
NVIDIA and SAP Are Making Enterprise AI Agents You Can Trust

AIntelligenceHub
7 min read

NVIDIA's open-source OpenShell runtime is now embedded into SAP's Business AI Platform as the security foundation for 200+ enterprise agents announced at SAP Sapphire.

88% of organizations reported confirmed or suspected AI agent security incidents in the last year. Not predictions, not projections, actual incidents already investigated and quietly resolved at companies that moved agents into production faster than they established what those agents were allowed to do.

SAP CEO Christian Klein had that problem in mind when he took the stage at SAP Sapphire this week. The company is betting its next decade on the Autonomous Enterprise, a model where AI agents handle complete workflows across finance, procurement, HR, supply chain, and manufacturing without waiting for human approval at each step. The ambition requires agents enterprises can trust in mission-critical systems.

The infrastructure answer, announced at Sapphire alongside a video appearance by NVIDIA founder and CEO Jensen Huang, is NVIDIA OpenShell, now embedded into SAP's Business AI Platform as the security runtime for every Joule Studio agent the company ships.

How NVIDIA OpenShell Makes Enterprise Agents Safer by Default

NVIDIA released OpenShell in March 2026 as an open-source runtime for autonomous AI agents, available under the Apache 2.0 license. The license choice is deliberate. A proprietary security runtime asks enterprises to trust vendor claims. An open-source runtime lets security architects, legal counsel, and procurement teams verify what the code actually does.

The design principle is zero-permission by default. An agent starts with no filesystem access, no network access, no ability to reach any external service. Everything it can do must be explicitly granted through policy files written in declarative YAML. Those policies split into two sections: static rules covering filesystem and process permissions, locked at agent creation and unchangeable while the agent runs; and dynamic rules covering network access and inference routing, which can be hot-reloaded on a running agent without a restart.

In practice, an agent handling accounts payable might receive read access to one specific financial data directory, permission to call one internal ERP endpoint, and an approved route to an inference model. It can't reach the internet, can't write outside its scope, can't escalate its own privileges, and can't chain into adjacent systems. If a prompt injection attack redirects the agent toward restricted data, the policy blocks the access at the infrastructure layer rather than relying on the model's judgment to decline.

OpenShell also includes a privacy router. Prompts sent to cloud inference endpoints are anonymized before they leave the environment, stripping PII and masking proprietary data. For enterprises in regulated industries, this removes a recurring obstacle to production deployment. Most AI agent architectures force a tradeoff between capability and data confidentiality. OpenShell addresses that tradeoff at the runtime level rather than asking each enterprise to engineer around it case by case.

Security ecosystem partners including Cisco, CrowdStrike, Google Cloud, Microsoft Security, and TrendAI are aligning their threat detection workflows with OpenShell's policy model. The practical implication: existing security operations infrastructure can be extended to flag anomalous agent behavior using the same tools, incident response playbooks, and visibility layers already deployed for network threats. No new security stack required.

NVIDIA is also integrating NemoClaw into Joule Studio, a development framework that gives engineering teams a structured path from initial agent build through testing, evaluation, and production deployment. Without a shared framework, each engineering team builds security scaffolding independently, producing inconsistent security postures across agents in the same enterprise. NemoClaw combined with OpenShell creates a repeatable, auditable path from development to production that a security review board can evaluate systematically rather than case by case.

That last point matters. Enterprise AI agent projects stall not because the underlying models are incapable, but because security and legal teams don't have a standard way to evaluate an agent before production sign-off. NemoClaw addresses the process gap, and OpenShell addresses the runtime gap. Both are needed.

SAP's Autonomous Enterprise: Architecture, Scale, and Production Path

SAP's framework for the Autonomous Enterprise is organized around two complementary control layers. OpenShell governs what an agent can technically do at the infrastructure level. Joule Studio's runtime governs whether an agent should act at all at the business logic level.

These layers answer different questions. OpenShell asks: can this action safely execute given the agent's declared policy? Joule Studio asks: does this action conform to company policy, identity and access management rules, compliance requirements, and authorization thresholds? An agent might clear the Joule Studio business policy check and still be sandboxed by OpenShell from data it didn't need. Or it might be technically capable of accessing a system but blocked at the business logic layer because the authorization chain is incomplete.

Distinguishing these layers matters for incident response. When an agent causes an unexpected outcome, both logs are available: the OpenShell audit trail showing exactly what the agent accessed and when, and the Joule Studio policy log showing what it was authorized to do. That separation makes investigation faster and compliance reporting cleaner.
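The following is an added illustration, not OpenShell's or Joule Studio's code, of the policy model described in the OpenShell section (default deny, a static filesystem section fixed at creation, a dynamic network/inference section that can be reloaded) combined with the business-policy layer and the two separate logs described here. The dictionary layout, rule names, endpoints, paths and the `AgentSandbox`, `business_check` and `run_action` names are all constructed for this example and do not reflect either product's actual schema or API.

```python
# Added illustration of the two-layer model described above. The dictionary layout
# and every name here are constructed for this example; they are not OpenShell's or
# Joule Studio's actual schema or API.
from copy import deepcopy
from fnmatch import fnmatch

class AgentSandbox:
    """Technical layer: default deny; nothing is allowed unless a rule grants it."""
    def __init__(self, static, dynamic):
        self._static = deepcopy(static)    # filesystem rules, fixed at creation
        self._dynamic = deepcopy(dynamic)  # network/inference rules, reloadable
        self.audit = []                    # (action, target, outcome) for investigators

    def reload_dynamic(self, dynamic):
        # Only the network/inference section can change on a running agent.
        self._dynamic = deepcopy(dynamic)

    def check(self, action, target):
        if action in ("read", "write"):
            allowed = any(fnmatch(target, p) for p in self._static.get(action, []))
        elif action == "connect":
            allowed = target in self._dynamic.get("endpoints", [])
        elif action == "infer":
            allowed = target in self._dynamic.get("models", [])
        else:
            allowed = False  # unknown action kinds are denied, not guessed at
        self.audit.append((action, target, "allow" if allowed else "deny"))
        return allowed

def business_check(action, target, amount, rules, log):
    """Business layer: is this action authorized under company policy and limits."""
    ok = (action, target) in rules["authorized"] and amount <= rules["approval_threshold"]
    log.append((action, target, amount, "authorized" if ok else "held"))
    return ok

def run_action(sandbox, rules, business_log, action, target, amount=0):
    """Both layers must agree. The business log records what the agent was
    authorized to do; the sandbox audit records what it actually tried to touch."""
    if not business_check(action, target, amount, rules, business_log):
        return False
    return sandbox.check(action, target)

# Constructed accounts-payable agent matching the article's example: one finance
# directory, one ERP endpoint, one approved model. The HR path is authorized by the
# business rules but never granted by the sandbox, so an injected request for it is
# denied at the infrastructure layer regardless of the model's judgment.
AP_STATIC = {"read": ["/data/finance/ap/*"], "write": []}
AP_DYNAMIC = {"endpoints": ["erp.internal:8443"], "models": ["ap-model"]}
AP_RULES = {"authorized": {("read", "/data/finance/ap/invoices.csv"),
                           ("read", "/data/hr/salaries.csv"),
                           ("connect", "erp.internal:8443")},
            "approval_threshold": 10000}
```

Reloading the dynamic section with an empty endpoint list cuts the ERP route on a live agent while the static read grant stays in force, which is the asymmetry the article describes.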

Andre Lamego, SAP's Chief Product Officer for BTP Fabric, described the design requirement in the Sapphire announcement this way: "Enterprise AI agents must be safe, governable, and auditable by design." That last word is the one procurement committees and legal teams actually care about. Audit trails for autonomous agent actions are being written into vendor contracts and compliance frameworks right now.

SAP Autonomous Suite ships 50+ domain-specific Joule Assistants and 200+ specialized agents covering finance, supply chain, procurement, HR, and customer experience. These agents execute multi-step processes. SAP's Autonomous Close Assistant compresses financial close from weeks to days. A standard financial close involves reconciling accounts across business units, verifying journal entries, resolving exceptions, generating reports, and obtaining multi-party approvals. Doing that at software speed, accurately, with a defensible audit trail, is qualitatively different from what prior enterprise automation delivered.

RWE demonstrates the same governance model applied to physical operations. SAP agents analyze sensor data from offshore wind turbines, predict component failures, and schedule service windows before problems escalate into downtime. The decisions carry financial and safety consequences. The runtime that protects a finance agent from touching unauthorized data applies equally to agents making hardware maintenance decisions.

SAP also established a EUR 100 million fund for partners building on Joule Studio. ERP migration tooling now reduces implementation effort by more than 35%. Joule Work, a natural language interface running across desktop, mobile, and voice, brings these agents into existing workflows without requiring employee retraining. RISE with SAP customers receive three assistants activated in the first year as part of their standard agreement.

The scale of what SAP announced at Sapphire, 200+ specialized agents, a EUR 100 million partner commitment, a new natural language interface, and a security runtime co-developed with NVIDIA, represents one of the more credible production-scale enterprise AI deployments announced by any software vendor in 2026.

The Governance Standard Forming Across Enterprise AI

SAP is the highest-profile OpenShell deployment, but not the only one. NVIDIA launched OpenShell in March with 17 major enterprise platform partners: Adobe, Atlassian, Amdocs, Box, Cadence, Cisco, Cohesity, CrowdStrike, Dassault Systemes, IQVIA, Red Hat, Salesforce, Siemens, ServiceNow, Synopsys, and others. The list spans professional services, cybersecurity, manufacturing software, and enterprise cloud, covering most of the enterprise application stack.

When that many platforms commit to the same security runtime, the competitive landscape shifts. Proprietary agent security runtimes face a different procurement conversation when an independently auditable open-source alternative has this level of adoption. Enterprise security teams will increasingly ask whether a closed runtime is necessary when a verifiable open-source option exists with broad integration coverage.

The industry context shows why timing matters. 54% of enterprises now run AI agents in production. Only 14.4% have done so with full security and IT approval. The gap between those numbers represents a large category of deployments operating with real governance exposure. As analysis of enterprise AI compute efficiency has shown, governance gaps don't just create security risk; they drive operational overhead as teams build manual review layers to compensate, which undercuts the productivity gains agents are supposed to deliver.

SAP and NVIDIA are trying to close that gap by leading with governance infrastructure rather than capability claims. OpenShell is not a feature inside a product. It's the security layer every product builds on top of. Releasing it as open-source changes the procurement dynamic: security teams can evaluate it before committing to any platform. When a CISO asks "how do we know the agent won't access restricted data," an architecture built on OpenShell has a specific, verifiable answer: here's the YAML policy file, here's the 30-day audit log, and here's the open-source runtime enforcing both that your team can inspect independently.

Jensen Huang described OpenShell as the foundation for "the next industrial revolution in knowledge work." When Adobe, Salesforce, SAP, Siemens, and Cisco all commit to the same runtime, that framing reflects the early formation of an industry standard, one reaching critical adoption mass before it becomes an official specification.

For enterprises evaluating or scaling agent deployments right now, three things follow from the Sapphire announcements. First, the dual-layer governance model, technical sandbox plus business policy engine, should be the baseline architecture, not an advanced option. Second, open-source runtime auditability is becoming a default expectation in procurement. Third, audit trails are non-negotiable: any production deployment must be able to answer what the agent did, when, and why.

For a current overview of how enterprise AI vendors are approaching governance, compliance, and production rollout, the Enterprise AI in 2026 resource page covers the market with regular updates as the landscape develops.

The competitive question for Microsoft, Google Cloud, and ServiceNow is whether they can match governance depth alongside capability breadth, because enterprise buyers in 2026 are asking for both.
