NVIDIA announced NemoClaw at GTC 2026, combining the OpenClaw agent platform with a new open-source security runtime called OpenShell. It’s NVIDIA’s entry into the governed AI agent space – the same space WorkingAgents occupies.
This article examines what NemoClaw and OpenShell actually do, where they overlap with WorkingAgents, and where they diverge.
What NemoClaw Is
NemoClaw is OpenClaw with enterprise guardrails bolted on. OpenClaw handles the agent runtime – memory, skills, task execution. NemoClaw adds NVIDIA’s Nemotron models, NIM inference microservices, and the OpenShell security sandbox. The whole stack is Apache 2.0 licensed and installable with a single command.
Key components:
- OpenClaw – the agent runtime. Memory, skills, multi-step task execution
- OpenShell – the security sandbox. Isolated execution environments with declarative YAML policies
- Nemotron models – NVIDIA’s own LLMs, optimized for NIM inference
- NeMo Guardrails – programmable guardrails for LLM-based systems
- Pre-built connectors – Salesforce, Cisco, Google Cloud, Adobe, CrowdStrike
Hardware-agnostic by design – runs on NVIDIA, AMD, Intel, and other processors.
What OpenShell Does
OpenShell is the security runtime that makes NemoClaw enterprise-grade. It provides sandboxed execution environments governed by declarative YAML policies across four domains:
| Policy Domain | What It Controls | Hot-Reloadable? |
|---|---|---|
| Filesystem | Prevents reads/writes outside allowed paths | No (locked at creation) |
| Network | Blocks unauthorized outbound connections | Yes |
| Process | Blocks privilege escalation and dangerous syscalls | No (locked at creation) |
| Inference | Reroutes model API calls to controlled backends | Yes |
This is infrastructure-level isolation. The agent runs inside a sandbox where it physically cannot access files, networks, or processes outside its allowed scope. It’s defense-in-depth at the OS level.
What WorkingAgents Does
WorkingAgents is a governance and control layer between AI agents and enterprise systems. Three gateways, one control plane:
- AI Gateway – unified proxy to 250+ LLMs with routing, failover, and cost control
- AI Agent Gateway – control plane for agentic workflows with retries, timeouts, escalation
- MCP Gateway – enterprise hub for Model Context Protocol with per-user permissions and tool registry
Agents inherit the human user’s access control. One identity, one set of rules. 86+ MCP tools covering CRM, task management, knowledge, monitoring, scheduling, email, and messaging – all behind capability-based permission gates. Self-hosted, zero data egress, built on Elixir/OTP.
Where They Overlap
Both platforms are trying to answer the same question: how do you make AI agents trustworthy enough for production?
| Capability | NemoClaw/OpenShell | WorkingAgents |
|---|---|---|
| Agent sandboxing | Yes (OS-level via OpenShell) | Yes (BEAM process-level isolation) |
| Access control | Role-based (YAML policies) | Capability-based (compiled permission keys) |
| Audit logging | Yes | Yes (immutable, per-action) |
| Guardrails | NeMo Guardrails (programmable) | Three-checkpoint guardrails (pre/during/post) |
| Multi-agent orchestration | Yes (hierarchical delegation) | Yes (MCP + A2A protocol) |
| Self-hosted deployment | Yes (open-source) | Yes (one instance per customer) |
| Enterprise connectors | Salesforce, Cisco, Google Cloud, Adobe, CrowdStrike | 86+ MCP tools (CRM, tasks, knowledge, monitoring, scheduling, email, messaging) |
Where They Diverge
1. The Isolation Model
NemoClaw/OpenShell: OS-level sandboxing. The agent runs in a container-like environment where filesystem, network, process, and inference policies are enforced by the runtime. The agent physically cannot access resources outside its sandbox. This is the same approach used for untrusted code execution – strong isolation, heavy boundaries.
WorkingAgents: Application-level governance via the BEAM runtime. Every agent workflow runs in its own Erlang process (2KB, lightweight) with capability-based permission checks at the function head level. The check is a single map key lookup – O(1), compiled into the module at build time. The BEAM provides process isolation natively (no shared memory between processes), preemptive scheduling (a rogue agent can’t starve the system), and supervision trees (crashed processes restart automatically).
The tradeoff: OpenShell is stronger isolation for untrusted agents that might try to break out. WorkingAgents is faster, lighter governance for agents operating within a trusted enterprise environment where the question isn’t “will this agent try to escape?” but “does this user have permission to trigger this action?”
2. The Permission Model
NemoClaw: Role-based access control defined in YAML policies. Policies are declarative and some are hot-reloadable. This is familiar to ops teams who manage Kubernetes RBAC or cloud IAM policies.
WorkingAgents: Capability-based access control where integer permission keys are compiled into modules at build time. Agents inherit the user’s permission map. A single is_map_key guard check gates every tool call at the VM level – before the function body executes. Roles are named bundles of keys with set-arithmetic revocation. Temporary TTL-based grants enable just-in-time access.
The tradeoff: NemoClaw’s YAML policies are easier to audit visually and familiar to DevOps teams. WorkingAgents’ compiled capabilities are faster at runtime and structurally prevent bypass – the permission check happens at the BEAM dispatch level, not in application code that could be skipped.
3. The Ecosystem Position
NemoClaw: An NVIDIA product. It comes with Nemotron models, NIM inference, and pre-built connectors to major enterprise platforms (Salesforce, Cisco, Google Cloud). It benefits from NVIDIA’s distribution – every enterprise GPU customer is a potential NemoClaw user. Open-source under Apache 2.0, backed by a $3 trillion company.
WorkingAgents: An independent platform. Protocol-native (MCP and A2A from day one), vendor-neutral (routes to 250+ LLMs from any provider), self-hosted with zero data egress. Built on Elixir/OTP by a solo founder. No corporate backing, no pre-built enterprise connectors to Salesforce or Cisco – but also no vendor lock-in.
The tradeoff: NemoClaw has distribution and ecosystem momentum that WorkingAgents cannot match. WorkingAgents has vendor neutrality and zero-egress deployment that NemoClaw compromises by being tightly integrated with NVIDIA’s model and inference stack.
4. The Business Model
NemoClaw: Open-source (Apache 2.0). NVIDIA makes money on GPU hardware and NIM inference services. NemoClaw drives adoption of NVIDIA’s AI stack. The governance layer is free because it sells GPUs.
WorkingAgents: Commercial product with consulting services. Revenue from deployment, customization, and managed operations. The governance layer is the product.
The implication: This is the classic open-source bundling threat. When the governance layer is a loss leader for a hardware company, a standalone governance company faces existential pricing pressure. WorkingAgents cannot compete on price with free. It must compete on depth, specialization, and operational value.
5. What NemoClaw Doesn’t Do
NemoClaw is an agent platform with governance added. It is not a pure governance layer. Several things WorkingAgents provides that NemoClaw does not (as of launch):
- Unified LLM routing across all providers – NemoClaw routes primarily to Nemotron models and NIM services. WorkingAgents routes to 250+ LLMs from any provider with cost-based and latency-based routing.
- Built-in business operations tools – WorkingAgents ships with 86+ MCP tools for CRM, task management, knowledge base, scheduling, monitoring, email, and messaging. NemoClaw has pre-built connectors to third-party platforms but no built-in business logic.
- Per-user data isolation – WorkingAgents runs per-user SQLite databases. Each user’s data is structurally separated at the storage level, not just the access level.
- Human communication channels – WhatsApp bridge, real-time WebSocket chat, push notifications. NemoClaw focuses on agent-to-system interaction, not agent-to-human communication.
- Persistent scheduling and escalation – Alarm system, cron-like scheduling, escalation chains. NemoClaw handles task execution but not long-running business workflow orchestration across hours and days.
6. What WorkingAgents Doesn’t Do
Several things NemoClaw provides that WorkingAgents does not:
- OS-level sandboxing – OpenShell’s filesystem, network, process, and inference policies are stronger isolation than BEAM process boundaries. For untrusted agent execution, OpenShell is more appropriate.
- NVIDIA hardware optimization – NIM inference microservices, Nemotron model optimization, GPU-aware scheduling. WorkingAgents is hardware-agnostic but doesn’t optimize for specific GPU architectures.
- Pre-built enterprise connectors – NemoClaw ships with Salesforce, Cisco, Google Cloud, Adobe, and CrowdStrike connectors. WorkingAgents has MCP tools but not pre-packaged integrations with these specific platforms.
- NVIDIA ecosystem distribution – Every GTC attendee, every NVIDIA enterprise customer, every developer using NIM or NeMo is a potential NemoClaw adopter. WorkingAgents has no comparable distribution channel.
The Strategic Reality
NemoClaw’s announcement validates the market WorkingAgents is in. NVIDIA doesn’t build products for imaginary categories. The fact that a $3 trillion company is investing in agent governance confirms that the governance gap is real, budget-bearing, and urgent.
But validation comes with a cost. NemoClaw is free, open-source, backed by NVIDIA’s distribution, and ships with connectors to platforms that enterprise buyers already use. This is the bundling threat that every standalone governance company faces.
WorkingAgents’ response cannot be to compete feature-for-feature with NVIDIA. The response must be:
1. Go deeper on governance. NemoClaw’s governance is one layer of a larger platform. WorkingAgents’ governance is the entire product. Capability-based permissions compiled at build time, three-checkpoint guardrails, TTL-based just-in-time access, set-arithmetic role revocation – these are governance features that a platform product won’t invest in deeply because governance isn’t their core value prop.
2. Stay vendor-neutral. NemoClaw pushes you toward Nemotron models and NIM inference. WorkingAgents routes to any LLM from any provider. For enterprises running multi-vendor AI stacks (which is most of them), vendor neutrality is a real differentiator.
3. Own the regulated verticals. NemoClaw is a horizontal platform. WorkingAgents can go vertical – healthcare (HIPAA), financial services (SOC 2), legal (EU AI Act). Compliance-specific guardrails, audit reporting formatted for regulators, and industry-specific tool integrations are things a general platform won’t prioritize.
4. Complement, don’t compete. WorkingAgents’ MCP Gateway can sit in front of NemoClaw agents, adding permission-scoped tool access to agents running on the NemoClaw runtime. The governance layer doesn’t need to replace the agent runtime – it can govern it.
Bottom Line
NemoClaw and WorkingAgents are solving the same problem from different directions. NemoClaw comes at it from the agent runtime side – building agents first, adding governance second. WorkingAgents comes at it from the governance side – building governance first, connecting to agents second.
NemoClaw has NVIDIA’s distribution, ecosystem, and the economic advantage of being free. WorkingAgents has deeper governance architecture, vendor neutrality, and the ability to specialize in regulated verticals where governance depth matters more than platform breadth.
The market is big enough for both approaches. The question for WorkingAgents is not whether NemoClaw exists – it’s whether WorkingAgents can find the customers who need governance that goes deeper than what a free, general-purpose platform provides.
Those customers exist. They’re in healthcare, financial services, and legal. They need HIPAA-compliant audit trails, SOC 2 evidence packages, and EU AI Act documentation – not just YAML policies and sandboxes. That’s the wedge.
Sources: