The Great Agent Approval Paradox: How NanoClaw and Capsule Are Solving AI's Trust Problem
Enterprise AI agents face an unattractive choice: keep them in a sandbox where they can do little useful work, or give them full system access and hope nothing goes wrong. Two emerging platforms are trying to break this deadlock with infrastructure-level safeguards that let agents do meaningful work while keeping humans in control. NanoClaw, an open-source framework, has launched version 2.0 with approval workflows across 15 messaging apps, while Capsule Security emerged from stealth with $7 million in funding to monitor agent behavior at runtime.
The problem is real and urgent. According to Microsoft, over 80% of Fortune 500 companies now run AI agents built with low-code or no-code tools, yet most organizations lack the security infrastructure to govern what those agents actually do in production. The result is what security researchers describe as an opening created by the agentic AI boom: agents can execute code, query databases and trigger financial transactions at machine speed, while security teams have almost no visibility into how they decide to act.
Why Do Traditional Agent Frameworks Create a Security Nightmare?
The fundamental problem with existing agent frameworks is architectural. In platforms such as OpenClaw, whose codebase has grown to nearly 400,000 lines, the agent itself is often responsible for requesting permission before taking sensitive actions. That puts the control in the wrong trust domain: a compromised or manipulated agent could render a fake approval interface, for example by swapping the "Accept" and "Reject" buttons, and trick the user into authorizing a dangerous command.
NanoClaw co-founder Gavriel Cohen, a former Wix.com engineer, identified this as the core design flaw in competing platforms. "The agent could potentially be malicious or compromised," Cohen explained. "If the agent is generating the UI for the approval request, it could trick you by swapping the 'Accept' and 'Reject' buttons." This insight drove NanoClaw's redesign, which moves security enforcement out of the agent and into the infrastructure layer.
How Does NanoClaw's New Approval System Actually Work?
- Container Isolation: Every agent runs inside a strictly isolated Docker or Apple Container, preventing it from accessing the host system or other applications. The agent never sees real API keys; instead, it uses placeholder credentials that are meaningless outside the controlled environment.
- Gateway Interception: When an agent attempts to make an outbound request, the OneCLI Rust Gateway intercepts it before it reaches any external service. The gateway checks user-defined policies (for example, "read-only access is permitted, but sending emails requires approval") and decides whether to allow, block, or escalate the request.
- Human-in-the-Loop Approval: For sensitive actions, the gateway holds the request and sends an approval prompt to the user through their preferred messaging app. Only after the user approves does the gateway substitute the real credential, which it keeps encrypted on its own side, and let the request proceed.
- Unified Messaging Integration: Vercel's Chat SDK enables NanoClaw to deploy approval workflows across 15 different messaging platforms from a single TypeScript codebase, eliminating the need to maintain separate integrations for each channel.
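The four steps above describe one control path: the agent holds only a placeholder credential, a gateway evaluates policy on every outbound request, a human is asked when policy says so, and the real secret is substituted only after approval. The TypeScript below is an added illustration of that path, not NanoClaw or OneCLI code; the hostnames, the policy shape, the placeholder naming scheme, the sample token and the request fixtures are all assumptions. It also encodes the point from the previous section: the approval card is rendered by the gateway from the intercepted request, never from text the agent supplies.

```typescript
// Added illustration, not NanoClaw or OneCLI code. A minimal policy gateway
// between a sandboxed agent and the network: the agent only ever holds a
// placeholder token, the gateway decides allow / block / escalate, and the
// real secret is swapped in only when policy or a human says so.
// Hostnames, policy rules, placeholder scheme and sample secrets are assumed.
import { randomBytes } from "crypto";

type Decision = "allow" | "block" | "escalate";

interface OutboundRequest {
  method: string;
  host: string;
  path: string;
  headers: Record<string, string>; // header names lower-cased
  body?: string;
}

interface Rule {
  host: string;        // exact host match
  methods: string[];   // upper-case HTTP methods this rule covers
  pathPrefix?: string; // optional path restriction
  decision: Decision;
}

// What the agent sees in its environment instead of the real key.
const PLACEHOLDER_GITHUB = "onecli-placeholder-github";

// Real secrets never enter the container; they live only here (constructed value).
const secretStore: Record<string, string> = {
  [PLACEHOLDER_GITHUB]: "ghp_REAL_TOKEN_sample_do_not_use",
};

// Example policy: reads are fine, writes need a human, everything else is denied.
const defaultPolicy: Rule[] = [
  { host: "api.github.com", methods: ["GET"], decision: "allow" },
  { host: "api.github.com", methods: ["POST", "PATCH", "DELETE"], decision: "escalate" },
];

function evaluate(req: OutboundRequest, policy: Rule[] = defaultPolicy): Decision {
  const method = req.method.toUpperCase();
  for (const rule of policy) {
    if (rule.host !== req.host) continue;
    if (!rule.methods.includes(method)) continue;
    if (rule.pathPrefix && !req.path.startsWith(rule.pathPrefix)) continue;
    return rule.decision;
  }
  return "block"; // default deny: anything the policy does not mention stays in the sandbox
}

// Replace the placeholder bearer token with the real one. Throws if the agent
// presents a credential the gateway does not recognise, so a real-looking token
// smuggled into the container is never forwarded.
function injectSecret(req: OutboundRequest): OutboundRequest {
  const match = /^Bearer (\S+)$/.exec(req.headers["authorization"] ?? "");
  if (!match) throw new Error("request must carry a placeholder bearer token");
  const real = secretStore[match[1]];
  if (!real) throw new Error(`unknown placeholder: ${match[1]}`);
  return { ...req, headers: { ...req.headers, authorization: `Bearer ${real}` } };
}

interface PendingApproval { id: string; card: string; }
const pending = new Map<string, OutboundRequest>();

// The card is built by the gateway from the intercepted request, never from
// agent-supplied text, so a compromised agent cannot relabel the buttons or
// hide the real target of the call.
function renderApprovalCard(req: OutboundRequest): string {
  const size = req.body ? ` (${req.body.length}-byte body)` : "";
  return `Agent wants to ${req.method.toUpperCase()} https://${req.host}${req.path}${size}`;
}

function requestApproval(req: OutboundRequest): PendingApproval {
  const id = randomBytes(8).toString("hex"); // unguessable, single-use ticket
  pending.set(id, req);
  return { id, card: renderApprovalCard(req) };
}

// Called when the human answers in their messaging app. Only an approved,
// still-pending ticket yields a request carrying the real credential.
function resolveApproval(id: string, approved: boolean): OutboundRequest | null {
  const req = pending.get(id);
  pending.delete(id);
  if (!req || !approved) return null;
  return injectSecret(req);
}

type Outcome =
  | { status: "sent"; req: OutboundRequest }
  | { status: "blocked" }
  | { status: "pending"; approval: PendingApproval };

function handle(req: OutboundRequest, policy: Rule[] = defaultPolicy): Outcome {
  const decision = evaluate(req, policy);
  if (decision === "allow") return { status: "sent", req: injectSecret(req) };
  if (decision === "escalate") return { status: "pending", approval: requestApproval(req) };
  return { status: "blocked" };
}

// Constructed sample requests, shaped as the sandboxed agent would emit them.
function agentRequest(method: string, host: string, path: string, body?: string): OutboundRequest {
  return { method, host, path, body, headers: { authorization: `Bearer ${PLACEHOLDER_GITHUB}` } };
}

const readIssues = handle(agentRequest("GET", "api.github.com", "/repos/acme/app/issues"));
const createIssue = handle(agentRequest("POST", "api.github.com", "/repos/acme/app/issues", '{"title":"bug"}'));
if (createIssue.status === "pending") {
  console.log(createIssue.approval.card);        // what the human sees
  const released = resolveApproval(createIssue.approval.id, true);
  console.log(released?.headers.authorization);  // real token appears only now
}
console.log(readIssues.status, handle(agentRequest("POST", "evil.example", "/exfil")).status);
```

Two design choices carry the security argument. Unknown hosts and methods fall through to "block", so the policy is an allow-list rather than a deny-list. And the approval ticket is consumed on first use, so a rejected or already-resolved ticket can never be replayed to release the secret.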
The 15 supported messaging apps and channels include Slack, WhatsApp, Telegram, Microsoft Teams, Discord, Google Chat, iMessage, Facebook Messenger, Instagram, X (formerly Twitter), GitHub, Linear, Matrix, Email, and Webex. This breadth matters because users receive approval requests in the apps where they already spend their time, rather than having to check a separate dashboard.
NanoClaw presents its lean codebase as a security feature in its own right. The entire framework is about 3,900 lines of code across 15 source files, against OpenClaw's roughly 400,000-line monolith. A codebase that small can be read end to end by a human reviewer, or a secondary AI, in roughly eight minutes, which makes it practical for security-conscious organizations to audit the code themselves rather than take it on trust.
What Real-World Problems Does This Solve?
The approval workflow targets high-consequence "write" actions where mistakes carry real business risk. In DevOps environments, an agent could propose a cloud infrastructure change that only goes live once a senior engineer taps "Approve" in Slack. For finance teams, an agent could prepare batch payments or triage invoices, with the final disbursement requiring a human sign-off via a WhatsApp card. These use cases sit on the boundary between useful automation and dangerous autonomy.
Historically, IT departments have blocked agent usage outright because credential access was all-or-nothing. By decoupling the agent from the secret, NanoClaw offers a third option: agents that are capable without ever holding the keys themselves.
How Is Capsule Security Approaching Runtime Monitoring?
While NanoClaw focuses on preventing sensitive actions from happening without approval, Capsule Security takes a complementary approach by monitoring what agents actually do during execution. The company raised $7 million in seed funding led by Lama Partners, with participation from Forgepoint Capital International, to build what it calls a "runtime-first trust layer" for agentic AI.
Capsule's platform enforces controls directly in the agent execution path, giving teams real-time visibility into agent behavior and oversight of what agents can access and act upon. The company has already uncovered vulnerabilities in enterprise AI platforms. Its researchers disclosed ShareLeak, a critical-severity indirect prompt injection flaw in Microsoft Copilot Studio (now patched and assigned CVE-2026-21520), and PipeLeak, a separate prompt injection vulnerability in Salesforce Agentforce that can be triggered through untrusted lead-form input.
"AI agents are quickly becoming a new class of privileged user in the enterprise, except they can act at machine speed and they do not behave like deterministic software. That creates a dangerous gap between what security teams can govern today and what agents can do in production. Capsule closes that gap by enforcing trust at runtime, inside the execution path, so teams can move fast with agents while staying in control of what those agents can access and execute," said Naor Paz, CEO and co-founder of Capsule Security.
To address vulnerabilities in open-source frameworks, Capsule released ClawGuard, an open-source enforcement tool for the OpenClaw framework that adds a pre-invocation checkpoint before the agent carries out any tool call. Each agent action becomes a controlled decision point at which the system can verify that the action matches intended behavior before it runs.
Why Does the Security Community Take This Seriously?
Capsule's advisory board includes some of the most respected figures in enterprise security. Chris Krebs, the first director of the Cybersecurity and Infrastructure Security Agency (CISA), serves as an advisor, alongside Omer Grossman, former global CIO at CyberArk; Jim Routh, former CISO at multiple Fortune 500 enterprises; and Dr. Yonesy Núñez, a former CISO with a background in financial services. That depth of security expertise behind a seed-stage startup signals that the problem is treated as urgent rather than theoretical.
"The agentic AI boom is creating an opening in runtime behavior enterprises can't afford to ignore. The ability to secure this layer is what ultimately determines whether companies can move fast with AI without breaking trust," noted Omer Grossman, former global CIO at CyberArk.
Capsule was named one of six finalists in the CrowdStrike, Amazon Web Services, and NVIDIA Startup Accelerator at the RSA Conference, selected from a field of nearly 1,000 competing startups. The recognition reflects how much attention agent security is drawing across the technology industry.
What Does This Mean for Enterprise AI Adoption?
The emergence of these platforms suggests that the "sandbox versus full access" dilemma is starting to be addressed. Organizations can deploy agents that perform meaningful work, such as scheduling meetings, triaging email, or managing cloud infrastructure, without granting them unrestricted system access. This shift from speculative experimentation to safe operationalization could unlock a new wave of AI agent adoption in enterprises that previously rejected the technology on security grounds.
NanoClaw's partnership with Vercel and OneCLI demonstrates how modular, open-source tools can be combined. With NanoClaw for agent orchestration, Vercel's Chat SDK for unified messaging integration, and OneCLI for secrets management, the coalition argues that specialized tools can outpace proprietary platforms in building the application layer for AI. NanoClaw has already amassed more than 27,400 stars on GitHub and maintains an active Discord community, indicating strong developer adoption.
The broader implication is that AI agent security is no longer a future concern but a present-day requirement. With over 80% of Fortune 500 companies now using active AI agents, the infrastructure to govern them safely has become as critical as the agents themselves.