Zero Trust for AI Agents: Comparing Anthropic and Nvidia Security Architectures - News Directory 3


News Directory 3, 12d ago


The rapid enterprise adoption of AI agents has created a critical security gap that industry leaders are now labeling a governance emergency. While 79% of organizations are utilizing AI agents according to PwC's 2025 AI Agent Survey, only 14.4% of those organizations reported full security approval for their agent fleets in the Gravitee State of AI Agent Security 2026 report.

At the RSA Conference (RSAC) 2026, executives from Microsoft, Cisco, CrowdStrike, and Splunk converged on the conclusion that traditional perimeter security is insufficient for agentic AI. The primary concern is the monolithic agent pattern, where a single container handles reasoning, tool calling, code execution, and credential storage. In this architecture, API keys and OAuth tokens reside in the same environment as untrusted, AI-generated code, meaning a single prompt injection can expose an entire suite of corporate credentials.

The risk is evidenced by the ClawHavoc supply chain campaign targeting the OpenClaw agentic framework. According to the CrowdStrike 2026 Global Threat Report and Antiy CERT, the campaign involved 1,184 malicious skills tied to 12 publisher accounts. Snyk's ToxicSkills research found that 13.4% of scanned ClawHub skills were rated as critical, with some breakout times occurring in as little as 27 seconds.

Launched in public beta on April 8, 2026, Anthropic's Managed Agents architecture addresses the monolithic problem by splitting the agent into three mutually untrusted components: a brain (Claude and its routing harness), hands (disposable Linux containers for code execution), and a session (an external append-only event log).

This design structurally removes credentials from the execution sandbox. OAuth tokens are stored in an external vault; when an agent needs a Model Context Protocol (MCP) tool, the sandbox presents a session-bound token to a proxy, and the proxy fetches the real credential and makes the call on the agent's behalf. Code running in the sandbox never handles the real token, so a compromised sandbox yields no reusable credential: the session-bound token only works through the proxy, and only for the session it was issued to.

This decoupling also improved performance, reducing the median time to first token by approximately 60% because inference can begin before the container boots. Because the session log persists outside the brain and hands, agents can resume tasks after a harness crash without losing state.

Released in early preview on March 16, 2026, Nvidia's NemoClaw takes a different approach by wrapping the agent and its execution environment in five stacked security layers. At the kernel level it sandboxes execution with Landlock (restricting which filesystem paths a process may access), seccomp (restricting which system calls it may make), and network namespace isolation (giving the sandbox its own network stack, separate from the host's).

NemoClaw employs a default-deny outbound networking policy, requiring explicit operator approval via YAML-based policies for external connections. It also features a privacy router that directs sensitive queries to local Nemotron models to prevent data leakage. A central component is the OpenShell policy engine, which intercepts every agent action for intent verification before it reaches the host.

While providing high observability through a real-time Terminal User Interface (TUI) that logs every single action and blocked connection, this model increases operator load. Unlike Anthropic's model, agent state persists as files inside the sandbox, meaning a sandbox failure results in total state loss.
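The default-deny policy in the preceding paragraphs, and the per-action log that surfaces every blocked connection, can be modelled in a few dozen lines. The following is an added example, not NemoClaw or OpenShell code: NemoClaw expresses operator approvals as YAML and enforces them in the kernel, whereas this model keeps the policy as a plain Python dict (so it runs without PyYAML) and enforces in user space. The action shapes, field names, policy entries and the sample action sequence are all constructed for illustration.

```python
"""Default-deny action policy with a decision log (added example, constructed policy)."""
import fnmatch
import ipaddress
import posixpath

# Constructed policy. Nothing is allowed unless listed here (default deny).
POLICY = {
    "network": [                      # explicit operator approvals: host glob + ports
        {"host": "api.github.com", "ports": [443]},
        {"host": "*.pypi.org", "ports": [443]},
    ],
    "fs_read": ["/workspace", "/usr/lib/python3"],   # Landlock-style path roots
    "fs_write": ["/workspace"],
    "exec": ["python3", "pip", "git"],               # permitted program names
}


def _under(path, roots):
    """True if the normalised path lies inside one of the allowed roots."""
    norm = posixpath.normpath(path)   # collapses ../ so /workspace/../etc -> /etc
    return any(norm == r or norm.startswith(r.rstrip("/") + "/") for r in roots)


def _net_allowed(host, port, rules):
    host = host.lower()
    try:
        ipaddress.ip_address(host)    # raw IP literals never match a hostname rule
        return False
    except ValueError:
        pass
    return any(fnmatch.fnmatch(host, r["host"]) and port in r["ports"] for r in rules)


def evaluate(action, policy=POLICY):
    """Decide one agent action. Returns ("allow"|"deny", reason); unknown types are denied."""
    kind = action.get("type")
    if kind == "net_connect":
        if _net_allowed(action["host"], action["port"], policy["network"]):
            return "allow", "approved destination"
        return "deny", f"no approval for {action['host']}:{action['port']}"
    if kind in ("fs_read", "fs_write"):
        if _under(action["path"], policy[kind]):
            return "allow", "path inside sandbox roots"
        return "deny", f"{kind} outside allowed roots: {posixpath.normpath(action['path'])}"
    if kind == "exec":
        prog = posixpath.basename(action["argv"][0])
        if prog in policy["exec"]:
            return "allow", f"program {prog} permitted"
        return "deny", f"program {prog} not permitted"
    return "deny", f"unknown action type {kind!r}"


class ActionMonitor:
    """Intercepts every action, records the decision, and exposes the blocked ones."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.log = []

    def intercept(self, action):
        decision, reason = evaluate(action, self.policy)
        self.log.append((decision, action.get("type"), reason))
        return decision == "allow"

    def blocked(self):
        return [entry for entry in self.log if entry[0] == "deny"]


# Constructed sequence of actions an agent might attempt during one task.
SAMPLE_ACTIONS = [
    {"type": "net_connect", "host": "files.pypi.org", "port": 443},
    {"type": "exec", "argv": ["/usr/bin/python3", "build.py"]},
    {"type": "fs_write", "path": "/workspace/out/report.md"},
    {"type": "fs_read", "path": "/etc/shadow"},
    {"type": "fs_write", "path": "/workspace/../etc/cron.d/task"},
    {"type": "net_connect", "host": "203.0.113.9", "port": 443},
    {"type": "net_connect", "host": "api.github.com", "port": 22},
    {"type": "exec", "argv": ["curl", "http://203.0.113.9/"]},
]


def run_sample(actions=SAMPLE_ACTIONS):
    """Run the sample through the monitor; returns (allowed_count, blocked_entries)."""
    mon = ActionMonitor()
    allowed = sum(1 for a in actions if mon.intercept(a))
    return allowed, mon.blocked()


if __name__ == "__main__":
    allowed, blocked = run_sample()
    print(f"{allowed} allowed, {len(blocked)} blocked")
    for decision, kind, reason in blocked:
        print(f"  BLOCKED {kind}: {reason}")
```

Two details matter for a default-deny engine of this kind: paths are normalised before matching, so a `..` traversal out of the workspace is denied rather than slipping past a prefix check, and an IP literal never satisfies a hostname approval, so an agent cannot sidestep the allowlist by connecting to an address directly. The log records allowed actions as well as denied ones; that is what gives the operator the observability the article describes, and also what creates the operator load it warns about.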

The fundamental difference between the two architectures is how close credentials sit to the execution environment. Anthropic removes them from the blast radius entirely: an attacker who compromises the sandbox obtains only a session-bound token and must also subvert the proxy, a second hop, to turn it into a usable credential. NemoClaw gates credential use through policy but keeps some credentials, such as messaging integration tokens for Slack or Discord, as runtime environment variables inside the shared sandbox.

This distinction is critical for indirect prompt injection, where an adversary embeds instructions in a web page or API response that the agent queries. In the NemoClaw architecture, the injected context sits alongside both reasoning and execution in the shared sandbox, in the same environment as those tokens. In the Anthropic architecture, an injection can still steer the agent's reasoning, but it cannot read a credential that is never present in the sandbox.
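The session-bound token exchange described for Managed Agents above, and the blast-radius contrast drawn in the two preceding paragraphs, can be shown side by side in code. The following is an added example and is not Anthropic's or Nvidia's code: the vault, proxy, tool name, the two sandbox environment shapes and the stub upstream service are all constructed for illustration, and the sample credential is a made-up string.

```python
"""Session-bound tool tokens versus a credential in the sandbox environment (added example)."""
import hashlib
import hmac
import secrets
import time

# Constructed vault contents: the real integration token, held outside the sandbox.
VAULT = {"github": "gho_constructed_example_credential_not_real"}
PROXY_KEY = secrets.token_bytes(32)   # HMAC key known only to the proxy
TOKEN_TTL = 300                       # seconds a session-bound token stays valid


def mint_session_token(session_id, tool, now=None, ttl=TOKEN_TTL):
    """Proxy issues a token bound to one session and one tool. It carries no credential,
    only a signed (session, tool, expiry) tuple the proxy can verify later."""
    now = int(time.time() if now is None else now)
    payload = f"{session_id}|{tool}|{now + ttl}"
    sig = hmac.new(PROXY_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def upstream_service(credential):
    """Stub for the third-party API behind the tool: accepts only a real vault credential."""
    return credential in VAULT.values()


def proxy_call(token, session_id, tool, now=None):
    """The proxy hop: verify the session-bound token, fetch the real credential from the
    vault, make the upstream call, and return only the result. Returns (ok, detail).
    session_id is the session the proxy has authenticated as the caller (assumed here)."""
    now = int(time.time() if now is None else now)
    parts = token.split("|")
    if len(parts) != 4:
        return False, "malformed token"
    tok_session, tok_tool, exp, sig = parts
    expected = hmac.new(PROXY_KEY, f"{tok_session}|{tok_tool}|{exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if tok_session != session_id:
        return False, "token bound to a different session"
    if tok_tool != tool:
        return False, "token not scoped to this tool"
    if int(exp) < now:
        return False, "token expired"
    credential = VAULT[tool]          # the real token exists only on this side of the proxy
    if not upstream_service(credential):
        return False, "upstream rejected credential"
    return True, f"{tool} call completed"


def sandbox_env_vault_model(session_id):
    """Managed-Agents style: the container's environment holds only the session-bound token."""
    return {"TOOL_TOKEN": mint_session_token(session_id, "github")}


def sandbox_env_shared_model():
    """NemoClaw style as the article describes it: the integration token is an env var."""
    return {"TOOL_TOKEN": VAULT["github"]}


def replay_after_leak(leaked, attacker_session="attacker-session", now=None):
    """Model what someone who exfiltrated TOOL_TOKEN from the sandbox can do with it from
    outside: present it to the upstream service directly, or to the proxy under their own
    session. Returns True if either route yields a working call."""
    direct = upstream_service(leaked)
    via_proxy, _ = proxy_call(leaked, attacker_session, "github", now=now)
    return direct or via_proxy


if __name__ == "__main__":
    env = sandbox_env_vault_model("session-42")
    print("vault model, in-session call:", proxy_call(env["TOOL_TOKEN"], "session-42", "github"))
    print("vault model, leaked token reusable:", replay_after_leak(env["TOOL_TOKEN"]))
    shared = sandbox_env_shared_model()
    print("shared model, leaked token reusable:", replay_after_leak(shared["TOOL_TOKEN"]))
```

The property worth checking is the last two lines of output: the same exfiltration that hands an attacker a working credential in the shared model hands them nothing usable in the vault model, because the token is only honoured by the proxy and only for the session that minted it. One assumption to keep in mind: the example passes `session_id` to `proxy_call` as a trusted parameter, so the session binding is only as strong as however the real proxy authenticates which session is calling it (for instance, a per-session authenticated channel from the harness). If the proxy accepted a caller-supplied session identifier, the second hop would collapse into the first.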

For security teams auditing their AI agent deployments, five key priorities have emerged:

Originally published by News Directory 3
