NemoClaw Architecture Deep Dive: OpenShell, Privacy Router, and the YAML Policy Engine

Gartner projects 40% of enterprise applications will include AI agents by end of 2026. NVIDIA shipped NemoClaw with 17 launch partners — Adobe, Salesforce, SAP, CrowdStrike, ServiceNow, Atlassian, Red Hat — to meet that demand with a security-first architecture. But “security-first” is a phrase that appears in every vendor’s slide deck. What does it mean at the implementation level? What are the actual Linux primitives enforcing isolation? How does the policy engine evaluate agent actions? Where does sensitive data route when a HIPAA-regulated agent needs to reason over protected health information?

This post is the technical deep dive. We are going to walk through the 3 core components of the NemoClaw security stack — OpenShell’s kernel-level sandbox, the YAML policy engine, and the privacy router — at the architecture level that enterprise architects and security engineers need for evaluation. Code examples included. No marketing abstractions.

Most AI agent sandboxing discussions start and end with Docker containers. Docker provides namespace isolation and cgroups for resource limits — useful for separating processes, but built for application packaging, not adversarial containment. A misconfigured docker.sock mount, a --privileged flag, or an unpatched kernel CVE can escalate a container compromise to full host access. OpenShell takes a different approach: it layers 4 distinct Linux security primitives to create defense-in-depth isolation purpose-built for autonomous agents.

The distinction matters. Docker isolation fails when the boundary is misconfigured. OpenShell isolation is deny-by-default across every primitive — misconfiguration means the agent can do less, not more.

Primitive 1: Landlock — Filesystem Access Control

Landlock is a Linux security module available since kernel 5.13 that enables unprivileged processes to restrict their own filesystem access. Unlike AppArmor or SELinux, Landlock does not require root privileges or policy compilation — it is applied programmatically by the process itself. OpenShell uses Landlock to enforce deny-by-default filesystem boundaries for every agent sandbox.

In practice, this means an agent process starts with zero filesystem access. The policy engine then whitelists specific paths: the agent’s working directory, its configuration files, and any explicitly approved data directories. Everything else — /etc/shadow, /root, /var/run/docker.sock, SSH keys, system binaries — is invisible to the agent. Not restricted. Invisible. The kernel will not resolve those paths for the sandboxed process.

Static vs. Dynamic Policies: Two Enforcement Models

OpenShell enforces two distinct categories of policy, each with different lifecycle characteristics:

Static policies are kernel-enforced and permanent for the sandbox session. Once Landlock filesystem restrictions and seccomp syscall filters are applied, they cannot be relaxed — even by the process that created them. This is a kernel-level guarantee, not an application-level promise. Dynamic network policies, by contrast, are evaluated by the HTTP CONNECT proxy and can be updated at runtime. This means security teams can tighten or adjust network access without destroying and recreating the sandbox — a critical operational capability for incident response scenarios where you need to revoke an agent’s API access immediately.

Primitive 2: seccomp — System Call Filtering

seccomp (secure computing mode) filters which system calls a process can make to the kernel. OpenShell applies a restrictive seccomp profile that blocks dangerous syscalls before the kernel processes them. The blocked list includes:

• mount / umount — prevents the agent from mounting filesystems or escaping chroot boundaries
• ptrace — prevents debugging or inspecting other processes (a common container escape vector)
• reboot / kexec_load — prevents system-level disruption
• unshare / setns — prevents the agent from creating new namespaces or joining existing ones (another escape vector)
• init_module / delete_module — prevents kernel module manipulation

Docker also supports seccomp profiles, but the default Docker seccomp profile allows 300+ syscalls. OpenShell’s profile is narrower — purpose-built for agent workloads where the process needs to read files, make network requests, and execute approved binaries, but nothing more. Every syscall outside the allowlist returns EPERM — the kernel denies the call before execution.

Primitive 3: Network Namespaces — Isolated Network Stack

Each agent sandbox runs in its own Linux network namespace. This is not just IP address isolation — it is a completely separate network stack. The agent has its own routing table, its own iptables rules, and its own DNS resolution. It cannot see the host’s network interfaces, other containers’ traffic, or any services bound to the host’s loopback address.

Outbound traffic from the agent’s namespace routes through the policy engine (covered in the next section), which evaluates every connection against the YAML policy before allowing or denying it. Inbound traffic is blocked by default. The agent cannot bind listening ports on the host. If an agent needs to expose an API or webhook endpoint, the policy engine must explicitly allow it — and the configuration specifies which ports, protocols, and source IP ranges are permitted.

Primitive 4: Process Isolation — Separate Process Space

The agent runs in its own PID namespace and process space. It cannot see or interact with processes outside its sandbox — including the policy engine process. This is the architectural decision that makes the entire stack credible: the component that enforces security policy is unreachable by the component it governs.

Compare this to application-layer guardrails. Claude Code, Cursor, and vanilla OpenClaw all enforce safety rules inside the agent process. A sufficiently sophisticated prompt injection or tool-use exploit could theoretically modify those rules. OpenShell’s policy engine runs in a separate process that the agent literally cannot address.

How the 4 Primitives Work Together

No single primitive provides complete isolation. The strength of OpenShell’s approach is the layering:

An agent that escapes Landlock restrictions (hypothetically) still cannot make dangerous syscalls (seccomp). An agent that finds a seccomp bypass still cannot reach the host network (namespace isolation). An agent that somehow tunnels network traffic still cannot see or kill the policy engine (PID isolation). Each layer covers the failure modes of the others.

The policy engine is the decision layer of the NemoClaw stack. Every action the agent attempts — every file read, every network request, every binary execution — passes through the policy engine before the operating system permits it. The engine runs as a separate process that the sandboxed agent cannot access, modify, or terminate. Policies are defined in YAML configuration files at policies/openclaw-sandbox.yaml.

The 4-Level Evaluation Model

The policy engine evaluates every agent action against 4 hierarchical levels. Each level narrows the scope of what is permitted:

1. Binary — What program is being executed? Only approved binaries can run. If the agent attempts to execute a binary not in the allowlist, the request is denied before any further evaluation.
2. Destination — What host is being contacted? Outbound connections are evaluated against a domain allowlist. The agent can reach api.slack.com but not attacker-c2.example.com.
3. Method — What HTTP method is being used? An agent may be allowed to GET from the Jira API but not DELETE. Read access does not imply write access.
4. Path — What URL path is being accessed? An agent can read /api/v2/issues but not /api/v2/admin/users. Path-level granularity prevents privilege escalation through API exploration.

This 4-level hierarchy means a single policy can express: “The agent may execute curl to api.slack.com using POST on /api/chat.postMessage — and nothing else.” That is granularity that Docker capabilities, AppArmor profiles, and AGENTS.md allowlists cannot express in a single rule.

Under the Hood: OPA, Rego, and TLS Termination

The network policy engine is not a simple allowlist parser. Under the hood, OpenShell’s HTTP CONNECT proxy uses Open Policy Agent (OPA) with policies written in Rego, a purpose-built policy language for cloud-native authorization. This is the same policy framework used by Kubernetes admission controllers, Envoy proxies, and Terraform Cloud — battle-tested at scale across the cloud-native ecosystem.

The proxy terminates TLS on every outbound connection to inspect each HTTP request at the method level. This is how L7 enforcement works: the proxy sees the full HTTP request (method, host, path, headers) before forwarding it to the destination. Without TLS termination, the proxy would only see encrypted traffic and could enforce at the IP/port level but not at the method or path level. This is the architectural tradeoff that enables the 4-level evaluation model — and it is worth understanding because it means the proxy holds the TLS certificates for outbound connections.

# Allow git to clone from GitHub only
allow {
  input.binary == "git"
  input.host == "github.com"
  input.port == 443
}

# Allow curl to POST to Slack API, deny everything else
allow {
  input.binary == "curl"
  input.host == "api.slack.com"
  input.method == "POST"
  startswith(input.path, "/api/chat.")
}

# Default deny — strict-by-default
default allow = false

The Rego rules above demonstrate per-binary, per-endpoint, per-method control. The git binary can reach GitHub on port 443. The curl binary can POST to Slack’s chat APIs. Everything else — every binary, every host, every method not explicitly authorized — is denied. The sandbox can only reach endpoints that are explicitly allowed. Full network policy reference: docs.nvidia.com/nemoclaw/latest/reference/network-policies.html. For a walkthrough of writing your first policy: OpenShell first network policy tutorial.

Example: Slack Integration Policy

Here is what an enterprise Slack policy looks like in the YAML policy engine. This configuration allows the agent to post messages and read channel history, but blocks file uploads, user management, and admin APIs:

# Slack integration — read channels, post messages only
- name: slack-agent-policy
  binary:
    allow:
      - curl
      - node
  destination:
    allow:
      - api.slack.com
      - files.slack.com
  method:
    allow:
      - GET
      - POST
  path:
    allow:
      - /api/chat.postMessage
      - /api/conversations.history
      - /api/conversations.list
    deny:
      - /api/admin.*
      - /api/files.upload
      - /api/users.admin.*

Every field is explicit. There is no implicit inheritance, no “allow all unless denied.” If a binary, destination, method, or path is not in the allow list, the request is blocked and logged. This is deny-by-default at every evaluation level.

Example: Healthcare HIPAA-Compliant Policy

For regulated industries, the policy engine enforces data handling requirements at the infrastructure layer — not the application layer. This example restricts a healthcare agent to only access an internal EHR API and route all inference through the privacy router (covered in the next section):

# Healthcare agent — PHI restricted to local inference
- name: hipaa-clinical-notes
  binary:
    allow:
      - node
      - python3
  destination:
    allow:
      - ehr.internal.hospital.org
      - localhost   # Local Nemotron inference only
    deny:
      - api.openai.com
      - api.anthropic.com
      - "*.amazonaws.com"
  method:
    allow:
      - GET
      - POST
    deny:
      - DELETE
      - PUT
  path:
    allow:
      - /api/v1/patients/*/notes
      - /api/v1/patients/*/vitals
    deny:
      - /api/v1/admin/*
      - /api/v1/patients/*/billing

Notice the explicit denial of cloud LLM endpoints. This agent can reason over clinical notes using local Nemotron models (localhost), but the network policy physically prevents PHI from reaching OpenAI, Anthropic, or AWS endpoints. This is not a prompt-level instruction that the agent could theoretically ignore. It is a kernel-enforced network rule. The connection will not be established.

Policy Presets: Production-Ready Defaults

Writing YAML policies from scratch for every integration is exactly the kind of work that slows enterprise adoption. NemoClaw ships with a policies/presets/ directory containing pre-built, audited policies for common enterprise integrations:

Each preset defines all 4 levels (binary, destination, method, path) and follows the OWASP Principle of Least Agency — the agent gets the minimum access required for its integration and nothing more. Enterprise teams can compose presets for multi-integration agents, override specific rules, and version-control the resulting policy alongside their infrastructure-as-code.

Audit Trail: Every Decision Logged

Every policy evaluation produces an audit log entry: timestamp, agent identity, requested action, policy match, and decision (allow/deny). For SOC2 evidence collection, HIPAA audit requirements, and EU AI Act transparency obligations, this is not optional — it is the evidentiary foundation. The audit trail answers the question every compliance officer asks: “Can you prove what this AI agent did and didn’t do on Tuesday at 3:14 PM?”

Because the policy engine runs out-of-process, the audit trail is tamper-resistant. The agent cannot access, modify, or delete its own logs. If the agent is compromised, the audit trail of its actions remains intact for forensic analysis.

The privacy router solves a fundamental tension in enterprise AI agent deployment: organizations need the reasoning capability of frontier cloud models (Claude, GPT-5), but they cannot send protected health information, personally identifiable information, financial records, or trade secrets to third-party APIs. The privacy router intercepts every inference call and makes a routing decision based on the sensitivity of the data involved.

Routing Architecture

The privacy router sits between the agent and all LLM endpoints. It intercepts every inference request and evaluates it through 3 stages:

• 1
  Classification — The router analyzes the content of the inference request for sensitive data categories: PHI, PII, financial data, credentials, intellectual property. Classification uses pattern matching, named entity recognition, and configurable rules.
• 2
  Redaction / Routing Decision — Based on the classification, the router either (a) strips sensitive content and routes to a cloud model with redacted context, (b) routes entirely to a local Nemotron model running on-premises, or (c) passes through to the cloud model if no sensitive data is detected.
• 3
  Audit Logging — Every routing decision is logged: what data was classified as sensitive, which model received the request, what was redacted, and what was routed locally. This log integrates with the policy engine’s audit trail for a unified compliance record.

This is the architectural innovation that makes NemoClaw viable for regulated industries. A healthcare system can use Claude for general administrative reasoning while keeping patient data on local Nemotron models — with a provable audit trail showing that PHI never left the premises.

Healthcare Example: HIPAA-Compliant Agent Workflow

Consider a clinical notes summarization agent deployed at a hospital. The workflow processes patient records and produces summaries for physician review. Here is how the privacy router handles a single inference cycle:

The result: clinical reasoning happens on local hardware with full PHI access. General-purpose reasoning (formatting, structure, language quality) leverages frontier cloud models without exposing protected data. The audit log records every routing decision, providing HIPAA audit evidence that PHI never traversed a cloud API.

Nemotron 3 Super 120B: The Local Inference Engine

The privacy router’s local routing capability depends on having a model that can handle complex enterprise reasoning tasks without cloud API calls. NVIDIA’s answer is Nemotron 3 Super 120B — a model architecturally optimized for the latency and throughput demands of local agent inference.

Nemotron 3 Super uses a LatentMoE architecture that interleaves three distinct layer types — Mamba-2 (state-space), Mixture-of-Experts (MoE), and traditional Attention layers. The 120B total parameters with only 12B active per inference call directly addresses the “thinking tax” that makes large models impractical for local deployment. The MoE routing means you get 120B-class reasoning quality at 12B-class compute cost.

Key architectural features for enterprise agent workloads:

• Native 1M-token context window — SSMs (Mamba-2 layers) provide linear-time complexity for long-context processing, enabling agents to reason over entire codebases, legal documents, or clinical records without chunking
• Multi-Token Prediction (MTP) layers — predicts multiple tokens per forward pass, improving both generation speed and output quality for agent tool-use sequences
• NVFP4 quantization on Blackwell — trained on 25 trillion tokens using NVIDIA’s FP4 format, optimized for Blackwell GPU architecture
• 2.2x throughput vs GPT-OSS-120B and 7.5x vs Qwen3.5-122B on 8k/16k context settings — verified benchmarks from NVIDIA’s technical blog

Nemotron 3 Super is available through multiple channels: Ollama for local development, HuggingFace for custom fine-tuning, and NVIDIA NIM for production deployment. For NemoClaw deployments, the Ollama integration is the most straightforward path to local inference — though it comes with some known routing limitations we address in the current issues section below.

Financial Services: Data Residency Compliance

For financial institutions subject to data residency requirements (GDPR Article 44, various national banking regulations), the privacy router provides a provable mechanism for keeping regulated data within jurisdictional boundaries. An agent processing EU customer transaction data routes all PII and financial records to local models within the organization’s EU data center. General reasoning tasks — formatting, calculations, template generation — route to cloud models. The audit trail proves, per-request, where each piece of data was processed.

This is not theoretical. EU AI Act full enforcement begins August 2026. Every AI agent deployment touching EU personal data will need a documented data processing architecture that proves compliance. The privacy router’s audit trail is purpose-built for that evidentiary requirement.

NemoClaw installs with a single command:

curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash

The installer launches a guided onboard wizard that walks through 3 configuration steps:

1. Sandbox creation — configures the OpenShell sandbox with Landlock, seccomp, network namespaces, and process isolation for your agent
2. Inference configuration — sets up the privacy router, configures local Nemotron models if GPU hardware is available, and establishes cloud model routing rules
3. Security policy application — applies baseline YAML policies from presets and prompts for custom rules based on your agent’s integrations

The installation is straightforward. The production hardening is not. The wizard produces a baseline configuration that is functional but not enterprise-ready. Customizing YAML policies for your organization’s specific integration landscape, configuring the privacy router’s classification rules for your data types, integrating audit logs with your existing SIEM, and setting up CrowdStrike Falcon AIDR integration — that is where the 2-6 week implementation timeline comes from.

NemoClaw does not exist in isolation. NVIDIA launched with 17 enterprise partners, and 2 integrations are particularly relevant for security architects evaluating the stack.

CrowdStrike Falcon AIDR

CrowdStrike’s Secure-by-Design Blueprint for NemoClaw extends Falcon’s AI Detection and Response (AIDR) to cover every prompt, response, and agent action. This means the same SOC team that monitors your endpoint fleet can monitor your AI agents through the same Falcon console they already use. No separate tool, no separate alert pipeline, no separate incident response workflow.

The integration secures 3 surfaces: the agent’s input (prompts and instructions), the agent’s output (responses and actions), and the agent’s behavior (tool calls, network requests, file operations). CrowdStrike’s 2026 Global Threat Report documented an 89% year-over-year increase in AI-enabled attacks. Falcon AIDR applies CrowdStrike’s threat intelligence to the agent’s activity stream in real time.

JetPatch Enterprise Control Plane

JetPatch provides the operational governance layer for NemoClaw deployments at scale. Where the YAML policy engine governs individual agent behavior, JetPatch governs the fleet: deployment orchestration, patch management, compliance reporting, and operational visibility across all NemoClaw instances in an organization. For enterprises running 10, 50, or 100+ agents across departments, the control plane is what keeps the governance model manageable.

Enterprise architects evaluating NemoClaw need to understand how it compares to existing deployment approaches at the architecture level — not the marketing level. Here is a layer-by-layer comparison:

The column that matters most for security evaluation is the enforcement boundary. Vanilla OpenClaw’s safety controls are agent-internal — a compromised agent can potentially override them. Docker’s controls are container-level — stronger than in-process, but still sharing the host kernel with known escape vectors. NemoClaw’s controls are kernel-enforced and out-of-process — the agent cannot reach the component that governs it.

For a deeper comparison of sandboxing approaches including MicroVMs and gVisor, see our AI Agent Sandboxing in 2026 analysis.

NemoClaw’s architecture is sound. Its current maturity level is not production-grade for every use case. An honest evaluation requires acknowledging both.

Known Issues: What the GitHub Tracker Reveals

Alpha software means open issues. Enterprise teams evaluating NemoClaw should review the GitHub issue tracker for current pain points. As of March 2026, these are the issues most likely to affect deployment:

Additionally, the HTTP CONNECT proxy has been reported to return 403 errors on valid tunnels in certain configurations — a symptom of TLS termination edge cases where the proxy’s certificate chain does not match the destination’s expected handshake. These are integration-layer issues, not architectural flaws, but they directly affect deployment timelines.

That said, the core security primitives — Landlock, seccomp, network namespaces — are battle-tested Linux kernel features with years of production history in non-agent contexts. OpenShell is applying proven isolation technology to a new category of workload. The risk is in the integration layer and tooling maturity, not in the underlying security model.

Organizations that build governance around these primitives now will be production-ready when NemoClaw reaches GA. Organizations that wait will be 6-12 months behind on policy development, compliance documentation, and team training.

Enterprise security teams evaluating NemoClaw need to map its capabilities against the OWASP Top 10 for Agentic Applications. Here is how the 3 security layers address each risk category:

No single product covers every OWASP risk category completely. NemoClaw provides the infrastructure-level controls. Application-level controls (input validation, output filtering, human-in-the-loop workflows) remain the responsibility of the deployment team. The architecture gives you the enforcement boundaries. The governance program gives you the operational discipline to maintain them.

Vendor documentation is necessary but not sufficient for enterprise evaluation. Independent security analyses provide the adversarial perspective that vendor docs typically omit. Three third-party assessments are worth reviewing alongside this deep dive:

We recommend enterprise security teams review at least two independent assessments before committing to any AI agent sandboxing architecture. Vendor documentation describes the intended behavior. Independent analysis describes the observed behavior, the edge cases, and the failure modes.

Enterprise FAQ

NemoClaw’s architecture represents a genuine step forward for enterprise AI agent security. The kernel-level primitives are proven. The policy engine’s 4-level evaluation model is more granular than anything available in container-native tooling. The privacy router solves a real compliance gap for regulated industries. The question for most organizations is not whether the architecture is sound — it is whether the implementation and governance around it are configured correctly for their specific deployment.

ManageMyClaw provides NemoClaw implementation, security hardening, and ongoing managed care for enterprise deployments. Our assessment tier delivers architecture review, security gap analysis against OWASP ASI01-ASI10, and a written remediation plan — before any commitment to implementation.