The Great Agent Security Divide: Why Anthropic and Nvidia Built Opposite Defenses
AI agents are now running in production at 79% of organizations, but only 14.4% have full security approval for their entire agent fleet. That gap between deployment speed and security readiness has created what cybersecurity experts are calling a governance emergency. At the RSA Conference 2026 in April, four separate keynote speakers arrived at the same conclusion without coordinating: AI agents need a fundamentally different security model than traditional software. Then two companies shipped architectures that answer the question in completely opposite ways.
Why Is the Default Agent Architecture a Security Nightmare?
The problem starts with how most enterprises deploy AI agents today. The standard pattern is a monolithic container where the model reasons, calls tools, executes generated code, and holds credentials all in one process. Every component trusts every other component. OAuth tokens, API keys, and git credentials sit in the same environment where the agent runs code it wrote seconds ago. A prompt injection attack gives the attacker everything.
The numbers reveal how widespread this vulnerability is. According to a survey of 228 IT and security professionals conducted by the Cloud Security Alliance (CSA) and Aembit, 43% of organizations use shared service accounts for agents, 52% rely on workload identities rather than agent-specific credentials, and 68% cannot distinguish agent activity from human activity in their logs. No single team claimed ownership of agent security. Security teams said it was a developer responsibility. Developers said it was security's job. Nobody owned it.
The real-world consequences are already visible. CrowdStrike's Global Threat Report documented a supply chain campaign called ClawHavoc targeting the OpenClaw agentic framework. Antiy CERT confirmed 1,184 malicious skills tied to 12 publisher accounts. Snyk's ToxicSkills research found that 36.8% of 3,984 ClawHub skills scanned contain security flaws at any severity level, with 13.4% rated critical. Average breakout time has dropped to 29 minutes. The fastest observed breakout took 27 seconds.
How Are Companies Actually Solving Agent Security?
- Anthropic's Separation Model: Split every agent into three independent components that do not trust each other: a brain (Claude and the harness routing decisions), hands (disposable Linux containers where code executes), and a session (an append-only event log outside both). Credentials never enter the sandbox.
- Nvidia's Containment Model: Wrap the entire agent inside four stacked security layers and monitor every move. Use kernel-level sandboxing with Landlock, seccomp, and network namespace isolation. Default-deny outbound networking forces every external connection through explicit operator approval.
- Observability and Audit Trails: Both approaches include real-time logging of agent actions, but they differ in how much autonomy agents retain versus how much visibility operators gain.
Anthropic's Managed Agents, launched April 8 in public beta, separates instructions from execution using a pattern borrowed from microservices and serverless functions. Credentials never enter the sandbox. Anthropic stores OAuth tokens in an external vault. When the agent needs to call a tool, it sends a session-bound token to a dedicated proxy. The proxy fetches real credentials from the vault, makes the external call, and returns the result. The agent never sees the actual token. Git tokens get wired into the local remote at sandbox initialization. Push and pull work without the agent touching the credential. For security directors, a compromised sandbox yields nothing an attacker can reuse.
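The credential-brokering pattern described above, as an added illustration that is not Anthropic's code and makes no claim about how Managed Agents implements it: the sandbox holds only a session-bound token (here an HMAC-signed, expiring, tool-scoped string; the format is an assumption), the proxy verifies it, pulls the real credential from a vault the sandbox cannot reach, makes the upstream call, and returns only the result. The vault contents and the upstream call are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the external vault: real credentials keyed by tool.
# The sandbox process never holds a reference to this, only the proxy does.
VAULT = {
    "github": "ghp_REAL_TOKEN_PLACEHOLDER",      # constructed placeholder
    "calendar": "ya29.REAL_TOKEN_PLACEHOLDER",   # constructed placeholder
}

# Signing key held on the proxy side only; used to mint and verify session tokens.
PROXY_KEY = secrets.token_bytes(32)


def mint_session_token(session_id, allowed_tools, ttl_seconds=900, now=None):
    """Issue a session-bound token: it names the session, the tools it may
    reach and an expiry, and carries an HMAC so the proxy can verify it.
    The real credential is not encoded anywhere in it."""
    now = time.time() if now is None else now
    expires = int(now + ttl_seconds)
    payload = f"{session_id}|{','.join(sorted(allowed_tools))}|{expires}"
    tag = hmac.new(PROXY_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_session_token(token, now=None):
    """Return (session_id, allowed_tools), or None if the token is forged,
    tampered with or expired."""
    now = time.time() if now is None else now
    try:
        session_id, tools, expires, tag = token.split("|")
    except ValueError:
        return None
    payload = f"{session_id}|{tools}|{expires}"
    expected = hmac.new(PROXY_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    if now >= int(expires):
        return None
    return session_id, set(filter(None, tools.split(",")))


def external_call(tool, credential, request):
    """Constructed stand-in for the real upstream API call."""
    return {"tool": tool, "authorized": credential == VAULT[tool], "echo": request}


def proxy_call(session_token, tool, request, now=None):
    """The proxy: verify the session token, check tool scope, fetch the real
    credential from the vault, make the upstream call, return only the result."""
    verified = verify_session_token(session_token, now=now)
    if verified is None:
        return {"error": "invalid or expired session token"}
    session_id, allowed = verified
    if tool not in allowed:
        return {"error": f"tool {tool!r} not permitted for session {session_id}"}
    if tool not in VAULT:
        return {"error": f"no credential for {tool!r}"}
    return external_call(tool, VAULT[tool], request)


def sandbox_agent(session_token, tool, request, now=None):
    """What runs inside the disposable container: it only ever holds the
    session token and the proxy's response. Returns (result, memory_contents)
    where memory_contents is what a memory dump of the sandbox would reveal."""
    result = proxy_call(session_token, tool, request, now=now)
    # A dumped sandbox yields a token scoped to one session and a few tools,
    # with an expiry, and never the credential stored in the vault.
    memory_contents = session_token
    return result, memory_contents
```

The checks a practitioner cares about are the negative ones: a token presented for a tool outside its scope, after its expiry, or with a modified tag gets an error and no upstream call, and the string the sandbox holds does not contain the vault credential.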
The security gain arrived as a side effect of a performance fix. Anthropic decoupled the brain from the hands so inference could start before the container booted. Median time to first token dropped roughly 60%. The zero-trust design is also the fastest design. That kills the enterprise objection that security adds latency. Pricing is $0.08 per session-hour of active runtime, with idle time excluded, plus standard API token costs.
Nvidia's NemoClaw, released March 16 in early preview, takes the opposite approach. It does not separate the agent from its execution environment. It wraps the entire agent inside four stacked security layers and watches every move. NemoClaw stacks five enforcement layers between the agent and the host using kernel-level sandboxing. Default-deny outbound networking forces every external connection through explicit operator approval via YAML-based policy. A privacy router directs sensitive queries to locally running Nemotron models, cutting token cost and data leakage to zero.
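To make the default-deny outbound networking concrete, here is an added example that is not NemoClaw's code and assumes nothing about its policy schema: the policy is shown in its parsed form (a deployment would load it from YAML with a library such as PyYAML), every connection attempt is evaluated against the allow list, every decision is written to an audit log, and each unknown endpoint is queued for one operator approval. The hostnames are constructed.

```python
import fnmatch
from collections import deque

# Parsed form of a constructed operator policy. The schema (default/allow with
# host glob and port) is an assumption for this example, not NemoClaw's format.
# Anything not listed is denied: default-deny outbound.
POLICY = {
    "default": "deny",
    "allow": [
        {"host": "api.github.com", "port": 443},
        {"host": "*.internal.example", "port": 443},   # constructed domain
        {"host": "127.0.0.1", "port": 11434},          # constructed local model endpoint
    ],
}


class NetworkGuard:
    """Evaluate every outbound connection the agent attempts. In-policy
    connections pass; everything else is denied, logged and queued for an
    operator to approve. The agent sees only the allow/deny result."""

    def __init__(self, policy):
        self.policy = policy
        self.audit_log = []      # every decision, in order
        self.pending = deque()   # distinct endpoints awaiting operator approval

    def _matches(self, host, port):
        return any(
            fnmatch.fnmatchcase(host, rule["host"]) and port == rule["port"]
            for rule in self.policy["allow"]
        )

    def connect(self, host, port):
        """Decide one connection attempt; returns True if it may proceed."""
        allowed = self._matches(host, port)
        decision = "allow" if allowed else self.policy["default"]
        self.audit_log.append({"host": host, "port": port, "decision": decision})
        if decision != "allow" and (host, port) not in self.pending:
            self.pending.append((host, port))
        return decision == "allow"

    def approve(self, host, port):
        """Operator action: add the endpoint to the allow list."""
        self.policy["allow"].append({"host": host, "port": port})
        if (host, port) in self.pending:
            self.pending.remove((host, port))

    def operator_actions_required(self):
        """Each distinct new endpoint costs one manual approval; this is the
        operator load that scales with agent activity."""
        return len(self.pending)


def simulate(guard, attempts):
    """Run a constructed sequence of (host, port) attempts; return the decisions."""
    return [guard.connect(host, port) for host, port in attempts]
```

Running the constructed sequence shows both halves of the trade-off the article describes: the audit log is complete, and the pending queue grows by one for every endpoint the agent discovers that the operator has not yet approved.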
"While the concept of zero trust is good, we need to take it a step further. It's not just about authenticating once and then letting the agent run wild. It's about continuously verifying and scrutinizing every single action the agent's trying to take, because at any moment, that agent can go rogue," said Matt Caulfield, VP of Product for Identity and Duo at Cisco.
Where Do These Two Approaches Actually Differ?
The trade-off for organizations evaluating NemoClaw is straightforward. Stronger runtime visibility costs more operator staffing. The agent does not know it is inside NemoClaw. In-policy actions return normally. Out-of-policy actions get a configurable denial. Observability is the strongest layer. A real-time Terminal User Interface logs every action, every network request, every blocked connection. The audit trail is complete. The problem is cost: operator load scales linearly with agent activity. Every new endpoint requires manual approval. Observation quality is high. Autonomy is low. That ratio gets expensive fast in production environments running dozens of agents.
Anthropic's approach trades some observability for autonomy. Session durability is the structural gain. A container crash in the monolithic pattern means total state loss. In Managed Agents, the session log persists outside both brain and hands. If the harness crashes, a new one boots, reads the event log, and resumes. Not losing state becomes a productivity gain over time. Managed Agents include built-in session tracing through the Claude Console.
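The crash-and-resume behaviour above, as an added example that is not Anthropic's code and assumes nothing about Managed Agents' event format: the session log is an append-only sequence of serialized events kept outside the harness, a harness rebuilds its completed-step set from that log on boot, and a replacement harness picks up after a simulated crash. The plan steps are constructed. It also shows the caveat a practitioner would want: a step that was started but never marked done is re-run, so steps must be idempotent.

```python
import json


class SessionLog:
    """Append-only event log that lives outside both brain and hands.
    Events are serialized on append so the log could just as well be a file
    or an object store; nothing here is ever rewritten or deleted."""

    def __init__(self):
        self._events = []

    def append(self, event):
        self._events.append(json.dumps(event))

    def events(self):
        return [json.loads(e) for e in self._events]


class Harness:
    """Routes the plan's steps to execution. On boot it reconstructs its state
    from the session log instead of starting empty."""

    def __init__(self, log, crash_after=None):
        self.log = log
        self.crash_after = crash_after   # simulate a crash after N steps (constructed)
        self.completed = set()
        for ev in log.events():
            if ev["type"] == "step_done":
                self.completed.add(ev["step"])

    def run(self, plan):
        done = 0
        for step in plan:
            if step in self.completed:
                continue                 # already finished by an earlier harness
            self.log.append({"type": "step_started", "step": step})
            if self.crash_after is not None and done >= self.crash_after:
                raise RuntimeError("container crashed")   # simulated crash
            result = f"result-of-{step}"                   # stand-in for real work
            self.log.append({"type": "step_done", "step": step, "result": result})
            self.completed.add(step)
            done += 1
        return self.completed


def run_with_recovery(plan, crash_after):
    """Run the plan in one harness that crashes, then boot a fresh harness
    against the same log and let it resume. Returns (completed, events)."""
    log = SessionLog()
    try:
        Harness(log, crash_after=crash_after).run(plan)
    except RuntimeError:
        pass
    completed = Harness(log).run(plan)
    return completed, log.events()
```

With a three-step plan and a crash after the first step, the replacement harness skips the finished step, re-runs the one that was started but not completed, and finishes the plan; the log shows the duplicate `step_started` for the interrupted step, which is exactly why side effects in a step need to be safe to repeat.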
CrowdStrike's CTO Elia Zaitsev noted that securing agents resembles securing highly privileged users. "A lot of what securing agents look like would be very similar to what it looks like to secure highly privileged users. They have identities, they have access to underlying systems, they reason, they take action," Zaitsev explained. "There's rarely going to be one single solution that is the silver bullet. It's a defense in depth strategy."
What Does This Mean for Enterprise Teams?
The gap between Anthropic and Nvidia's designs reveals where the real risk sits. Only 26% of organizations have AI governance policies in place, according to a CSA survey presented at RSA. The CSA's Agentic Trust Framework describes the resulting gap between deployment velocity and security readiness as a governance emergency. Security directors can now model agent compromise cost per session-hour against the cost of architectural controls.
Beyond these two architectures, the broader market is moving toward sovereign AI solutions designed for regulated industries. Younet AI announced a strategic partnership with Perpetuals.com to license and co-develop Forgentiq.ai, a sovereign large language model (LLM) and agentic technology platform designed for institutional-grade digital asset market infrastructure. The partnership positions both companies at the forefront of regulated fintech infrastructure as institutional capital flows into blockchain at unprecedented scale.
Younet AI is developing Forgteam, a fully sandboxed, native orchestration engine for Forgentiq.ai agents. This engine will enable deterministic orchestration with predictable task sequencing, transparent token economics with real-time visibility into token consumption per agent, and comprehensive audit trails logging agent decisions, actions, and resource utilization. The capability reflects growing demand for agents that operate with full transparency in regulated environments.
The timing of these architectural innovations aligns with massive shifts in institutional capital. The Anthropic-Broadcom partnership expansion secures 3.5 gigawatts of TPU capacity from 2027 onward, validating that AI infrastructure has emerged as the defining asset class of this decade. Anthropic's annual revenue run rate has surpassed $30 billion, up from approximately $9 billion at the end of 2025. Enterprise customers spending $1 million or more annually have doubled from February to over 1,000 organizations.
The real story is not which architecture is "better." It is that the industry has finally acknowledged that monolithic agents are indefensible. The question now is whether your organization will choose separation of concerns like Anthropic, containment and monitoring like Nvidia, or a hybrid approach. The governance emergency is real. The solutions are shipping. The choice belongs to your security team.