What happens when the world’s largest cybersecurity platform meets the world’s largest AI infrastructure company? You get security baked into the agent runtime itself.
CrowdStrike and NVIDIA just unveiled a Secure-by-Design AI Blueprint that integrates CrowdStrike’s Falcon platform directly into NVIDIA OpenShell — an open-source runtime from the NVIDIA Agent Toolkit that provides isolated sandboxes with policy enforcement for autonomous agents.
The key word is directly. Not a sidecar. Not a monitoring layer. Falcon security is embedded in the runtime where agents execute — which means policy enforcement happens at the same speed as agent execution.
The Architecture
The blueprint works across both local and cloud agent deployments:
Local Agents (DGX Spark / DGX Station)
- Falcon Endpoint Security secures agents running in OpenShell on NVIDIA hardware
- Host-level controls and continuous behavioral monitoring
- Covers both system activity and agent execution patterns
Cloud Agents (AI-Q Blueprint)
- Falcon Cloud Security protects agents built on NVIDIA’s AI-Q Blueprint for deep research
- Unified visibility across infrastructure and AI workloads
- Runtime controls in cloud and data center environments
Across Both
- Falcon AI Detection and Response (AIDR) integrates with OpenShell to secure every prompt, response, and agent action in real time
- Falcon Next-Gen Identity Security enforces access controls across data, APIs, and services — so agents operate within defined privilege boundaries
The most forward-looking element: intent-aware controls that govern how agents plan and execute tasks. This goes beyond monitoring what an agent does — it evaluates what the agent intends to do and limits the blast radius of unintended or malicious behavior.
Why This Is Different
Most agent security products announced this month operate at a single layer — identity (Oasis, Okta), credentials (1Password), network (F5), or governance (AvePoint, Singulr). CrowdStrike × NVIDIA operates at the runtime layer — the actual execution environment where agents think and act.
Daniel Bernard, CrowdStrike’s CBO: “As we enter the agentic era, agents no longer simply assist — they act. This shift fundamentally changes the security equation, and security must be embedded into the AI stack itself.”
Justin Boitano, NVIDIA VP of Enterprise Platforms: “By integrating CrowdStrike’s security platform with the NVIDIA Agent Toolkit, we’re enabling enterprises to build and scale safer, autonomous AI agents.”
Validation from CoreWeave’s CISO, James Higgins, is notable too: “AI agents must be observable, governed, and resilient by design. The collaboration between CrowdStrike and NVIDIA secures AI systems at the foundation.”
The Secure-by-Design Principle
“Secure by design” means security isn’t added after the agent is built — it’s part of the foundation the agent runs on. This is a deliberate contrast to the current reality where most organizations:
1. Build or deploy an AI agent
2. Discover it has access to things it shouldn’t
3. Try to retroactively add controls
4. Get breached somewhere between steps 2 and 3
The blueprint inverts this: before an agent can execute its first action, Falcon is already enforcing policy on every prompt, response, tool call, and data access. The security infrastructure exists before the agent does.
The RSAC 2026 Convergence
This announcement lands in what’s become the most concentrated week of agent security launches in industry history:
Infrastructure layer:
- CrowdStrike × NVIDIA — runtime security in agent execution environment
- Booz Allen Vellox — agentic cyber defense suite (5 products)
- Microsoft Agent 365 — enterprise control plane
Identity layer:
- Oasis Security — $120M for Agentic Access Management
- 1Password — agent credential vault
- Okta — agent identity controls (April 30)
Governance layer:
- Airia — enterprise OpenClaw gateway
- ConductorOne — MCP access governance
- AvePoint AgentPulse — shadow agent discovery
Offensive layer:
- Xbow — $120M autonomous pen testing
- Booz Allen Vellox Striker — AI adversary emulation
The CrowdStrike × NVIDIA partnership sits at the foundation: the runtime where all other security controls ultimately have to be enforced. If your agent runtime isn’t secure, no amount of identity management or governance dashboards will save you.
What OpenClaw Users Should Know
OpenShell is open-source, which means the isolation and policy enforcement patterns it implements are available for anyone to study and adapt. For OpenClaw users running agents that take real actions — executing code, accessing APIs, managing infrastructure — the secure-by-design principles apply:
- Sandbox agent execution — agents should run in isolated environments with explicit permissions, not with your full user context
- Monitor at the runtime level — application-level logging misses system-level activity; runtime monitoring catches everything
- Policy before deployment — define what your agent can and cannot do before it starts running, not after you discover what it did
- Intent-aware controls — the next generation of agent security isn’t just “what did it do?” but “what is it trying to do?”
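The "explicit permissions" and "policy before deployment" items above, sketched as a deny-by-default gate placed in front of an agent's tool calls. This is an added example, not code from OpenShell, Falcon or OpenClaw; the policy format, tool names, paths and hosts are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed policy, written before the agent runs. Tool names, paths and
# hosts are hypothetical; this is not OpenShell's or Falcon's policy format.
POLICY = {
    "read_file": {"arg": "path", "roots": ("/work/agent",)},
    "http_get": {"arg": "url", "hosts": {"api.internal.example"}},
}

def path_allowed(path, roots):
    # Lexical check: collapse "../" before comparing to the allowed roots.
    # Symlinks are not resolved, so OS-level confinement is still required.
    norm = posixpath.normpath(path)
    return path.startswith("/") and any(
        norm == r or norm.startswith(r.rstrip("/") + "/") for r in roots)

def url_allowed(url, hosts):
    # Compare the parsed hostname, never a substring of the URL, so a
    # "user@host" form is judged by the host actually contacted.
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme == "https" and parts.hostname in hosts

def decide(policy, tool, args):
    """Return (allowed, reason); anything the policy does not name is denied."""
    rule = policy.get(tool)
    if rule is None:
        return False, "tool not declared in policy"
    value = args.get(rule["arg"])
    if set(args) != {rule["arg"]} or not isinstance(value, str):
        return False, "unexpected or missing argument"
    if "roots" in rule and not path_allowed(value, rule["roots"]):
        return False, "path outside allowed roots"
    if "hosts" in rule and not url_allowed(value, rule["hosts"]):
        return False, "host not in allowlist"
    return True, "ok"

class ToolGate:
    """Sits between the agent and its tools and records every decision."""
    def __init__(self, policy):
        self.policy, self.audit = policy, []
    def call(self, tool, args, impl):
        allowed, reason = decide(self.policy, tool, args)
        self.audit.append((tool, dict(args), allowed, reason))
        if not allowed:
            raise PermissionError(f"{tool}: {reason}")
        return impl(**args)
```

The audit list records denials as well as allowed calls, so a blocked action leaves the same trail as a permitted one.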
The partnership between the world’s leading cybersecurity company and the world’s leading AI infrastructure company sends a clear signal: agent security is a runtime problem, and it needs runtime solutions.
The Secure-by-Design AI Blueprint was announced at GTC, March 16, 2026. CrowdStrike will demo at RSAC 2026, March 23–26, Booth S-0461.