Run Autonomous, Self-Evolving Agents More Safely with NVIDIA OpenShell

2026-03-19 · Source: NVIDIA Technical Blog · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Cloud Computing & IT Infrastructure · Depth: Intermediate, quick

Summary

NVIDIA announced NemoClaw at GTC, an open-source stack designed to safely run autonomous AI agents, referred to as "claws." These agents can independently achieve goals and self-evolve, posing new security risks due to their persistent context, code-writing capabilities, and tool usage. NemoClaw addresses these risks by incorporating policy-based privacy and security guardrails, enabling agents to operate securely in cloud, on-prem, NVIDIA RTX PCs, and NVIDIA DGX Spark environments. The stack utilizes open-source models like NVIDIA Nemotron and the NVIDIA OpenShell runtime, which is part of the NVIDIA Agent Toolkit. OpenShell provides out-of-process policy enforcement, sandboxing, a policy engine for granular oversight, and a privacy router to manage data handling, ensuring agents operate within defined boundaries even if compromised.

Key takeaway

For AI Architects and CTOs deploying autonomous AI agents, NVIDIA NemoClaw and OpenShell offer a critical infrastructure solution to mitigate inherent security and privacy risks. Your teams can now deploy self-evolving agents with confidence, leveraging out-of-process policy enforcement and sandboxing to ensure controlled, auditable operations. Prioritize integrating OpenShell to establish robust governance for long-running agents, safeguarding enterprise data and systems from potential agent-borne threats.

Key insights

NVIDIA NemoClaw and OpenShell provide an open-source, secure runtime environment for autonomous, self-evolving AI agents.

Principles

• Out-of-process policy enforcement is critical for agent security.
• Safety, capability, and autonomy must coexist for effective agents.
• Granular oversight is essential for self-evolving agents.

Method

OpenShell enforces policies by isolating agent sessions in sandboxes, verifying permissions before actions, and routing data based on cost and privacy policies, all outside the agent's control.

In practice

• Run OpenClaw, Claude Code, or Codex agents unmodified in OpenShell.
• Use OpenShell for enterprise-wide AI agent deployments.
• Develop new agent skills within the sandbox with policy controls.

Topics

• Autonomous Agents
• NVIDIA NemoClaw
• OpenShell
• AI Security
• Sandboxing

Code references

• NVIDIA/OpenShell

Best for: CTO, AI Architect, VP of Engineering/Data, AI Engineer, MLOps Engineer, Software Engineer

Related on AIssential

• NVIDIA OpenShell: 18+ Practical Tips to Run AI Agents Without Losing Sleep — NVIDIA OpenShell provides kernel-level sandboxing for AI agents using declarative YAML policies.
• OpenClaw Just Got WAY Easier to Install — Nemoclaw simplifies OpenClaw setup and enables secure, on-device AI with a 120B parameter model.
• How Autonomous AI Agents Become Secure by Design With NVIDIA OpenShell — NVIDIA OpenShell provides a secure, sandboxed runtime for autonomous AI agents, enforcing system-level security policies.
• Deploy Self-Evolving Agents for Faster, More Secure Research with a Hermes Agent and NVIDIA NemoClaw — Self-evolving AI agents can securely synthesize public and private data for research, learning new skills that persist across deployments.
• NVIDIA and SAP Bring Trust to Specialized Agents — Secure, governed autonomous AI agents are critical for enterprise adoption and operational trust.
• I Gave an AI Agent Root Access to a Sandboxed Linux Box. It Didn’t End How I Expected. — NVIDIA has released NemoClaw, an open-source stack enabling always-on, self-evolving AI agents to run within a hardened sandbox on local machines with a single command.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by NVIDIA Technical Blog.