Context Graph vs Agent Sandbox

Execution Isolation Is Not Decision Governance

AI agent sandboxes are becoming standard infrastructure. Managed agents run in controlled environments with isolated files, browser access, tool execution, credentials, and network rules.

That is progress. It is also easy to misread. A sandbox protects the runtime from agent behavior. A context graph protects the business from invalid agent decisions.

The distinction is simple: a sandbox answers where an agent can run. A context graph answers whether the proposed action is valid before it reaches the real world.

Sandbox protects the machine. Decision boundary protects the business.

The Core Difference

A sandbox is an execution boundary. It constrains the process. It can prevent tenant escape, unsafe filesystem access, uncontrolled network calls, and host-level damage.

A context graph is a decision boundary. It evaluates the proposed action against structured context: scope, policy, temporal validity, applicability, provenance, and prior decision traces.

| Layer | Question | Protects | Does not solve | Artifact |
|---|---|---|---|---|
| Agent sandbox | Can this agent run safely here? | Machine, tenant, filesystem, network, process boundary | Business validity, applicability, decision scope, policy version | Execution log |
| Context graph | Is this proposed action valid now? | Customer, contract, policy, data scope, regulated workflow | Host-level isolation and process containment | Causal decision trace |

Why Sandboxes Still Fail Business Logic

Refund approval

A support agent can run in a sandbox and call only the approved refund API. It can still approve a refund outside the return window, after entitlement changed, or under a regional exception that does not apply to the customer.

KYC screening

A financial agent can access sanctioned-party data and beneficial ownership records safely. The harder question is which jurisdiction, policy version, threshold, and source authority govern this decision right now.

CRM account changes

A revenue agent can update Salesforce from a constrained runtime. It can still assign the wrong owner, expose a scoped field, trigger renewal before legal review, or overwrite a superseded contract state.

The Four-Layer Agent Stack

Production agent architecture now has four distinct layers. Most teams are investing in transport, execution, and reasoning. The missing layer is decision governance.

| Layer | Function | Example primitive |
|---|---|---|
| Transport | Connect agents to tools and data | MCP, APIs, connectors |
| Execution | Run agents in controlled environments | Sandbox, worktree, browser, remote runtime |
| Decision | Validate the proposed action before execution | Decision context graph |
| Reasoning | Propose the next action | LLM, planner, agent harness |

The decision layer is where pre-execution enforcement lives. The agent proposes an action. The context graph checks whether the action is applicable, scoped, current, policy-compliant, and traceable. Only then does execution proceed.
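
A minimal sketch of such a pre-execution check for the refund case above, added here as an illustration and not taken from any product's code. The policy table, `RefundProposal`, `evaluate`, `gated_refund` and the `refund_api` callable are hypothetical names, and the policy values are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy records standing in for facts held in a context graph.
POLICIES = {
    "EU": {"version": "2024-03", "window_days": 30, "valid_from": date(2024, 3, 1)},
    "US": {"version": "2023-11", "window_days": 14, "valid_from": date(2023, 11, 1)},
}

@dataclass(frozen=True)
class RefundProposal:
    order_id: str
    customer_region: str
    purchased_on: date
    entitlement_active: bool
    cited_region: str    # policy region the agent reasoned from
    cited_version: str   # policy version the agent reasoned from

def evaluate(p, today):
    """Check a proposed refund against governing context; return a decision trace."""
    policy = POLICIES.get(p.customer_region)
    known = policy is not None
    checks = {
        # Does the policy the agent cited apply to this customer at all?
        "applicable": known and p.cited_region == p.customer_region,
        # Is the cited version the one in force today?
        "current": known and p.cited_version == policy["version"]
                   and policy["valid_from"] <= today,
        # Is the customer still entitled to a refund?
        "scoped": p.entitlement_active,
        # Is the purchase inside the governing return window?
        "in_window": known
                     and 0 <= (today - p.purchased_on).days <= policy["window_days"],
    }
    failed = sorted(name for name, ok in checks.items() if not ok)
    return {"order_id": p.order_id, "allowed": not failed, "failed": failed,
            "policy_version": policy["version"] if known else None,
            "evaluated_on": today.isoformat()}

def gated_refund(p, today, refund_api):
    """Call the refund API only if every check passes; always return the trace."""
    trace = evaluate(p, today)
    if trace["allowed"]:
        trace["result"] = refund_api(p.order_id)
    return trace
```

The denied path never reaches `refund_api`, and the returned trace records which checks failed and which policy version governed the decision.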

When You Need Both

Sandboxes and context graphs are complementary. A sandbox should contain the agent runtime. A context graph should govern the action that runtime is trying to take.

If the agent only drafts text for human review, a sandbox and audit log may be enough. If the agent mutates systems of record, sends external messages, approves transactions, changes customer state, or touches regulated workflows, the sandbox is not the control point. The decision boundary has to sit before execution.

That is why an accountable agent is not just an autonomous agent in a safer runtime. It is an agent whose actions are validated before they become real.

Related memo

A Sandbox Is Not a Decision Boundary

The memo that introduced this frame for managed agents, Codex enterprise deployments, and agent runtime sandboxes.


FAQ

Is an agent sandbox a governance layer?

No. It is an execution isolation layer. Governance requires validating whether a proposed action is authorized, applicable, current, and traceable before execution.

Can a context graph replace a sandbox?

No. A context graph does not isolate processes or protect the host environment. Production systems need both: sandbox for execution isolation, context graph for decision governance.

What is the shortest way to remember the distinction?

A sandbox protects the machine. A decision context graph protects the business.
