A new VentureBeat analysis from this week lands on a truth that every enterprise security team already feels in their gut: most AI agents are a credential exfiltration waiting to happen. The monolithic agent pattern — where reasoning, execution, credential storage, and tool access all share the same process — creates a threat surface that conventional security tooling wasn't designed to close.
The piece audits two emerging zero trust architectures: Anthropic's Managed Agents, which structurally separate the "brain" from the "hands," and Nvidia's NemoClaw, which wraps agents in layers of kernel-level policy enforcement. Both represent meaningful advances. Neither, on its own, closes the full loop.
The gap they leave is exactly where Pomerium lives.
The VentureBeat piece frames the core vulnerability well: in the monolithic pattern, AI model reasoning, tool execution, and credentials occupy the same memory space. If an attacker can influence the agent's reasoning — through a prompt injection attack on untrusted input — they can potentially reach every credential the agent holds.
Core threat identified by VentureBeat
A March 2026 CSA/Aembit survey of 228 IT and security professionals found that 43% of organizations use shared service accounts for AI agents — making them the first targets for credential exfiltration. An agent holding OAuth tokens in its execution environment is a single-hop attack away from a full breach.
Anthropic's response is architectural: remove credentials from the execution sandbox entirely. Their Managed Agents decouple inference from the container that takes actions. A compromised sandbox yields nothing worth stealing. It's a structurally elegant approach — and by decoupling inference from container boot, Anthropic also achieved a roughly 60% drop in median time-to-first-token. The zero trust design turned out to be the faster design, too.
Nvidia's NemoClaw takes the opposite posture: keep the agent whole, but enforce strict kernel-level controls on what it can do. Landlock, seccomp, network namespaces, and an intent verification engine create multiple enforcement layers between the agent and the host. The tradeoff, as the VentureBeat analysis notes: operator approval overhead scales with agent activity, and for integrations that require runtime credentials, those tokens may still reside inside the execution environment.
Monolithic Agent (Legacy) | Isolated Execution (Anthropic + Nvidia) | + Pomerium Layer (Complete Stack) | |
|---|---|---|---|
Credential separation | ✗ Credentials in execution env | ✓ Credential separation (Anthropic) | ✓ Credential separation |
Blast radius containment | ✗ No blast radius containment | ✓ Kernel-level isolation (Nvidia) | ✓ Kernel-level isolation |
Shared accounts | ✗ Shared service accounts | △ No network-layer identity | ✓ Identity-aware access proxy |
Single-hop risk | ✗ Single-hop exfiltration | △ No cross-service policy | ✓ Per-request policy enforcement |
Operational overhead | △ Low operational overhead | ✗ No per-request auth enforcement | ✓ Full audit trail, no static creds in the request path |
Read the VentureBeat audit closely, and a pattern emerges. Both Anthropic and Nvidia solve the intra-agent problem — what the agent can do within its own execution environment. But neither solves the inter-service problem: how do the services and APIs that the agent calls know they're talking to a legitimate, properly scoped agent — and not an attacker who has compromised the agent's outbound request channel?
Consider what happens when an AI agent in either architecture calls an internal API — a CRM, a code repository, an HR system. The downstream service receives an HTTP request. In the monolithic pattern, that request carries a static bearer token. In Anthropic's model, that token was at least never inside the sandbox. In NemoClaw, the network policy gates which endpoints the agent can reach. But in neither case does the downstream service have cryptographic certainty about the caller's identity, scope, or entitlements at the moment of that specific request.
Zero trust for AI agents isn't just about protecting what's inside the sandbox — it's about ensuring every downstream service verifies every agent request, every time, regardless of network location.
This is the trust gap that matters in production. It's not enough to ensure that an agent's credentials didn't get stolen during the session. You also need every service that the agent touches to enforce who it is, what it's allowed to do, and whether this specific action is within its delegated scope — on a per-request basis, with a full audit record.
Pomerium is a context-aware, identity-aware access proxy. It turns out to be exactly what AI agents need at the network layer — for all the same reasons it secures human access to internal services, and a few new ones that are specific to agentic workloads.
Here's how Pomerium closes the gaps that both Anthropic's and Nvidia's architectures leave open:
Pomerium issues short-lived, cryptographically signed tokens for each agent session. There are no long-lived OAuth tokens or API keys to steal — from the sandbox or anywhere else. This is a structural complement to Anthropic's credential isolation: even if the brain and hands are separated, the credentials that flow between them are ephemeral and scoped to the session. (Pomerium docs →)
Every request an agent makes to a downstream service passes through Pomerium's policy engine. Policies can encode agent identity, time-of-day constraints, allowed actions, and even the specific task the agent was instantiated to perform. A coding agent shouldn't have read access to the HR system — and with Pomerium, it structurally can't, regardless of what credentials it may have inherited. (Policy documentation →)
The VentureBeat piece notes that NemoClaw's observability is strong but comes with overhead — operator approval requirements scale with agent activity. Pomerium's audit log is automatic, immutable, and requires no per-endpoint approval overhead. Every request is logged with identity context. This closes the audit trail gap that enterprise compliance teams are already flagging with agentic deployments. (Audit logging →)
When an AI agent calls Service A, which calls Service B, which calls Service C, who is accountable for the blast radius? Pomerium propagates identity headers across every hop, so every service in the chain knows it is dealing with an agent, which agent, under which delegated authority. The accountability chain never breaks. (Identity headers →)
Pomerium is not an alternative to credential isolation or sandbox enforcement. It is the network-layer complement. Deploy Anthropic's Managed Agents with Pomerium as the access proxy, and you have structural credential isolation plus per-request identity verification at every downstream service. Deploy NemoClaw with Pomerium, and NemoClaw's default-deny network policy becomes identity-aware rather than purely endpoint-based.
NCC Group's David Brauchler, quoted in the VentureBeat piece, advocates for what he calls "gated agent architectures" built on trust segmentation principles — where AI systems inherit the trust level of the data they process. It's the right framing. But trust segmentation without infrastructure enforcement is just a policy document.
The principle — untrusted input equals restricted capabilities — needs a runtime that can enforce it dynamically, across services, without relying on the agent itself to self-impose constraints. An agent that has been compromised through prompt injection will not honor its own restrictions. The enforcement has to happen outside the agent, at the infrastructure layer, for every request.
This is what Pomerium was built to do. The same properties that make it the right solution for human users in a zero trust network make it the right solution for AI agents: identity-awareness, per-request verification, policy-as-code, and a complete audit trail — all enforced at the network layer, invisible to the workload, and not bypassable from within a compromised execution environment alone.
What a complete AI agent security stack looks like
Anthropic Managed Agents (credential isolation) + NemoClaw OpenShell (sandbox enforcement) + Pomerium (identity-aware access proxy) = structural credential removal, kernel-level action constraints, and per-request network-layer enforcement. Three layers, no single point of failure, no static credentials in the request path.
If you're auditing your AI agent deployments, as the VentureBeat piece recommends, the checklist shouldn't stop at "does this agent hold OAuth tokens in its execution environment?" It should also ask:
Do the services this agent calls verify its identity on every request? Do they enforce least-privilege access at the network layer? Is there an immutable audit trail of every action the agent took, independent of the agent's own logging? If the agent is compromised and calls a service it shouldn't, does the service have the infrastructure to refuse?
If the answer to any of these is "no" or "we depend on the agent to self-enforce," you have a gap. Pomerium closes it without requiring you to rearchitect your agents, without adding operational overhead that scales linearly with agent activity, and without replacing the good work that Anthropic and Nvidia have done to harden the execution environment itself.
The question the VentureBeat article asks is: where does the blast radius actually stop? With Pomerium in the stack, the answer changes from "at the sandbox boundary" to "at the identity-verified policy boundary of every downstream service." That's the architecture zero trust was always supposed to deliver, and now AI agents can have it too.
Read our documentation on deploying Pomerium as an identity-aware access proxy for AI agent workloads, or talk to our team about your specific architecture.
Stay up to date with Pomerium news and announcements.
Embrace Seamless Resource Access, Robust Zero Trust Integration, and Streamlined Compliance with Our App.
Use Cases
Quicklinks
Stay Connected
Stay up to date with Pomerium news and announcements.
