The numbers tell the whole story. PwC’s 2025 AI Agent Survey reports 79% of enterprises already use AI agents. The Gravitee State of AI Agent Security 2026 report found only 14.4% have full security approval for those agent fleets. The Cloud Security Alliance puts it at 26% with any AI governance policies at all.

That gap is not theoretical risk. The CrowdStrike 2026 Global Threat Report documented the “ClawHavoc” supply chain campaign: 1,184 malicious skills tied to 12 publisher accounts targeting the OpenClaw agentic framework. AI-enabled adversary activity rose 89% year-over-year. Average eCrime breakout time fell to 29 minutes.

RSAC 2026 forced the conversation. Two competing zero-trust architectures shipped from Anthropic and Nvidia, each taking a fundamentally different approach to the same core vulnerability: credentials sitting in the same environment as untrusted, AI-generated code.

The Problem: Monolithic Containers

Most enterprise AI agents today run in a monolithic pattern. The model’s reasoning, tool execution, generated code, and stored credentials all occupy the same process. A single prompt injection can exfiltrate every API key and OAuth token in the container.

The CSA/Aembit survey of 228 IT and security professionals found 43% of organizations use shared service accounts for agents, 74% say agents receive more access than necessary, and 68% cannot distinguish agent activity from human activity in their logs.

The blast radius is unlimited by default.

Anthropic’s Model: Vault Isolation

Anthropic’s Managed Agents architecture, launched in public beta on April 8, splits the agent into three mutually distrustful components: a “brain” (Claude plus routing harness), disposable Linux containers for code execution (the “hands”), and an external, append-only event log (the “session”).

The security innovation is structural. OAuth tokens live in an external vault. When the agent needs to call an MCP tool, it sends a session-bound token to a dedicated proxy. The proxy fetches real credentials from the vault, executes the call, and returns only the result. The agent never sees the actual token. Git credentials are wired into the local remote during sandbox initialization, enabling push and pull without the agent touching the credential.

According to Anthropic’s engineering documentation, decoupling inference from container boot dropped median time to first token by roughly 60%. Because the session log exists outside both brain and hands, a harness crash triggers recovery: a new instance boots, reads the log, and resumes without state loss.

A successful prompt injection compromises a disposable container that holds nothing of value. Credential exfiltration requires a two-hop attack: first influencing the brain’s reasoning, then convincing it to act through a container that has no tokens to steal.
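The proxy pattern described above, as an added illustration that is not Anthropic's code: a hypothetical Python sketch in which the sandbox holds only an opaque session-bound token, the proxy resolves that token against a vault per call, and the real credential never returns to the caller. Vault, Proxy, slack_post, run_demo and the sample secret are all constructed for this example.

```python
"""Constructed credential-proxy demo (hypothetical; not Anthropic's code)."""
import secrets
from dataclasses import dataclass, field

@dataclass
class Vault:
    """Real credentials live here; only the proxy can reach it, never the sandbox."""
    secrets_by_tool: dict = field(default_factory=dict)

    def fetch(self, tool: str) -> str:
        return self.secrets_by_tool[tool]

class Proxy:
    """Resolves an opaque session-bound token to a vault credential per call."""

    def __init__(self, vault: Vault):
        self.vault = vault
        self.sessions: dict[str, set] = {}  # session token -> tools it may call

    def open_session(self, allowed_tools) -> str:
        token = secrets.token_urlsafe(16)    # the only secret the sandbox ever holds
        self.sessions[token] = set(allowed_tools)
        return token

    def call(self, session_token: str, tool: str, args: dict, tool_impl):
        if tool not in self.sessions.get(session_token, set()):
            raise PermissionError(f"{tool!r} not permitted for this session")
        # The real credential is fetched and used here, inside the proxy only.
        return tool_impl(self.vault.fetch(tool), args)

def slack_post(credential: str, args: dict) -> dict:
    """Stand-in for a real tool call; the credential is checked, never returned."""
    return {"ok": credential == "xoxb-REAL-SECRET", "channel": args["channel"]}

def run_demo() -> dict:
    """Simulate a sandbox that holds only its session token and try to misuse it."""
    proxy = Proxy(Vault({"slack": "xoxb-REAL-SECRET"}))  # constructed sample secret
    token = proxy.open_session({"slack"})
    sandbox_env = {"SESSION_TOKEN": token}  # everything the container can read
    result = proxy.call(token, "slack", {"channel": "#ops"}, slack_post)
    try:                                    # a tool outside the session's scope
        proxy.call(token, "github", {}, slack_post)
        denied = False
    except PermissionError:
        denied = True
    leaked = any("REAL-SECRET" in v for v in sandbox_env.values())
    return {"ok": result["ok"], "denied": denied, "leaked": leaked}
```

A compromised container in this model can replay its own session token against the proxy, but only for the tools that session was opened with, and it still never observes the vault credential.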

Nvidia’s Model: Layered Policy Enforcement

Nvidia’s NemoClaw, released in early preview on March 16, wraps the entire agent in five stacked security layers instead of separating it from its execution environment.

The architecture uses kernel-level isolation (Landlock, seccomp, network namespace isolation), a default-deny outbound networking policy requiring explicit operator approval via YAML-based policies, and a privacy router that directs sensitive queries to locally running Nemotron models to prevent data leakage.

The critical layer is intent verification. Using the OpenShell policy engine, NemoClaw intercepts every proposed action before it touches the host. A real-time Terminal User Interface provides runtime visibility into every agent decision.

The tradeoff: operator load scales linearly with agent activity. Every new endpoint requires manual approval. NemoClaw also lacks an external session recovery mechanism. If the sandbox fails, state is lost.
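An added illustration of the default-deny egress and intent-verification layers, not NemoClaw's own code: a hypothetical operator policy in the shape of the YAML allowlist the text mentions, a decide() check that refuses anything not explicitly listed, and an IntentGate that queues unmatched endpoints until an operator adds a rule, which is the per-endpoint manual step behind the operator-load tradeoff. POLICY, the hostnames and all function names are constructed for the example.

```python
"""Constructed default-deny egress gate (hypothetical; not NemoClaw's code)."""
from urllib.parse import urlsplit

# Operator policy in the shape of a YAML allowlist, loaded here as a dict.
POLICY = {
    "default": "deny",
    "egress": [
        {"host": "api.slack.com", "ports": [443], "methods": ["POST"]},
        {"host": "*.github.com", "ports": [443], "methods": ["GET"]},
    ],
}

def _host_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches example.com and its subdomains, nothing else."""
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern

def decide(policy: dict, method: str, url: str) -> tuple:
    """Return (verdict, reason); anything not explicitly allowed is denied."""
    parts = urlsplit(url)
    host = parts.hostname or ""                 # lower-cased, userinfo stripped
    port = parts.port or (443 if parts.scheme == "https" else 80)
    for rule in policy.get("egress", []):
        if (_host_matches(rule["host"], host) and port in rule["ports"]
                and method.upper() in rule["methods"]):
            return "allow", f"matched rule for {rule['host']}"
    return policy.get("default", "deny"), "no matching rule"

class IntentGate:
    """Intercepts every proposed outbound call; unmatched ones wait for an operator."""

    def __init__(self, policy: dict):
        self.policy = policy
        self.pending = []   # endpoints a human must approve before they ever run

    def intercept(self, method: str, url: str) -> str:
        verdict, _ = decide(self.policy, method, url)
        if verdict != "allow":
            self.pending.append((method.upper(), url))
        return verdict

    def approve(self, host: str, port: int, method: str) -> None:
        """Operator adds a rule: the manual per-endpoint step the text describes."""
        self.policy["egress"].append({"host": host, "ports": [port], "methods": [method]})
```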

Where Anthropic structurally removes credentials from the blast radius, Nvidia policy-gates them. Integration tokens for services like Slack or Discord are injected into the sandbox as runtime environment variables, as noted in World Today Journal’s architectural comparison. The agent and the credentials coexist, guarded by enforcement layers rather than physical separation.

NIST Enters the Frame

Both approaches are vendor-specific. The standards question remained open until NIST’s National Cybersecurity Center of Excellence published a concept paper on Software and AI Agent Identity and Authorization in February 2026, soliciting public comment on how existing identity standards should apply to autonomous AI agents.

SpruceID’s formal response to NIST proposed that agents should possess their own persistent, organization-bound identity with ephemeral, task-scoped capabilities issued dynamically. Their recommendation: build a zero-trust boundary around each agent combining cryptographic identity anchored to validated hardware (aligned to FIPS 140-2/140-3), capability-based authorization using verifiable digital credentials, formally verifiable policy languages like CedarLang or WebAssembly, and continuous behavioral monitoring.

The NIST framework will likely determine whether the industry converges on structural credential isolation (Anthropic’s approach), layered policy enforcement (Nvidia’s approach), or a hybrid model. The February concept paper is still in its comment period, with multiple vendors submitting frameworks that align with their existing architectures.

The Operational Cost Question

For enterprise security teams evaluating these models today, the choice reduces to two variables: blast radius containment and operational overhead.

Anthropic’s vault isolation minimizes blast radius by default. A compromised container yields nothing. But it requires trusting Anthropic’s infrastructure for credential management, which creates vendor lock-in and a single point of failure at the vault layer.

Nvidia’s policy enforcement keeps credentials local and provides granular runtime visibility. But the manual approval model creates a bottleneck that scales poorly. An agent fleet executing thousands of API calls per hour needs automated policy decisions, not human review for each new endpoint.

The 79% of enterprises already deploying agents are not waiting for standards. The 14.4% with security approval are the ones who’ve already chosen an architecture. For everyone else, the NIST concept paper’s final guidance may be the forcing function that moves agent security from vendor-specific implementations to an interoperable standard.