Agent Brains: Why Devin Separates AI from Your Secrets

Building an AI agent that works in your dev environment? You're likely facing a foundational choice: where does the agent's core logic, its 'brain,' actually live? This isn't just about system design; it's about protecting your company's deepest secrets.

Walden Yan and Cole Murray, discussing the architecture of AI coding agents like Devin, zeroed in on this critical decision point. They highlight a simple truth: AI, by its very nature, can be unpredictable. This unpredictability turns what seems like a minor architectural detail into a major security risk.

When the agent's 'harness' runs directly inside the sandbox environment it manipulates, what Yan calls the 'in-box' approach, you risk exposing sensitive data. As Yan puts it, “Unless you otherwise design it, all of your secrets need to go into that box as well.”▶ 12:29 A single AI misstep could leak credentials, API keys, or proprietary code.

Cole Murray confirms Devin's design choice: they “separate the brain from the machine.”▶ 13:42 This 'out-of-box' strategy means the agent's intelligence runs on a separate control plane. The sandbox then becomes merely the agent's 'hands,' receiving narrowly scoped permissions only for the tasks it needs to perform. This method, while more complex to set up, offers superior security and allows you to reuse existing dev infrastructure without creating new boxes loaded with brain dependencies and secrets. It's “the better architecture of the two,”▶ 15:28 Yan confirms, even if it adds a "bit of complexity."

Key Takeaways

• Building an AI agent requires a core architectural decision: running the agent's 'brain' either 'in-box' (within the sandbox) or 'out-of-box' (in a separate control plane).
• The 'in-box' approach introduces significant security risks because the AI's unpredictability can easily lead to accidental exposure of all secrets stored within that sandbox.
• Devin, the AI coding agent, adopts an 'out-of-box' architecture, separating its 'brain' from the 'machine' it operates on to minimize secret exposure and reuse existing dev infrastructure.
• While more complex to implement, the 'out-of-box' design provides stronger security by isolating sensitive data and is considered the superior architecture for AI background agents.
• Founders should evaluate their agent systems using the Harness In-Box vs. Out-of-Box Architecture framework to manage security and complexity tradeoffs.

The Harness In-Box vs. Out-of-Box Architecture

This framework helps you decide where your AI agent's control logic (its 'harness' or 'brain') should reside relative to the environment it operates within.

• In-Box (Agent within Sandbox): The agent is running in that box. Unless you otherwise design it, all of your secrets need to go into that box as well. And given the nature of AI, it can be unpredictable and you could very easily end up accidentally x-filling your secrets or you know other kind of unintended behavior... all of the state of that agent is actually in the box and yes it's you could persist it elsewhere but it's all kind of localized and you have less concerns to worry about.

• Out-of-Box (Agent outside Sandbox): The idea that we are going to have the actual agent running not directly in the sandbox and we'll have quote unquote the brain of the agent running in some type of worker control plane. That sandbox then is going to serve as the hands where the brain is basically operating and making tool calls into that environment to manipulate it... running it out of the box is much more complex because you have state that has to be managed.

When This Works (and When It Doesn't)

The 'out-of-box' approach shines when security is paramount, especially when the agent interacts with sensitive data or needs access to credentials. It allows for reusing existing infrastructure for dev boxes, avoiding the need to provision new environments with all brain dependencies and secrets. This separation simplifies secret management by only exposing narrowly scoped secrets to the machine, keeping the agent's 'brain' inaccessible from the execution environment. While it adds complexity, it's considered the 'better architecture' for flexibility and security in production-grade AI agent systems.

Conversely, the 'in-box' approach might be acceptable for very early prototypes, isolated tasks with no sensitive data, or when the cost of additional complexity truly outweighs the minimal security risk. For example, an agent doing simple, public-facing web scraping might not require the overhead of an 'out-of-box' system. However, any interaction with internal company data, customer information, or private codebases makes the 'out-of-box' design a non-negotiable.

What to Do With This

This week, if you're building an AI agent to automate internal tasks (like code linting, bug reporting, or deploying small features), map out its required access. For instance, if your agent needs to read and write to your private GitHub repositories and deploy to your cloud staging environment, consider the Harness In-Box vs. Out-of-Box Architecture. Choosing 'in-box' means your agent's brain and all your GitHub tokens and cloud credentials would live within the same sandbox it operates in. One AI hallucination, and those secrets could be exposed. Instead, opt for 'out-of-box.' Set up a separate control plane for your agent's 'brain' and grant the sandbox only temporary, least-privilege access to specific repo branches or cloud resources. This means more upfront setup, but it’s a critical security investment that will save you headaches—and potential breaches—down the line.