AGIACC’s solutions span the full protection spectrum — software runtime hardening, confidential AI computing, and hardware capability architecture. This section presents case studies, research-motivated scenarios, and architectural approaches for securing AI systems from agents to autonomous vehicles.
For technology explainers (memory safety primers, distributed training background), use Technology → Memory safety or Technology → Distributed training in the site menu. For research deep dives, see our Blog.
SafeClaw: Securing AI agent deployments#
Our flagship platform for making AI agent systems like OpenClaw deployable in production environments.
The OpenClaw crisis#
OpenClaw represents a new class of AI — agents that control hardware, execute shell commands, read and write files, and integrate with messaging platforms. By giving AI “hands,” OpenClaw demonstrated the future of accessible automation. Its adoption was explosive: millions of instances deployed within months.
In early 2026, the security community revealed the true cost of powerful capabilities on insecure foundations:
- CVE-2026-25253 — One-click Remote Code Execution giving attackers full access to any instance and every system it controlled
- 800+ malicious plugins in ClawHub (roughly 20% of all extensions), stealing API keys, credentials, and browser sessions
- 135,000+ instances publicly exposed online, leaking chat histories, API keys, and gateway tokens
- Prompt injection attacks — malicious instructions in emails and documents hijacking agents for data exfiltration and lateral movement
Meta banned OpenClaw internally. Chinese regulators issued formal warnings. Financial institutions restricted its use.
SafeClaw architecture#
SafeClaw addresses these threats through layered enforcement:
Software runtime layer (deployable today):
- Tool call blocking prevents dangerous operations before execution
- ML-based prompt injection detection identifies manipulation attempts
- PII redaction removes sensitive data from outputs and logs
- Human approval gates require authorization for high-risk actions
- Tamper-evident audit logging maintains integrity-protected records
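To make the runtime layer concrete, here is a minimal sketch of how tool-call blocking, approval gates, and tamper-evident audit logging can compose. All names (`BLOCKED_TOOLS`, `gate_tool_call`, `AuditLog`) are illustrative assumptions, not SafeClaw's actual API:

```python
import hashlib
import json

# Illustrative policy: some tools are never allowed, others require a human
# in the loop. These sets and names are hypothetical, not SafeClaw's API.
BLOCKED_TOOLS = {"shell.exec", "fs.delete_tree"}
APPROVAL_REQUIRED = {"email.send", "payments.transfer"}

def gate_tool_call(tool, approved=False):
    """Return 'deny', 'pending_approval', or 'allow' for a tool call."""
    if tool in BLOCKED_TOOLS:
        return "deny"
    if tool in APPROVAL_REQUIRED and not approved:
        return "pending_approval"
    return "allow"

class AuditLog:
    """Tamper-evident log: each record's digest covers the previous digest,
    so editing any past record breaks the chain on verification."""
    def __init__(self):
        self.records = []
        self._last = "0" * 64  # genesis digest

    def append(self, event):
        payload = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((self._last + payload).encode()).hexdigest()
        self.records.append({"event": event, "digest": digest})
        self._last = digest

    def verify(self):
        prev = "0" * 64
        for rec in self.records:
            payload = json.dumps(rec["event"], sort_keys=True)
            if hashlib.sha256((prev + payload).encode()).hexdigest() != rec["digest"]:
                return False
            prev = rec["digest"]
        return True
```

The key design point is that enforcement happens before execution: the gate returns a decision, and the caller only runs the tool on `"allow"`. The hash chain means an attacker who edits a past log entry invalidates every digest after it.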
Confidential execution layer (on TEE-capable infrastructure):
- Agent credentials and API keys exist only in TEE-encrypted memory
- Model weights remain encrypted during inference via NVIDIA Confidential Computing
- Remote attestation cryptographically verifies the execution environment
- Attestation-gated access automatically cuts off compromised agents
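The attestation-gated cutoff can be sketched as a re-attestation loop: the agent keeps its credentials only while fresh evidence from its environment verifies. The measurement value and verifier below are stand-ins; a real deployment would validate a signed TEE quote against an attestation service:

```python
# Hypothetical golden measurement for the approved agent environment.
EXPECTED_MEASUREMENT = "a1b2c3"

def verify_attestation(evidence):
    """Stand-in verifier: a real one would check a signed TEE quote."""
    return evidence.get("measurement") == EXPECTED_MEASUREMENT

class AgentSession:
    """Session whose credentials survive only while attestation holds."""
    def __init__(self):
        # In a real deployment these would live only in TEE-encrypted memory.
        self.credentials = {"api_key": "sk-demo"}

    def reattest(self, evidence):
        if not verify_attestation(evidence):
            self.credentials = None  # cut off the compromised agent
            return False
        return True
```

Calling `reattest` periodically means a compromised or modified environment loses access automatically, rather than relying on an operator to notice and revoke.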
Hardware compartmentalization (on CHERI silicon):
- Each plugin runs in hardware-enforced capability bounds — violations trap at the CPU level before any data is exposed
- Unforgeable capability pointers prevent credential forging and privilege escalation
- Deterministic containment that cannot be bypassed by software attacks
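As a toy model of the capability idea (an illustration of the concept, not real CHERI semantics), a pointer carries its bounds, every access is checked before memory is touched, and derived capabilities can only shrink:

```python
class CapabilityViolation(Exception):
    """Models the hardware trap raised on an out-of-bounds access."""

class Capability:
    """Toy CHERI-style capability: a pointer plus enforced bounds."""
    def __init__(self, memory, base, length):
        self._mem, self.base, self.length = memory, base, length

    def load(self, offset):
        # The bounds check happens before any byte is exposed.
        if not 0 <= offset < self.length:
            raise CapabilityViolation(f"offset {offset} outside bounds")
        return self._mem[self.base + offset]

    def restrict(self, base, length):
        """Derive a narrower capability; bounds can never widen."""
        if base < 0 or base + length > self.length:
            raise CapabilityViolation("cannot widen bounds")
        return Capability(self._mem, self.base + base, length)

# A plugin gets a capability covering only its own region, not the secrets
# stored alongside it.
memory = bytearray(b"SECRETKEYplugindata")
plugin_cap = Capability(memory, 0, len(memory)).restrict(9, 10)
```

A buffer overflow through `plugin_cap` cannot read the adjacent secret: the violating access traps instead of returning data, which is the deterministic containment property the bullets above describe.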
“When AI has hands, legs, and wheels, software patches aren’t enough. SafeClaw rebuilds the trust model from silicon to system.”
Confidential AI computing: protecting models and data in use#
Applying Trusted Execution Environments to AI workloads — keeping model weights and data encrypted even during computation.
The data-in-use gap#
Encryption protects data at rest and in transit, but AI workloads must decrypt data to process it. This vulnerability window is where model weights can be stolen, training data leaked, and inference inputs exposed — even by infrastructure operators.
How AGIACC deploys confidential computing#
We integrate TEE-based protection into AI infrastructure using production-ready technologies:
- NVIDIA Confidential Computing — GPU memory encryption keeps model weights invisible during inference on H100, H200, and B200 hardware. GPU-to-GPU communication is encrypted over NVLink/NVSwitch for multi-GPU workloads
- Intel TDX / AMD SEV-SNP — CPU-level Trust Domains with encrypted memory and integrity verification protect agent runtimes and orchestration layers
- Composite attestation — CPU and GPU TEEs are attested together, establishing a chain of trust from silicon to application logic
- Secure key release — Encryption keys are only released to workloads that pass attestation, using Intel Trust Authority for independent multi-cloud verification
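The composite attestation and key-release flow can be sketched as a broker that releases the model-decryption key only when every device's measurement matches. Measurements and keys below are made-up values; a real broker would verify signed CPU and GPU quotes through an attestation service such as Intel Trust Authority:

```python
import hashlib

# Hypothetical golden measurements for the trusted CPU and GPU images.
EXPECTED = {
    "cpu": hashlib.sha256(b"trusted-td-image").hexdigest(),
    "gpu": hashlib.sha256(b"trusted-gpu-firmware").hexdigest(),
}

def release_key(evidence, wrapped_key):
    """Release the key only if *every* device's measurement matches.

    This models composite attestation: a good CPU with a bad GPU (or vice
    versa) gets nothing. A real broker would unwrap/decrypt the key here.
    """
    if all(evidence.get(dev) == want for dev, want in EXPECTED.items()):
        return wrapped_key
    return None
```

The point of the composite check is that the chain of trust spans silicon to application: attesting only the CPU would leave a tampered GPU firmware image able to receive the key.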
Production reference points#
- EQTY Lab Verifiable Runtime — Silicon-based enforcement for AI agents using NVIDIA Confidential Computing on BlueField DPUs, providing hardware-attested security at near-zero performance cost
- Fortanix Confidential AI — Enables enterprises to deploy proprietary models where weights remain encrypted and invisible to infrastructure operators
- Corvex HGX B200 — Demonstrated near-native performance for confidential AI workloads on NVIDIA’s latest hardware
Case study 2: Automotive — the RESAuto pilot (industry demonstrator)#

This case study summarizes a public UK DSbD and industry demonstrator that illustrates the adoption pathway the market needs.
The attack surface of connected mobility#
Modern autonomous vehicles carry dozens of connected Electronic Control Units (ECUs), each managing critical functions: braking, steering, perception, V2X communication, and infotainment. That connectivity brings convenience — and a massive, interconnected attack surface.
A vulnerability in one ECU (e.g., the infotainment system) can potentially cascade into safety-critical domains, turning a cyberattack into a physical safety incident.
CHERI on Morello silicon: RESAuto results#
The UK’s RESAuto (Resilient and Safe Automotive) project — led by Thales and partners under the Digital Security by Design (DSbD) programme — ported a safety-critical braking system to Arm Morello silicon with CHERI capabilities:
- Simulated attacks were detected and contained instantly. Faults injected into braking and steering stacks were caught by hardware capability checks before they could affect vehicle behavior.
- Lateral movement blocked — CHERI compartmentalization prevented exploits from propagating between perception, control, and infotainment domains.
- Minimal code changes — Only 1–2 modifications were required across 2.5 million lines of Thales’s existing safety and security codebase. This remarkably low friction validates CHERI’s industrial adoptability.
- Safe failure modes — When an exploit was detected, the system entered a known-safe state, protecting passengers while containing and logging the attack.
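The safe-failure-mode pattern can be sketched as a controller that, when a containment trap fires, transitions to a known-safe state and records the event rather than continuing with corrupted state. The class and state names are illustrative, not the RESAuto project's actual design:

```python
class ContainmentTrap(Exception):
    """Models a hardware capability violation surfaced to the controller."""

class BrakeController:
    """Controller that fails to a known-safe state instead of behaving
    unpredictably when an exploit is detected."""
    def __init__(self):
        self.state = "normal"
        self.incidents = []

    def step(self, command):
        try:
            if command == "inject_fault":  # stands in for a real trap
                raise ContainmentTrap("capability violation in braking stack")
            return "applied"
        except ContainmentTrap as trap:
            self.state = "known_safe"        # controlled stop, not undefined behavior
            self.incidents.append(str(trap)) # contain and log the attack
            return "safe_stop"
```

The design choice worth noting is that the trap path is the only way out of normal operation: the controller never resumes with possibly corrupted state, it degrades to a state that is safe by construction and leaves an incident record behind.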
Standards alignment#
CHERI-enabled automotive systems align with ISO 26262 (functional safety), UN R155/R156 (cybersecurity), and the UK’s DSbD framework — providing a pathway to regulatory compliance for next-generation connected and autonomous vehicles.
Case study 3: Industrial IoT and critical infrastructure (ecosystem)#
The embedded attack surface#
Factory robots, SCADA controllers, power grid sensors, and logistics networks form the backbone of modern industry. These systems are typically:
- Resource-constrained — limited CPU, memory, and power budgets
- Long-lived — deployed for 10–20+ years with minimal updates
- Safety-critical — a single software defect can halt production, damage equipment, or endanger workers
The convergence of AI with industrial control (Industry 4.0) is expanding this attack surface dramatically, as connected devices gain AI capabilities but retain legacy software stacks written in memory-unsafe C/C++.
CHERIoT: CHERI for the smallest devices#
Microsoft’s CHERIoT (Capability Hardware Extension to RISC-V for IoT) brings CHERI’s deterministic memory safety to the embedded tier:
- Custom RTOS with a lightweight compartment model specifically designed for low-cost, low-power microcontrollers.
- Deterministic use-after-free protection and spatial memory safety — critical for long-lived devices that cannot be easily patched.
- lowRISC Sunburst boards — funded under UK DSbD, these development platforms make CHERI-secured embedded design accessible to the wider engineering community.
DEFGRID: securing the energy grid#
The DEFGRID project (University of Strathclyde, funded by DSbD) is the first demonstrator of CHERI-secured utility infrastructure:
- Protection of Operational Technology (OT) networks from cyber-physical attacks
- Hardware-enforced isolation between monitoring, control, and communication subsystems
- Alignment with IEC 62443 (industrial automation security) and NERC CIP (critical infrastructure protection)
Impact for manufacturers#
Early adopters in IoT and manufacturing are already exploring CHERI-secured controllers to:
- Sandbox control modules — hardware-backed compartments ensure a fault in one component does not cascade across the production line.
- Block malware propagation — CHERI prevents the most common exploit vectors (buffer overflows, ROP chains) used to hijack motion systems and safety interlocks.
- Enable graceful degradation — equipment continues operating safely or shuts down predictably, rather than exhibiting undefined behavior.
Case study 4: Medical and safety-critical systems (research and trials)#
Non-negotiable safety requirements#
From robotic surgery systems to infusion pumps, medical devices demand the highest levels of software integrity. A memory corruption bug in these systems doesn’t just leak data — it can harm patients.
CHERI for medical device security#
On CHERI-enabled processors:
- Out-of-bounds access and pointer misuse are trapped by hardware capability checks before they can affect dosing calculations or surgical control loops.
- Compartmentalization keeps critical dosing and monitoring code isolated from less-trusted components (e.g., network stacks, display drivers).
- Behavior aligns with IEC 62304 (medical device software lifecycle) and FDA premarket cybersecurity guidance.
UK researchers at TTP plc are already trialing CHERI boards to validate compliance with these safety and regulatory targets, demonstrating the technology's readiness for clinical deployment pathways.