Search papers, labs, and topics across Lattice.
This paper systematically reviews 39 recent studies on execution security for AI coding agents, categorizing them into 17 distinct areas while highlighting critical gaps in the literature. It reveals that many studies fail to evaluate isolation architectures against shared benchmarks and overlook significant vulnerabilities such as time-of-check-to-time-of-use (TOCTOU) and Model Context Protocol (MCP) threats, which are often treated separately despite their interrelated nature. The authors propose a research agenda to address these gaps, emphasizing the need for a more cohesive approach to execution security in AI systems.
A staggering 69% to 98% failure rate in real denylist policy enforcement highlights a critical vulnerability in AI coding agents that remains largely unaddressed.
AI coding agents now read repositories, call tools, and execute shell commands with limited human oversight, and a fast-growing body of work studies whether the execution layer around them is actually safe. That literature is scattered. Papers on sandbox isolation, capability and access control, policy enforcement, time-of-check-to-time-of-use (TOCTOU) races, Model Context Protocol (MCP) threats, identity delegation, execution provenance, network egress control, and static analysis of agent-generated code are published independently and rarely cite one another. We systematize 39 papers published between 2023 and 2026 into 17 categories, each verified directly against its source. The same verification protocol also confirms four disclosed, patched CVEs directly affecting production agent harnesses. Reading across categories surfaces five cross-cutting gaps that no single paper addresses. (1) Isolation architectures and capability models are almost never evaluated against one another on a shared benchmark. (2) Policy-enforcement studies report failure rates from 69% to 98% of real denylists, yet no isolation paper re-evaluates its own defense under that adversarial setting. (3) TOCTOU and MCP threats are analyzed as separate literatures despite both being instances of the same state-validation problem. (4) Every enforcement mechanism assumes an honest policy author, leaving policy-authoring error itself unaddressed. (5) Benign but out-of-scope agent actions occurring at rates up to 17.1% under realistic prompting are addressed by no access-control or capability paper in the corpus. Existing broader surveys of agentic AI security discuss sandboxing only as one item among many defenses, leaving execution security without a dedicated systematization. This paper is written to fill that gap. We conclude with a research agenda directed at the five gaps.