Agent Execution Modes
Where the agent process runs relative to the Lens Agents sandbox determines the governance scope. The sandbox technology, policy engine, credential isolation, and audit trail are identical in both modes — what differs is how much of the agent's behavior sits inside the trust boundary.
Mode 1: Agent runs outside the sandbox
The agent runs on a user's laptop or in another cloud. It connects to Lens Agents via MCP to use tools and reach enterprise systems. Every tool call — shell commands, kubectl, aws, gh, HTTP requests, subprocess agents — executes inside a shell sandbox that Lens Agents provisions on demand. Credentials are injected by the platform; the agent never receives them.
What's governed: tool execution, system access, credentials, and the audit trail. Everything the agent reaches for lands inside the shell sandbox with full policy enforcement.
What's not governed: the agent process itself. Between tool calls the agent runs in its own environment — Lens Agents has no visibility into what it's doing there.
Used by: desktop AI tools (Claude Desktop, ChatGPT, Copilot, Cursor) and external agents.
Mode 2: Agent runs inside the sandbox
The agent process itself runs inside an agent sandbox, typically packaged as part of a custom container image alongside the agent. The sandbox wraps the agent after privilege drop and network enforcement, so everything the agent does is governed — not just its tool calls.
What's governed: everything — code execution, network access, filesystem, credentials, and all interactions with external systems.
Used by: managed agents, local CLI execution, and platform-hosted sandboxes for external agents.
Comparison
| | Mode 1 (outside sandbox) | Mode 2 (inside sandbox) |
|---|---|---|
| Agent execution | Outside Lens Agents | Inside Lens Agents sandbox |
| Tool execution | Inside sandbox | Inside sandbox |
| Network isolation | Tool calls only | Entire agent |
| Credential isolation | Tool calls only | Entire agent |
| Agent can access host | Yes (its own environment) | No (sandbox isolation) |
| Trust model | Trust the agent, govern its tools | Don't trust the agent, govern everything |
| Audit coverage | Tool calls and system access | All agent activity |
Both modes share the same sandbox technology, policy engine, credential isolation, and audit trail for governed actions. Mode 2 extends governance to the agent itself.
Related
- Sandbox isolation — how the sandbox enforces boundaries
- How Lens Agents works — architecture and request flow
- Security model — trust boundaries and threat model