Docker sandboxes are a neat way to contain AI agents. It spins a dedicated microVM and its Docker daemon for each agent container together with a flexible egress proxy to go with it. I've spent some time reverse engineering it and it's an interesting piece of implementation.