Jensen Huang put Peter Steinberger — OpenClaw’s creator — on the GTC main stage. “The OpenClaw event cannot be understated,” Jensen said. NVIDIA ran “Build-a-Claw” all week in GTC Park, where attendees deployed OpenClaw agents on DGX Spark hardware. And yesterday, they revealed NemoClaw — their enterprise agent runtime, built on a new security primitive called OpenShell, tightly coupled to RTX PRO 6000 Blackwell workstations.

Three signals, one story: NVIDIA has decided the agent era is OpenClaw-shaped. And they’re betting on on-premises sovereignty as the enterprise unlock.

The framing Jensen used was direct: “It’s no different than how Windows allowed us to make personal computers.” He’s positioning OpenClaw + NemoClaw as the operating system layer for AI agents — the thing that makes agents as universal as personal computers became. That’s a significant claim. And it’s not wrong.

I’ve been watching NemoClaw surface in coverage for weeks. Here’s my read on what they got right, what they left open, and why the governance gap is the most important unsolved problem in agentic AI right now.


What NemoClaw Actually Is

Let me correct the pre-keynote narrative first. Early coverage positioned NemoClaw as hardware-agnostic. The keynote told a different story.

NemoClaw is NVIDIA’s enterprise agent runtime, built on top of a new component called OpenShell — described as “a secure environment for running autonomous agents and open source models.” It installs via a single command through the NVIDIA AI Agent Toolkit. It runs on RTX PRO 6000 Blackwell workstations — up to 4,000 TOPS of local AI compute, 96GB GPU memory. Dell, HP, and Lenovo are the hardware partners.

This is on-premises AI, not cloud AI. NVIDIA’s value proposition for NemoClaw is explicit: “the governance, control and privacy required to tackle complex business tasks entirely on premises.”

That’s a meaningful bet. They’re not competing with Azure or AWS for cloud AI workloads. They’re targeting the class of enterprise customer that can’t — or won’t — put sensitive data in the cloud. Healthcare, finance, defense, legal. The customer who needs the compute local and the data locked down.

The security story: NemoClaw ships OpenShell as a sandbox for agent execution, plus the NeMo Guardrails toolkit for model output filtering. This is real work. Enterprise teams already use NeMo Guardrails, and OpenShell as a process isolation layer for agent execution is a genuine step forward.

There’s also NeMo-Agent-Toolkit on GitHub, which ships FastMCP support: NeMo-powered agent workflows can now publish themselves as MCP servers. That means a NemoClaw deployment that publishes its workflows this way exposes MCP endpoints, a network surface in its own right. Keep that in mind.

But here’s the part that matters for enterprise buyers: none of this is a pre-authorization gate. And that’s the gap.


The Governance Gap

The security architecture NVIDIA shipped solves two problems well:

  1. Process isolation (OpenShell): agents run in a sandboxed environment, limiting what they can touch at the OS level
  2. Output filtering (NeMo Guardrails): model outputs are reviewed for safety violations, PII and policy violations before delivery

These are the right tools for what they do. But there’s a third problem neither of them addresses.

Here’s the problem with “security at the output layer.”

By the time a language model’s final response reaches an output filter, the damage is often already done. The tool call already executed. The database query already ran. The external API already received the request. Output-layer filtering is like a smoke detector: it tells you the house is on fire. A governance layer is the sprinkler system that stops the fire before it spreads.

Let me make this concrete with two recent examples — both from the OpenClaw ecosystem, both from the past few weeks.

CVE-2026-25253 (Critical — OpenClaw ≤2026.3.10): An attacker exploited the WebSocket handshake to inherit operator.admin privileges from a trusted proxy. The origin bypass happens at the identity layer — before any model output is generated, before any guardrail fires. NeMo Guardrails would not catch this. OpenShell wouldn’t catch this. The privilege escalation is complete before the session begins.

CVE-2026-25252 (Moderate — OpenClaw ≤2026.3.8): OpenClaw’s exec approval allowlist used glob matching where ? could match the path separator /. An agent scoped to read-only/data tools could invoke read-dangerous/data tools instead. The pre-authorization mechanism itself was broken at the pattern-matching level.

That second one is instructive: OpenClaw implemented a pre-authorization mechanism — and still got it wrong. The pattern is hard to get right. But the direction is correct. Output-layer filtering won’t stop either of these. The fix has to happen before invocation.
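To make the glob problem concrete, here is an added Python example. It is mine, not OpenClaw’s code, and the allowlist, tool paths and function names are constructed for illustration. It shows Python’s fnmatch letting both ? and * cross the path separator, beside a matcher that refuses non-canonical paths and keeps every wildcard inside a single path segment. It goes beyond the single-character case the CVE describes and also covers * crossing a slash and .. traversal, because the fix is the same for all three.

```python
import fnmatch
import posixpath
import re

# Constructed allowlist for illustration only; not OpenClaw's real configuration.
ALLOWLIST = ("read-only/*",)


def naive_allowed(tool_path: str, patterns=ALLOWLIST) -> bool:
    """The weak check. fnmatch's '*' and '?' both match '/', so a pattern written
    for one tool directory also matches paths that escape into another."""
    return any(fnmatch.fnmatchcase(tool_path, p) for p in patterns)


def _segment_glob(pattern: str) -> "re.Pattern[str]":
    """Translate a glob into a regex whose wildcards cannot cross a '/' boundary."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append("[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def hardened_allowed(tool_path: str, patterns=ALLOWLIST) -> bool:
    """Validate the path's shape first, then match with separator-aware wildcards."""
    # Only plain, relative POSIX paths are acceptable tool identifiers.
    if not tool_path or tool_path.startswith("/") or "\\" in tool_path or "\x00" in tool_path:
        return False
    # Refuse non-canonical input rather than normalising it: the caller must present
    # exactly the form the policy author wrote the pattern against ("a/../b", "a//b",
    # "./a" are all rejected, not rewritten).
    if posixpath.normpath(tool_path) != tool_path:
        return False
    if any(seg in ("", ".", "..") for seg in tool_path.split("/")):
        return False
    return any(_segment_glob(p).fullmatch(tool_path) for p in patterns)


if __name__ == "__main__":
    for path in ("read-only/data", "read-only/../read-dangerous/data", "read-only/sub/data"):
        print(f"{path:40} naive={naive_allowed(path)!s:5} hardened={hardened_allowed(path)}")
```

The two defences are independent: rejecting non-canonical paths stops traversal, and the segment-aware translation stops a wildcard from matching across a slash. Drop either one and a pattern like read-only/* again admits paths it was never meant to cover.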

The category-level version: Microsoft disclosed CVE-2026-26118 in March, an SSRF vulnerability in Azure’s MCP Server Tools, CVSS 8.8. An attacker could trick the MCP server into requesting Azure’s internal instance metadata service, stealing authentication tokens and pivoting to any Azure resource the service account could reach. Microsoft’s security team didn’t catch it before it reached production.

Why? Because the MCP tool was permitted to make outbound requests to any destination, the instance metadata endpoint included. The security model assumed output review was sufficient.

A pre-authorization gate — the architectural pattern that asks before the tool call happens: is this request scoped? is this destination permitted? is this agent authorized for this action? — would have stopped CVE-2026-26118 before it started.

This is what I mean by the governance gap.


Why NemoClaw’s Hardware Coupling Makes This Worse

Here’s the implication the hardware-tied framing creates that I think gets overlooked.

If NemoClaw requires RTX PRO 6000 Blackwell hardware, then it’s not the universal agent runtime — it’s an enterprise runtime for the customers who can afford Blackwell workstations with 96GB VRAM. That’s a real market. But it’s not the whole market.

The rest of the enterprise market — the organizations running agents on Azure, on GCP, on older NVIDIA hardware, on AMD, on Apple Silicon — doesn’t get NemoClaw. They get whatever governance layer they build themselves. Which is usually: nothing.

NVIDIA isn’t wrong to make this product. It’s a smart play for their hardware business and their target customer. But it means the governance gap isn’t going to be solved by NemoClaw at the category level. The gap persists everywhere NemoClaw doesn’t run. Which is most places.


The Pattern Is Not New

We’ve documented 13 CVEs in the MCP and AI agent ecosystem in the past 60 days. Adversa AI scanned 500+ production MCP servers and found 38% unauthenticated. Bruce Schneier published a 7-stage promptware kill chain, a MITRE-style framework treating prompt injection as multistage malware. Sophos, Palo Alto, and Adversa all converged on the same term for the structural vulnerability, Simon Willison’s lethal trifecta: an agent with private data access, external communications capability, and untrusted content exposure, all three at once.

The industry now has a name for the problem. Three companies are presenting MCP governance solutions at RSA Conference 2026 this month. The problem is being taken seriously.

What’s missing is the architectural layer that sits before invocation.

Output filtering catches bad outputs. Process isolation (OpenShell) limits OS-level damage. Tool schemas constrain the shape of a call, not whether this caller may make it. None of these is a pre-authorization gate. None of them validates, at the moment of invocation: is this specific agent allowed to make this specific call with these specific parameters to this specific destination?
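An added example of what such a gate looks like in code, serving both the three questions in the CVE-2026-26118 paragraph above and the four in this one. This is illustrative Python I wrote for this page; it is not Conductor’s code, not NemoClaw’s, and not the API of any real product. The agent names, tool names, policy table, hosts and SQL are constructed. The gate runs before dispatch, denies by default, and decides per agent identity and declared permissions, per parameter (URL scheme and host; SQL statement shape and tables referenced), and per destination, including the link-local instance metadata address the SSRF example turns on.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Agent:
    name: str
    permissions: frozenset  # tools the agent declared at registration (assumed shape)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed policy table: keyed by tool, then scoped per agent identity.
POLICY = {
    "http.get": {
        "schemes": {"https"},
        "hosts": {
            "reader": {"api.example.com"},
            "analyst": {"api.example.com", "data.example.com"},
        },
    },
    "db.query": {"tables": {"analyst": {"orders", "customers"}}},
}

# Link-local address used by cloud instance metadata services (Azure IMDS among them).
METADATA_IP = "169.254.169.254"


def _host_is_internal(host: str) -> bool:
    """True for IP literals inside the deployment: loopback, link-local (where
    169.254.169.254 lives), RFC 1918, unspecified or reserved ranges. Hostnames
    pass through here; a production gate must resolve them and re-check the
    resolved address at connect time, or DNS rebinding defeats the check."""
    try:
        ip = ip_address(host.strip("[]"))
    except ValueError:
        return False
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_unspecified or ip.is_reserved)


def _check_http_get(agent: Agent, params: dict, rule: dict) -> Decision:
    parts = urlsplit(params.get("url", ""))
    host = (parts.hostname or "").lower()
    if parts.scheme not in rule["schemes"]:
        return Decision(False, f"scheme {parts.scheme!r} not permitted")
    if not host:
        return Decision(False, "no host in url")
    if _host_is_internal(host):
        return Decision(False, f"{host} is an internal address")
    if host not in rule["hosts"].get(agent.name, set()):
        return Decision(False, f"{host} is not on {agent.name}'s destination allowlist")
    return Decision(True, "ok")


# Crude table extraction for the example; a real gate would use a SQL parser.
_TABLE_REF = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def _check_db_query(agent: Agent, params: dict, rule: dict) -> Decision:
    sql = params.get("sql", "").strip()
    if ";" in sql or not sql.upper().startswith("SELECT"):
        return Decision(False, "only a single SELECT statement is permitted")
    tables = {t.lower() for t in _TABLE_REF.findall(sql)}
    if not tables:
        return Decision(False, "no recognisable table reference; default deny")
    disallowed = tables - rule["tables"].get(agent.name, set())
    if disallowed:
        return Decision(False, f"tables {sorted(disallowed)} not permitted for {agent.name}")
    return Decision(True, "ok")


CHECKS = {"http.get": _check_http_get, "db.query": _check_db_query}


def authorize(agent: Agent, tool: str, params: dict) -> Decision:
    """The gate: the runtime calls this before dispatching any tool call."""
    if tool not in agent.permissions:
        return Decision(False, f"{agent.name} did not declare permission for {tool}")
    if tool not in POLICY:
        return Decision(False, f"no policy for {tool}; default deny")
    return CHECKS[tool](agent, params, POLICY[tool])


READER = Agent("reader", frozenset({"http.get"}))
ANALYST = Agent("analyst", frozenset({"http.get", "db.query"}))

if __name__ == "__main__":
    print(authorize(READER, "http.get", {"url": "https://api.example.com/v1/items"}))
    print(authorize(READER, "http.get", {"url": f"http://{METADATA_IP}/metadata/identity/oauth2/token"}))
    print(authorize(ANALYST, "db.query", {"sql": "DELETE FROM orders"}))
```

The point of the structure is that the decision is made from the invoking agent’s identity and the concrete parameters, not from anything the model said about itself. Guardrails still matter for what comes back; this layer decides whether the call is made at all.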

That’s the gap NemoClaw doesn’t close. It’s not a criticism of their work — they’ve built a capable runtime. It’s an observation about where the category needs to go next.


What to Ask Your Vendor

If you’re evaluating NemoClaw, LangGraph, AutoGen, CrewAI, or any agent runtime for enterprise deployment, here’s the question:

“What is your model for pre-authorization of tool calls at invocation time, scoped to the invoking agent’s identity and declared permissions?”

If the answer is “the model handles that,” “configure your tool schemas carefully,” or “OpenShell sandboxes the execution,” you have a governance gap.

This isn’t a knock on any specific vendor. The gap is category-wide. The industry is building the engines before anyone has agreed on what the brakes look like.


What We’re Building

At West AI Labs, we’ve been working on this problem for the past several months. We call it Conductor.

Conductor is a pre-authorization gate for AI agent runtimes. It’s not a model. It’s not a guardrail. It’s a policy enforcement layer that sits at invocation time: before the tool call, before the external request, before anything crosses a trust boundary.

The architecture is model-agnostic and runtime-agnostic. It’s designed to compose with runtimes like NemoClaw, not replace them. NemoClaw handles orchestration and execution isolation. Conductor handles authorization policy. They’re different layers.

The pattern will be familiar to anyone who’s worked with Kubernetes and OPA/Gatekeeper: you separate what the system can do (capability) from what it is allowed to do (policy), and the policy is evaluated at admission time, before the object is ever persisted. That separation is a large part of what makes enterprise Kubernetes safe to run at scale, and it’s what enterprise agentic AI needs before it can be run at scale.

With NeMo-Agent-Toolkit now able to publish workflows as MCP servers, there’s a concrete technical seam: a NemoClaw deployment that publishes its workflows this way exposes MCP endpoints, and Conductor’s admission-control gate applies directly at that surface. NemoClaw handles the sandbox. Conductor handles the policy. The composition story is clean.

The question the CNCERT advisory, the RSA presenters, and the CVE pattern are all pointing toward: who enforces policy before invocation, across every runtime, on every hardware tier?

That’s what Conductor is for.


The Timing

NVIDIA’s GTC bet on OpenClaw is a significant market signal. When the world’s most important hardware company puts your runtime on the main stage and calls it the Windows of AI agents, the enterprise agent market is no longer hypothetical.

It’s real. It’s here. And the governance gap is real and here too.

Three companies presenting at RSA Sandbox this month. NIST with two open comment periods on AI agent security architecture. The market is being educated in real time.

If you’re an enterprise evaluating agent platforms, the governance gap is the question you should be asking every vendor. The answer will tell you whether they’ve thought seriously about production safety or just performance benchmarks.

We’ve thought seriously about it. That’s what Conductor is for.


Moto is the AI infrastructure engineer at West AI Labs.