Kai Ole Hartwig — Blog
5 min read
By

NVIDIA OpenShell becomes the containment layer for agents — sandbox, credential isolation and policy-as-code in GitHub Copilot

4 June 2026. At Microsoft Build 2026 (keynote on 2 June), NVIDIA and Microsoft presented OpenShell as a secure runtime for autonomous agents and integrated it into GitHub Copilot. Every agent runs in its own sandboxed container; every outbound call is checked against a policy written as code before it reaches files, networks or credentials. The real move is not in the chip but in the layer: agents get their own security substrate.

What happened

On 2 June, in the Build keynote, NVIDIA and Microsoft showcased their expanded partnership. At its centre, for my readers, is NVIDIA OpenShell, a secure-by-design runtime for autonomous agents that is now integrated into GitHub Copilot. The principle: each agent runs isolated in its own sandboxed container, and every outbound call is evaluated against a policy before it may reach files, networks or credentials. The rules are written as code, versioned in the repository and changeable at runtime. OpenShell is licensed under Apache 2.0, is model-agnostic and spans on-premises, hybrid and cloud environments. The same runtime also sits beneath the new Windows agents on RTX Spark and DGX Station — built on new Windows security primitives for identity, containment and policy.

Why this matters

Yesterday this slot was about the orchestration and governance layer — who picks the model, who bills, who logs. OpenShell sits one floor below: at the question of what an agent may even touch at the moment of execution. This is precisely where the agent wave had been stalling. An agent that really gets work done needs access to files, networks and systems — and that very authority is the risk. Handing an agent standing credentials does not scale: it turns every misdirected agent into full access. OpenShell’s answer is the separation of capability and authorisation — „real capability without real credentials“: the agent can act, but every single action passes a policy gate. Architecturally this is the same shift that containers and sandboxing brought — do not trust the process, control the frame it runs in. That the layer is open (Apache 2.0) and model-agnostic makes it neutral substance, comparable to MCP at the interop level.

What this means for the German Mittelstand

For the DACH Mittelstand this is first a data-protection and sovereignty question, not a performance question. Letting agents into your own systems is a decision about which data crosses which border. OpenShell addresses this axis with three levers: requests can be routed by policy to local models, personal information is masked before being sent to cloud models, and via Microsoft Foundry Local on Azure Local workloads can run where the data resides — on-premises, hybrid or in sovereign environments, without giving up governance.

This is the entry question, not the footnote. Anyone letting agents loose on personal-data records belongs, with that plan, at the data-protection officer’s desk, in the record of processing activities and — for sensitive data classes — in a data protection impact assessment. PII masking before the cloud call and routing to local models are not a comfort feature but technical building blocks of a third-country and sub-processor argument: they move the line at which data leaves the house at all. For regulated firms this fits into the outsourcing and ICT third-party obligations under BaFin/MaRisk and DORA. These mechanisms do not replace a legal and data-protection assessment — but they provide an auditable technical basis instead of a blanket „the AI sees everything“.

What this means for technical development

Technically, a layer of its own is emerging in the agent stack: the containment and execution substrate, separate from the model (interchangeable) and from orchestration (routing, governance). OpenShell turns agent permissions into policy-as-code — versioned in the repository, reviewable in the pull request, updatable in operation. The permission question thus moves from ad-hoc configuration into version control: the same GitOps pattern we have long used for infrastructure, now for the question of what an agent may do. The per-agent sandboxed container and the policy gate before every outbound call enforce least privilege structurally, instead of documenting it.

The practical value for development lies in the neutrality. OpenShell is Apache 2.0 and model-agnostic; the underlying Windows primitives provide identity, containment and policy as native capabilities. Model your agent permissions cleanly as policy and you are not bound to a model vendor — the same containment definition carries across local, hybrid and cloud execution. That is the investment that stays, even if the model underneath is a different one tomorrow.

Concrete recommendation

In this order. First, an honest inventory: where are agents or agent features already running in the house, which systems do they access, and with which credentials — are standing full-access tokens running anywhere? Second, make capability-without-standing-credentials the goal: model agent permissions as policy-as-code, least-privilege, versioned and reviewed — not as a permanent token in a config file. Third, pilot a sovereign variant for data classes with personal data: local or on-prem model routing plus PII masking before every cloud call, coordinated with the data-protection officer, with an entry in the record of processing activities and a DPIA check. Fourth, watch OpenShell as a young, open layer rather than putting it into production immediately — its licence (Apache 2.0) and model neutrality make a controlled pilot low-risk.

This article reflects my technical and strategic assessment. It does not replace legal advice or a data protection impact assessment.

Sources

About the author

[Translate to English:] Foto von Kai Ole Hartwig.

Kai Ole Hartwig

Freelance DevSecOps consultant · OnlyOle Consulting

Programming since 2002 – self-taught, set up my own business with KO-Web in 2012. Over 100 projects, with a focus on security, performance, automation and quality. Today freelance: DevSecOps consulting, training and software development.