
NVIDIA Just Validated the Always-On AI Agent Model. Here's What That Means.

AI agents, NVIDIA, NemoClaw

On March 16, NVIDIA quietly released NemoClaw — an open-source reference stack for running always-on AI agents with enterprise-grade sandboxing. If you've been following the AI agent space, this is a big deal. Not because of what it does, but because of what it signals.

What NemoClaw Actually Is

Let's cut through the press release language.

NemoClaw is a wrapper around OpenClaw, the open-source always-on AI assistant platform. It adds three things:

  1. NVIDIA OpenShell sandboxing — Landlock filesystem isolation, seccomp syscall filtering, and network namespaces. Every agent runs in a container that can't touch the host system or reach the internet without explicit operator approval.
  2. NVIDIA Nemotron inference — Agent traffic routes through NVIDIA's cloud-hosted Nemotron 3 Super 120B model (a mixture-of-experts architecture with 12B active parameters). No OpenAI or Anthropic API keys required.
  3. Declarative network policy — Egress rules defined in YAML. Unknown hosts get blocked and surfaced to a human operator for approve/deny. The agent literally cannot phone home to a domain you haven't whitelisted.

One CLI. One curl | bash. You get a sandboxed, always-on AI agent running on NVIDIA's own models.

Why This Matters More Than It Looks

Here's the thing most people will miss: NVIDIA didn't build a new agent framework. They took an existing one — one that people are already running in production — and wrapped it in the security and governance layer that enterprises have been asking for.

That's not a tech demo. That's a deployment strategy.

Think about what NVIDIA is really saying:

  • Always-on AI agents are a real pattern. Not a weekend project. Not a demo. A thing that enterprises will run 24/7 on their infrastructure.
  • The bottleneck isn't the model — it's trust. Companies want agents that can take action, but they need guardrails. Sandboxing. Network policy. Operator approval flows. NemoClaw addresses the "but what if it goes rogue?" question that kills every enterprise AI agent pilot.
  • Open-source models are good enough for agent workloads. NVIDIA is betting that Nemotron 120B can handle agentic tasks that most people assume require GPT-4 or Claude. If that bet pays off, the cost structure for running always-on agents drops dramatically.

The Security Model Is Actually Good

I've been doing infrastructure security for 25 years, so let me geek out on this for a second.

NemoClaw's sandbox uses three layers of Linux kernel isolation:

  • Landlock — restricts which filesystem paths the agent can access. Write access limited to /sandbox and /tmp. Everything else is read-only.
  • Seccomp — filters which system calls the agent process can make. No arbitrary code execution paths.
  • Network namespaces — the agent can't make outbound connections except through explicitly approved routes. Inference calls go to inference.local and get proxied by the host.

This is the same security philosophy behind container runtimes like gVisor, but purpose-built for AI agents. The agent never touches the host's credentials directly — the host owns the API keys and proxies inference requests.
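As an added illustration (not NemoClaw's code and not its real YAML schema) of the egress flow described in the network-policy bullet above and in this section: allowed hosts pass, denied hosts fail, unknown hosts are blocked and queued for an operator's approve/deny, and the operator's decision becomes a rule. The policy dictionary, host names and class names are constructed assumptions.

```python
# Added example of allow / deny / block-and-surface egress decisions.
# The policy shape and all names are assumptions, not NemoClaw's schema.
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    PENDING = "pending"  # blocked now, surfaced to a human for approve/deny


# Constructed sample policy. A leading "*." matches the host and its
# subdomains; deny rules take precedence over allow rules.
SAMPLE_POLICY = {
    "egress": {
        "allow": ["inference.local", "*.internal.example"],
        "deny": ["*.paste.example"],
    }
}


def matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


class EgressPolicy:
    def __init__(self, doc: dict):
        egress = doc.get("egress", {})
        self.allow = list(egress.get("allow", []))
        self.deny = list(egress.get("deny", []))
        self.pending = {}  # host -> number of blocked attempts awaiting review

    def check(self, host: str) -> Verdict:
        """Decide one outbound connection; unknown hosts are queued, not allowed."""
        host = host.lower().rstrip(".")
        if any(matches(p, host) for p in self.deny):
            return Verdict.DENY
        if any(matches(p, host) for p in self.allow):
            return Verdict.ALLOW
        self.pending[host] = self.pending.get(host, 0) + 1
        return Verdict.PENDING

    def operator_decide(self, host: str, approve: bool) -> None:
        """Operator resolves a queued host with an exact-host allow or deny rule."""
        host = host.lower().rstrip(".")
        self.pending.pop(host, None)
        (self.allow if approve else self.deny).append(host)
```

Because the default for an unmatched host is PENDING rather than ALLOW, a misspelled allow rule fails closed, which is the property the approval flow depends on.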

For compliance people: this is the kind of isolation model that makes auditors less nervous. The agent has a defined blast radius. You can demonstrate exactly what it can and can't do.

What I'm Running Today (And How It Compares)

Full disclosure: I run an OpenClaw agent on my own infrastructure right now. It handles everything from email triage to LinkedIn content to system monitoring for my fractional CISO practice.

My setup uses a different security model — Tailscale network isolation, AppArmor profiles, encrypted vault for secrets, and careful access controls. It works, but it's hand-built. I spent weeks hardening it.

NemoClaw packages that same security posture into a one-command install. That's the difference between "a senior engineer can secure this" and "any team can deploy this safely."

Where NemoClaw wins:

  • Zero-config sandboxing (kernel-level, not just AppArmor profiles)
  • Network policy with operator approval flow (my setup doesn't have this)
  • No external API key dependency (Nemotron vs. Anthropic/OpenAI)
  • Reproducible setup via versioned blueprints

Where my setup still wins:

  • Production-tested with real workloads (NemoClaw is alpha — "do not use in production")
  • Multi-model routing (Opus for complex work, Sonnet for routine, Flash for heartbeats)
  • Integrated with real business tools (Telegram, Slack, Google Calendar, LinkedIn)
  • Context optimization and memory management tuned over weeks of daily use

The Bigger Picture

We're watching the "AI agent" category split into two lanes:

Lane 1: Cloud-hosted agent platforms — Anthropic's Claude, OpenAI's assistants, Google's agent frameworks. You rent compute, you rent the model, you rent the guardrails. Vendor lock-in with a friendly API.

Lane 2: Self-hosted agent runtimes — OpenClaw, NemoClaw, and whatever comes next. You own the infrastructure, you pick the model, you define the policies. More work upfront, but more control.

NVIDIA just placed a massive bet on Lane 2. And when NVIDIA bets on something, the ecosystem follows.

What to Watch

NemoClaw is alpha software. Don't deploy it to production tomorrow. But do watch:

  • Model quality — Can Nemotron 120B actually handle complex agentic workflows? Tool use, multi-step reasoning, code generation? That's the real test.
  • OpenShell maturity — The sandbox runtime is the foundation. If it stabilizes quickly, expect other agent frameworks to adopt it.
  • Enterprise adoption — The first Fortune 500 company that runs an always-on AI agent on NemoClaw will be the tipping point.
  • DGX Spark support — NVIDIA already has a setup guide for Spark. They're targeting on-prem GPU hardware. That's an enterprise play, not a hobbyist play.

Bottom Line

NVIDIA just told the market: always-on AI agents are real, they need real security, and you should be running them on our hardware with our models.

If you're already running AI agents — or thinking about it — this is validation. The pattern works. The question is no longer should we run AI agents but how do we run them safely.

And if your compliance program doesn't have an answer to "what happens when the AI agent goes rogue," NemoClaw just gave you a framework to start with.

Running AI Agents? Let's Talk Security.

Whether you're evaluating NemoClaw or building your own agent stack, I can help you get the security and compliance model right from day one.


Peter Hallen is a fractional CISO helping small and mid-sized companies navigate compliance, security, and the rapidly evolving AI landscape.

