Autonomous agents mark a new inflection point in AI. Systems are no longer limited to generating responses or reasoning through tasks. They can take action: Agents can read files, use tools, write and run code, and execute workflows across enterprise systems, all while expanding their own capabilities. The sub-agents they create become specialized — experts in one domain or a specific task.
Application-layer risk grows quickly when agents continuously improve and evolve: every package an agent installs, skill it learns or sub-agent it spawns is a new way for it to act on the system. The NVIDIA OpenShell runtime is being built to address this.
Part of NVIDIA Agent Toolkit, OpenShell is an open source, secure-by-design runtime for developing, deploying and governing autonomous agents. It works by ensuring each agent runs inside its own sandbox, separating application-layer operations from infrastructure-layer policy enforcement.
This means security policies are out of reach of the agent: they are applied at the system level. Instead of relying on behavioral prompts (instructions that ask the model to behave), OpenShell enforces constraints on the environment the agent runs in. The agent cannot override those policies, and it cannot leak credentials or private data to any destination the policy does not allow, even if the agent itself is compromised.
With OpenShell, enterprises can separate agent behavior, policy definition and policy enforcement. Organizations gain a single, unified policy layer to define and monitor how autonomous systems operate. Coding agents, research assistants and agentic workflows all run under the same runtime policies regardless of host operating system, simplifying compliance and operational oversight.
This is the “browser tab” model applied to agents: Sessions are isolated, resources are controlled and permissions are verified by the runtime before any action takes place.
Securing autonomous systems requires an integrated ecosystem. OpenShell is designed to add privacy and security controls for AI agents. NVIDIA is collaborating with security partners, including Cisco, CrowdStrike, Google Cloud, Microsoft Security and TrendAI, to align runtime policy management and enforcement for agents across the enterprise stack.
OpenShell Provides an Enterprise-Grade Sandbox for Building Personal AI Assistants
OpenShell will run across form factors on all major enterprise operating systems, including Canonical Ubuntu, Microsoft Windows and Red Hat OpenShift. Additionally, it will be integrated into enterprise software platforms provided by ecosystem partners such as SAP and ServiceNow to secure agents running within enterprises.
Because policies are enforced at the infrastructure layer (the “shell”) rather than the application layer, the agent doesn’t have the technical permission to move data outside of its sandbox unless the policy explicitly allows it. Credential theft and private data exfiltration are therefore limited to the egress the policy permits, which makes the policy itself the thing to review rather than the agent’s prompts.
OpenShell enforces security with three key components:
- Individual agent sandboxes: Designed specifically for long-running, self-evolving agents. They handle skill development and verification, programmable system and network isolation, and isolated execution environments that an agent can break without affecting the host. Policy updates happen live at sandbox scope as developer approvals are granted, with a full audit trail of every allow and deny decision.
- Policy enforcement engine: Enforces constraints on the agent’s environment across the filesystem, network and process layers. Self-evolving agents require granular oversight to be trusted when installing packages, learning skills at runtime and spawning scoped subagents. By evaluating every action at the binary, destination, method and path level, the engine ensures an agent can install a verified skill but cannot execute an unreviewed binary.
- Gateway: The control point where autonomous agent actions are evaluated before they reach the host environment. It translates policy rules into runtime enforcement decisions, governing what an agent can read, write, execute, access over the network or delegate to external tools. By centralizing policy management, the gateway gives operators a clear place to define trust boundaries, audit decisions and adapt permissions as an agent’s task evolves, while preserving the isolation guarantees that make OpenShell safe for long-running autonomous work.
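To make the enforcement model concrete, here is a small default-deny policy evaluator written for this article. It is an added illustration, not OpenShell’s policy language, API or code: the Action and AllowRule shapes, the field names, the sample policy and the sample actions are all invented for the example. It shows the three ideas above in one place: every action is matched against explicit allow rules at the path, destination, method and binary level; anything unmatched is denied; and every decision, including a developer-approved live policy update, lands in an audit trail.

```python
"""Illustrative default-deny policy evaluator for an agent sandbox.

Added example for this article; NOT OpenShell's policy language, API or
code. The rule shapes, field names, sample policy and sample actions are
all invented for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Action:
    """One thing the agent asks the runtime to do (hypothetical shape)."""
    kind: str                      # "fs", "net" or "exec"
    path: Optional[str] = None     # fs: file path; exec: binary path
    mode: Optional[str] = None     # fs: "read" or "write"
    host: Optional[str] = None     # net: destination host
    port: Optional[int] = None     # net: destination port
    method: Optional[str] = None   # net: request method, e.g. "GET"
    verified: bool = False         # exec: binary passed skill verification


@dataclass(frozen=True)
class AllowRule:
    """A single allow rule; unset fields are wildcards (hypothetical shape)."""
    kind: str
    path: str = "*"
    mode: str = "*"
    host: str = "*"
    port: Optional[int] = None
    method: str = "*"
    require_verified: bool = False

    def matches(self, a: Action) -> bool:
        if a.kind != self.kind:
            return False
        if self.kind == "fs":
            return fnmatch(a.path or "", self.path) and self.mode in ("*", a.mode)
        if self.kind == "net":
            return (fnmatch(a.host or "", self.host)
                    and (self.port is None or self.port == a.port)
                    and self.method in ("*", a.method))
        if self.kind == "exec":
            # An exec rule can insist that the binary passed skill verification.
            return fnmatch(a.path or "", self.path) and (a.verified or not self.require_verified)
        return False


@dataclass
class Policy:
    """Default-deny policy: an action passes only if some allow rule matches."""
    allow: List[AllowRule] = field(default_factory=list)
    audit: List[Dict[str, object]] = field(default_factory=list)

    def evaluate(self, action: Action) -> bool:
        decision = any(rule.matches(action) for rule in self.allow)
        # Every decision, allow or deny, is recorded for later review.
        self.audit.append({"action": action, "decision": "allow" if decision else "deny"})
        return decision

    def grant(self, rule: AllowRule, approved_by: str) -> None:
        """Live policy update: an approved rule takes effect for later actions only."""
        self.allow.append(rule)
        self.audit.append({"action": rule, "decision": f"granted by {approved_by}"})


def sandbox_policy() -> Policy:
    """Constructed policy for a coding agent confined to /workspace."""
    return Policy(allow=[
        AllowRule(kind="fs", path="/workspace/*", mode="read"),
        AllowRule(kind="fs", path="/workspace/out/*", mode="write"),
        AllowRule(kind="net", host="api.example.com", port=443, method="GET"),
        AllowRule(kind="exec", path="/workspace/skills/*", require_verified=True),
    ])


# Constructed sample actions: the first four should be allowed, the rest denied.
SAMPLE_ACTIONS = [
    Action(kind="fs", path="/workspace/src/main.py", mode="read"),
    Action(kind="fs", path="/workspace/out/report.md", mode="write"),
    Action(kind="net", host="api.example.com", port=443, method="GET"),
    Action(kind="exec", path="/workspace/skills/lint", verified=True),
    Action(kind="fs", path="/home/user/.aws/credentials", mode="read"),    # credential read
    Action(kind="net", host="api.example.com", port=443, method="POST"),  # method not allowed
    Action(kind="net", host="files.example.net", port=443, method="GET"), # unlisted destination
    Action(kind="exec", path="/workspace/skills/new", verified=False),    # unreviewed binary
    Action(kind="exec", path="/tmp/downloaded", verified=True),           # outside skills dir
]


def run_samples() -> List[bool]:
    policy = sandbox_policy()
    return [policy.evaluate(a) for a in SAMPLE_ACTIONS]


def denied_actions(policy: Policy) -> List[Action]:
    return [e["action"] for e in policy.audit if e["decision"] == "deny"]


if __name__ == "__main__":
    policy = sandbox_policy()
    for a in SAMPLE_ACTIONS:
        print("allow" if policy.evaluate(a) else "deny ", a)
    print(f"{len(denied_actions(policy))} of {len(SAMPLE_ACTIONS)} actions denied")
```

The point of the example is the shape of the decision, not the matching code: the agent never sees the rule list, a missing rule means deny, a POST that was denied becomes allowed only after an explicit approval is granted, and the audit trail shows both the denial and who granted the change.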
OpenShell is in early preview. NVIDIA is building in the open with the community and its partners to enable enterprises to scale self-evolving, long-running autonomous agents safely, confidently and in compliance with global security standards.
Get started with NVIDIA OpenShell and launch a ready-to-use environment on NVIDIA Brev, or explore the open source project on GitHub.