# Security & Permissions

Ship faster without sacrificing control. The server-side sandbox ensures every command runs in an isolated execution environment — never on your local machine.

Note
The AI executes all commands and queries inside a sandboxed execution environment with restricted network access and filesystem scope. Your Treasure AI credentials are managed server-side and are not stored in the browser.

## Objective

Understand the security boundaries that protect your data when using Treasure AI Studio — the server-side sandbox, network audit logging, and your responsibilities when working with AI-generated output.

## Prerequisites

- Signed in to Treasure AI Studio ([Getting Started](/products/ai-studio/getting-started))
- **Admin role** required for Network Audit Log access


## Server-Side Execution Environment

Unlike Treasure Studio Labs — which ran commands directly on your local machine — Treasure AI Studio executes all CLI commands and queries in an isolated server-side sandbox.

This means:

- **No local filesystem access.** The AI cannot read or write files on your computer. File operations happen in a managed server environment.
- **Sandboxed execution.** Each session runs in its own isolated worker with restricted network and filesystem access. If a sandbox crashes unexpectedly, you'll see the message: "The sandbox environment crashed unexpectedly and is restarting. Please wait a moment and try again."
- **Credential isolation.** Your Treasure AI credentials are managed server-side and are not stored in the browser. The AI accesses your Treasure AI account through a server-side access token — you do not need to provide credentials directly.


## Network Audit Log (Admin Only)

Account administrators can monitor all network activity through the **Network Audit Log** in Settings.

### How to Access

1. Open **Settings** (click your user avatar in the sidebar footer)
2. In the left navigation, under the **Organization** section, click **Network Audit Log**


### Audit Log Features

| Feature | Description |
|  --- | --- |
| **Time range** | Filter by duration: 1h, 6h, 24h, 3d, 7d, 14d, 30d |
| **Sort order** | Newest first or Oldest first |
| **Filters** | Domain, IP, Port, Chat ID, Action type ("Any" for all) |
| **Columns** | Timestamp, Chat, Action, Domain, IP, Port, Protocol |
| **Stats** | Shows matched count, scanned count, and bytes scanned |


Network Audit Log showing time range selector, filter controls, and activity table
Note
The Network Audit Log tab is only visible to account administrators. Regular users will not see the "Organization" section in Settings.

## AI-Generated Output Disclaimer

Studio uses AI to generate outputs including queries, configurations, segments, and recommendations. These outputs:

- **May be incorrect or incomplete.** Always review generated SQL, segment rules, and configurations before deploying to production.
- **Should be validated.** Use the `sql-skills:trino-optimizer` skill to check query performance, ask the AI to run `tdx sg validate` to validate segment definitions, and `tdx journey validate` for journeys.
- **Are your responsibility.** Review and approve all AI-generated changes before pushing them to your Treasure AI account.


## Best Practices

### For Administrators Rolling Out to Teams

1. **Use projects to enforce guardrails.** Create projects with instructions like "Always validate before pushing" and "Never modify production segments directly."
2. **Monitor via Network Audit Log.** Review network activity regularly, filtering by time range and domain to identify unexpected API calls.


### For Individual Users

1. **Review tool calls.** Every action the AI takes is visible in the chat stream. Watch for queries and API calls as they execute.
2. **Leverage skills for validation.** Skills like `validate-segment` and `validate-journey` catch configuration errors before they reach your account.


## Security Responsibility

You are responsible for:

- Reviewing and validating all AI-generated outputs before deployment
- Not embedding secrets, passwords, or access tokens directly into chat messages
- Reporting any security concerns to [security@treasure-data.com](mailto:security@treasure-data.com)


Note
Penetration testing, vulnerability scanning, or other security assessments of Treasure AI Studio require Treasure AI's prior written consent.

## Verification

- [ ] (Admins) Access the **Network Audit Log** under Settings > Organization


## Troubleshooting

| Issue | Solution |
|  --- | --- |
| "The sandbox environment crashed unexpectedly and is restarting" | Wait a moment and retry your message. If persistent, start a new chat — the operation may exceed sandbox resource limits |
| Audit log shows no entries | Audit log access requires admin permissions. Confirm your account role with your organization administrator |


## Next Steps

- [Access Control](/products/ai-studio/security/access-control) — PBP, IP allowlists, and AI feature access
- [Getting Started](/products/ai-studio/getting-started) — Set up Studio on your platform
- [SSO Login](/products/ai-studio/security/sso-login) — Authentication details
- [Core Concepts](/products/ai-studio/concepts) — Projects, models, and credits