
10 Things You Need to Know About OpenShell: Nvidia's Secure Runtime for Autonomous AI Agents

Published: 2026-05-13 02:04:30 | Category: Robotics & IoT

Enterprise software stacks were never designed for machines that act independently. They assume human-paced interactions, manual credential management, and constant oversight. But autonomous AI agents—programs that can run for hours, make decisions, and interact with multiple services—break every one of those assumptions. That’s why Nvidia, together with ServiceNow CEO Bill McDermott, is betting on OpenShell, an open-source secure runtime that rethinks the entire stack from the ground up. Here’s what you need to know about this groundbreaking project.

1. The Human-First Stack Problem

Traditional enterprise software is built around a human user as the trusted actor. The user controls the pace, monitors each action, and holds credentials. Autonomous agents operate differently—they’re faster, they can run indefinitely, and they don’t fit into identity models designed for people. Lifting a legacy stack and applying it to agents creates inefficiency and serious security gaps. OpenShell addresses this architectural mismatch by providing a dedicated environment where agents don’t interact directly with the host operating system, network, or infrastructure. This principle, explained by Nvidia senior director of AI software Ali Golshan, is the foundation of a true agent-native stack.

Image: 10 Things You Need to Know About OpenShell: Nvidia's Secure Runtime for Autonomous AI Agents (source: thenewstack.io)

2. A Sandbox-First Architecture

At the core of OpenShell is the sandbox approach. Every agent—including its harness and model—gets its own isolated sandbox. This sandbox acts as a secure container, preventing the agent from accessing the host system directly. If a prompt injection attack occurs or an agent tries to execute arbitrary commands, the damage is limited to that sandbox. The blast radius is contained. This isn’t a bolted-on security feature; it’s baked into the lowest level of the stack. Golshan emphasizes that giving agents more autonomy requires a sandbox as the default trust zone.

3. The Credential Gateway

Outside each sandbox sits a gateway that handles all credential management and session state. When an agent needs to call an external service (like ServiceNow, Salesforce, or Workday), the gateway authenticates and passes the session into the sandbox. The agent never holds keys or passwords directly. This design eliminates the risk of credential leakage. Even if an agent is compromised, the attacker cannot steal stored credentials because they are never in the agent’s memory. This is a critical shift from traditional models where each application manages its own secrets.

4. Policy Enforcement Below the Application Layer

OpenShell enforces security policies at the operating system level, not at the application layer. It leverages Linux kernel primitives like seccomp, eBPF, and Landlock: seccomp filters which system calls a process may make, eBPF provides programmable kernel-level monitoring, and Landlock restricts file-system access. By enforcing policies below the app, OpenShell avoids the complexity of every product having its own enforcement mechanism. This “baked-in” approach ensures consistent, tamper-proof security across all agents, regardless of the software stack they run on.

5. Blast Radius Containment

Because each agent is isolated in its own sandbox, any security incident is contained. If an agent is compromised—say through a malicious plugin or a prompt injection—the attacker gains control only within that sandbox. They cannot move laterally to other agents, access the host, or reach the network. The gateway prevents credential exposure, and the kernel policies restrict system calls and file access. This micro-segmentation is essential for enterprise environments where agents may interact with sensitive data. The blast radius is minimized, making incident response faster and less damaging.

6. Part of Nvidia’s Agent Toolkit

OpenShell isn’t a standalone product; it’s a key component of Nvidia’s broader Agent Toolkit. This toolkit provides everything developers need to build, deploy, and manage autonomous AI agents securely. By integrating OpenShell, Nvidia aims to create a consistent security baseline across all agent workflows. The toolkit also includes tools for observability, debugging, and policy management. This unified ecosystem reduces fragmentation and simplifies adoption for enterprises already using Nvidia hardware or software.


7. Agent-Native vs. Bolted-On Security

The distinction between “baked-in” and “bolted-on” security is central to OpenShell’s design. In a bolted-on model, every tool in the stack adds its own security layer, creating gaps and overlaps. Agents end up with inconsistent protections. OpenShell inverts this by defining a secure runtime at the infrastructure level. Policies are enforced uniformly, and agents don’t need to implement their own security. This agent-native architecture treats security as a foundational layer, not an afterthought. Golshan argues this is the only way to safely scale agent autonomy.

8. Open Source Under Apache 2.0

OpenShell is released under the Apache 2.0 license, making it fully open source. This allows enterprises to inspect the code, modify it, and contribute back without licensing concerns. Transparency is critical for security—users can verify that no backdoors exist and that the sandboxing mechanisms are robust. The open-source nature also encourages community-driven improvements and rapid innovation. Nvidia and its partners, including ServiceNow, are betting that an open runtime will become the industry standard for agent security.

9. The Nvidia and ServiceNow Bet

Both Nvidia CEO Jensen Huang and ServiceNow CEO Bill McDermott have publicly backed OpenShell. ServiceNow is integrating it into its AI agent platform to securely automate enterprise workflows. For McDermott, secure agent runtime is a prerequisite for customers to trust autonomous operations. For Huang, it’s about enabling the next wave of AI infrastructure. Their shared vision: autonomous agents that operate at machine speed without compromising security. This high-level endorsement signals that OpenShell is not just a research project but a strategic priority.

10. What’s Next for OpenShell

The team behind OpenShell, led by Ali Golshan, has been building it for six months. The project is still evolving, with plans to support more Linux kernel features, additional cloud platforms, and tighter integration with identity providers. As autonomous agents become more capable, the security requirements will only grow. OpenShell’s layered approach—sandbox, gateway, kernel-level policy—provides a scalable foundation. Enterprises exploring agent deployment should monitor OpenShell closely, as it may become the default secure runtime for the agent era.

Conclusion: The shift from human-operated software to autonomous AI agents is inevitable, but it demands a fundamentally new security architecture. OpenShell delivers that by sandboxing agents, managing credentials via a gateway, and enforcing policies at the kernel level. With backing from Nvidia and ServiceNow, and an open-source license, it has the potential to become the industry standard. For any enterprise building or deploying AI agents, understanding OpenShell isn’t optional—it’s essential. The future of enterprise security lies in stacks that are agent-native, and OpenShell is leading the way.