By admin 
The cybersecurity landscape at RSAC 2026 echoed with a singular, urgent message: the pervasive adoption of AI agents has outpaced our ability to secure them, creating a critical vulnerability. Four prominent keynote speakers, from industry titans Microsoft, Cisco, CrowdStrike, and Splunk, converged on this alarming conclusion independently, highlighting a fundamental challenge in the burgeoning era of artificial intelligence. Microsoft’s Vasu Jakkal underscored the necessity of extending the zero-trust model to encompass AI systems, while Cisco’s Jeetu Patel advocated for a paradigm shift from mere access control to granular action control. In an exclusive interview with VentureBeat, Patel vividly described AI agents as "teenagers, supremely intelligent, but with no fear of consequence." This sentiment was echoed by George Kurtz of CrowdStrike, who identified AI governance as the most significant chasm in enterprise technology, and John Morgan of Splunk, who called for a robust agentic trust and governance framework. Four distinct voices, four separate stages, yet a unified diagnosis of a singular, pressing problem.
Matt Caulfield, VP of Product for Identity and Duo at Cisco, articulated this concern with stark clarity in a VentureBeat interview at RSAC. "While the concept of zero trust is good, we need to take it a step further," Caulfield stated. "It’s not just about authenticating once and then letting the agent run wild. It’s about continuously verifying and scrutinizing every single action the agent’s trying to take, because at any moment, that agent can go rogue." This sentiment reflects a growing unease within the security community, as organizations rush to integrate AI agents without fully grasping the inherent risks.
The statistics paint a sobering picture. According to PwC’s 2025 AI Agent Survey, a staggering 79% of organizations are already utilizing AI agents. However, the Gravitee State of AI Agent Security 2026 report, based on a survey of 919 organizations in February 2026, revealed that a mere 14.4% have achieved full security approval for their entire fleet of agents. Compounding this issue, a Cloud Security Alliance (CSA) survey presented at RSAC found that only 26% of organizations have established AI governance policies. The CSA’s Agentic Trust Framework further amplifies this concern, labeling the widening gap between the rapid deployment of AI agents and their security readiness as a "governance emergency." This alarming disconnect underscores a fundamental imbalance, where innovation is outpacing the diligent establishment of robust security protocols.
The consensus among cybersecurity leaders and industry executives at RSAC was unequivocal regarding the existence of this problem. However, the path forward diverged, with two companies introducing architectural designs that offer contrasting solutions. The fundamental differences in their approaches expose the core of the prevailing risk.
The Monolithic Agent Problem: A Legacy of Insecure Design
The prevalent design pattern for enterprise AI agents is the monolithic container. In this model, a single process is responsible for reasoning, invoking tools, executing generated code, and crucially, storing credentials. This tightly coupled architecture fosters an environment where every component implicitly trusts every other component. Consequently, sensitive assets like OAuth tokens, API keys, and Git credentials reside within the same operational environment where the agent is actively generating and executing code, often seconds after its own creation.
This inherent lack of segmentation creates a critical vulnerability. A successful prompt injection attack, a relatively common exploitation vector, effectively grants an attacker unfettered access to all these embedded credentials. The implications are dire: tokens can be exfiltrated, new malicious sessions can be spawned, and the "blast radius" of a compromise extends far beyond the agent itself, encompassing the entire container and every service it is connected to.
A joint survey by the CSA and Aembit, which polled 228 IT and security professionals, quantifies the persistence of this problematic pattern. The findings reveal that 43% of organizations use shared service accounts for their agents, 52% rely on workload identities rather than agent-specific credentials, and a significant 68% admit they cannot reliably distinguish AI agent activity from human actions within their logs. This lack of clear ownership and granular control over AI agent access is particularly concerning, with security teams often deferring responsibility to developers, and vice versa, leaving a critical security gap unaddressed.
CrowdStrike CTO Elia Zaitsev, in a revealing interview with VentureBeat, drew a parallel between securing AI agents and safeguarding highly privileged human users. "A lot of what securing agents look like would be very similar to what it looks like to secure highly privileged users. They have identities, they have access to underlying systems, they reason, they take action," Zaitsev explained. He emphasized that a singular "silver bullet" solution is unlikely, advocating instead for a comprehensive "defense in depth strategy."
CrowdStrike CEO George Kurtz brought the tangible risks into sharp focus during his RSAC keynote, highlighting the ClawHavoc campaign. This sophisticated supply chain attack targeted the OpenClaw agentic framework, with Koi Security naming the campaign on February 1, 2026. Antiy CERT subsequently confirmed the presence of 1,184 malicious "skills" linked to 12 publisher accounts, according to independent analyses. Further research by Snyk’s ToxicSkills initiative revealed that a substantial 36.8% of the 3,984 ClawHub skills scanned contained security flaws of any severity, with 13.4% classified as critical. The observed "breakout time" – the time an attacker takes to move from initial compromise to impacting other systems – has plummeted to an average of 29 minutes, with the fastest observed instance occurring in a mere 27 seconds, as detailed in the CrowdStrike 2026 Global Threat Report. These alarming metrics underscore the escalating threat posed by compromised AI agent ecosystems.
Anthropic’s Innovative Approach: Separating the "Brain" from the "Hands"
In a significant development, Anthropic unveiled its Managed Agents in public beta on April 8th, introducing a novel architecture that fundamentally separates an agent’s core components, ensuring they operate without mutual trust. This design partitions each agent into three distinct elements: the "brain" (comprising Claude and the routing mechanism guiding its decisions), the "hands" (ephemeral Linux containers responsible for code execution), and the "session" (an immutable, append-only event log residing outside both the brain and hands).
This architectural decoupling echoes long-established software design principles, drawing parallels to microservices, serverless functions, and message queues. The core security advantage lies in the stringent separation of credentials from the execution environment. Anthropic stores OAuth tokens in an external, secure vault. When an agent requires interaction with an external tool, it dispatches a session-bound token to a dedicated proxy. This proxy then retrieves the necessary credentials from the vault, executes the external call, and relays the result back to the agent. Critically, the agent itself never directly accesses or handles the actual credentials. Similarly, Git tokens are seamlessly integrated into the local remote configuration at the sandbox’s initialization, enabling push and pull operations without the agent ever needing to directly interact with sensitive token data. For security directors, this means that even if a sandbox is compromised, the attacker gains possession of an environment devoid of reusable credentials, significantly limiting their ability to escalate the attack.
This crucial security enhancement emerged as a beneficial side effect of a performance optimization initiative. By decoupling the "brain" from the "hands," Anthropic enabled inference processes to commence even before the execution container fully initialized. This resulted in a remarkable reduction in the median time to the first token, dropping by approximately 60%. This innovation powerfully counters the enterprise objection that enhanced security invariably introduces latency; in this instance, the zero-trust design is demonstrably the faster design.
Furthermore, Anthropic’s architecture introduces a significant gain in session durability. In the traditional monolithic pattern, a container crash invariably leads to total state loss. With Managed Agents, the session log persists independently of both the brain and the hands. Should the harness encounter a failure, a new instance can be launched, which can then seamlessly read the event log and resume operations from the last recorded point, thereby eliminating state loss and translating into substantial long-term productivity gains. The Claude Console provides built-in session tracing capabilities, offering enhanced visibility and control.
The pricing model is structured at $0.08 per session-hour of active runtime, with idle time excluded, in addition to standard API token costs. This transparent pricing allows security directors to accurately model the potential cost of an agent compromise against the investment in these architectural controls.
Nvidia’s Approach: Fortifying the Sandbox and Intense Scrutiny
Conversely, Nvidia, with its NemoClaw offering released in early preview on March 16th, adopts a strategy of heavily fortifying the agent’s execution environment rather than separating its core functions. NemoClaw does not segregate the agent from its operational surroundings but instead encases the entire agent within four layered security enforcements and meticulously monitors every action. As of this writing, Anthropic and Nvidia stand as the sole vendors to have publicly released zero-trust agent architectures, with other industry players reportedly in development.
NemoClaw implements a formidable stack of five enforcement layers positioned between the agent and the host system. Sandboxed execution is achieved through kernel-level isolation mechanisms including Landlock, seccomp, and network namespaces. A default-deny outbound networking policy mandates explicit operator approval for every external connection, managed through YAML-based policies. Agent access is strictly limited to minimal privileges. A dedicated privacy router is employed to direct sensitive queries to locally running Nemotron models, thereby eliminating token costs and preventing data leakage. The most critical layer for security teams is intent verification, facilitated by OpenShell’s policy engine, which intercepts every agent action before it can interact with the host. The inherent trade-off for organizations evaluating NemoClaw is a clear one: enhanced runtime visibility comes at the cost of increased operator staffing requirements.
From the agent’s perspective, it remains unaware of the NemoClaw environment. Actions that comply with established policies are processed normally, while out-of-policy actions trigger a configurable denial.
Observability represents NemoClaw’s strongest defense. A real-time Terminal User Interface meticulously logs every action, network request, and blocked connection, providing a comprehensive audit trail. The primary challenge with this approach lies in its scalability and cost. Operator load scales linearly with agent activity, and each new endpoint necessitates manual approval. While the quality of observation is exceptionally high, the level of autonomy is considerably low, a ratio that quickly becomes prohibitively expensive in production environments managing dozens or even hundreds of agents.
Durability, however, presents a notable gap that is not widely discussed. Agent state is persistently stored as files within the sandbox. Consequently, if the sandbox itself fails, the state is irretrievably lost. There is no inherent external session recovery mechanism. This poses a significant durability risk for long-running agent tasks, a factor that security teams must rigorously evaluate and factor into their deployment planning before venturing into production.
The Credential Proximity Gap: A Critical Divergence
Both Anthropic’s and Nvidia’s architectures represent a substantial advancement over the default monolithic design. Their divergence, however, lies in a crucial question that holds paramount importance for security teams: how closely are credentials situated to the execution environment?
Anthropic’s approach effectively removes credentials from the potential blast radius entirely. In the event of a sandbox compromise via prompt injection, an attacker is confined to a disposable container devoid of any exploitable tokens or persistent state. To exfiltrate credentials, an attacker would be forced to execute a complex, two-hop attack: first, influencing the agent’s reasoning, and subsequently, manipulating it into acting through a container that contains no valuable assets. This structural elimination of single-hop credential exfiltration significantly raises the bar for attackers.
Nvidia’s NemoClaw, in contrast, constrains the blast radius and imposes rigorous monitoring on all internal activities. Four security layers are strategically employed to limit lateral movement, and the default-deny networking policy effectively blocks unauthorized connections. Nevertheless, the agent and its generated code still share the same sandbox. While Nvidia’s privacy router ensures that inference credentials remain on the host, outside the sandbox, messaging and integration tokens (such as those for Telegram, Slack, or Discord) are injected directly into the sandbox as runtime environment variables. Inference API keys are proxied through the privacy router, preventing direct injection into the sandbox. This means the level of exposure varies depending on the specific type of credential; credentials are policy-gated rather than structurally eliminated.
This distinction is particularly critical when considering indirect prompt injection attacks. In such scenarios, an adversary embeds malicious instructions within content that the agent is tasked with querying as part of its legitimate workflow, such as a poisoned web page or a manipulated API response. The intent verification layer in NemoClaw evaluates the agent’s proposed actions, not the content of the data returned by external tools. Consequently, injected instructions can be incorporated into the reasoning chain as trusted context, with the proximity to the execution environment exacerbating the risk.
Within Anthropic’s architecture, indirect injection can indeed influence the agent’s reasoning, but it cannot breach the secure credential vault. In NemoClaw’s design, however, injected context resides directly alongside both the reasoning and execution processes within the shared sandbox. This proximity represents the most significant architectural gap between the two innovative solutions.
David Brauchler, Technical Director and Head of AI/ML Security at NCC Group, advocates for the implementation of gated agent architectures built upon "trust segmentation principles," where AI systems inherit the trust level of the data they process. This implies that untrusted input should be met with restricted capabilities. Both Anthropic and Nvidia are making strides in this direction, but neither has achieved a complete realization of this ideal.
The Zero-Trust Architecture Audit for AI Agents
The journey towards secure AI agents is ongoing, and the urgency is palpable. The advent of these two distinct architectural approaches signifies a critical turning point, moving zero trust for AI agents from a theoretical concept to a tangible implementation. The monolithic default, prevalent in many current deployments, is a significant liability. The substantial 65-point gap between the speed of deployment and the approval of security measures within AI agent ecosystems represents the fertile ground where the next wave of significant data breaches is likely to emerge.
To navigate this complex landscape, a comprehensive audit of AI agent architectures is essential. Such an audit should encompass three primary vendor patterns – monolithic, Anthropic’s separated model, and Nvidia’s fortified sandbox – across six critical security dimensions. Each dimension can be further broken down into five distinct actions or considerations. Ultimately, the audit distills to five paramount priorities for organizations seeking to implement truly secure AI agents:
- Credential Segregation: Are sensitive credentials physically separated from the agent’s execution environment?
- Action Verification: Is every agent action rigorously scrutinized and verified before execution?
- Least Privilege: Does the agent operate with the absolute minimum privileges necessary for its intended function?
- Session Durability: Is there a robust mechanism for recovering agent state in the event of an interruption or failure?
- Observability & Auditability: Is there a comprehensive, immutable log of all agent activities and interactions?
By addressing these priorities and understanding the nuances of architectures like those proposed by Anthropic and Nvidia, organizations can begin to bridge the critical security gap, ensuring that the transformative power of AI agents is harnessed responsibly and securely. The future of cybersecurity hinges on our ability to adapt and implement robust, zero-trust principles for these increasingly sophisticated AI systems.