Hope Is Not a Security Strategy: Why Secure-by-Default Beats Hardening
Summary
The article argues that secure-by-default architecture beats traditional hardening for non-deterministic AI and automation workloads. It advocates isolating workloads by default through sandboxing technologies (MCP, WASM) and runtime sandboxes (gVisor, Firecracker) to reduce reliance on policy alone, and highlights the risks of shared kernels in containers.