Engineering

Every AI Platform Lets Agents Run Code. Only One Lets Admins Approve It.

Code execution for AI agents is becoming commodity. The differentiator isn't whether your agents can run code. It's who decides what code they run.

JieGou Team · 4 min read

AI agents can now run code. Anthropic ships a sandbox runtime. OpenAI Codex offers isolated worktrees. E2B and Modal provide dedicated sandbox infrastructure. Code execution for AI agents is everywhere.

But here’s the question no one is asking: who approves the code your AI agents run?

The risk surface

When an AI agent executes code, it can:

  • Access data it shouldn’t have access to
  • Consume resources beyond what’s reasonable (CPU, memory, network)
  • Produce side effects that affect production systems
  • Exfiltrate information through network calls or output channels
  • Violate compliance requirements by processing regulated data in unapproved ways

In a developer’s sandbox, these risks are manageable. In an enterprise production environment with regulated data, customer PII, and compliance obligations? They’re dealbreakers.

How competitors handle code execution

Anthropic’s sandbox runtime

Anthropic offers a sandbox runtime in beta — filesystem and network isolation without container overhead. It’s designed for developer workflows: run code, see results, iterate. There are no admin approval gates. The developer running the sandbox is the one who decides what code runs.

OpenAI Codex

OpenAI Codex provides parallel agents with isolated worktrees and reviewable diffs. It’s a developer tool for code generation and review. The isolation is at the worktree level — each agent gets its own working directory. There are no enterprise admin approval workflows.

E2B, Modal, and sandbox providers

E2B, Modal, and similar services provide generic sandboxed execution environments. They’re infrastructure, not governance. They isolate code execution from the host system, but they don’t provide any mechanism for approving what code runs in the first place.

The governance gap

All of these solutions answer the question: “How do we safely execute code?” None of them answer the harder question: “Who decides what code should be executed?”

In an enterprise context, the answer isn’t “the AI agent decides” or “the developer decides.” It’s “the admin decides.” The person responsible for compliance, security, and operational risk needs to:

  1. Review what code templates are available to AI agents
  2. Approve new code templates before agents can use them
  3. Audit every code execution with full input/output logging
  4. Limit resource consumption (CPU time, memory, output size)
  5. Revoke approval if a code template causes issues

JieGou’s approach: Governed Code Execution

JieGou’s Code Step treats code execution as a governed workflow step, not a developer sandbox. Here’s how it works:

Admin code approval

Before any AI agent can execute a code template, an admin must approve it. The code template is reviewed, tested, and then added to the approved palette. Agents can only select from approved templates — they cannot write and execute arbitrary code.

V8 sandbox with resource limits

Code runs in a V8 isolate with configurable limits:

  • CPU time: Maximum execution time (default: 5 seconds)
  • Memory: Maximum heap size (default: 128 MB)
  • Output size: Maximum output payload

If a code template exceeds any limit, execution is terminated immediately.

Audit logging

Every code execution is logged with:

  • Who approved the code template
  • What inputs were provided
  • What output was produced
  • How long execution took
  • How much memory was consumed

This creates a complete audit trail for compliance review.

Governance integration

The Code Step fits into JieGou’s 10-layer governance stack. It respects:

  • Graduated Autonomy: In “supervised” mode, code steps require per-execution approval
  • RBAC: Only users with appropriate permissions can create or approve code templates
  • Department scoping: Code templates can be scoped to specific departments

Who this matters to

If you’re a CISO or compliance officer being asked to approve AI agent code execution in your organization, ask your platform vendor these questions:

  1. Can I review and approve code templates before agents use them?
  2. Are code executions logged with full input/output audit trails?
  3. Can I set resource limits on code execution?
  4. Can I revoke approval for a code template?
  5. Does the code execution integrate with my existing governance framework?

If the answer to any of these is “no,” you don’t have governed code execution. You have a developer sandbox that someone is trying to put in production.

The bottom line

The question isn’t whether your AI agents can run code. Every platform offers that now. The question is who decides what code they run — and whether you have the governance controls to make that decision responsibly.

Learn more about JieGou’s governance stack or take the Governance Assessment to see how your current setup compares.
