Quick answer

An AI sandbox is an isolated computing environment where AI agents can take actions without touching your real data, files, or accounts. OpenAI Operator runs in OpenAI's cloud sandbox. Anthropic Computer Use runs in a Docker container you set up yourself. Sandboxes are the reason "let AI control my computer" doesn't mean "let AI delete my computer."

When AI agents move from "answer questions" to "click buttons on your behalf," safety stops being theoretical. An agent that can read your screen and click your mouse can also delete your files, send terrible emails, and buy things you didn't want. The answer the industry has converged on is sandboxing.

Three kinds of AI sandbox

  • Cloud sandbox: a virtual browser/desktop running in the provider's cloud, with no access to your local machine. OpenAI Operator uses this.
  • Container sandbox: a Docker container on your machine with restricted file/network access. Anthropic Computer Use ships an opinionated container.
  • Process sandbox: the agent runs as a sub-process with reduced OS permissions. Used by Browser-Use and some open agents.

What sandboxes actually protect against

  • Accidental data deletion (agent decides to "clean up" your Downloads folder)
  • Credential theft (agent reads your keychain or stored passwords)
  • Unauthorised purchases (agent fills out and submits a credit card form)
  • Lateral movement (agent uses your machine to attack your network)
  • Privacy leaks (agent uploads your screenshots to its own server)

What sandboxes don't protect against

  • Phishing inside the sandbox (the agent can still fall for fake login pages)
  • Wrong-but-not-malicious actions (booking the wrong flight in the sandbox is still a real booking)
  • Exfiltration through the agent's own output channel (whatever it sees on screen can end up in its transcript or logs, which the sandbox does not govern)
  • You giving it credentials voluntarily (sandboxes won't save you from yourself)

How to set one up

For Operator: nothing — OpenAI runs the sandbox for you. For Computer Use: clone Anthropic's reference Docker container, build it, run with port forwarding. For Browser-Use: install with Playwright, run with the default isolation settings. Most open agent frameworks ship sane defaults — use them.

Never run an AI agent with your real OS user account. Always run it in a sandbox, a container, or at minimum a separate user account with restricted permissions. The cost of "I forgot to sandbox it" is high.
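As an added example that is not from this article or from OpenAI's or Anthropic's own tooling, the script below shows what "a Docker container with restricted file/network access" (the container sandbox described above) looks like as concrete `docker run` flags, plus the mount check that keeps your real files and credentials out of it. The image tag `my-agent:latest`, the scratch path `/srv/agent-scratch`, port 8080 and uid 1000 are assumptions; adapt them to the agent image you build from the reference container.

```shell
#!/bin/sh
# Added example, not code from the original article or from OpenAI/Anthropic:
# launch an AI agent inside a hardened Docker container sandbox.
# Assumptions: the agent image runs as uid 1000, needs write access only under
# /workspace, and serves its UI on $AGENT_PORT. Image tag and paths are placeholders.

AGENT_IMAGE="${AGENT_IMAGE:-my-agent:latest}"        # assumed image tag
SCRATCH_ROOT="${SCRATCH_ROOT:-/srv/agent-scratch}"  # the only host path the agent may see
AGENT_PORT="${AGENT_PORT:-8080}"                    # assumed UI port
AGENT_NETWORK="${AGENT_NETWORK:-none}"              # "none" = no network; a browsing agent needs a bridge

# Allowlist check for bind mounts: a host path is mountable only if it is the
# scratch root or lives beneath it. This is what keeps $HOME, ~/.ssh, keychains
# and the rest of the real filesystem out of the agent's reach.
# Returns 0 if the path may be mounted, 1 otherwise.
validate_mount() {
    path="$1"
    # Reject ".." components so /srv/agent-scratch/../root cannot slip past the prefix check.
    case "$path" in
        */../* | */.. | ../* | ..) return 1 ;;
    esac
    case "$path" in
        "$SCRATCH_ROOT" | "$SCRATCH_ROOT"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Compose the `docker run` flags. Each flag maps to a threat from the article:
#   --read-only + tmpfs              the image filesystem cannot be deleted or tampered with
#   --cap-drop=ALL                   no raw sockets, mounts or ptrace: limits lateral movement
#   --security-opt=no-new-privileges setuid binaries cannot escalate
#   --user 1000:1000                 not root inside the container
#   --pids-limit / --memory          a runaway agent cannot exhaust the host
#   --network none                   nowhere to upload screenshots to (or a dedicated bridge for browsing)
#   --volume scratch only            credentials and personal files are never mounted
# Prints the flags on one line so they can be reviewed before anything runs.
sandbox_run_args() {
    image="$1"; scratch="$2"; port="$3"; net="${4:-none}"
    set -- --rm --read-only \
        --tmpfs /tmp:rw,noexec,nosuid,size=256m \
        --cap-drop=ALL \
        --security-opt=no-new-privileges \
        --user 1000:1000 \
        --pids-limit 256 \
        --memory 2g \
        --network "$net"
    # Port publishing is incompatible with --network none, so only add it
    # when the container actually has a network, and bind to loopback only.
    if [ "$net" != none ]; then
        set -- "$@" --publish "127.0.0.1:$port:$port"
    fi
    set -- "$@" --volume "$scratch:/workspace:rw" "$image"
    printf '%s\n' "$*"
}

# Validate the mount, create the scratch directory, then start the container.
run_agent() {
    scratch="${1:-$SCRATCH_ROOT/run-$$}"
    if ! validate_mount "$scratch"; then
        echo "refusing to mount $scratch: outside $SCRATCH_ROOT" >&2
        return 1
    fi
    mkdir -p "$scratch" || return 1
    chown 1000:1000 "$scratch" 2>/dev/null || true   # container uid must be able to write here
    # shellcheck disable=SC2046   # word splitting is intended (paths without spaces assumed)
    docker run $(sandbox_run_args "$AGENT_IMAGE" "$scratch" "$AGENT_PORT" "$AGENT_NETWORK")
}

# Invoke as:  sh sandbox.sh run [/srv/agent-scratch/job42]
if [ "${1:-}" = run ]; then
    shift
    run_agent "$@"
fi
```

Review the printed flags before pointing this at a real image: `--read-only` and `--cap-drop=ALL` will break an image that expects to write outside `/workspace` or to run as root, which is exactly the point. Start with `--network none` while testing; give a browsing agent a dedicated bridge network rather than the host's, and publish its UI port only on loopback as the script does.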

Bottom line

AI sandboxes are the missing safety layer that finally makes agentic AI usable. If you build with Operator, Computer Use, or any other "AI controls a computer" tool, the sandbox model is non-negotiable. Don't deploy agents without one.