NVIDIA Secure Agent Workspace Reference Design
NVIDIA introduces a reference architecture for governing autonomous agents by isolating the presentation layer from the execution layer. It mandates SSO, network restrictions, and human-in-the-loop approvals for critical system actions.
Impact: High
Why it matters
Use this design to implement enterprise-grade guardrails when deploying long-running AI agents that access sensitive internal infrastructure.
TL;DR
- Isolate agent execution from the developer machine
- Implement credential proxies instead of raw keys
- Use OCSF for standardized audit logs
Core Architecture
The NVIDIA Secure Agent Workspace separates the presentation layer (IDE/Terminal) from the execution layer (Managed VM). This creates a dedicated sandbox where runtime policies, network rules, and logging are centrally enforced.
Security Layers
- Identity: Enforces SSO for all workspace access.
- Network: Default-deny egress; uses NetworkPolicy on OpenShift or Azure Firewall to restrict outbound connections.
- Credential Handling: Prevents raw secret exposure by routing authenticated calls through an intermediary credential proxy.
- Governance: Requires human review for system-impacting changes such as code merges or ticket status updates.
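The network, credential-handling, governance and audit layers above come together in one enforcement point: a credential proxy that the sandboxed agent must go through for every outbound call. The following is an added example, not NVIDIA's reference code; the hostnames, the token value, the approval rule and the OCSF field mapping (shaped after the OCSF API Activity class) are this example's own assumptions, and the network is replaced by a recording stub so it runs offline.

```python
"""Illustrative credential proxy for an isolated agent workspace (added example).

Not NVIDIA's implementation. Hostnames, secrets and the OCSF field mapping are
assumptions made for illustration; the transport is a constructed stub.
"""
import time
import uuid
from dataclasses import dataclass, field
from typing import Callable

# Constructed server-side secret store: lives in the proxy, never in the agent VM.
SECRETS = {"git.internal.example": "ghp_CONSTRUCTED_TOKEN_0000"}

# Default-deny egress: anything not listed here is refused before any secret is touched.
EGRESS_ALLOWLIST = {"git.internal.example"}

# Mutating operations (e.g. merging a PR) are parked until a human approves them.
APPROVAL_REQUIRED = {"POST", "PUT", "PATCH", "DELETE"}

# Record of what the stub "sent"; lets a test confirm the token was injected proxy-side.
SENT = []


def ocsf_api_activity(agent_id, host, method, path, activity_id, status_id):
    """Audit event shaped after OCSF API Activity (class_uid 6003).

    Field selection is an assumption for illustration, not a schema-validated event.
    """
    return {
        "class_uid": 6003,
        "category_uid": 6,
        "activity_id": activity_id,  # 1=create 2=read 3=update 4=delete
        "status_id": status_id,      # 1=success 2=failure
        "time": int(time.time() * 1000),
        "metadata": {"version": "1.1.0", "product": {"name": "agent-credential-proxy"}},
        "actor": {"user": {"name": agent_id, "type": "Service"}},
        "api": {"operation": method, "request": {"uid": str(uuid.uuid4())}},
        "dst_endpoint": {"hostname": host},
        "http_request": {"url": {"path": path}},
    }


def fake_transport(host, method, path, headers):
    """Constructed stand-in for the outbound HTTP client."""
    SENT.append({"host": host, "method": method, "path": path, "headers": headers})
    return {"status": 200, "body": f"{method} {path} ok"}


@dataclass
class CredentialProxy:
    transport: Callable
    audit_log: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)

    def request(self, agent_id, host, method, path, approved_by=None):
        act = {"GET": 2, "POST": 1, "PUT": 3, "PATCH": 3, "DELETE": 4}.get(method, 99)
        # Layer 1: network policy. Denied calls are logged and never leave the proxy.
        if host not in EGRESS_ALLOWLIST:
            self.audit_log.append(ocsf_api_activity(agent_id, host, method, path, act, 2))
            return {"status": 403, "reason": "egress denied by default-deny policy"}
        # Layer 2: governance. System-impacting changes wait for a human.
        if method in APPROVAL_REQUIRED and approved_by is None:
            rid = str(uuid.uuid4())
            self.pending[rid] = (agent_id, host, method, path)
            return {"status": 202, "pending_id": rid, "reason": "awaiting human approval"}
        # Layer 3: credential handling. The secret is attached here and only here;
        # the caller receives status and body, never the Authorization header.
        headers = {"Authorization": f"Bearer {SECRETS[host]}"}
        resp = self.transport(host, method, path, headers)
        # Layer 4: audit. Every forwarded call becomes one structured event.
        event = ocsf_api_activity(agent_id, host, method, path, act,
                                  1 if resp["status"] < 400 else 2)
        if approved_by:
            event["enrichments"] = [{"name": "approved_by", "value": approved_by}]
        self.audit_log.append(event)
        return {"status": resp["status"], "body": resp["body"]}

    def approve(self, pending_id, approver):
        """Human-in-the-loop release of a parked mutating request."""
        agent_id, host, method, path = self.pending.pop(pending_id)
        return self.request(agent_id, host, method, path, approved_by=approver)


if __name__ == "__main__":
    proxy = CredentialProxy(transport=fake_transport)
    print(proxy.request("agent-42", "git.internal.example", "GET", "/repos/x/pulls/7"))
    print(proxy.request("agent-42", "pastebin.example", "POST", "/upload"))
    parked = proxy.request("agent-42", "git.internal.example", "PUT", "/repos/x/pulls/7/merge")
    print(proxy.approve(parked["pending_id"], "reviewer@corp.example"))
    print(proxy.audit_log[-1])
```

The ordering matters: egress policy runs before the secret is looked up, so a request to an unlisted host can never cause a token to be read, and approval gating runs before injection, so a parked merge holds no credential while it waits. The same audit event shape covers denials, approvals and successes, which is what makes OCSF-based correlation across workspaces practical.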
✓ When to use
- Production AI agent deployment
- Sensitive internal data access
- Regulated industry environments
What to do today
- Review the OCSF format for your security logs
- Define agent identity delegation records