The concept that LLMs will need to have strong isolation and that this is done with the same sort of diligence normally applied to virtual machine design makes a ton of sense. It's exactly the same reason we enforce such behaviours in operating systems.

I took a first pass at enumerating some ideas a few weeks ago: https://davehudson.io/blog/2025-08-11

My thought was to try and define this in a slightly more concrete way by thinking about analogies between the way LLMs operate and more conventional OS processes/tasks.

Building some of the core abstractions isn't too hard - I already have one that unifies the chat and tool use interfaces for 8 different LLM backends. That lets tool approvals be managed in a centralized way. I've not yet implemented a capabilities model but it feels natural, and I worked with one back in the 90s (VSTa if anyone is interested in historical OSes). A key part will be to allow one LLM to delegate a subset of its current capabilities to another (I already built the delegation tooling)