What Is NemoClaw and Why Should You Care?
NVIDIA released NemoClaw, an open-source security stack that wraps OpenClaw AI agents in kernel-level sandboxing, local inference, and PII stripping. Here is what it actually does.

On March 16, 2026, NVIDIA open-sourced NemoClaw, a security stack for running OpenClaw AI agents without giving them the keys to your entire system. It is currently alpha software. I want to be upfront about that because some of the enterprise marketing around it makes it sound more finished than it is.
What NemoClaw actually is
NemoClaw bundles three components together:
OpenShell is a kernel-level sandbox runtime. Think of it like a container, but specifically designed for AI agent workloads. It gives you filesystem sandboxing (the agent can only see directories you explicitly allow), network policy with default-deny outbound connections, and operator approval workflows for sensitive actions. If an agent tries to curl something unexpected, it gets blocked unless you've whitelisted it.
Nemotron refers to NVIDIA's local AI models. The idea is that sensitive queries never leave your machine. Instead of sending everything to Claude or GPT-4o, NemoClaw can route certain requests to a Nemotron model running locally.
Privacy Router is the glue that makes the local/cloud routing decision. It classifies each outbound query by sensitivity. Sensitive stuff goes to the local Nemotron model. If a query does need to go to a cloud LLM, the Privacy Router strips PII first using differential privacy techniques that came out of NVIDIA's Gretel acquisition.
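To make the routing decision concrete, here is a small sketch added for illustration; it is not NemoClaw code and does not use its API. The names `route_query`, `Route` and `max_pii` are hypothetical, and plain regex redaction stands in for the differential privacy techniques mentioned above.

```python
import re
from dataclasses import dataclass, field

# Constructed detectors. Regex matching stands in for the real sensitivity
# classifier and PII-stripping step, which the article does not detail.
PII_PATTERNS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[ .-]\d{3}[ .-]\d{4}\b"),
}
# Hypothetical markers for content that must never leave the machine.
SECRET_PATTERNS = [
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"\b(?:password|api[_-]?key|secret)\s*[:=]", re.I),
]

@dataclass
class Route:
    target: str                      # "local" or "cloud"
    payload: str                     # text actually sent to that target
    redactions: dict = field(default_factory=dict)

def route_query(query: str, max_pii: int = 2) -> Route:
    """Decide where a query goes and what text is allowed to leave."""
    # 1. Secrets are never redacted-and-sent; they stay local untouched.
    if any(p.search(query) for p in SECRET_PATTERNS):
        return Route("local", query)
    # 2. Replace each PII match with a typed placeholder and count them.
    redacted, counts = query, {}
    for label, pattern in PII_PATTERNS.items():
        redacted, n = pattern.subn(f"[{label}]", redacted)
        if n:
            counts[label] = n
    # 3. PII-dense queries lose too much meaning when stripped: keep local.
    if sum(counts.values()) > max_pii:
        return Route("local", query, counts)
    # 4. Everything else goes to the cloud, but only in redacted form.
    return Route("cloud", redacted, counts)

if __name__ == "__main__":
    for q in [  # constructed sample queries
        "Summarize the release notes for version 2",
        "Draft a reply to alice@example.com about the invoice",
        "Rotate this: api_key = abc123",
    ]:
        r = route_query(q)
        print(f"{r.target:5} {r.redactions} {r.payload}")
```

The property worth checking in any router of this shape is that the cloud path only ever receives the redacted string, and that the fallback when in doubt is local.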
System requirements
Linux only. No macOS, no Windows. You need 20 GB of disk and at least 8 GB of RAM. If you're running Nemotron locally for inference, you'll want significantly more.
Who is backing this
The enterprise partner list is long: Salesforce, Adobe, SAP, ServiceNow, CrowdStrike, Atlassian, Palantir, and IBM Red Hat. That's a lot of weight behind a project that just hit alpha. My read on this is that these companies all have AI agent deployments in various stages and they all ran into the same problem: agents with unrestricted system access are a liability.
The honest take
NemoClaw addresses a real gap. OpenClaw agents by default can read your files, run shell commands, and hit whatever network endpoints they want. That's fine for a hobby project. It's terrifying for a company with customer data.
But this is alpha software. The docs have gaps, APIs will change between releases, and you should expect breaking changes. Don't put this in production yet. Treat it as something to evaluate and experiment with so you're ready when it stabilizes.
I think the architecture is sound. The split between local inference for sensitive data and PII-stripped cloud calls for everything else is a practical compromise. Pure local inference isn't good enough for most tasks yet, and pure cloud inference leaks too much. The middle ground makes sense.

