Agents Don't Commute
The last post ended with a promise: the agents are coming to the laptop, and they will need a governed Linux waiting when they arrive. Ten days after Build, Microsoft published the guest list.
The Guest List Is Already Public
Agent 365’s registry exists to discover unmanaged local agents, more than twenty types of them, and the coding names are the ones already in your developers’ terminals: Claude Code, GitHub Copilot, Codex, OpenClaw. A vendor does not build a discovery tool for a problem that has not happened yet.
The agent vendors themselves agree. Anthropic, maker of one of the agents on that list, published Zero Trust for AI Agents, a manual for distrusting its own product class. When the people shipping the robot tell you to fence it, the fence is not paranoia. It is the spec.
So the fork from the last post sharpens. Institutions that built the paved road, the governed CI-built WSL distro, are about to get governed agents. Institutions that did not will get agents anyway, in the shadows, on personal API keys. What follows is a blueprint, not a warning, and the rule from last time carries over: no new control planes.
Eyes See Hands, Not Minds
The last post conceded that WSL visibility was eyes, not hands: the Defender plug-in and CrowdStrike’s WSL2 plugin can see into the distro but cannot act inside it. The agent inverts the problem. Now the eyes see hands and nothing else.
An agent working inside a developer’s WSL session is the developer’s process tree. Same user, same shell, same parentage. When it reads a thousand files, the sensor records the developer reading a thousand files. To be fair to the EDR, this is not a failure; the telemetry is doing exactly what it was built to do. Intent was never in scope.
The behavioral layer fares no better. UEBA baselines normal behavior for users, servers, devices, bots. Creatures of habit, all of them. An agent has no habits. It has instructions, and the instructions change with every prompt.
Picture the alert from the SOC’s side: a developer account starts reading four hundred files an hour at two in the morning. Breach, batch job, or coding agent doing exactly what it was asked that afternoon? The telemetry cannot say, and the developer is asleep. Anthropic’s guide names the condition precisely: without distinct identities, agents operate in an attribution gap. Detection assumes you can tell actors apart, and on today’s laptop you cannot. The layer that can hold is not detection. It is containment.
The Most Persuadable User on the Network
The threat model that matters is not a malicious agent. It is a credulous one. Agents do what text tells them, and the text comes from everywhere: READMEs, issue threads, package docs, pages fetched mid-task. A README is now an attack surface.
The research is past the speculative stage. The AIShellJack study drove agentic coding editors like GitHub Copilot and Cursor to execute attacker commands seeded through poisoned development resources, with success rates as high as 84 percent, mapped across MITRE ATT&CK techniques from credential theft to exfiltration. The IDEsaster research found more than thirty flaws and two dozen CVEs across the AI coding tools by chaining prompt injection with autonomous tool calls and legitimate IDE features. OWASP now maintains a Top 10 for agentic applications, the surest sign a threat class has gone industrial.
Anthropic’s guide calls sandboxing table stakes for any agent handling untrusted input. A coding agent handles almost nothing else. And when the persuaded agent acts, the previous section applies: the EDR sees the developer doing it.
Credentials Built for People Who Log Off
What the persuaded agent finds is the third problem. A developer environment accumulates ambient credentials: SSH keys, cloud profiles, tokens in dotfiles, all long-lived, all readable by anything running in the session. Anthropic’s sandboxing doctrine is blunt that filesystem and network isolation are each insufficient alone: without egress control, a compromised agent walks the SSH keys out; without filesystem control, it works around the network fence.
The zero-trust guide goes further: a credential that can be grepped out of a lockfile is no longer a legitimate posture at any maturity tier, and short-lived, narrowly scoped tokens issued by an identity provider are the new baseline. CI internalized this years ago with OIDC exchange: a token scoped to one job, dead when the job ends. The workstation never caught up. It still hands the robot the family keychain.
The OS Learned to Say No
Containment is where the story turned this month. At Build, Microsoft shipped MXC, hypervisor-backed, policy-driven sandboxing baked into Windows and WSL, and ran the demo I wrote about in the verdict: OpenClaw with its own safety layers disabled, told to wreck the desktop, blocked anyway by an OS boundary the agent cannot reach, let alone negotiate with.
Here is where that stands in June 2026. The SDK is in early preview, MIT-licensed, declaring read-only paths, writable workspaces, and network egress in a policy the host enforces. Process and session isolation are with Windows Insiders, shipping first to Windows 11 24H2 Enterprise and Pro. Intune can require MXC isolation by policy, and the Agent 365 integration that brings Defender, Entra, Intune, and Purview down onto the contained agent previews in July.
But primitives ship off by default. Containment you did not turn on is a press release, not a control. The OS learned to say no. Whether it ever does on your fleet is a property of your golden image and your Intune policy, not of Microsoft’s roadmap.
The v2 Image: From Paved Road to Workcell
Factories did not wait for safe robots. They built workcells: fences, light curtains, interlocks around the machine. Software is getting the safe robot and skipping the cell.
The blueprint is zero trust, the same doctrine examiners already accept for networks (NIST SP 800-207 is the spine of Anthropic’s guide), scoped down to one subsystem. The v1 distro from the last post is the floor. Five layers make it a workcell:
- MXC policy in the image. Workspace read-write, everything else read-only, declared in the artifact rather than in any config an agent can edit.
- Egress at a fence the agent cannot move. A proxy allowlist: model endpoints, package registries, source control. Nothing else resolves.
- A credential broker instead of dotfiles. Short-lived, narrowly scoped tokens on the CI pattern. Nothing grep-able, nothing that outlives the task.
- Provenance hooks. Sessions marked agent-driven at the source and emitted into the SOC plane the institution already runs. No new control planes, just new columns.
- Versioned like software. Built in CI, hashed, published, so
wsl --install bank-devships the workcell with the floor.
None of this is exotic. Every layer is a current vendor feature or a twenty-year-old pattern. The assembly is the work, and the assembly needs the same owner the penguin needed.

What I Cannot Promise You
The honest part, by series tradition. The WSL backend of MXC is the experimental leg of the stack, and Microsoft’s own repository warns that current policies may be overly permissive until general availability. July is a preview date, not a deployment date. The churn rule from the last post applies double: whoever owns this image absorbs a platform that moves monthly.
And containment does not close the attribution gap; it bounds it. The workcell limits what a persuaded agent can reach. It still cannot tell you which actions were the agent’s and which were the developer’s. That requires agent-native identity, the thread Microsoft is pulling with Entra-backed agent IDs, and it is not closed. Eyes still see hands. The robot is fenced, not named.
The Shadows Are Also Hiring
There is no version of next year in which the agents do not arrive. There is only the version in which you cannot see them. The unowned gap fills the way it filled before, with workarounds and personal API keys, except this occupant types at machine speed and believes what it reads.
The cheapest control is still the paved road, and for an agent the paved road is a runtime: governed, versioned, waiting. The penguin needed an owner. The robot needs a workcell. They are the same yes, owned by the same person. The question that remains open is who the agent is when it acts, and that identity thread is where this story goes next.
If this resonated, the companion read is WSL Is Not Optional, which builds the paved road this post fences in.
If you are assembling an agent workcell at your institution, especially if you have solved session provenance better than new columns in old logs, I want to hear it. Find me on X @orestesgarcia or LinkedIn /in/setsero.