GitHub Copilot’s March/April release notes for VS Code deserve a close read, not because of any headline feature in particular, but because of what two features together signal about where the platform is headed.
The first is Autopilot mode, now in public preview. The second is sandboxed execution of MCP servers. At first glance, they seem like two separate changelog items. They’re not.
Three Levels of Agent Control
Before Autopilot, Copilot’s agent mode required manual approval at each significant action — executing commands, editing files, making external calls. It’s the right default behavior for most developers who are just getting started with agentic workflows. But for teams that have already built trust in their setup, it creates unnecessary friction.
The March releases introduce three explicit levels of permissions:
- Default — Copilot asks before taking consequential actions. The current behavior.
- Bypass Approvals — Copilot skips confirmation prompts but doesn’t manage itself completely.
- Autopilot — Agents approve their own actions, automatically retry on errors, and run until the task is complete. No human intervention required.
Autopilot is in preview for a reason. GitHub is being deliberate: this isn’t a checkbox you flip by accident. It’s a mode you choose per session, with full awareness of what you’re granting. That’s the right design. Autonomous agents shouldn’t be the default — they should be opt-in, scoped, and revocable.
The practical benefit is real. For well-defined tasks on established codebases — fixing a failing test suite, refactoring a module with known scope, running a pre-validated database migration — Autopilot eliminates the back-and-forth that turns a 10-minute agentic task into a 45-minute approval chain. The agent works. You review the result.
MCP Sandbox: The Security Feature Nobody Asked For, But Everyone Needs
Here’s what I think is the really important announcement.
MCP (Model Context Protocol) adoption accelerated faster than anyone’s security posture. Developers are connecting agents to filesystems, APIs, databases, and internal services through MCP servers — and mostly trusting that everything will be fine. On a personal project, that’s okay. In a team environment with a shared codebase, it’s a risk vector.
The new sandbox capability allows you to run local MCP servers in a restricted environment that limits both filesystem and network access. Currently available on macOS and Linux.
It’s a quiet but significant move. It’s GitHub acknowledging that the MCP ecosystem — which now includes hundreds of servers covering everything from GitHub itself to Slack and database clients — needs a security model, not just a plugin marketplace. The sandbox puts a boundary between what an MCP server can actually read and write versus what it claims it needs to access.
For teams running AI-assisted development at scale, this is the feature that actually lets you say yes to MCP adoption without accepting an unlimited blast radius. That’s a real unlock for governance.
Why These Two Features Together Matter
The pattern is deliberate. GitHub is expanding agent autonomy (Autopilot) while simultaneously tightening the security perimeter around the tools agents can use (MCP Sandbox). They’re not in tension — they’re complementary. You can trust Autopilot more when the MCP servers it’s calling can’t exfiltrate your entire filesystem.
That’s what a production-ready agentic platform looks like. Not just capability expansion, but capability expansion with a corresponding security story. It’s more mature than the “turn everything on and see what happens” approach that characterized the first wave of AI coding tools.
Worth noting that MCP configuration in VS Code now carries over to both Copilot CLI and Claude agent sessions. That’s integration depth that reduces configuration sprawl — you set it once and it applies across all surfaces. Combined with the sandbox, it means the MCP servers you configure are both more portable and more scoped.
The Practical Takeaway
If you’re using Copilot in VS Code, there are three things worth paying attention to now:
First, get familiar with the permission levels before Autopilot comes out of preview. Understanding when to escalate from Default to Autopilot — and more importantly, when not to — is a judgment you’re better off developing deliberately than under deadline pressure.
Second, audit which MCP servers your team is running locally and what access they require. The sandbox is available now. Turning it on doesn’t cost you anything and limits your exposure to a misconfigured or compromised MCP server.
Third, if your MCP configuration lives in VS Code, verify it works in Copilot CLI. The portability exists — but you have to test it, not assume it.
The direction GitHub is moving Copilot in is increasingly clear: more autonomy, better scoped, with security guardrails that grow alongside the capability surface. For teams that want to adopt agentic development seriously, this release is a significant step in the right direction.
Are you already trying out Autopilot mode? Or is your team still cautious about full agent autonomy? Let us know where you’re drawing the line. 