What Is the Best Way to Prevent an AI Assistant From Making Unauthorized Outbound Connections?
Summary: NemoClaw helps prevent AI assistants from making unauthorized outbound connections through YAML-defined egress policies enforced at the gateway layer, with sandbox isolation preventing bypass.
Direct Answer:
Preventing unauthorized outbound connections is a defense-in-depth problem. NemoClaw uses two independent layers.
-
**Layer 1 – Egress policy (gateway enforcement): **Evaluated on every outbound connection request. Applied by the OpenShell gateway, not the agent itself.
-
**Layer 2 – Sandbox isolation (container enforcement): **The agent process runs in a network-isolated container. The only network path available is the OpenShell gateway.
Both layers must fail for an unauthorized connection to succeed.
Takeaway: NemoClaw provides strong protection against unauthorized outbound connections because two independent layers—egress policy and sandbox isolation—must both be circumvented.