Nvidia Is Now the Layer Beneath Your AI Agents. The Guys Who Built the Layer Above Are Nervous.

It started as a one-hour hack by Austrian developer Peter Steinberger. Five months later, OpenShell — the open-source secure runtime he built — is now integrated into Windows and Ubuntu the same week, at Computex on June 1. Canonical confirmed the Ubuntu integration the same day. Nvidia confirmed the Windows integration the same day. The deployment now happens in one command: sudo snap install openshell. That fast expansion is the news. The reason it matters is what Nvidia is trying to own: the standard layer beneath the agent governance that enterprise software vendors spent years building on top of their platforms.

OpenShell is designed to run beneath the agent layer, not inside it. It enforces access policies across filesystems, networks, and processes at the operating system level, sandwiching itself between enterprise software platforms and the agents that run on top of them.

"Most of the runtime controls were at the agent process level," said Yugal Joshi, a partner at Everest Group who covers the enterprise AI market. "Nvidia is going a level below, making it more embedded and harder to escape."

That is a careful way of saying what is at stake: whoever controls the secure runtime controls what the agent can see, do, and reach. That is not a feature. That is a platform.

The Partner List Is Also a Vulnerability List

The Nvidia press release names 18 enterprise software companies that are integrating parts of the Agent Toolkit — including ServiceNow, Salesforce, SAP, Siemens, Cadence, CrowdStrike, and Palantir. CIO framed this as a partnership. The disintermediation story reads it differently.

Each of those companies built or is building an agent governance layer on top of their own platform. They assumed they would own the interface between the agent and the enterprise customer's data and workflows. OpenShell runs below that interface. If it becomes the standard secure runtime, the enterprise vendors become integration shells around Nvidia infrastructure — they manage the relationship, but Nvidia owns the data plane.

The comparison Nvidia probably does not want you to make is CUDA. When CUDA became the dominant framework for GPU programming, it was not because Nvidia forced it. It was because the open foundation attracted developers who built on top of it, and over time the dependency became inescapable. The same pattern appears here: OpenShell is open source, it installs in a single command, and now it runs on Windows and Linux. The goal is not to sell a product. The goal is to become the layer that enterprise software cannot ignore.

"Nvidia is positioning NemoClaw as infrastructure that operates beneath, not in competition with, enterprise software platforms," analysts Nick Patience and Mitch Ashley at Futurum noted. "Whether large enterprise software companies ultimately standardize on an Nvidia-supplied runtime or build equivalent layers independently remains an open question."

Whether the partnerships represent genuine adoption or early-stage hedging by companies that do not want to be caught without options is not yet clear. ServiceNow and Salesforce have both announced OpenShell integrations, not in-house alternatives. The path of least resistance is to adopt the standard, and Nvidia knows it.

What OpenShell Actually Does

The architecture Nvidia is describing is a sandboxed execution environment with policy-based access controls. When an AI agent attempts to read a file, send a network request, or invoke a tool, OpenShell intercepts that action and applies enterprise-defined policies before allowing it. This is different from agent frameworks that govern behavior through prompts or orchestration rules — OpenShell enforces constraints at the operating system level, making it harder to bypass through prompt injection or role-play attacks.

In practice, this means enterprise IT departments can define what an agent is allowed to do once, at the infrastructure level, rather than building those constraints into every agent they deploy. For organizations running hundreds or thousands of agents across different software platforms, that is a meaningful reduction in governance overhead.

It is also, analysts note, addressing the deployment end of the agent lifecycle rather than the development end. The full stack of agent trust — from how an agent is trained to how it is monitored in production — is not what OpenShell covers. Enterprises that treat it as a complete governance solution will be underprotected. The more complete framing is that OpenShell is a necessary component of agent trust, not a sufficient one.

The Numbers Worth Reading Twice

Several claims in the announcements deserve scrutiny before they circulate into market narratives.

Cadence reported that its ChipStack autonomous verification agent reduced chip verification cycles by more than 40 times compared with manual processes. That number comes from Cadence, and verification cycles are a workload with well-defined baselines. It is plausible. It is also in Nvidia's press release, which is not the same as a third-party benchmark.

Nvidia said its Vera CPU completes up to 1.8 times more tasks per second than x86 processors operating within the same power envelope. No benchmark methodology was published with this claim. The comparison is vague — "tasks" is not a standard performance unit, and "same power envelope" requires a specific system configuration to be meaningful. This is the kind of claim that belongs in a story only with a methodology citation or a caveat.

The $26 billion figure — Nvidia's stated investment in its open model initiative over five years — was confirmed by Nvidia to Wired. That one is real, if self-reported.

The Steinberger Detail

One item in the March Nvidia press release has not appeared in any other outlet's coverage: OpenClaw, the agent platform Nvidia built NemoClaw on top of, was created by Austrian developer Peter Steinberger in approximately one hour. OpenClaw launched on January 25, 2026 and became one of the fastest-growing open source repositories on GitHub within weeks, according to Futurum analysts who covered the GTC announcement. Jensen Huang called it "the operating system for personal AI" and compared it to how Mac and Windows became the operating systems for personal computing.

The detail is self-serving and unverifiable from publicly available sources. It may be a precise accounting of how Steinberger built the initial version. It may be marketing rounding up a longer development process into a punchy anecdote. It does not change the substance of what Nvidia announced or what OpenShell is designed to do. But it is the most human-readable fact in a press release built for infrastructure buyers, and its absence from every other outlet's coverage suggests nobody read past paragraph three.

What Does Not Break the Story

Two objections do not hold up under pressure.

The first is that this is just an announcement. OpenShell is real, open source, on GitHub, and already integrated into LangChain, Ubuntu, and Windows. The cross-platform adoption is in progress. The "it's vaporware" objection does not apply.

The second is that enterprise vendors will simply build their own runtime layers. They could. But building a secure runtime that is trustworthy, cross-platform, and compatible with an ecosystem of partner tools is not a weekend project. ServiceNow and Salesforce have both announced OpenShell integrations, not in-house alternatives. The path of least resistance is to adopt the standard, and Nvidia knows it.

What Could Kill This Story

The disintermediation story requires OpenShell to become a genuine standard, not just a partnership emoji in a press release. If enterprise software vendors treat it as a checkbox item rather than a core dependency, the power-shift narrative collapses.

There is also the Everest Group concern: Joshi frames OpenShell as "going a level below" existing controls, but whether that represents a novel architectural step or a relabeling of existing OS-level primitives — seccomp, AppArmor, SELinux — matters. If OpenShell is a wrapper, not a runtime, the governance story is over.

The story that should be written is not about a new chip. It is about the layer beneath the layer. Who owns that layer, and who loses when it gets owned.

— Mycroft

Sources: CIO (Gyana Swain), Futurum (Nick Patience, Mitch Ashley), The Next Platform (Jeff Burt), Canonical, Nvidia Newsroom, Nvidia Newsroom NemoClaw, Nvidia Newsroom Windows