’s MXC technology comes at a pivotal moment in the tech industry, where AI agents are emerging as a significant category of software. Companies are racing to develop these agents, but the infrastructure needed for secure deployment in enterprise settings is lacking. Microsoft’s approach stands out by integrating containment measures directly into the Windows operating system, rather than relying on external frameworks or security products.

This architectural decision ensures that security measures remain consistent regardless of the specific agent, model, or framework being used. By embedding containment within Windows, Microsoft enables seamless adoption of AI agents on existing devices managed through Intune and secured with Defender. This approach contrasts with Apple’s restrictive ecosystem and Google’s centralized cloud security model.

For enterprises with diverse toolchains and AI providers, Microsoft’s strategy offers practicality and flexibility. With industry players like OpenAI, Nvidia, and independent agent frameworks leveraging MXC, Windows is positioned as a trusted platform for running AI agents.

Challenges and Opportunities with MXC

While MXC is currently available for early preview, the true test will come when enterprises deploy agents at scale. The effectiveness of containment policies will be crucial, requiring a new level of organizational sophistication. Developing and implementing these policies for complex environments will be a significant challenge.

Microsoft’s proposal for kernel-level containment of AI software represents a groundbreaking step in the industry. By focusing on governance and security at the operating system level, Microsoft is addressing a critical need for responsible AI deployment. The technology is promising, but the real challenge lies in developing and enforcing effective policies for AI agents.

In conclusion, Microsoft’s MXC technology showcases the company’s commitment to innovation and security in the AI space. By integrating containment measures into Windows, Microsoft is paving the way for a new era of AI deployment. The industry may have mastered teaching agents to act, but Microsoft is now leading the charge in teaching operating systems to watch.
