37 comments

[ 2.7 ms ] story [ 59.8 ms ] thread
(comment deleted)
I do believe it’s time for systems folks to take a hard look at building systems abstractions on top of LLMs as they did 50 years ago on top of CPUs. LLMs are the new universal computing machines, but we build with them like we built computers in the 1950s - one computer at a time.
I would say we need a webassembly VM/runtime.
A million years ago in AI time, AKA yesterday, there was a HN post from John Carmack talking about how Meta wasted a ton of time and money making XROS and how nowadays it doesn’t make any sense to write a new OS [1].

And then this post today which makes a very strong case for it. (Yes, a VM isn’t an entire OS, Yes, it would be lighter weight than a complete OS. Yes, it would be industry-wide. Yes, we’d likely use an existing OS or codebase to start. Yes, nuance.)

[1] https://news.ycombinator.com/item?id=45066395

I know this is not really what they mean, but in case you want to give AI a literal VM, I have a service that deploys a VM with an open source AI agent on it that can act as a sysadmin. Also gets it's own IP address. https://mindroot.io
If you look at how the most advanced commercial models are deployed they already have much of this, including isolation. This post is essentially sketching much of what I know already exists. Not in the literal OS sense, but in terms of all of the features suggested. It still isn’t enough. Agents need powerful access to things you care about to do their job. Granting them just enough permissions on the things you care about is much harder than containing the LLM, and that is already difficult. The right model for LLM security is an untrusted userspace, not an entire “OS”.
If you're interested in running agents (specifically for software dev) inside a sandbox, OpenHands [1] runs in Docker by default, and can run on Kubernetes or on a raw VM. It gets access to the standard tools (e.g. file ops, bash) as well as a web browser and a Jupyter notebook.

[1] https://github.com/All-Hands-AI/OpenHands

It feels like I'm getting more jaded everyday because the moment I started reading this article I was convinced it was written by an AI.

From a hosting perspective which the article talks about I would worry more about just keeping the AI agent functional/alive in a whatever environment a big challenge, using AI a great but stability in any basically use-case has been rough for me personally.

From a developer perspective I've been using devcontainers with rootless docker via wsl and while I'm sure there's some malware that can bypass that (where this VM approach would be a lot stronger) I feel a lot safer this way than running things on the host OS. Furthermore you get the same benefits like reproducibility and separation of concerns and whenever the AI screws something up in your environment you can simply rebuild the container.

Fuchsia seems like a potentially practical OS for constraining the operations of AI models. As an object capability operating system, each component (and hence the process that one is instantiated in) has access only to the capabilities that it is explicitly granted.
When you use ChatGPT and it executes code, i.e. when you tell it to do something with a CSV file, it seems to run in a VM with certain tools and libraries available to it, and a sandboxed disk access; no internet access though. So it's kind of already there.
If only we had examples of lightweight, embeddable, portable, simple-bytecode-driven virtual machines.

It's just too bad tcl, lua, forth, js, wasm, etc just aren't AI-scale.

That is the wrong abstraction to think at. The problem is not _which_ tools you give the LLM, the problem is what action it can do.

For example, in the book-a-ticket scenario - I want it to be able to check a few websites to compare prices, and I want it to be able to pay for me.

I don't want it to decide to send me to a 37 hour trip with three stops because it is 3$ cheaper.

Alternatively, I want to be able to lookup my benefits status, but the LLM should physically not be able to provide me any details about the benefits status of my coworkers.

That is the _same_ tool cool, but in a different scope.

For that matter, if I'm in HR - I _should_ be able to look at the benefits status of employees that I am responsible for, of course, but that creates an audit log, etc.

In other words, it isn't the action that matters, but what is the intent.

LLM should be placed in the same box as the user it is acting on-behalf-of.

I don't think your benefit example is too much a problem in practice, we already have the access setup for that (ie its the same one for you).

For the other example, I think a nice compromise is to have the AI be able to do things only with your express permission. In your example it finds flights that it thinks are appropriate, sends you a notification with the list and you can then press a simple yes/no/more information button. It would still save you a ton of money, but it would be substantially less likely to do something dangerous/damaging.

Does AI need a vm OR can AI emulate a vm all in one shot? I think the latter is going to happen.
I'm not reading a article on a web site that hijacks scroll.
You don't need a VM for your agent, just a separate user account is plenty.
Very wrong headed. If all of the routers and checks worked: you could transmit pure noise into them and get safe useful actions at some rate. I.e.: the check system as least as hard as the original problem.
This article is so devoid of specifics, I'm not entirely sure I know what they are proposing. A VM implies an instruction set of some kind with control flow, registers, etc. but they spend the whole article on authorization, which seems orthogonal to the concept. I think what they really mean is a sandbox, jail, or container where a "syscall" equivalent let's the model interact with the outside world.
I read VM and immediately took it to be very adjacent to sandboxing. The article says “isolation”. To me there was neither ambiguity nor a lack of detail.

The problem is the author’s point is obvious and solution imperfect. Okay you’re in a sandbox at the OS or let’s even say hardware level. Whoops the agent found AWS CLI with IAM not setup right. The remote boundaries are at least as complex though not unique to automated agents. I don’t see any new insights. The terminology was not the issue.

I don't see the case for, what IMO is, more complexity by creating a virtual machine.

We have user accounts, Read/Write/Exec for User/Groups. Read can grant access tokens which solves temporary+remote requirements. Every other capabilities model can be defined in those terms.

I'd much rather see a simplification of the tools already available, then re-inventing another abstract machine / protocol.

I hope we'll eventually get a fundamental shift in the approach to software as a whole. Currently, everybody is still experimenting with building more new stuff, but it is also a great opportunity to re-evaluate and, at acceptable cost, try to strip out all the cruft and reduce something to its simplest form.

For example - I found an MCP server I liked. Told Claude to remove all the mcp stuff and put it into a CLI. Now I can just call that tool (without paying the context cost). Took me 10 minutes. I doubt, Claude is smart enough to build it back in without heavy guidance.

After reading this more closely and following some of the links I think this post is really pointing to something more foundational than the "VM for AI" summary implies.

The VM analogy is simply insufficient for securing LLM workflows where you can't trust the LLM to do what you told it to with potentially sensitive data. You may have a top-level workflow that needs access to both sensitive operations (network access) and sensitive data (PII, credentials), and an LLM that's susceptible to prompt injection attacks and general correctness and alignment problems. You can't just run the LLM calls in a VM with access to both sensitive operations and data.

You need to partition the workflow, subtasks, operations, and data so that most subtasks have a very limited view of the world, and use information-flow to track data provenance. The hopefully much smaller subset of subtasks that need both sensitive operations and data will then need to be highly trusted and reviewed.

This post does touch on that though. The really critical bit, IMO, is the "Secure Orchestrators" part, and the FIDES paper, "Securing AI Agents with Information-Flow Control" [1].

The "VM" bit is running some task in a highly restricted container that only has access to the capabilities and data given to it. The "orchestrator" then becomes the critical piece that spawns these containers, gives them the appropriate capabilities, and labels the data they produce correctly (taint-tracking: data derived from sensitive data is sensitive, etc.).

They seem on the right track to me, and I know others working in this area who would agree. I think they need a better hook than "VMs for AI" though. Maybe "partitioning" or "isolation" and emphasize the data part somehow.

[1]: https://arxiv.org/pdf/2505.23643

No, they do not need one. The article paints VM as a very broad definition, mostly revolving around permissions for accessing things or executing actions.
AI agents don't need a virtual machine, the play is to do an inversion of control. AI dispatches intents to a queue, and executors map intents to actions with whitelists and static analysis.
Basically, this is about implementing core AI primitives (chat completion, tool calling, context management) at the system layer, instead of the application or framework layer like it is today.

If you're curious to see one real-life implementation of this (I'm sure there are others), we're pretty far along in doing this with Dagger:

- We already had system primitives for running functions in a sandboxed runtime

- We added the ability for functions to 1) prompt LLMs, and 2) pass other functions to the LLMs as callbacks.

- This way, a function can call LLMs, a LLM can call functions, in any permutation.

- This allows exploring the full spectrum from fully deterministic workflows, to autonomous agents, and everything in between - without locking yourself in a particular programming language, library or framework.

- We've also experimented with passing objects to the LLM, and mapping each of the object's methods to a tool call. This opens interesting possibilities, since the objects can carry state - effectively extending the LLM's context from text only, to arbitrary structured data, without additional dependencies like complex databases etc.

Relevant documentation page: https://docs.dagger.io/features/llm