AI Agents Sandbox: Outcome of Trial and Emerging Considerations

On 20 May 2026, the outcome of the global-first Artificial Intelligence (“AI“) Agents Sandbox that was launched in August 2025, was published. Results showed strong potential for automation and citizen services, while highlighting risks in oversight, cybersecurity, privacy, and governance for future agentic AI systems.

The sandbox was a collaboration between Google and the Singapore Government, specifically the Cyber Security Agency of Singapore (“CSA“), Government Technology Agency of Singapore, and the Infocomm Media Development Authority. It aimed to better understand how agents operate in real-world settings, and to use those insights to inform how they are developed, deployed, and governed. The sandbox was conducted over approximately four months.

Outcomes from the Sandbox

1. Automated quality assurance: The sandbox explored how AI agents could support and automate quality assurance testing of government digital services, thereby improving reliability and freeing up engineering resources.
   • Outcome: The agent successfully evaluated government websites, testing response times, search functionality, and page integrity. Using natural language understanding, it correctly identified intentionally seeded inactive pages, filler text, and staging Uniform Resource Locator (URL) mismatches. This demonstrates the broader potential of agentic AI in software quality assurance.

2. AI safety testing: The sandbox explored automating the safety testing of AI software like chatbots to ensure that they meet the government’s requirements prior to deployment.
   • Outcome: The trial showed that AI agents can reliably perform large-scale safety testing across various languages and formats, significantly reducing the manual effort needed for chatbot assessments. While the implementation was not entirely error-free, this approach offers a more scalable and consistent way to strengthen AI assurance as the technology evolves.

3. Social assistance applications: The sandbox explored assisting citizens in navigating and applying for social assistance programmes, thereby helping to streamline complex processes.
   • Outcome: The trial demonstrated the agent’s ability to guide applicants or social workers through complex social assistance application processes, potentially reducing the need for substantial resources devoted to in-person assistance, helplines, and manual follow-ups to address errors, omissions, and incomplete submissions.

Risks and Challenges that Emerged from the Sandbox

1. Human oversight: A key risk lies in ensuring sufficient control and accountability, particularly where decisions have real-world consequences for individuals.

2. Customisation and control: Another challenge includes balancing flexibility with safeguards, especially in testing or evaluation environments.

3. Cybersecurity risks: These risks include, most prominently, indirect prompt injection, where an agent could be deceived into performing unintended actions.

4. Data protection and privacy: Risks arise where agents interact directly with personal data, including potential privacy breaches or data leakages.

Preparing for a Future with AI Agents

Two broad sets of considerations emerged for AI agent use, including: (i) near-term considerations, e.g. the kinds of concrete measures, controls, and design choices that organisations may want to consider; and (ii) longer-term issues that may require deeper study as agentic technologies evolve.

1. Strengthening trust and resilience for AI agents today
   • Choosing where to start with AI agents: The sandbox highlighted the importance of controlled testing and incremental real-world deployment as a means of building confidence and trust in AI agents.
   • Calibrating the level of human oversight: Oversight should be risk-based to balance control and autonomy, with safeguards distributed across the system, the organisation, and the user. Higher-risk actions may require pre-approval, while lower-risk actions can proceed with post-hoc review where outcomes are reversible and redress mechanisms exist.
   • Keeping AI agents secure: Developing and deploying AI agents securely is a shared responsibility. Safeguards should be distributed across the platform/model, system/organisational, and end-user levels, depending on which actors are best placed to anticipate and manage different risks.
   • Balancing flexibility and control in AI agents: Systems should be safe and secure by default, while allowing for calibrated flexibility and customisation if appropriate. Such flexibility should, however, remain bounded so that experimentation does not inadvertently introduce new risks.

2. Exploring the horizons of an agentic future
   • Addressing current technical limitations: The sandbox demonstrated both the potential of agentic systems and what may become possible as the technology matures. It also highlighted areas for further exploration, e.g. how screenshot-based perception could be complemented by alternative techniques in scenarios requiring higher accuracy, particularly when handling information-dense content.
   • Potential of multi-agent approaches: During the sandbox, participants discussed the potential for multiple agents to collaborate to review, critique, and refine outputs. Such approaches could unlock new capabilities but also bring interoperability and governance challenges into sharper focus. If agents developed by different organisations are expected to interact, coalition-led open standards and common foundations will be increasingly important.
   • Building the digital infrastructure for agentic AI: The sandbox highlighted a mismatch between today’s digital environment that is largely designed around human users, and one that could reliably support agentic interaction at scale. Elements of the underlying ecosystem, from identity and authentication frameworks to permission and access controls, may need to evolve to accommodate more autonomous, agent-driven interactions.
   • Balancing privacy and personalisation with AI agents: As AI agents become more autonomous and gain greater access to users’ personal context, the tension between the benefits of personalisation and privacy becomes more pronounced. The challenge is in ensuring that agents can continue to leverage data to deliver value, while maintaining meaningful user control, minimising unnecessary data use, and exploring privacy-enhancing approaches that move beyond a zero-sum trade-off between utility and protection.

Click on the following link for more information:

• CSA Press Release titled “AI Agents: Insights from the Singapore Government and Google Sandbox” (available on the CSA website at www.csa.gov.sg)