The 2024 draft explicitly calls for secure isolation of "processing environments." For agent runtimes, that means auditors will move beyond vague "sandboxing" checks. They'll look for concrete, mandatory controls on data and code execution.
Common gaps they'll now flag:
* Shared-kernel attack surface from weak namespace separation (user, mount, net).
* Missing seccomp-bpf filters allowing unnecessary syscalls (`ptrace`, `clone`, `keyctl`).
* Agent resource consumption (CPU/memory) not constrained via cgroups v2.
* No audit trail for agent syscall violations.
Example baseline seccomp profile that would still be insufficient:
```json
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {"names": ["read", "write"], "action": "SCMP_ACT_ALLOW"}
  ]
}
```
An auditor will ask for the rationale behind every allowed syscall and how it maps to a legitimate agent need.
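As an added illustration (not code from the original post), here is a small Python audit helper that applies the checks above to an OCI-style seccomp profile: it flags a default action that does not deny, any allowed syscall from the list above, and any allowed syscall with no documented rationale. The two profiles, the `rationale` map and the finding wording are constructed for this example.

```python
import json

# Syscalls the page names as ones an auditor flags when they are allowed without need.
HIGH_RISK_SYSCALLS = {"ptrace", "clone", "keyctl"}
# Default actions that actually deny (or kill on) any syscall not listed.
DENY_DEFAULTS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_TRAP"}


def audit_seccomp_profile(profile_text, rationale):
    """Return a list of audit findings for an OCI-style seccomp profile.

    `rationale` is the runtime owner's map of allowed syscall -> justification,
    so every allowed syscall must carry the answer the auditor will ask for.
    """
    profile = json.loads(profile_text)
    findings = []
    default = profile.get("defaultAction")
    if default not in DENY_DEFAULTS:
        findings.append(f"defaultAction {default!r} does not deny unlisted syscalls")
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue  # deny/log rules never widen the allowed set
        for name in rule.get("names", []):
            if name in HIGH_RISK_SYSCALLS:
                findings.append(f"high-risk syscall {name!r} is allowed")
            if name not in rationale:
                findings.append(f"allowed syscall {name!r} has no documented rationale")
    return findings


# Constructed sample 1: the page's baseline profile, unchanged.
BASELINE_PROFILE = """{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [{"names": ["read", "write"], "action": "SCMP_ACT_ALLOW"}]
}"""

# Constructed sample 2: a weakened profile that only logs unlisted syscalls by
# default and additionally allows two of the syscalls the page lists as unnecessary.
WEAK_PROFILE = """{
  "defaultAction": "SCMP_ACT_LOG",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {"names": ["read", "write"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["clone", "ptrace"], "action": "SCMP_ACT_ALLOW"}
  ]
}"""

# Constructed rationale covering only the two syscalls this agent actually needs.
RATIONALE = {"read": "agent reads its task input", "write": "agent writes results and log"}
```

Running `audit_seccomp_profile(WEAK_PROFILE, RATIONALE)` yields five findings, while the baseline profile with the same rationale map yields none; the baseline is still only a starting point, since the list above also requires namespace, cgroup and audit-trail controls that a seccomp profile alone cannot show.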
Capabilities are a start.