NemoClaw Security Architecture — Design Philosophy for Safe Enterprise AI Agent Operations
A detailed analysis of NemoClaw's security architecture. This article examines OpenShell sandbox, least privilege access control, privacy router mechanisms, network access restrictions, audit logging and compliance features, and how NemoClaw addresses security challenges faced by existing agent tools like OpenClaw from a technical perspective.
Security Risks of AI Agents and NemoClaw's Design Philosophy
With the advancement of AI agent technology, systems that autonomously execute tasks have become practical, but security risks have also emerged. Open-source agents like OpenClaw can directly execute system commands, have unlimited file system access, and freely communicate with external APIs, raising concerns about information leakage and system destruction in enterprise environments. To address these challenges, NemoClaw adopts a defense-in-depth architecture based on a zero-trust security model. Specifically, it operates on the premise of not trusting agents, performing authentication, authorization, and auditing for every action while minimizing the scope of impact. This design philosophy achieves enterprise-grade security while maintaining agent convenience.
Technical Details of OpenShell Sandbox
OpenShell provides a container-based sandbox built on Linux namespaces and cgroups. Each AI agent runs in its own set of namespaces (PID, network, mount, UTS, IPC), fully isolated from the host system and from other agents. Cgroups enforce CPU, memory, and disk I/O limits so that a runaway agent cannot affect the system as a whole. File system access is limited to a read-only root filesystem plus restricted writable areas, blocking access to critical system files. In addition, seccomp (Secure Computing Mode) filters restrict which system calls an agent may make, preventing dangerous calls such as ptrace, mount, and reboot. Together these layers contain the damage within the sandbox even if an agent executes malicious code.
Implementation of Least Privilege Access Control
NemoClaw's access control strictly applies the Principle of Least Privilege. Agents are dynamically granted only the permissions a task requires, and those permissions are revoked as soon as the task completes. Permission management uses a hybrid of Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), so decisions depend not only on the agent's role but also on the execution context (time, location, request source). For example, a data analysis agent is granted read-only access to specific databases, with write and delete operations denied. API calls follow a whitelist approach: only pre-approved endpoints may be reached, and connections to unapproved APIs are blocked automatically.
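A deny-by-default permission check combining a role rule (RBAC) with context attributes (ABAC), as described above, and the same default-deny evaluation that the endpoint whitelist relies on. This is an added illustration, not NemoClaw's own code; the role names, resource names, policy structure and hour window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Policy:
    role: str
    resource: str                     # e.g. "db:sales" or "api:<host>"
    actions: frozenset                # operations the role may perform
    hours: tuple = (0, 24)            # permitted UTC hour window [start, end)
    sources: frozenset = frozenset()  # approved request sources; empty = any

# Constructed policies (assumed names, not NemoClaw's own configuration).
POLICIES = (
    Policy("data-analyst", "db:sales", frozenset({"read"}),
           hours=(8, 20), sources=frozenset({"vpc-internal"})),
    Policy("data-analyst", "api:reporting.example.internal", frozenset({"GET"})),
)

def decide(role, resource, action, source, when_iso, policies=POLICIES):
    """Evaluate one request and return (allowed, reason).
    when_iso is an ISO 8601 UTC timestamp such as '2024-05-01T10:30:00'.
    A request that no policy explicitly permits is denied (default deny),
    which is also what blocks calls to endpoints missing from the whitelist."""
    hour = datetime.fromisoformat(when_iso).hour
    reason = "no policy for this role/resource (default deny)"
    for p in policies:
        if p.role != role or p.resource != resource:
            continue
        if action not in p.actions:                     # RBAC: role vs. action
            reason = f"action '{action}' not permitted for role '{role}'"
        elif not (p.hours[0] <= hour < p.hours[1]):     # ABAC: time attribute
            reason = "outside permitted hours"
        elif p.sources and source not in p.sources:     # ABAC: source attribute
            reason = f"request source '{source}' not approved"
        else:
            return True, "matched policy"
    return False, reason
```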
Data Flow Control via Privacy Router
The privacy router is a critical mechanism that mediates data communication between agents and external services, preventing leakage of sensitive information. All external communications pass through the privacy router, with both sent and received data inspected in real-time. Sensitive information detection employs a multi-stage approach combining regular expression pattern matching, machine learning-based classifiers, and Named Entity Recognition (NER) models, achieving high accuracy in detecting credit card numbers, personal identification numbers, internal confidential codes, etc. Detected sensitive information is automatically masked or blocked and recorded in audit logs. Additionally, data encryption (TLS 1.3), certificate pinning, and domain whitelisting prevent man-in-the-middle attacks and connections to phishing sites. Application of data retention policies compliant with privacy regulations such as GDPR and CCPA is also supported.
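A simplified version of the privacy router's first inspection stage: regular-expression candidate detection with a Luhn check to drop false positives, masking of card numbers and internal codes, blocking of outbound credentials, and an audit record per finding. This is an added illustration, not NemoClaw's code; the patterns, the internal code format and the audit record fields are assumptions.

```python
import re

# Constructed patterns (assumptions, not NemoClaw's detection rules).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")           # 13-19 digits, optional separators
INTERNAL_CODE_RE = re.compile(r"\bPRJ-\d{4}-[A-Z]\b")        # hypothetical confidential code format
SECRET_RE = re.compile(r"\b(?:sk|key)_[A-Za-z0-9]{16,}\b")   # hypothetical API-key format

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters look-alikes such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def inspect(agent_id: str, payload: str, audit: list):
    """Return (sanitized_payload, verdict); verdict is 'allow', 'mask' or 'block'.
    Every finding is appended to the audit list as a constructed record."""
    if SECRET_RE.search(payload):
        audit.append({"agent": agent_id, "kind": "credential", "action": "block"})
        return None, "block"                  # credentials never leave the sandbox

    verdict = "allow"

    def card_repl(m):
        nonlocal verdict
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)                 # not a card number; leave untouched
        verdict = "mask"
        audit.append({"agent": agent_id, "kind": "card", "action": "mask"})
        return "*" * (len(digits) - 4) + digits[-4:]

    out = CARD_RE.sub(card_repl, payload)
    if INTERNAL_CODE_RE.search(out):
        verdict = "mask"
        audit.append({"agent": agent_id, "kind": "internal-code", "action": "mask"})
        out = INTERNAL_CODE_RE.sub("[REDACTED]", out)
    return out, verdict
```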
Network Access Restrictions and Zero Trust Network
NemoClaw's network security follows the zero-trust network model. By default, all outbound network access from agents is denied, and only the required destinations are permitted individually. Network isolation combines Virtual Private Cloud (VPC), subnets, and network policies, which also prevents unauthorized communication between agents. Each agent is assigned a unique service account, and mutual authentication with mTLS (mutual TLS) is enforced. Outbound traffic is inspected by an Application Layer Gateway (ALG), which evaluates HTTP headers, payloads, and request rates against policy. Abnormal traffic patterns and excessive requests are blocked automatically and security administrators are notified. DNS queries are also controlled, to detect DNS tunneling and malware communication based on Domain Generation Algorithms (DGA).
Audit Logs and Compliance Support
NemoClaw provides comprehensive audit logging that records every agent action. Each log entry carries a timestamp together with the agent ID, executed task, accessed resources, executed commands, API calls, data access patterns, permission changes, and error information. Logs are stored on a blockchain-based ledger or Write-Once-Read-Many (WORM) storage so that they cannot be tampered with, ensuring the integrity of the audit trail. Log analysis integrates machine learning-based anomaly detection that flags, in real time, activity deviating from an agent's normal behavior pattern. Integration with SIEM (Security Information and Event Management) systems allows the logs to be incorporated into organization-wide security monitoring. For compliance, log retention periods, access controls, encryption, and incident response procedures meeting requirements such as SOC 2, ISO 27001, HIPAA, and PCI DSS are provided as standard.
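The tamper-evidence property that the article attributes to blockchain or WORM storage, shown as a hash-chained audit log whose head hash is anchored outside the log (for instance in WORM storage or the SIEM). Added illustration, not NemoClaw's storage format; the record fields and sample entries are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64   # prev-hash of the first entry

def entry_hash(prev_hash: str, record: dict) -> str:
    """Commit to the previous entry and to a canonical JSON form of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log: list, record: dict) -> str:
    """Append a record and return the new chain head, which must be stored
    somewhere the agent cannot write (WORM storage, SIEM) to be meaningful."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})
    return log[-1]["hash"]

def verify(log: list, expected_head: str):
    """Return (ok, index): index is the first broken entry, len(log) when the
    chain is internally consistent but does not end at the anchored head
    (trailing entries deleted or the whole chain rewritten), or -1 if intact."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["record"]):
            return False, i
        prev = e["hash"]
    if prev != expected_head:
        return False, len(log)
    return True, -1

# Constructed sample records (assumed field names).
SAMPLE = [
    {"ts": "2024-05-01T10:00:00Z", "agent": "agent-7", "action": "read", "resource": "db:sales"},
    {"ts": "2024-05-01T10:00:05Z", "agent": "agent-7", "action": "api", "resource": "api:reporting.example.internal"},
    {"ts": "2024-05-01T10:00:09Z", "agent": "agent-7", "action": "deny", "resource": "api:unapproved.example"},
]

def build_sample_log():
    """Build the sample chain and return (log, anchored_head)."""
    log, head = [], GENESIS
    for r in SAMPLE:
        head = append(log, r)
    return log, head
```

Without the external anchor a hash chain only proves internal consistency; an attacker who can rewrite every entry can recompute the whole chain, which is why the head must live in write-once storage.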
Challenges of Existing Agent Tools and NemoClaw Solutions
While OpenClaw and similar open-source agent tools possess powerful autonomous execution capabilities, they have minimal security constraints, posing significant risks for enterprise use. Specifically, the issues include unintended file deletion and configuration changes caused by unlimited system command execution, unintended transmission of authentication credentials to external APIs, DoS conditions due to the lack of resource limits, and difficulty identifying root causes during incidents because of insufficient audit trails. NemoClaw significantly reduces these risks without compromising convenience by running such tools inside the OpenShell sandbox. All agent actions are monitored and recorded, and execution is stopped immediately upon a policy violation. In addition, a graduated privilege escalation mechanism requests human approval when necessary, ensuring governance before high-risk operations are executed. This design creates an environment in which enterprises can safely adopt advanced AI agent technology. Oflight Inc., based in Shinagawa Ward, Tokyo, provides enterprise AI agent implementation support built on NemoClaw's security architecture, offering comprehensive consulting services from security requirements analysis through system design and operational support to companies primarily in Shinagawa, Minato, Shibuya, Setagaya, Meguro, and Ota wards.