HeadsUpAI

NVIDIA Hardens OpenShell With Agent-Driven Policies and Sandbox Resource Limits

NVIDIA updated its OpenShell security runtime, an open-source tool providing isolated sandboxes (secure, restricted execution environments) for autonomous AI agents. This version adds agent-driven policy management and CLI flags to set specific resource limits, such as CPU and memory usage, for each run.

As developers move to NVIDIA's agentic coding support, the risk of agents exceeding their authority increases. This update mirrors OpenAI's custom Windows sandbox by hardening boundaries between the agent's workspace and the host system. NVIDIA is positioning OpenShell as the standard infrastructure for running agents in regulated enterprise networks.

You can now implement stricter security protocols using new workspace-boundary checks for sandbox downloads and restricted database permissions. The update is available as a direct install or as pre-built packages for Linux and macOS. This release follows the OpenShell v0.0.37 infrastructure shift and includes stability fixes.

NVIDIA AI (@NVIDIAAI) on X:

OpenShell v0.0.41
🧩 agent-driven policy management
🎚️ sandbox resource flags in the CLI
🔒 custom CA support for OIDC TLS verification
📥 sandbox downloads with workspace-boundary checks
🔧 bug fixes and stability improvements
Policy and resource control, directly from the shell. https://t.co/2UJiRU4n62


Still wondering? A few quick answers below.

NVIDIA OpenShell is an open-source security runtime designed to execute autonomous AI agents within isolated sandboxes. It uses kernel-level isolation to protect data, credentials, and infrastructure by ensuring agents only have the specific permissions they need. This prevents autonomous systems from taking unauthorized actions or accessing sensitive information outside their defined workspace.

The v0.0.41 update introduces agent-driven policy management and workspace-boundary checks for file downloads to prevent agents from escaping their sandboxes. It also adds support for custom Certificate Authorities for secure identity verification and restricts SQLite database permissions to prevent unauthorized local access, ensuring that the agent environment remains strictly isolated from the host system.

Yes, NVIDIA OpenShell is an open-source project available on GitHub. You can install the latest version using a simple command-line script provided by NVIDIA or by downloading pre-built packages for various platforms, including Linux and macOS. The project supports multiple drivers, allowing it to run in different environments like Docker or Kubernetes for enterprise-scale deployments.

Yes, the latest update to OpenShell adds specific resource flags to the command-line interface. These flags allow developers to define and enforce resource limits, such as CPU and memory allocations, for individual agent sandboxes. This ensures that autonomous agents do not consume excessive system resources and provides more granular control over the execution environment.
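
The workspace-boundary check for sandbox downloads described above amounts to a path-containment test on the download destination. The following is an added example in Python, not OpenShell's own code; the function names, directory layout and sample paths are hypothetical and constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class BoundaryError(Exception):
    """Raised when a download destination would land outside the workspace."""


def resolve_in_workspace(workspace: Path, requested: str) -> Path:
    """Return the real destination for `requested`, or raise BoundaryError.

    Hypothetical helper: symlinks and '..' are resolved before comparing, so
    the decision is made on the path a write would actually hit.
    """
    root = workspace.resolve(strict=True)
    # Joining an absolute `requested` discards `root`; resolve() exposes that.
    candidate = (root / requested).resolve(strict=False)
    if candidate == root or root not in candidate.parents:
        raise BoundaryError(f"{requested!r} resolves to {candidate}, outside {root}")
    return candidate


def check_all(workspace: Path, names: list[str]) -> dict[str, bool]:
    """Map each requested name to True (allowed) or False (rejected)."""
    results = {}
    for name in names:
        try:
            resolve_in_workspace(workspace, name)
            results[name] = True
        except BoundaryError:
            results[name] = False
    return results


def demo() -> dict[str, bool]:
    """Build a constructed workspace containing a symlink that points outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        workspace, outside = base / "workspace", base / "host-secrets"
        (workspace / "data").mkdir(parents=True)
        outside.mkdir()
        os.symlink(outside, workspace / "link")  # constructed escape via symlink
        names = ["data/model.bin", "data/../data/ok.txt", "../host-secrets/key",
                 "/etc/passwd", "link/key", "databackup/../../x"]
        return check_all(workspace, names)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY '} {name}")
```

The caller should write to the path the function returns rather than re-resolving the requested name, so the file that is checked is the file that is written.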
