For agents executing AI-generated or untrusted code, the 2026 baseline is a Firecracker microVM (via managed providers like Vercel Sandbox or E2B), because Docker's shared kernel is insufficient isolation; relax to gVisor or containers only when the threat model allows. Pair it with non-root execution, network egress filtering, read-only mounts, and strict per-task timeouts. For credentials, issue temporary scoped tokens per task and separate read-only from write access, so a compromised run can't reuse keys or exceed its blast radius.