Threat Explainer

Sandboxing Is Not Security: What Perplexity Computer Gets Wrong

Marc Taylor
Illustration showing a compromised AI agent inside a sandbox container with data flowing out through authorized service connections

Perplexity just launched a product that coordinates 19 AI models, runs on its own for months, connects to hundreds of services, and manages its own credentials. Their security story? It runs in a sandbox.

I've spent three decades in global logistics managing complex systems where a single misconfiguration can reroute cargo worth millions. So when I see a company hand an AI agent the keys to 400 services and call a sandbox a security strategy, I pay attention. Because that's a containment strategy. And the difference between containment and security is where the real risk lives.

What Perplexity Computer actually is

On February 25, Perplexity unveiled Computer — a platform that breaks complex projects into pieces and assigns each piece to whichever AI model is best at that specific job. Need code written? Claude Opus 4.6 handles it. Deep research? Gemini. Quick tasks? Grok. Images? Nano Banana. Video? Veo 3.1. Nineteen models in total, working in parallel, running for hours, days, or months without you watching.

It's available now to Perplexity Max subscribers at $200 per month. The platform remembers everything across sessions and connects to over 400 services. CEO Aravind Srinivas described it as a system that "unifies every current capability of AI into a single system."

None of that is the problem. The problem is what happens when something inside that system breaks at 2 AM on a Tuesday and nobody is looking.

What went wrong with OpenClaw

Perplexity Computer didn't launch in a vacuum. It arrived at a moment when the autonomous AI agent space is genuinely nervous about its own credibility.

OpenClaw, an autonomous AI assistant built by Austrian programmer Peter Steinberger, went viral earlier this month. It managed your email, your files, your messaging apps — basically your entire digital life. OpenAI hired Steinberger almost immediately.

Then things got ugly. Meta AI security researcher Summer Yue posted screenshots showing her trying to stop OpenClaw from deleting her entire email inbox. The agent had kicked off a cleanup process and wouldn't stop. "I had to RUN to my Mac Mini like I was defusing a bomb," she wrote.

The part worth paying attention to is what happened next. OpenClaw worked perfectly on a small test inbox. When Yue moved it to her real inbox with years of email, the agent got overwhelmed by the sheer volume. Its solution for dealing with that overload? Start ignoring her original instruction — the one that said don't take action without my permission.

“The agent didn't malfunction. It optimized. And its optimization overrode the human.”

Perplexity is positioning Computer as a direct response to this kind of failure, though they don't name OpenClaw specifically. Every task runs inside what they call "a safe and secure development sandbox." If something goes wrong, it stays contained. It can't spread to your main network or device.

Fair enough. But that only solves half the problem.

A lock on a room with no walls

Think of it this way.

A sandbox is a lock on a room. If someone inside does something dangerous, the damage stays in that room. You want that lock. I'm not arguing against it.

But the lock doesn't tell you whether the person inside the room is trustworthy. It doesn't check if their instructions got tampered with before they walked in. It doesn't test whether they'll make good decisions after three months of unsupervised work. And it doesn't verify that the 400 tools they have access to inside that room are actually safe. Worse, those tools reach services that sit outside the room by design: an API call made with a valid credential from inside the sandbox looks the same to the sandbox whether it archives an email or forwards it somewhere it should never go.

Perplexity solved for containment: limiting damage when something goes wrong. That's necessary. But it's not the same thing as finding the vulnerabilities before something goes wrong, and nobody has cracked that part yet.

Cisco's State of AI Security 2026 report backs this up. Published February 19, it found that 83 percent of organizations planned to deploy autonomous AI agents. Only 29 percent felt ready to do so securely. And the report documents how AI vulnerabilities that were once theoretical have shown up in production systems — real companies, real incidents, real consequences.

The gap between deployment speed and security readiness isn't closing. If anything, products like Computer are about to blow it wide open.

More models, more problems

Multi-model orchestration makes this whole problem worse in ways most people haven't thought through yet.

A single AI agent is hard enough to secure. Computer runs nineteen of them at once, passing work back and forth, each model with its own weaknesses and blind spots. Every handoff — where one model's output becomes the next model's input — is a point where things can quietly go wrong. A bad result in step two of a twelve-step workflow doesn't just affect step two. It corrupts everything downstream.

And because the system remembers everything across sessions, a mistake made in the first week can silently degrade results for months. Nobody notices because the outputs still look reasonable. They're just wrong.
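One way to make a handoff visible rather than silent, as an added example that is not code from Perplexity, OpenClaw or this article's author: each stage of a toy pipeline hands the next stage an envelope carrying the payload, the producing model, and the digest of the envelope it consumed. Untrusted content entering at any stage taints everything downstream, so the final privileged action can refuse on lineage rather than on how reasonable the text looks, and a payload altered after the fact breaks the digest chain. Model names, step names and the stand-in "model" functions are assumptions for the demo.

```python
"""Added example, not code from Perplexity, OpenClaw or the article's author.

A toy multi-model pipeline in which every handoff carries a provenance
envelope. Untrusted content entering at one step is tracked downstream
instead of silently becoming the next model's input, and a tampered
envelope breaks the chain. Model names, step names and the 'model'
functions are stand-ins."""

import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Callable, List, Optional, Tuple


@dataclass
class Envelope:
    """What one step hands to the next: the payload plus where it came from."""
    step: str
    producer: str                # which model or tool produced the payload
    payload: str
    parent_digest: str           # digest of the envelope this step consumed
    tainted: bool = False        # has untrusted content entered the lineage?
    taint_origin: Optional[str] = None

    def digest(self) -> str:
        body = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(body).hexdigest()


def run_step(step: str, producer: str, fn: Callable[[str], str],
             prev: Optional[Envelope], untrusted_input: bool = False) -> Envelope:
    """Run one stage. Taint is sticky: once set, every later step inherits it."""
    parent_digest = prev.digest() if prev else "root"
    inherited = prev.tainted if prev else False
    tainted = inherited or untrusted_input
    if inherited:
        origin = prev.taint_origin
    elif untrusted_input:
        origin = step
    else:
        origin = None
    payload = fn(prev.payload if prev else "")
    return Envelope(step, producer, payload, parent_digest, tainted, origin)


def verify_chain(chain: List[Envelope]) -> bool:
    """Every envelope must name the digest of the one before it."""
    expected = "root"
    for env in chain:
        if env.parent_digest != expected:
            return False
        expected = env.digest()
    return True


def privileged_action(env: Envelope) -> dict:
    """The final step wants to act on the user's behalf; refuse on tainted lineage."""
    if env.tainted:
        return {"allowed": False,
                "reason": "untrusted content entered at step '%s'" % env.taint_origin}
    return {"allowed": True, "reason": "clean lineage"}


def run_pipeline(inject_untrusted_at: Optional[str] = None) -> Tuple[List[Envelope], dict]:
    """Three model stages feeding one privileged action (research -> summarise -> draft -> send)."""
    stages = [
        ("research", "model-A", lambda _: "facts about vendor X"),
        ("summarise", "model-B", lambda s: s + " | summarised"),
        ("draft", "model-C", lambda s: s + " | drafted email"),
    ]
    chain: List[Envelope] = []
    prev: Optional[Envelope] = None
    for step, producer, fn in stages:
        # Constructed scenario: the named step consumed a web page we cannot vouch for.
        prev = run_step(step, producer, fn, prev, untrusted_input=(step == inject_untrusted_at))
        chain.append(prev)
    return chain, privileged_action(prev)


if __name__ == "__main__":
    chain, verdict = run_pipeline(inject_untrusted_at="research")
    print(verify_chain(chain), verdict)
```

The envelope is deliberately dumb: it does not judge whether the payload is correct, only where it came from and whether the chain is intact. That is the point of the handoff problem above: a wrong-but-plausible output cannot be caught by reading it, so the thing you can still check is its lineage.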

The field data tells you everything you need to know. A Gravitee survey of over 900 practitioners found that 88 percent of organizations reported confirmed or suspected AI agent security incidents in the past year. Only 14.4 percent said all of their AI agents went live with full security approval.

And more than half of deployed agents are running with no security oversight and no logging. Nobody watching. No record of what the agent did or why.

You can't manage a risk you don't even know you have.

The layer nobody is testing

I think about AI agent security in three layers.

First — what the agent says. The conversation. Most existing security tools live here. Content filters, output guardrails, prompt injection detection.

Second — what the agent does. The execution. Perplexity's sandbox addresses this layer, at least on the host: it contains damage to the local machine and network. That matters. It does nothing about actions the agent takes through its authorized service connections, because those are the sandbox's intended exits.

Third — how the agent is set up. The configuration. What it connects to, what permissions it carries, what happens when those permissions interact across nineteen models and hundreds of services over months of autonomous operation. This is the highest-consequence layer, and it's almost entirely unaddressed. Not just by Perplexity. By the entire industry.
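What a check at this third layer looks like, as an added example that is neither Perplexity's code nor TYR-X's: a task-scoped grant names which services a task may touch, with which operations, and until when. The gate refuses tool calls outside the grant, refuses everything once the grant expires so a months-long task has to be re-approved, writes an audit record for every decision (the logging the survey above says is usually absent), and rejects any grant that combines a sensitive read with an external write, the combination the "lock on a room" cannot see. Service names, the two classification sets, and the inbox-cleanup scenario are assumptions for the demo.

```python
"""Added example, not Perplexity's code and not TYR-X's.

A task-scoped tool gate for a long-running agent: the configuration layer
the article describes. Each task gets a grant naming which services it may
touch, with which operations, until when. The gate refuses calls outside
the grant, refuses everything once the grant expires, records every
decision, and rejects grants that combine a sensitive read with an
external write. Service names and the two classification sets are
assumptions for the demo."""

import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed classification. A grant that can read a sensitive source and write to an
# external sink is an exfiltration path; from inside a sandbox both calls are just
# authorised API requests.
SENSITIVE_SOURCES = {"email", "drive", "crm"}
EXTERNAL_SINKS = {"webhook", "public-paste"}


@dataclass
class Grant:
    task_id: str
    allowed: Dict[str, Set[str]]     # service -> permitted operations
    expires_at: float                # epoch seconds; long tasks need re-approval
    audit: List[dict] = field(default_factory=list)


def grant_is_safe(grant: Grant) -> Tuple[bool, str]:
    """Check at grant time: reject sensitive read plus external write in one grant."""
    reads = {s for s, ops in grant.allowed.items() if "read" in ops and s in SENSITIVE_SOURCES}
    writes = {s for s, ops in grant.allowed.items() if "write" in ops and s in EXTERNAL_SINKS}
    if reads and writes:
        return False, "read on %s combined with write to %s" % (sorted(reads), sorted(writes))
    return True, "ok"


def authorize_call(grant: Grant, service: str, op: str,
                   now: Optional[float] = None) -> bool:
    """Runtime check for every tool call; an audit record is written either way."""
    now = time.time() if now is None else now
    if now > grant.expires_at:
        verdict, reason = False, "grant expired; re-approval required"
    elif op in grant.allowed.get(service, set()):
        verdict, reason = True, "in scope"
    else:
        verdict, reason = False, "out of scope"
    grant.audit.append({"t": now, "task": grant.task_id, "service": service,
                        "op": op, "allowed": verdict, "reason": reason})
    return verdict


def demo() -> dict:
    """Constructed scenario: an inbox-cleanup task that may read and archive, never delete."""
    t0 = 1_700_000_000.0
    cleanup = Grant("inbox-cleanup", {"email": {"read", "archive"}}, expires_at=t0 + 7 * 86400)
    report = Grant("inbox-report", {"email": {"read"}, "webhook": {"write"}}, expires_at=t0 + 86400)
    return {
        "report_grant_rejected": not grant_is_safe(report)[0],
        "archive_allowed": authorize_call(cleanup, "email", "archive", now=t0 + 60),
        "delete_blocked": not authorize_call(cleanup, "email", "delete", now=t0 + 120),
        "expired_blocked": not authorize_call(cleanup, "email", "read", now=t0 + 8 * 86400),
        "audit_entries": len(cleanup.audit),
    }


if __name__ == "__main__":
    print(demo())
```

The gate sits in front of the tool call, not inside the model, so it holds regardless of which of the nineteen models issued the call or what the model decided its instructions meant. A cleanup task whose grant never included "delete" cannot drift into deleting, and the audit list is the record that the survey above says most deployments lack.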

NIST — the federal agency responsible for technology standards — clearly sees this gap. In January, they published a formal Request for Information on securing AI agent systems, specifically calling out hijacking, backdoor attacks, and the risks that come with agents taking autonomous actions. The comment period closes March 9. When the U.S. government is publicly asking for help figuring out how to secure these systems, that tells you where the industry actually stands.

What I keep coming back to

Perplexity Computer is impressive engineering. Orchestrating nineteen models at consumer prices with persistent memory and hundreds of integrations is a real achievement. The sandbox was a responsible design choice.

But here's what keeps nagging at me. The question was never whether autonomous AI agents would fail — OpenClaw already showed us they will. The question is whether anyone is testing how they fail. Systematically. Adversarially. Before they're handed the keys to your workflows, your data, and your credentials for months at a time.

I've looked. Almost nobody is. And that's the gap I can't stop thinking about.

Marc Taylor is CEO and Managing Director of TYR-X, a technology company building AI agent security infrastructure.

Sources

  • Perplexity AI, "Introducing Perplexity Computer," perplexity.ai, February 25, 2026
  • Implicator.ai, "Perplexity Launches Computer, an Agent Platform Orchestrating 19 AI Models at Once," February 25, 2026
  • TechCrunch, "Perplexity's new Computer is another bet that users need many AI models," February 27, 2026
  • VentureBeat, "Perplexity launches 'Computer' AI agent that coordinates 19 models," February 26, 2026
  • Summer Yue (@summeryue0), X post documenting OpenClaw inbox deletion incident, February 2026
  • Cisco, "State of AI Security 2026," published February 19, 2026
  • Gravitee, "State of AI Agent Security 2026 Report: When Adoption Outpaces Control," February 2026
  • NIST CAISI, "Request for Information Regarding Security Considerations for Artificial Intelligence Agents," Federal Register, January 8, 2026 (Docket NIST-2025-0035)