Loading
Free Trial
March 16 2026

Cohesity taps NVIDIA OpenShell to build AI resilience

Long-running, unsupervised agents execute untrusted code, hold production credentials, and make real API calls. NVIDIA OpenShell makes that safer. Here's how Cohesity is applying it across AI resilience.

Get prequalified to start a free trial
Meet with us at NVIDIA GTC
NVIDIA Cohesity

The real problem with autonomous agents is not privilege. It’s trust.

The next generation of AI is autonomous, long-running agents that plan, execute, and evolve over extended periods of time. As NVIDIA demonstrated at GTC 2026, agents now create their own sub-agents, develop specialized skills, and operate professional tools without human supervision. OpenClaw crossed 200K GitHub stars in just a few weeks, outpacing PyTorch and Linux. The agentic era is here.

But there is a foundational problem that the industry has not solved yet. It is not that agents need elevated privileges—most of what agents do works fine in user space. The problem is that useful agents may do things that are inherently unsafe, regardless of privilege level:

  • They blindly execute code written by strangers. The agent does not review the code. It just runs it. When an agent runs pip install, it downloads and executes code from a public registry. Supply chain attacks on major repos are well documented: typosquatting, dependency confusion, and malicious post-install scripts. 
  • They hold production credentials in memory. Agents that interact with cloud platforms carry creds like AWS access keys, Azure OAuth tokens, API keys, and database connection strings. In an unsandboxed environment, any process on the same machine can read these from environment variables, /proc, or shared memory.
  • They make authenticated calls to production control planes. An agent calling create_agent or export_solution on AWS or Azure is making write-capable API calls to infrastructure. A confused or compromised agent could modify or delete production configurations. This needs no elevated privilege—just a credential and a network path.
  • They process adversarial content. Agents that work with security data—malware reports, threat intelligence feeds, content from compromised systems—handle inputs specifically designed to subvert software. An unsandboxed agent processing a malware analysis report could itself become a vector.
  • They run for hours or days, unsupervised. A one-shot script has a limited blast radius. An agent running autonomously for hours, deciding what to install, what to call, and what to write, creates compounding exposure.

This is why the old model—“god mode agents with broad access trying to police themselves”— does not work. Rules that live inside the agent process can be bypassed. The safety layer must be outside the agent, not inside it.

NVIDIA OpenShell: Safety enforced at the runtime, not in the agent

NVIDIA OpenShell, part of the NVIDIA Agent Toolkit, solves this by applying a security model inspired by browsers. Each agent session is isolated. Every action is policy-enforced before it executes. The runtime implements guardrails and provides safety. 

OpenShell is an open-source runtime that combines Linux kernel isolation with a programmable policy engine. 

  • Deny-by-default access. Every network call, file operation, and package install requires explicit policy approval via OPA/Rego, enforced at the infrastructure layer.
  • Verified packages only. Agents can install approved packages. Unverified packages are blocked at the runtime level.
  • Scoped credentials. Secrets are visible only per-policy. An agent in one sandbox cannot see credentials used by another.
  • No cross-agent access. Each sandbox is isolated. A compromised dependency in one session cannot reach another.
  • Private inference by default. Agents use a local open model (Nemotron, Kimi K2.5) on DGX Spark or Station. Sensitive data never leaves the sandbox boundary.

The environment is designed to be safe, even if the agent does not follow its own instructions. OpenShell enforces this at the runtime, where it cannot be bypassed.

AI resilience requires powerful, long-running agents

At Cohesity, AI resilience is our vision for protecting the agentic enterprise through the entire lifecycle of a cyberattack or disruption: detect threats, validate that recovered systems are clean, and ensure continuity for the new generation of agentic AI workloads. Across all these functions, we are increasingly using AI agents to automate workflows that were previously manual, slow, and error prone.

But each of these workflows puts agents in contact with something potentially dangerous — untrusted code, production credentials, adversarial content, or compromised infrastructure. The pattern is the same: the agent automating a security-critical workflow must itself be protected from the threats it is designed to handle.

OpenShell gives us the runtime to do that. Here is how we plan to apply it across the many needs of AI resilience.

Automated threat analysis orchestration

Cohesity Data Cloud performs threat scanning across backup snapshots using Google Threat Intelligence, including behavioral malware detonation via Google Private Scanning. When a scan surfaces suspicious files, infrastructure and security teams review behavioral reports—process activity, registry modifications, network calls, payload behavior—to decide whether the code is malicious or benign and then to restore or quarantine.

Today, much of this triage is manual. We are building AI agents that automate the workflow: scan backup snapshots at scale, identify unknown files, submit them for sandbox detonation, interpret the behavioral reports, and recommend recovery actions.

These agents handle adversarial content by design. A malware report describes what malicious code does: the processes it spawns, the network endpoints it contacts, and the registry keys it modifies. An agent processing this data—making API calls to Google Threat Intelligence, correlating IOCs across snapshots, holding Cohesity Data Cloud credentials—must be isolated from the rest of the environment. A prompt injection embedded in a knowledge base — that was itself compromised by malware—could subvert the triage agent if it runs unsandboxed.

OpenShell provides the isolation layer: the triage agent can access approved threat intelligence endpoints and Cohesity APIs per policy, but cannot reach production infrastructure, other agents, or external services. This way, the agent that orchestrates threat analysis is itself protected from the threats it analyzes.

Autonomous protection policies for agent resources

Cohesity Data Cloud provides policy-based protection for data across on-premises data centers, edge sites, and public clouds (AWS, Azure, GCP). The policy is often derived from the characteristics of data and surrounding infrastructure. Agent access to varied resources exacerbates the already difficult problem of defining and enforcing such a policy. 

The policy engine and runtime enforced permission in OpenShell would allow the Cohesity engine to suggest and apply needed protection between the agents and the enterprise  resources they consume or transform. Cohesity can deduce the correct policy and permissions by combining previously known characteristics with new agent access patterns for data and resources in consideration.

Clean room recovery automation

Cohesity RecoveryAgent orchestrates incident response with blueprint-driven automation. AI agents increasingly drive these workflows, deciding which snapshots to recover, what scans to run, and how to sequence multi-tier application restores. They hold infrastructure credentials and execute scripts against recovered VMs that may contain dormant malware.

The protection provided by the OpenShell runtime is critical because a recovery test gone wrong—a compromised VM reaching back to the orchestrator, a malicious script phoning home —could pivot into the production environment. As a runtime, OpenShell restricts which endpoints the orchestration agent can reach, which credentials it can see, and what cross-agent communication is allowed. Recovery automation becomes safer to run frequently, which means more rehearsal, which means faster recovery when it matters.

Autonomous connector development

The agentic ecosystem—the tools used for development and runtime of agents is growing faster than any team can build backup connectors by hand. We are exploring using long-running agents to develop prototype connectors to these platforms as we get requests to support new platforms, analyze their APIs, generate connector code, and validate backup and restore cycles autonomously. These agents install packages from public registries, hold platform credentials, and make authenticated calls to production APIs. OpenShell provides the isolation to make this safe: verified packages only, scoped credentials, approved network endpoints, and cross-agent containment.

And this is just the beginning 

We see OpenShell-style runtime containment as foundational to securing long-running agents. Compliance monitoring agents that evaluate data sovereignty policies. Data classification agents that scan unstructured content for PII. Capacity forecasting agents that interact with cloud billing APIs. Each follows the same pattern: the agent needs autonomy to be useful, but that autonomy must be bounded by guardrails the agent cannot override. OpenShell provides that boundary.

Why this matters now

According to Gartner®, “33% of enterprise software applications will include agentic AI by 2028, up from less than 1% in 2024.” Additionally, Gartner predicts that by 2028, 25% of enterprise breaches will be traced back to AI agent abuse, from both external and malicious internal actors.

The common thread across all our use cases is that the agents automating security-critical work are themselves attack surfaces. 

Long-running agents will enable 28 million professional developers and 1 billion knowledge workers to create self-evolving AI assistants. Every one of those agents will carry state that matters to the business: configurations, memory, workflow logic, and compliance policies. All of it needs protection. Cohesity’s goal is to make these agents resilient. The agents that deliver this resilience need a runtime that guarantees they cannot cause the very disasters they are designed to prevent.

NVIDIA OpenShell gives us that runtime. Not by restricting what agents can accomplish, but by enforcing where, how, and with whose credentials they operate. We are excited to be among the first to put it to work across AI Resilience.

Cohesity and NVIDIA are also working on NemoClaw, an open-source stack that simplifies running OpenClaw always-on assistants, more safely, with a single command. As part of the NVIDIA Agent Toolkit, it installs the NVIDIA OpenShell runtime—a secure environment for running autonomous agents, and open-source models like NVIDIA Nemotron. 

Learn more: 

Written By

Vasu Murthy

Vasu Murthy

Chief Product Officer

Swami Ramany

Swami Ramany

GVP, Product Management

Recent Blogs

You may also like

Read now
blog icon
Blog
Cohesity at NVIDIA GTC 2026
Read now
Read now
blog icon
Blog
Cybersecurity is national security
Read now
Read now
blog icon
Blog
World Economic Forum names cyber resilience an economic imperative
Read now

Most popular blogs

Read now
blog icon
Blog
Fortifying cyber resilience: Dozens of features and innovations announced at Cohesity Catalyst 1
Read now
Read now
blog icon
Blog
Cohesity NetBackup 11.0: Protecting data from the cyber threats of today and tomorrow
Read now
Read now
blog icon
Blog
A fresh approach to modern application resilience: Cohesity’s Clean Application Recovery
Read now