8 Key Things to Know About OpenShell and Secure Enterprise AI Agents

As autonomous AI agents begin to take on critical roles in enterprise workflows, the software stack designed for human operators is showing its limits. The systems we rely on for security, identity, and governance were built assuming a human in the loop — someone who works at human speed, manages credentials manually, and approves every significant action. Autonomous agents break all those assumptions. They operate at machine speed, run indefinitely, and interact with services without human oversight. Nvidia and its partners argue that the entire stack must be rebuilt from the ground up. At the heart of this transformation is OpenShell, an open source secure runtime for autonomous agents. Here are eight things you need to know about this breakthrough project and why industry leaders like Jensen Huang and Bill McDermott are backing it.

1. The Core Problem: Human-Centric Stack Fails Autonomous Agents

Traditional enterprise software stacks were designed with the human user as the trusted actor. Identity and access management (IAM) systems assume a person is controlling the session, monitoring actions, and moving through environments at human speed. Agents turn this model upside down. They are faster, can execute tasks continuously, and don't fit neatly into human-centric identity models. Lifting an existing stack and applying it to autonomous agents doesn't just create inefficiency — it opens critical security gaps. As Nvidia's Ali Golshan explains, an agent should never interact directly with the operating system, host, network, or infrastructure. That's why a new approach is needed.

(Image: 8 Key Things to Know About OpenShell and Secure Enterprise AI Agents. Source: thenewstack.io)

2. OpenShell: A Secure Runtime Built for Machine-Speed Operations

OpenShell is an Apache 2.0 open source project developed over the past six months by Nvidia's senior director of AI software, Ali Golshan, and his team. It is a secure runtime for autonomous agents that provides a trusted environment where agents can operate at machine speed without compromising host infrastructure, leaking credentials, or bypassing governance controls. The project is a core component of Nvidia's broader Agent Toolkit. By sandboxing each agent and its associated tools, OpenShell ensures that the lowest level of the agent stack is isolated from the underlying system — a fundamental shift from traditional architectures.

3. Sandbox-First Architecture: Every Agent Gets Its Own Isolation

At the heart of OpenShell is a sandbox-first architecture. Every autonomous agent, along with its harness and model, runs inside its own dedicated sandbox. This containment strategy ensures that if something goes wrong — such as a prompt injection attack or an attempt to execute arbitrary commands — the blast radius is limited to that individual sandbox. The agent cannot touch the host operating system, network, or infrastructure directly. This design is crucial for giving agents increasing levels of autonomy while maintaining enterprise-grade security. As Golshan puts it, “If you want to give more and more autonomy to an agent, the lowest level of the stack should really be a sandbox.”

4. The Gateway Model: Credentials Never Reach the Agent

Outside each sandbox sits a gateway that manages credentials and session state. When an agent needs to interact with an external service — such as ServiceNow, Salesforce, or Workday — the gateway handles authentication and passes the session into the sandbox. The agent itself never holds keys, tokens, or passwords. This separation of duties means that even if an agent is compromised, an attacker cannot steal credentials. The gateway acts as a policy enforcement point, ensuring that every external interaction follows enterprise governance rules. This model is a significant departure from traditional architectures where credentials are embedded in code or stored alongside the agent.
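The separation described above, as an added example that is not OpenShell's own code: a gateway outside the sandbox owns the service credential, mints an opaque session handle for the agent, injects the credential only inside its own `call` method, enforces a per-agent policy on every outbound action, and writes an audit record. The class and method names, the `FakeService` stand-in for a SaaS endpoint, and the sample policy are all assumptions made for the illustration.

```python
"""Gateway-mediated credential model (added illustration, not OpenShell's API).
The sandboxed agent only ever holds a random handle; the gateway holds the
secret, enforces policy per agent/service/action and keeps an audit trail."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass


class FakeService:
    """Constructed stand-in for an external SaaS service; not a real endpoint."""

    def __init__(self, name: str, expected_token: str):
        self.name = name
        self._expected = expected_token
        self.received: list[dict] = []

    def handle(self, bearer: str, action: str, payload: dict) -> dict:
        # constant-time comparison, as a real token check should do
        if not hmac.compare_digest(bearer, self._expected):
            return {"status": 401, "error": "bad token"}
        self.received.append({"action": action, "payload": payload})
        return {"status": 200, "result": f"{self.name}:{action}:ok"}


@dataclass
class Session:
    agent_id: str
    service: str
    allowed_actions: frozenset
    active: bool = True


class Gateway:
    """Runs outside the sandbox: owns credentials, mints handles, enforces policy."""

    def __init__(self, credentials: dict, services: dict, policy: dict):
        self._credentials = credentials      # service -> secret; never crosses the boundary
        self._services = services
        self._policy = policy                # agent_id -> service -> allowed actions
        self._sessions: dict[str, Session] = {}
        self.audit: list[tuple] = []

    def open_session(self, agent_id: str, service: str) -> str:
        allowed = self._policy.get(agent_id, {}).get(service)
        if not allowed:
            self.audit.append(("deny_open", agent_id, service))
            raise PermissionError(f"{agent_id} may not use {service}")
        handle = secrets.token_urlsafe(24)    # random; unrelated to the credential
        self._sessions[handle] = Session(agent_id, service, frozenset(allowed))
        self.audit.append(("open", agent_id, service))
        return handle

    def call(self, handle: str, action: str, payload: dict) -> dict:
        sess = self._sessions.get(handle)
        if sess is None or not sess.active:
            self.audit.append(("deny_call", "unknown-session", action))
            raise PermissionError("invalid or revoked session")
        if action not in sess.allowed_actions:
            self.audit.append(("deny_call", sess.agent_id, f"{sess.service}.{action}"))
            raise PermissionError(f"{action} not permitted on {sess.service}")
        token = self._credentials[sess.service]   # injected here, inside the gateway only
        self.audit.append(("call", sess.agent_id, f"{sess.service}.{action}"))
        return self._services[sess.service].handle(token, action, payload)

    def revoke(self, handle: str) -> None:
        sess = self._sessions.get(handle)
        if sess is not None:
            sess.active = False
            self.audit.append(("revoke", sess.agent_id, sess.service))


def sandboxed_agent(gw: Gateway, handle: str) -> dict:
    """The code inside the sandbox: it sees the handle, never the token."""
    return gw.call(handle, "create_ticket", {"title": "disk full on db-01"})


def demo() -> dict:
    token = secrets.token_hex(16)             # constructed secret for the fake service
    svc = FakeService("servicenow", token)
    gw = Gateway(credentials={"servicenow": token}, services={"servicenow": svc},
                 policy={"agent-ops": {"servicenow": {"create_ticket", "read_ticket"}}})
    handle = gw.open_session("agent-ops", "servicenow")
    outcome = {"first_call": sandboxed_agent(gw, handle)["status"],
               "handle_leaks_token": token in handle}
    for label, fn in (("out_of_policy", lambda: gw.call(handle, "delete_ticket", {"id": 1})),
                      ("unlisted_service", lambda: gw.open_session("agent-ops", "workday"))):
        try:
            fn()
            outcome[label] = "allowed"
        except PermissionError:
            outcome[label] = "denied"
    gw.revoke(handle)
    try:
        gw.call(handle, "read_ticket", {"id": 1})
        outcome["after_revoke"] = "allowed"
    except PermissionError:
        outcome["after_revoke"] = "denied"
    outcome["audit_events"] = [e[0] for e in gw.audit]
    return outcome


if __name__ == "__main__":
    print(demo())
```

The point to check in a real deployment is the one `demo()` exercises: a compromised agent that dumps everything in its sandbox gets a random handle, a prompt-injected call outside the allowed action set is refused before any credential is touched, and revoking the session at the gateway cuts the agent off without rotating the underlying secret.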

5. Policy Enforcement Below the Application Layer

OpenShell enforces security policies below the application layer, using low-level Linux kernel primitives. This is the distinction Ali Golshan draws between security that is baked in versus bolted on. In a bolted-on model, every product in the stack brings its own enforcement mechanism, creating complexity and fragmentation. OpenShell instead applies a unified policy layer at the kernel level, ensuring consistent enforcement regardless of which agent or service is involved. This approach reduces the attack surface and simplifies compliance, because policies are defined once and applied system-wide.


6. Leveraging Linux Kernel Primitives: seccomp, eBPF, and Landlock

The specific technologies used for policy enforcement include seccomp, eBPF, and Landlock. Seccomp (secure computing mode) restricts the system calls an agent can make, limiting its ability to interact with the kernel. eBPF (extended Berkeley Packet Filter) allows dynamic tracing and filtering of system events at runtime. Landlock provides a fine-grained access control mechanism for file system and network operations. By combining these primitives, OpenShell creates a multi-layered security model that is both powerful and lightweight. This approach is designed to scale across thousands of agent instances running in a production environment.
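To make the "policy below the application layer" idea of sections 5 and 6 concrete, here is an added example (not OpenShell code) that builds a classic-BPF seccomp program by hand, installs it in a forked child with `prctl(2)` via `ctypes`, and then shows the confined child failing `socket(2)` with EPERM while everything else keeps working. The constants are the public values from `linux/filter.h`, `linux/seccomp.h` and `linux/audit.h`; the syscall numbers and audit architecture ids for x86_64 and aarch64 are assumptions that hold for mainline Linux, and any other platform is reported as unsupported rather than guessed. Landlock is not shown; its `landlock_create_ruleset` / `landlock_add_rule` / `landlock_restrict_self` sequence would be applied in the same child before handing control to the agent.

```python
"""Hand-built seccomp-bpf filter applied to a forked child (added illustration).
Denies socket(2) with EPERM, kills on a foreign syscall ABI, allows the rest."""
from __future__ import annotations

import ctypes
import errno
import os
import platform
import socket
import sys

# BPF opcodes (linux/filter.h)
BPF_LD_W_ABS = 0x20            # BPF_LD | BPF_W | BPF_ABS
BPF_JMP_JEQ_K = 0x15           # BPF_JMP | BPF_JEQ | BPF_K
BPF_RET_K = 0x06               # BPF_RET | BPF_K
# seccomp return actions (linux/seccomp.h)
SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_ERRNO = 0x00050000
SECCOMP_RET_ALLOW = 0x7FFF0000
OFF_NR, OFF_ARCH = 0, 4        # offsets of nr and arch in struct seccomp_data
PR_SET_NO_NEW_PRIVS, PR_SET_SECCOMP, SECCOMP_MODE_FILTER = 38, 22, 2

# assumed per-architecture (AUDIT_ARCH_*, __NR_socket); other machines are reported unsupported
ARCH_TABLE = {"x86_64": (0xC000003E, 41), "aarch64": (0xC00000B7, 198)}


class SockFilter(ctypes.Structure):          # struct sock_filter
    _fields_ = [("code", ctypes.c_uint16), ("jt", ctypes.c_uint8),
                ("jf", ctypes.c_uint8), ("k", ctypes.c_uint32)]


class SockFprog(ctypes.Structure):           # struct sock_fprog
    _fields_ = [("len", ctypes.c_uint16), ("filter", ctypes.POINTER(SockFilter))]


def build_deny_socket_filter(audit_arch: int, nr_socket: int) -> list[tuple]:
    """Program: kill on unexpected arch, EPERM for socket(2), allow everything else."""
    return [
        (BPF_LD_W_ABS, 0, 0, OFF_ARCH),                    # A = arch
        (BPF_JMP_JEQ_K, 1, 0, audit_arch),                 # expected arch: skip the kill
        (BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS),
        (BPF_LD_W_ABS, 0, 0, OFF_NR),                      # A = syscall number
        (BPF_JMP_JEQ_K, 0, 1, nr_socket),                  # not socket: jump to allow
        (BPF_RET_K, 0, 0, SECCOMP_RET_ERRNO | errno.EPERM),
        (BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW),
    ]


def install_filter(insns: list[tuple]) -> None:
    arr = (SockFilter * len(insns))(*[SockFilter(*i) for i in insns])
    prog = SockFprog(len(insns), arr)
    libc = ctypes.CDLL(None, use_errno=True)
    # no_new_privs is mandatory for an unprivileged process to load a filter
    if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_NO_NEW_PRIVS failed")
    if libc.prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ctypes.byref(prog), 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_SECCOMP failed")


def run_confined_probe() -> str:
    """Fork, confine the child, try socket(2). Returns 'blocked' (EPERM as intended),
    'leaked' (filter ineffective), 'unsupported' (non-Linux, unknown arch, seccomp off)."""
    arch = ARCH_TABLE.get(platform.machine())
    if sys.platform != "linux" or arch is None:
        return "unsupported"
    pid = os.fork()
    if pid == 0:                                   # child plays the sandboxed agent
        try:
            install_filter(build_deny_socket_filter(*arch))
        except OSError:
            os._exit(3)                            # prctl refused the filter
        try:
            socket.socket(socket.AF_INET, socket.SOCK_STREAM).close()
            os._exit(1)                            # socket succeeded: filter did nothing
        except PermissionError:
            os._exit(0)                            # EPERM from the filter
        except OSError:
            os._exit(2)
    _, status = os.waitpid(pid, 0)
    if not os.WIFEXITED(status):
        return "killed"
    return {0: "blocked", 1: "leaked", 3: "unsupported"}.get(os.WEXITSTATUS(status), "error")


if __name__ == "__main__":
    print(run_confined_probe())
```

Two things the filter illustrates about enforcement at this layer: the policy is checked by the kernel on every syscall, so no library the agent loads can route around it, and because the agent process could otherwise switch syscall ABI, a production filter also rejects the x32 number space on x86_64 (numbers with bit 30 set) rather than relying on the architecture check alone.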

7. Part of Nvidia's Broader Agent Toolkit

OpenShell is not a standalone product; it is an integral part of Nvidia's Agent Toolkit, a comprehensive framework for building, deploying, and managing autonomous AI agents. The toolkit includes tools for agent orchestration, model serving, monitoring, and now secure execution. By integrating OpenShell into this ecosystem, Nvidia provides a complete solution that addresses not just runtime security but also the entire lifecycle of enterprise agents. This alignment with Nvidia's hardware and software stack gives enterprises a path to production that is both performant and secure — a critical factor as agent adoption accelerates.

8. Backed by Industry Leaders: Jensen Huang and Bill McDermott

The project has attracted high-profile support from Jensen Huang, CEO of Nvidia, and Bill McDermott, CEO of ServiceNow. Their bet on OpenShell signals a major shift in how enterprise software should be architected for the age of autonomous agents. Huang has long advocated for rebuilding the entire stack to support AI-native workflows, while McDermott's backing highlights the need for secure agent-to-service integration — especially relevant given ServiceNow's extensive use of AI agents in enterprise IT and customer service. Their involvement gives OpenShell not only credibility but also a clear path to adoption across the Fortune 500.

Conclusion: A New Foundation for Enterprise AI

OpenShell represents a fundamental rethinking of enterprise security for the autonomous agent era. By moving from a human-centric to an agent-native stack — with sandboxing, gateway-controlled credentials, and kernel-level policy enforcement — it addresses the core vulnerabilities that arise when agents operate at machine speed. As more organizations deploy AI agents for critical tasks, solutions like OpenShell will become essential. The backing of Jensen Huang and Bill McDermott underscores the urgency and the opportunity: the enterprise stack of tomorrow must be built differently, and OpenShell is leading the way.
