Agent security architectures emerge
Two new architectures from Anthropic and Nvidia aim to isolate agent credentials from untrusted code so an exploited connector can't automatically escalate across systems, addressing a key barrier to enterprise agent deployment. Anthropic also launched a managed‑agents beta to help companies deploy agents with governance and operational controls, signalling a push to make agents safer and easier to run at scale. (venturebeat.com) (sci-tech-today.com)
An artificial intelligence agent is useful only if it can touch real systems, and that means giving it passwords, tokens, or other keys to email, code repositories, databases, and cloud tools. In most early agent setups, those keys sit in the same running environment as the code the agent itself just wrote, so one bad prompt or one poisoned connector can escalate into a full compromise. (venturebeat.com) That is the problem two new designs are trying to fix. Anthropic rolled out Claude Managed Agents this week, and Nvidia has been pushing NemoClaw and OpenShell as a safer runtime for always-on agents, both built around the idea that the “brain” should not also be holding the master keys. (anthropic.com) (docs.nvidia.com)

Anthropic’s version starts by splitting an agent into three parts. It separates the session, which is the running log of what happened; the harness, which is the loop that calls Claude and routes tool use; and the sandbox, which is the isolated place where code runs and files get edited. (anthropic.com) That split matters because Anthropic says its first design put everything in one container, and that created a “pet” server that could not fail without losing the session. The new hosted service keeps those parts swappable, so the code-running box can be treated as disposable instead of becoming the one place where memory, logic, and credentials all pile up together. (anthropic.com)

Anthropic’s public docs show the product as a beta that uses a new Managed Agents application programming interface header dated 2026-04-01. The docs define separate objects for an agent, an environment, and a session, which is a concrete sign that Anthropic wants companies to deploy agents as controlled infrastructure rather than as one giant script. (platform.claude.com)

Nvidia’s design comes from a different direction. NemoClaw is an open source reference stack for running OpenClaw assistants more safely, and it installs OpenShell, which Nvidia describes as a runtime with sandbox containers, credential-storing gateway functions, inference proxying, and policy enforcement. (docs.nvidia.com 1) (docs.nvidia.com 2)

Nvidia’s default posture is blunt: block first, allow later. Its security guide says NemoClaw ships with deny-by-default controls across the network, filesystem, process, and inference layers, and blocks all outbound connections unless an endpoint is explicitly approved. (docs.nvidia.com) That means an agent can be boxed in the way a spending card can be boxed in. Instead of handing it a card with no limit, the operator decides which websites it may contact, which binaries may make those calls, which files it may touch, and which models it may use. (docs.nvidia.com)

Nvidia also says NemoClaw handles infrastructure-layer protection while OpenClaw handles application-layer protection. Its docs list sandbox isolation, network policy, filesystem restrictions, server-side request forgery validation, and credential handling on the runtime side, while tool-call policy pipelines and prompt-injection defenses sit on the agent side. (docs.nvidia.com)

The timing is not random. VentureBeat reported on April 10, 2026 that multiple RSA Conference 2026 security keynotes converged on the same warning: zero trust has to extend to agents, because companies are already deploying them faster than they can govern them. (venturebeat.com) The numbers in that report show the gap. PwC’s 2025 survey found 79% of organizations already use artificial intelligence agents, while a Gravitee report cited by VentureBeat said only 14.4% had full security approval for their whole agent fleet, and a Cloud Security Alliance survey found only 26% had artificial intelligence governance policies. (venturebeat.com)

Neither company is saying the problem is solved. Nvidia’s own quickstart labels NemoClaw as alpha software, available in early preview since March 16, 2026, and says not to use it in production, while Anthropic is offering Managed Agents as a beta rather than a finished platform. (docs.nvidia.com) (platform.claude.com) What changed this week is that the industry finally has concrete blueprints for a basic enterprise rule: the code an agent writes should not automatically inherit every credential the company owns. Anthropic is packaging that rule as a hosted service, and Nvidia is packaging it as a locked-down runtime, which is how agent security starts moving from slide decks into actual products. (anthropic.com) (docs.nvidia.com)
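As an added example, written for this page and not code from Anthropic, Nvidia, NemoClaw or OpenShell, here is the rule both designs package, reduced to a runnable sketch: the code running in the agent's sandbox holds no tokens at all. It asks a separate gateway to make the outbound call, and the gateway applies a deny-by-default allowlist of hosts and methods, checks the resolved address so that an allowlisted hostname cannot be pointed at a loopback, private, or cloud-metadata address (the server-side request forgery check the Nvidia docs list on the runtime side), and only then injects the credential it holds. Every hostname, IP address, token and the resolver table below are constructed for the example, and the network transport is injected as a function so the block runs offline.

```python
"""
Credential gateway sketch: untrusted agent code asks the gateway to make a call;
the gateway holds the secrets, enforces a deny-by-default allowlist, checks the
resolved address for SSRF, and only then attaches the credential.
Added example; not code from Anthropic, Nvidia, NemoClaw or OpenShell.
All hosts, addresses, tokens and the resolver table are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit


class GatewayDenied(Exception):
    """Policy refused the request; the agent sees the reason, never a secret."""


@dataclass(frozen=True)
class Rule:
    methods: frozenset   # HTTP methods the agent may use against this host
    secret_name: str     # which gateway-held secret to attach


@dataclass
class Policy:
    """Deny-by-default: a destination is reachable only with an explicit rule."""
    rules: Dict[str, Rule] = field(default_factory=dict)

    def allow(self, host: str, methods: List[str], secret_name: str) -> None:
        self.rules[host.lower()] = Rule(frozenset(m.upper() for m in methods), secret_name)

    def lookup(self, host: str, method: str) -> Optional[Rule]:
        rule = self.rules.get(host.lower())
        if rule is None or method.upper() not in rule.methods:
            return None
        return rule


def is_public_address(ip: str) -> bool:
    """SSRF guard: refuse loopback, RFC 1918, link-local (cloud metadata), etc."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


# transport(method, ip, host, path, headers) -> HTTP status; injected so the example runs offline
Transport = Callable[[str, str, str, str, Dict[str, str]], int]
Resolver = Callable[[str], Optional[str]]


class CredentialGateway:
    def __init__(self, policy: Policy, secrets: Dict[str, str],
                 resolver: Resolver, transport: Transport) -> None:
        self._policy = policy
        self._secrets = secrets      # never handed back to the caller
        self._resolve = resolver
        self._send = transport
        self.audit: List[Tuple[str, str]] = []   # (decision, detail), secret-free

    def request(self, method: str, url: str) -> int:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = parts.path or "/"
        try:
            if parts.scheme != "https":
                raise GatewayDenied(f"scheme {parts.scheme!r} not allowed")
            rule = self._policy.lookup(host, method)
            if rule is None:
                raise GatewayDenied(f"no allow rule for {method} {host}")
            ip = self._resolve(host)
            if ip is None or not is_public_address(ip):
                raise GatewayDenied(f"{host} resolves to non-public address {ip}")
            # Connect to the pinned IP so a second DNS lookup cannot rebind the target.
            headers = {"Host": host,
                       "Authorization": f"Bearer {self._secrets[rule.secret_name]}"}
            status = self._send(method, ip, host, path, headers)
        except GatewayDenied as exc:
            self.audit.append(("denied", str(exc)))
            raise
        self.audit.append(("allowed", f"{method} {host}{path} -> {ip}"))
        return status


def run_demo() -> List[Tuple[str, str]]:
    """Drive the gateway through constructed scenarios and return its audit log."""
    secrets = {"github_token": "ghp_constructed_example"}          # constructed
    policy = Policy()
    policy.allow("api.github.com", ["GET", "POST"], "github_token")
    policy.allow("metadata.example", ["GET"], "github_token")      # allowlisted by mistake
    table = {"api.github.com": "140.82.112.6",                     # constructed resolver
             "metadata.example": "169.254.169.254",
             "evil.example": "203.0.113.9"}
    calls: List[Tuple[str, str]] = []

    def transport(method, ip, host, path, headers):
        calls.append((host, headers["Authorization"][:7]))   # record only "Bearer ", not the token
        return 200

    gw = CredentialGateway(policy, secrets, table.get, transport)
    for method, url in [("GET", "https://api.github.com/repos/org/repo"),
                        ("DELETE", "https://api.github.com/repos/org/repo"),
                        ("GET", "https://evil.example/exfil"),
                        ("GET", "https://metadata.example/latest/meta-data/"),
                        ("GET", "http://api.github.com/")]:
        try:
            gw.request(method, url)
        except GatewayDenied:
            pass
    assert calls == [("api.github.com", "Bearer ")]   # exactly one call reached the network
    return gw.audit


if __name__ == "__main__":
    for decision, detail in run_demo():
        print(f"{decision:7} {detail}")
```

In a real deployment the gateway runs in a separate process or container from the sandbox, the transport is an HTTPS client that connects to the pinned address while validating the certificate for the original hostname, and the secret-free audit log is what the operations team watches: a run of "denied" entries from one session is an early, cheap signal that a prompt or connector in that session is trying to reach somewhere it should not.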