NemoClaw, OpenShell, and the infrastructure layer that was missing from the agentic stack
Jensen Huang took the stage at GTC 2026 today and said something that should make everyone building agentic AI sit up straight:
“Claude Code and OpenClaw have sparked the agent inflection point, extending AI beyond generation and reasoning into action.”
Let that land. The CEO of the world’s most valuable company just named two open-source tools, a coding agent and a personal AI assistant, as the catalysts for a generational shift. Not a chip. Not a model. Tools that do things.
And then he announced the infrastructure to make them trustworthy.
If you’ve been anywhere near tech Twitter in the past two months, you know OpenClaw. Created by Austrian developer Peter Steinberger as a side project (his 44th AI experiment since 2009), it went from zero to GitHub’s most-starred project in weeks. Originally called Clawdbot (Anthropic’s lawyers had thoughts), then MoltBot, it finally landed on OpenClaw. The premise was irresistible: an AI personal assistant that actually *does things*. Manages your calendar. Books flights. Sends emails. Runs on your hardware, stores memories in local Markdown files.
Then OpenAI acquired it. Steinberger joined Sam Altman’s team in mid-February. OpenClaw moved to a foundation model of governance, remaining open source. And the claw ecosystem (the community now calls autonomous AI assistants “claws”) kept growing.
But there was a problem. A big one.
Gartner rated OpenClaw an “unacceptable cybersecurity risk.” Researchers hijacked agents in under two hours. Meta reportedly banned employees from running claws on work devices after an agent autonomously deleted someone’s emails. The architecture that made claws powerful (deep system access, persistent operation, autonomous decision-making) was exactly what made them dangerous.
This is the gap NVIDIA walked into today.
NemoClaw is an open-source stack that sits on top of OpenClaw and adds what was missing: a security and privacy layer. One command installs it:
curl -fsSL https://nvidia.com/nemoclaw.sh | bashThat single line pulls down three things:
1. NVIDIA OpenShell, a new open-source runtime that sandboxes agent execution with declarative YAML policies. It governs what an agent can see, what it can do, and where its inference runs. Credentials are injected as environment variables at runtime, never touching the sandbox filesystem. Think of it as the *permissions layer* for autonomous AI.
1. NVIDIA Nemotron models, open models that can run locally on your machine for enhanced privacy and cost efficiency. No cloud dependency required.
1. A privacy router, an intelligent switchboard that lets agents tap local open models for sensitive tasks and cloud-based frontier models for complex reasoning, all within defined guardrails.
The positioning is unmistakable. Huang put it bluntly: “Mac and Windows are the operating systems for the personal computer. OpenClaw is the operating system for personal AI.”
NVIDIA just built the kernel security module for that OS.
The most consequential piece of the announcement isn’t NemoClaw itself. It’s OpenShell. This is where the real thinking lives.
OpenShell introduces policy-based governance for autonomous agents. Instead of binary on/off permissions, developers write declarative YAML policies that define exactly what an agent can and cannot do. File access, network activity, data exfiltration, all governed by human-readable configuration.
A few things stand out:
Agent-first architecture. OpenShell is designed assuming your first collaborator is an AI agent. The documentation explicitly says: “Before opening issues or submitting code, point your agent at the repo.”
Credential isolation. API keys, tokens, and service accounts are managed as “providers,” named bundles injected at runtime. The system auto-discovers credentials for recognized agents (Claude, Codex, OpenCode) from your shell environment.
GPU passthrough for local inference. Agents can access host GPUs inside sandboxes for local model execution. This is where NVIDIA’s hardware story meets its software play. DGX Spark, DGX Station, RTX workstations all become dedicated compute for always-on agents.
CrowdStrike integration from day one. In a parallel announcement, CrowdStrike unveiled a “Secure-by-Design AI Blueprint” that embeds Falcon endpoint protection directly into the OpenShell runtime. This isn’t theoretical enterprise security. It’s runtime behavioral monitoring for autonomous agents, including identity-based governance for agent access controls.
Here’s where I’ll put on the Agentic Experience Design hat.
We’ve been talking about the shift from interfaces to agents, from screens people navigate to systems that navigate for them. The missing piece was never the intelligence. The models are smart enough. The missing piece was trust infrastructure.
You can’t build an agentic experience if the agent can’t be trusted to operate within boundaries. And you can’t define boundaries without a governance layer that’s as designable as the experience itself.
That’s what YAML policy files are. They’re the new design material.
Think about it. A declarative policy that says “this agent can read my calendar but cannot send emails without confirmation” is an experience decision expressed as infrastructure. The permission model is the interaction model.
This has implications across every domain:
Luxury and retail. Agents that manage client relationships need strict data compartmentalization. NemoClaw’s privacy router means a personal shopping agent can reason about preferences using cloud models while keeping purchase history and personal data local.
Financial services. Regulatory compliance isn’t optional. Policy-based guardrails that are auditable, version-controlled, and human-readable are exactly what compliance teams need to greenlight autonomous agents.
Public administration. Citizen-facing agentic experiences need this kind of governance backbone. No government entity is deploying agents that can’t demonstrate policy enforcement.
Industrial enterprises. Factory floors and supply chains are already running predictive maintenance models and digital twins. But autonomous agents that can act on those predictions, rerouting logistics, adjusting production schedules, triggering procurement, need sandboxed execution with strict operational boundaries. OpenShell’s YAML policies map naturally to the safety-critical constraints that industrial operations demand. NVIDIA’s partnerships with Siemens, Dassault Systèmes, and Cadence signal exactly this direction: agents that plan, optimize, and verify complex workflows within enforceable guardrails.
Energy and resources. Grid operators, utilities, and extraction companies deal with highly regulated environments where autonomous decision-making carries physical consequences. An agent monitoring energy distribution or optimizing resource allocation needs to operate within precise policy constraints, with full auditability. The local inference capability is particularly relevant here: sensitive operational data (grid topology, asset performance, reservoir models) can stay on-premise while agents still access frontier reasoning through the privacy router.
Telecommunications. NVIDIA already flagged network operations as a key use case for autonomous agents. Telcos managing millions of endpoints need agents that can diagnose issues, optimize traffic, and provision services without human intervention. But those agents also need identity-based access controls and behavioral monitoring at scale. The CrowdStrike integration matters most in this context: runtime security for agents operating across distributed network infrastructure, with governance that matches the complexity of the environment they manage.
What NVIDIA announced today isn’t just a product. It’s a declaration of stack position.
The enterprise partners tell the story: Adobe, Atlassian, Salesforce, Cisco, CrowdStrike, SAP, ServiceNow, Siemens, Red Hat. These aren’t early adopters experimenting with chatbots. These are the platforms that run the enterprise world, committing to build on NVIDIA’s agent toolkit.
NVIDIA is making the same play it made with CUDA for GPUs: own the runtime layer, and you own the ecosystem. OpenShell for agents is what CUDA was for parallel computing, the abstraction that becomes the standard.
The fact that it’s open source is strategic, not altruistic. Open source is how you become infrastructure. It’s how Linux won. It’s how Kubernetes won. And it’s how NVIDIA plans to ensure that the agentic era runs on their stack, even when it’s running on someone else’s hardware.
If you’re building anything with autonomous agents, here are three concrete next steps:
Read the OpenShell documentation. Understanding policy-based agent governance is going to be as important as understanding API design was a decade ago. The docs are at docs.nvidia.com/openshell.
Try the NemoClaw install. If you have an NVIDIA GPU, the one-command install is real. Get a feel for what “deploying a claw” actually means in practice.
Start thinking about permission as a design material. The next wave of agentic products isn’t about what an agent can do. It’s about what it should do, and that’s a product question as much as an engineering one.
The claw era just got its trust layer. The real building starts now.