NVIDIA releases NemoClaw

March 16, 2026

Jensen Huang called OpenClaw “the operating system for personal AI.” On March 16, NVIDIA shipped the security and identity infrastructure to make that operating system enterprise-grade. What they didn’t ship — what the architecture explicitly requires and does not provide — is the layer that answers: who authorized this agent, what is it allowed to do, and can a third party verify that independently?

That’s the slot we’re in. With running code, deployed on the same day.

What NVIDIA Announced

Jensen Huang’s GTC keynote on March 16 introduced the NVIDIA NemoClaw stack — a security and privacy layer for OpenClaw, the open-source agent platform that became the fastest-growing open-source project in history in early 2026. OpenClaw let anyone run LLM-powered agents locally for writing, coding, and file operations. Then the security problems surfaced: API key leakage, credential theft, unauthorized code execution. Meta banned it. LangChain banned it. Microsoft issued a security advisory. OpenAI acquired it in February.

NemoClaw is NVIDIA’s answer for the market OpenClaw opened and the security gap OpenClaw exposed. It installs NVIDIA Nemotron models and the newly announced OpenShell runtime in a single command — adding an isolated sandbox with data privacy and security controls to autonomous agents. It runs on everything from RTX PCs to DGX Station, giving always-on agents dedicated computing with policy-based security, network, and privacy guardrails.

The architectural detail that matters for this conversation: NemoClaw uses NVIDIA’s Agent Toolkit, which provides a governance hook system designed to call out to external providers at every stage of the agent lifecycle. The toolkit’s documentation shows MCP servers as the integration pattern for identity-aware tool authorization, with three levels of hooks:

  • Swarm-level hooks enforce fleet-wide policies and organization-wide security
  • Identity-level hooks provision role-specific credentials and per-agent governance
  • Plugin-level hooks authorize tool access and per-capability permissions

The recommended production deployment uses streamable-http MCP transport with authentication. What NemoClaw explicitly does not provide is the identity layer itself. The governance hooks expect an external system to answer the identity questions. The slot labeled “external identity provider” is architecturally defined, documented, and open.

What We Deployed

On the same day as the GTC keynote, Applied Identities deployed the Verified Intent Gateway — a production MCP server on Cloudflare’s global edge network that provides real-time identity verification for AI agents.

The gateway answers identity-level queries in a single MCP call. When any connected agent platform needs to verify an agent’s authorization chain, the response includes the complete, cryptographically verified path:

Company Constitution → Soul Document → Agent Passport → L1 Credential → L2 Mandate → L3 Presentation

Every link is SHA-256 hashed, carries a serial number, and has a traceable derivation path. A verifier receiving a transaction presentation can trace the authorization from the individual commercial action all the way back to the organizational identity root.

Three MCP tools are operational:

  • verify_agent_chain returns both the Verifiable Intent credential status and the Identity Architecture governance chain for any registered agent. Public endpoint.
  • verify_presentation validates paired payment-network and merchant presentations against the full constraint chain — issuer signatures, mandate bindings, cross-references, constraint satisfaction, and temporal validity. Authenticated endpoint.
  • gateway_status provides real-time health and infrastructure details.

The gateway runs on Cloudflare Workers — serverless, globally distributed across 330+ data centers, sub-10ms latency, no cold starts. Every tool call is audit-logged with caller identity, tool name, and timestamp.

Why the Chain Is the Innovation

Others have agent governance frameworks. Others have verifiable credential implementations. Others have MCP servers at the edge. What doesn’t exist anywhere else is the connected chain from organizational constitution through governance documents through commercial credentials, served as a queryable tool at the global edge.

The chain works because of a bridge that nobody else has built.

The Agent Passport — the governance document that specifies an agent’s authorization boundaries — carries a serial number that functions as the join key between two systems that have never been connected before. On the governance side, the Passport derives from the Soul Document, which derives from the Company Constitution. On the commerce side, the Passport’s constraint parameters generate the cryptographic mandate that bounds what the agent can spend, where, and how much.

When our operational agent Nell executes a constrained commercial action, the Passport serial links the organizational policy (“Nell is authorized to spend up to $500 per transaction on approved merchants with a $2,000 monthly budget”) to the cryptographic enforcement (L2 mandate constraints validated against every L3 presentation). Same data, two formats: human-readable in the governance chain, cryptographically enforceable in the transaction chain.
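The chain walk and mandate check described above, as an added example that is not Applied Identities' code or the Verified Intent wire format: it recomputes each link's SHA-256 parent reference from root to leaf, then tests an L3 presentation against the L2 limits quoted for Nell. The record layout, field names, serials and merchant name are constructed for illustration, and issuer signature verification is left out.

```python
import hashlib
import json

# Link order is taken from the article; the record layout is an assumption.
ORDER = ["constitution", "soul_document", "passport",
         "l1_credential", "l2_mandate", "l3_presentation"]

def link_hash(link):
    """SHA-256 over a canonical JSON encoding of one link (assumed encoding)."""
    data = json.dumps(link, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def verify_chain(chain, spent_this_month=0):
    """Return a list of failures; an empty list means the chain verifies."""
    if [link.get("kind") for link in chain] != ORDER:
        return ["chain is not in root-to-leaf order"]
    errors = []
    for prev, cur in zip([None] + chain[:-1], chain):
        if not cur.get("serial"):
            errors.append(f"{cur['kind']}: missing serial")
        if cur.get("parent") != (link_hash(prev) if prev else None):
            errors.append(f"{cur['kind']}: parent hash mismatch")
    passport, mandate, pres = chain[2], chain[4]["body"], chain[5]["body"]
    if mandate["passport_serial"] != passport["serial"]:  # the join key
        errors.append("l2_mandate: not bound to this passport serial")
    if pres["amount"] > mandate["per_txn_limit"]:
        errors.append("l3_presentation: over per-transaction limit")
    if pres["merchant"] not in mandate["merchants"]:
        errors.append("l3_presentation: merchant not approved")
    if spent_this_month + pres["amount"] > mandate["monthly_budget"]:
        errors.append("l3_presentation: over monthly budget")
    return errors

def build_sample(amount, merchant="books.example"):
    """Constructed sample chain using the limits quoted in the article."""
    bodies = [{"org": "Example Org"}, {"agent": "nell"}, {"scope": "commerce"},
              {"subject": "nell"},
              {"passport_serial": "PASS-0001", "per_txn_limit": 500,
               "monthly_budget": 2000, "merchants": ["books.example"]},
              {"amount": amount, "merchant": merchant}]
    chain, parent = [], None
    for i, (kind, body) in enumerate(zip(ORDER, bodies)):
        serial = "PASS-0001" if kind == "passport" else f"SER-{i:04d}"
        link = {"kind": kind, "serial": serial, "body": body,
                "parent": link_hash(parent) if parent else None}
        chain.append(link)
        parent = link
    return chain
```

The monthly total is passed in by the verifier rather than read from the presentation, so the party presenting the transaction cannot understate prior spending.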

The Verified Intent credential specification — published by Mastercard on March 5, 2026, under the Apache 2.0 license — defines the cryptographic layers. Our VI server, live at vi.appliedidentities.com since March 13, is one of the first non-reference implementations. The gateway, deployed March 16, makes that implementation queryable by any MCP client on Cloudflare’s global network.

How It Fits NemoClaw

The Agent Toolkit’s governance hooks create three integration points, and the gateway addresses all of them.

Identity-level resolve hooks are where an agent’s credentials get provisioned. The gateway’s verify_agent_chain tool returns the complete credential and governance chain that the resolve hook needs to establish the agent’s identity context.

Identity-level preStart hooks are where credentials get validated before the agent boots. The same verification call confirms chain integrity — valid hashes, unbroken derivation, active credentials — before the agent enters production.

Plugin-level hooks are where tool access gets authorized. The gateway’s constraint validation confirms whether a specific action falls within the agent’s authorized boundaries — the L2 mandate constraints derived from the Passport’s commercial authorization section.

The transport matches too. The Agent Toolkit’s recommended production deployment uses streamable-http MCP with authentication — which is exactly what the Verified Intent Gateway implements. Bearer token authentication today, with marked upgrade slots for DID-JWT verification, x402 micropayments, and Hedera immutable audit.

What’s Verified — Not Theoretical

Everything described here is running. Not mocked, not simulated, not a demo environment.

The gateway’s automated test suite exercises the complete path: Cloudflare edge → gateway authentication → VI server at vi.appliedidentities.com → Nell Ashpool’s real governance chain (five levels deep: Constitution, Soul Document, Passport, L1 credential, L2 mandates) → response returned through the edge to the client. All tests pass. The chain data is the actual governance chain for Applied Identities’ operational AI agent — the same agent that runs daily operations, produces intelligence reports, and has been under continuous behavioral governance since early 2026.

The gateway health endpoint is public. The landing page is public. The VI server’s JWKS endpoint — which serves the issuer’s public keys for independent credential verification — is public. This isn’t a whitepaper describing what could be built. It’s infrastructure you can query right now.

What This Means for Enterprise AI

The convergence happening this month defines the market structure for enterprise agent identity.

NVIDIA builds the runtime and explicitly requires external identity providers. Mastercard publishes the credential specification for agent commerce. Cloudflare provides the edge infrastructure for global MCP deployment. Microsoft’s internal MCP governance work — published just weeks ago — confirms that even the largest technology companies are still building the governance layer for agent-to-tool interactions.

The identity slot is open across every major platform. Huang called OpenClaw “the operating system for personal AI” — but the security and governance infrastructure NemoClaw adds is what makes it enterprise-deployable. The question for every organization deploying AI agents is not whether they’ll need verifiable organizational identity for those agents — the architecture mandates it. The question is whether they’ll have the governance chain ready when the integration points need filling.

A Company Constitution that encodes your organizational values and decision frameworks. Agent Soul Documents that translate that identity into behavioral specifications. Agent Passports that bridge governance to commercial authorization. And a verification infrastructure that lets any counterparty — a payment network, a partner API, an auditor, a regulatory body — confirm that the agent acting on your behalf is operating within the boundaries your leadership approved.

That’s what we build. NemoClaw just made it infrastructure.




©2026 Applied Identities