The fundamental architecture of enterprise software, meticulously crafted over decades to serve human operators, is facing a paradigm shift. This existing stack, built on assumptions of human-speed interactions, human-managed credentials, and human oversight, is ill-equipped to handle the burgeoning capabilities of autonomous AI agents. Nvidia, a leading force in AI hardware and software, argues that this entire foundation needs to be rebuilt from the ground up to accommodate these advanced agents. At the forefront of this ambitious undertaking is OpenShell, an open-source secure runtime environment designed by Nvidia to enable trustworthy and secure operation of autonomous AI agents within enterprise infrastructures.
The genesis of this architectural reevaluation stems from the inherent differences between human users and AI agents. Unlike humans, AI agents operate at machine speeds, can execute tasks continuously without fatigue, and possess an unprecedented ability to process and act upon vast amounts of data. These characteristics challenge traditional security models, identity and access management systems, and governance frameworks that were primarily designed with human limitations and behaviors in mind. Ali Golshan, Senior Director of AI Software at Nvidia, and his team have dedicated the past six months to developing OpenShell as a crucial component of Nvidia’s broader Agent Toolkit, aiming to provide enterprises with a secure and controlled environment for AI agent deployment.
"If you want to give more and more autonomy to an agent, the lowest level of the stack should really be a sandbox," Golshan articulated in a recent discussion with The New Stack. "That agent should not be interacting directly with your operating system or host or network or infrastructure." This "sandbox-first" philosophy underscores Nvidia’s vision for an agent-native software stack, where security and isolation are paramount from the initial stages of development and deployment.
The Architectural Imperative: Addressing the Agent-Native Paradigm
The core problem Nvidia aims to solve with OpenShell is deeply architectural. Current enterprise tooling often treats the human user as the sole trusted actor, responsible for controlling, monitoring, and navigating complex environments. This model breaks down when faced with autonomous agents that can perform these functions with far greater speed and scale. Applying traditional security and management paradigms to these agents not only leads to inefficiencies but also introduces significant security vulnerabilities. Agents, by their nature, can bypass human-centric controls if not properly contained.
OpenShell tackles this challenge through a meticulously designed layered approach. Each autonomous agent, along with its associated harness and model, is encapsulated within its own dedicated sandbox. This isolation ensures that any malicious activity or unintended consequence within an agent’s operation remains contained, preventing lateral movement and unauthorized access to critical systems.
Positioned outside each agent’s sandbox is a robust gateway. This gateway acts as a secure intermediary, managing credentials and session states. When an agent requires interaction with external enterprise services – such as those offered by industry leaders like ServiceNow, Salesforce, or Workday – the gateway handles the authentication process. It then securely passes the established session into the sandbox, ensuring that the agent itself never directly handles sensitive keys or credentials. This "least privilege" principle, applied at a fundamental level, significantly mitigates the risk of credential leakage or unauthorized access, even in the event of a security breach like a prompt injection attack or an attempt to execute arbitrary commands. The "blast radius" of any compromise is thus confined to the individual agent’s sandbox.
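The gateway pattern just described, as an added example written for this article and not OpenShell's own code: a hypothetical `Gateway` holds the API key outside the sandbox, authenticates on the agent's behalf, and hands the sandboxed agent only an opaque session handle plus a policy-checked call channel, so a disallowed action is refused and audited without the agent ever holding the credential. All class, service and key names are constructed, and the process boundary is simulated in one Python process.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Gateway:
    """Outside the sandbox: holds credentials, opens sessions, enforces the allowlist."""
    credentials: dict                      # service -> API key, never enters the sandbox
    policy: dict                           # agent_id -> {(service, action), ...}
    sessions: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def open_session(self, agent_id: str, service: str) -> str:
        """Authenticate on the agent's behalf (stand-in for a real auth call), return a handle."""
        _key = self.credentials[service]   # looked up here, never returned to the caller
        handle = secrets.token_urlsafe(16)
        self.sessions[handle] = (agent_id, service)
        return handle

    def call(self, handle: str, action: str, payload: dict) -> dict:
        """Proxy one action through a session; deny anything not in the allowlist."""
        if handle not in self.sessions:
            raise PermissionError("unknown session handle")
        agent_id, service = self.sessions[handle]
        if (service, action) not in self.policy.get(agent_id, set()):
            self.audit.append(("denied", agent_id, service, action))
            raise PermissionError(f"{agent_id} may not {action} on {service}")
        self.audit.append(("allowed", agent_id, service, action))
        return {"service": service, "action": action, "echo": payload}

class SandboxedAgent:
    """Inside the sandbox: gets a handle and a call channel to the gateway, nothing else."""
    def __init__(self, agent_id: str, gateway: Gateway, service: str):
        self.handle = gateway.open_session(agent_id, service)
        self._channel = gateway.call       # simulates the IPC boundary to the gateway

    def act(self, action: str, payload: dict) -> dict:
        try:
            return self._channel(self.handle, action, payload)
        except PermissionError as exc:
            return {"error": str(exc)}

def run_demo() -> dict:
    """Constructed scenario: a triage agent may read tickets but not delete them."""
    gw = Gateway(credentials={"servicenow": "constructed-key-000"},
                 policy={"triage-agent": {("servicenow", "read_ticket")}})
    agent = SandboxedAgent("triage-agent", gw, "servicenow")
    read = agent.act("read_ticket", {"id": "T-1"})
    delete = agent.act("delete_ticket", {"id": "T-1"})
    leaked = "constructed-key-000" in vars(agent).values()
    return {"read": read, "delete": delete, "audit": gw.audit, "key_in_sandbox": leaked}
```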
Policy Enforcement: A Foundationally Secure Approach
A critical differentiator of OpenShell is its approach to policy enforcement, which is situated below the application layer. By leveraging low-level Linux kernel primitives such as seccomp, eBPF, and Landlock, OpenShell establishes a robust and unbypassable security framework. This contrasts sharply with "bolted-on" security models, where each application or component within the stack implements its own, often conflicting, enforcement mechanisms.
Golshan emphasizes this distinction: policy enforcement occurs below the application layer, and that is what separates security that is baked in from security that is bolted on. In the bolted-on model, the proliferation of disparate security controls can lead to collisions, reliability issues, and gaps in coverage. OpenShell’s horizontal enforcement layer, however, ensures that policies are applied consistently and at a foundational level that agents cannot circumvent.
"The ability to enforce policies below the application layer – at the same time, you don’t want every single user to be able to do that, because it’s a tricky place to do that," Golshan explained. "So, you want the right level of abstraction and the right level of enforcement." This carefully calibrated approach ensures that while agents can operate with a high degree of autonomy, their actions remain strictly governed by enterprise-defined security and operational policies.
OpenShell’s design prioritizes flexibility and broad compatibility. It is engineered to run seamlessly across diverse environments, including desktops, Kubernetes clusters, micro-virtual machines, and various cloud infrastructures. Furthermore, it maintains an agnostic stance towards specific AI models, agent harnesses, and frameworks. This means that leading tools such as Claude Code and Codex can be integrated and executed securely within the OpenShell environment, offering developers and enterprises a versatile platform for innovation.
Gaining Momentum: Enterprise Adoption and Open Contributions
The OpenShell project is rapidly gaining traction within the enterprise AI ecosystem. LangChain, a prominent developer tools company whose frameworks are instrumental in a significant portion of enterprise agent development, has announced its commitment to contribute openly to the OpenShell GitHub repository. This collaboration signifies a growing industry consensus around the need for secure and standardized runtime environments for autonomous agents.
A pivotal moment for OpenShell’s enterprise adoption occurred recently at the ServiceNow Knowledge 2026 conference in Las Vegas. Nvidia Founder and CEO Jensen Huang shared the stage with ServiceNow Chairman and CEO Bill McDermott to announce an expanded collaboration, with OpenShell positioned at the core of their joint security architecture. This partnership underscores the growing recognition of OpenShell’s potential to address critical security and governance challenges in enterprise AI.
Project Arc and the Action Fabric: A Concrete Use Case
ServiceNow is set to introduce Project Arc, an ambitious autonomous desktop agent designed to empower knowledge workers, including developers, IT teams, and administrators. Project Arc will leverage OpenShell as its secure runtime environment. ServiceNow’s commitment extends to actively contributing to the OpenShell project and building upon it as a foundational layer for enterprise-grade agent execution.
Project Arc will integrate with ServiceNow’s Action Fabric, a system designed for robust governance and auditability. It will also connect to ServiceNow AI Control Tower for comprehensive oversight across the entire agent lifecycle, from deployment to ongoing operation.
"Project Arc represents the next step in our ongoing collaboration with Nvidia, bringing autonomous execution to the desktop," stated Jon Sigler, Executive Vice President and General Manager of AI Platform at ServiceNow. "By combining OpenShell’s runtime layer with ServiceNow AI Control Tower, and powered by ServiceNow Action Fabric, we’re delivering the governance and security that enterprise AI requires." This integration highlights a practical application of OpenShell’s capabilities, demonstrating how enterprises can deploy sophisticated autonomous agents with the necessary security and compliance measures.
The partnership between ServiceNow and Nvidia also advances NOWAI-Bench, an open benchmarking suite for enterprise AI agents. Developed in conjunction with Nvidia’s NeMo Gym library, NOWAI-Bench includes EnterpriseOps-Gym, a demanding benchmark designed to test the capabilities of enterprise agents. Currently, Nvidia’s Nemotron 3 Super ranks highest among open-source models on this benchmark, showcasing the performance potential of advanced AI models within these secure frameworks.
The Future of Enterprise: An Agent-Native Stack
Nvidia’s commitment to OpenShell extends beyond a single product; it represents a broader vision for an "agent-native" stack. Golshan articulated this vision as a fundamental rebuilding of core software primitives – including identity management, credential handling, and policy enforcement – with the explicit assumption that the agent, not the human, is the primary actor.
"You can have an agent, and then you can have a whole bunch of specialized agents that know your business, and you can’t treat these traditionally like a human team from an identity or access standpoint," Golshan elaborated. "All those primitives and constructs need to be rebuilt." This reimagining is crucial for enterprises operating in highly regulated industries such as healthcare, finance, and government, where stringent controls and auditability are non-negotiable.
The advent of autonomous agents is no longer a question of "if" but "when," and more importantly, "how" enterprises can deploy them safely and effectively in sensitive sectors. OpenShell and the broader Nvidia Agent Toolkit are designed to bridge this critical gap, providing the necessary tooling to ensure trust and compliance.
"Developers are really trying to understand: if I’m working in a regulated industry, what is the stack I need to build that one works for autonomous agents, and two, is trusted?" Golshan observed. "The biggest question they’re trying to answer is, what won’t change on me? What can I count on that will be underneath me and stable?"
OpenShell is now publicly available under the permissive Apache 2.0 license on GitHub, inviting broader community involvement and accelerating the development of a secure and scalable future for autonomous AI agents in the enterprise. The platform’s open-source nature is expected to foster rapid innovation and adoption, paving the way for a new era of intelligent automation that is both powerful and trustworthy.
