Agents Have Credentials Now. Enterprise Security Was Not Built for That.

NVIDIA GTC 2026 hosted a session called "Safety in the OpenClaw Era" on March 16 in San Jose. The session description set the terms plainly: OpenClaw and platforms like it no longer just assist. They hold credentials, persist context across sessions, spawn sub-agents, and execute continuously against production systems. That is a different threat model than anything enterprise security was built to handle. The panelists, Francis deSouza of Google Cloud, Amit Zavery of ServiceNow, Elia Zaitsev of CrowdStrike, and Anirvan Mukherjee of Palantir, moderated by NVIDIA Senior Director Ali Golshan, were there to work out what a governance infrastructure that does not yet exist at scale actually needs to look like.

[Photo] Safety in the OpenClaw Era panel, NVIDIA GTC 2026, San Jose, March 16, 2026. Left to right: Anirvan Mukherjee (Palantir), Elia Zaitsev (CrowdStrike), Amit Zavery (ServiceNow), Francis deSouza (Google Cloud), Ali Golshan (NVIDIA).

The Agent Paradox Has a Name Now

The moderator, Ali Golshan, framed the core tension cleanly: the more autonomy you give an agent, the more valuable it becomes, and the more dangerous it is. CrowdStrike Global CTO Elia Zaitsev added a useful mental model. Think of an AI agent as a very smart, highly caffeinated PhD intern. Brilliant, fast, and genuinely capable. But would you hand that person root access to every system in the organization on day one? Most enterprises would not. The same logic applies to agents, and the industry has not yet built the institutional equivalent of a probationary period, graduated access, or a real audit trail.

The panel agreed that this tension is use-case specific. deSouza cited a real example: the American Society of Clinical Oncologists uses agents to help oncologists evaluate treatment guidelines, a tightly scoped task with a defined purpose. That is a different risk profile than a general-purpose agent with tool-building capability and persistent memory. What the industry has not done yet is build differentiated governance for those two categories.

The Trust Layer Is the Real Product

Golshan drew a comparison to the evolution of the browser. What transformed the web from an enthusiast sandbox into commercial infrastructure was not bandwidth or content. It was the insertion of a trust layer. Secure connections, certificate authorities, sandboxed execution environments. The same transition is now required for agentic software. Without it, agents remain a proof of concept that organizations run carefully in controlled pilots but never promote to production at scale.

Google Cloud COO and President of Security Products Francis deSouza put the implication plainly: everything the enterprise does for human employees today, from identity verification and access control to software development lifecycle reviews and audit logging, has to be rebuilt natively for agents. Not retrofitted. Not added on top after deployment. Baked in at the architecture layer. The organizations that figure this out first are not just solving a security problem. They are building the platform on which the next generation of large enterprise software companies will be constructed.

Identity Governance Is the Immediate Gap

ServiceNow's Amit Zavery identified the most concrete near-term problem. Agents change their identity context faster than existing identity and access management systems can track. Every time an agent picks up a new task, joins a workflow, or spawns a sub-agent, it may be operating under a different permission set. The volume and velocity of these non-human identity changes is a category of risk the enterprise stack was not built to handle. Traditional identity governance was designed around humans whose roles change quarterly, not agents whose effective identity changes by the minute.

Zavery also flagged a related gap he described as a control tower function. As agent proliferation accelerates, enterprises need something that auto-discovers every AI system running in their environment, observes its behavior, and manages its lifecycle. Without that, the governance conversation is theoretical. You cannot govern what you cannot see, and most organizations today have no reliable inventory of what agents are actually running across their infrastructure.

Zavery’s comments carry more weight when you know what ServiceNow is building toward. In December 2025, the company announced a $7.75 billion acquisition of Armis, a cyber exposure management company with real-time asset discovery across information technology, operational technology, and cyber-physical systems. The stated goal is a unified security stack that can see, decide, and act across an organization’s entire technology footprint. The control tower Zavery described on the panel is not a theoretical future state. ServiceNow is spending to own it.

Security Is Adversarial. Most Domains Are Not.

CrowdStrike's Elia Zaitsev made a distinction that sharpened the rest of the conversation. Most domains where AI agents are being deployed are relatively static. Tax law changes slowly and the changes are publicly documented. Human language evolves over decades. Marketing content does not require constant adversarial recalibration. Security is qualitatively different because adversaries are, by definition, continuously attempting to subvert whatever rules you establish. Agent model drift, the gradual divergence of a model's behavior from its intended parameters, is a known machine learning challenge. In a security context it is not a maintenance issue. It is an ongoing threat vector. The agents defending your environment will drift, and so will the agents attacking it. The timescales at which each side operates, and the controls appropriate to each timescale, become the central engineering challenge.

Palantir's Anirvan Mukherjee added a related point. Rather than layering guardrails on top of agents after the fact, policy should be encoded as close to the data and permission layer as possible. His example: an insurance company receiving inputs from external brokers should be able to detect anomalous machine-speed activity and disallow related actions at the persistence layer, not at an application layer that may be three steps removed from where the damage is happening. Push the policy down. The further up the stack your controls live, the more attack surface exists beneath them.

The Data Privacy Problem Is Larger Than It Looks

Golshan offered a quantification that deserves attention. When an agent executes code, the risk surface is bounded and relatively well understood. When an agent works with sensitive data, the velocity differential is roughly five orders of magnitude greater. The existing data governance tooling was not built for that speed. deSouza noted that agents will surface old problems organizations thought they had buried. The abandoned SharePoint server with poorly maintained access controls was harmless when no one could efficiently find it. An agent roaming the enterprise environment will find it, read it, and potentially act on it. There is no such thing as an AI strategy without a data strategy, and that statement applies with more force to agents than to any prior generation of enterprise software.

The Viability Question for Technology Leaders

The panel was not pessimistic. Every speaker described real production deployments where agents are delivering measurable value today. The question is whether organizations are building on a foundation that will hold. The vendors represented on that stage, Google Cloud, ServiceNow, CrowdStrike, and Palantir, are each building components of what will eventually become the trust layer for enterprise agents. None of them has the complete picture yet. The relevant question for a technology leader evaluating agent platforms right now is not whether the agents can perform the task in a demo. It is whether the platform has a coherent, native answer for identity governance, policy enforcement at the data layer, auditability, and adversarial resilience. If the answer requires significant add-on architecture, the platform is not production-ready for high-stakes workflows.

Sources

Golshan, Ali, et al. "Safety in the OpenClaw Era [S82553]." NVIDIA GTC 2026, San Jose, CA, 16–19 Mar. 2026. Panel participants: Francis deSouza (Google Cloud), Amit Zavery (ServiceNow), Elia Zaitsev (CrowdStrike), Anirvan Mukherjee (Palantir), moderated by Ali Golshan (NVIDIA). Transcript via Otter.ai. Session catalog: nvidia.com/gtc/session-catalog/sessions/gtc26-s82553.

Disclaimer: This blog reflects my personal views only. Content does not represent the views of my employer, Info-Tech Research Group. AI tools may have been used for brevity, structure, or research support. Please independently verify any information before relying on it.