NeFut Logo NeFut
Admin Login

[CS.AI] Fragmentation of Execution-Security Research for AI Coding Agents

Published at: 2026-07-09 22:00 Last updated: 2026-07-10 03:15
#AI #Research #Security

AI coding agents now read repositories, call tools, and execute shell commands with limited human oversight, leading to a growing body of work examining the safety of the execution layer around them. However, this literature is fragmented, with studies on sandbox isolation, capability and access control, policy enforcement, time-of-check-to-time-of-use (TOCTOU) races, Model Context Protocol (MCP) threats, identity delegation, execution provenance, network egress control, and static analysis of agent-generated code published independently and rarely citing one another.

We systematize 39 papers published between 2023 and 2026 into 17 categories, each verified directly against its source. The same verification protocol confirms four disclosed, patched CVEs directly affecting production agent harnesses. Reading across categories surfaces five cross-cutting gaps that no single paper addresses:

  1. Isolation architectures and capability models are almost never evaluated against one another on a shared benchmark.
  2. Policy-enforcement studies report failure rates from 69% to 98% of real denylists, yet no isolation paper re-evaluates its own defense under that adversarial setting.
  3. TOCTOU and MCP threats are analyzed as separate literatures despite both being instances of the same state-validation problem.
  4. Every enforcement mechanism assumes an honest policy author, leaving policy-authoring error itself unaddressed.
  5. Benign but out-of-scope agent actions occurring at rates up to 17.1% under realistic prompting are addressed by no access-control or capability paper in the corpus.

Existing broader surveys of agentic AI security discuss sandboxing only as one item among many defenses, leaving execution security without a dedicated systematization. This paper is written to fill that gap and concludes with a research agenda directed at the five gaps.

Blogger's Review: This paper provides an in-depth analysis of the fragmentation in AI coding agent execution security research, identifying critical gaps that have been overlooked. It calls for the academic community to address these issues to foster more systematic safety assessment methodologies.

Original Source: https://arxiv.org/abs/2607.05743

[h] Back to Home