EnterpriseClaw launches with guardrails, but its DefenseClaw security layer is only five days old.
Automation Anywhere rolled out EnterpriseClaw on May 19 — a platform that lets companies run AI agents inside their own systems, with governance guardrails that stop those agents from accessing data they should not touch. The platform arrives with four major partners: Cisco, Nvidia, Okta, and OpenAI. But the security layer underneath it, an open-source project called DefenseClaw, has been publicly visible for five days. (Sources: PR Newswire, GitHub)
That gap — a four-vendor enterprise launch built on an open-source foundation that has existed for five days — is the actual story. Jason Andersen, a VP and principal analyst at Moor Insights & Strategy, put it directly when asked about EnterpriseClaw's differentiation from Nvidia's already generally available NemoClaw platform: "Nvidia has already announced its NemoClaw open-source stack to provide guardrails for always-on agents, and EnterpriseClaw has essentially the same capabilities and generally-available stack. Which begs the question: If you are already using Nvidia's, why choose this?" (Source: CIO)
The announcement positioned EnterpriseClaw as a direct response to the OpenClaw era's security failures — the data leaks, inappropriate behaviors, and uncontrolled tool use that gave enterprise IT teams reason to panic in 2025. Manish Jain, a principal research director at Info-Tech Research Group, traced the market opportunity directly: "OpenClaw did not meet enterprise-grade product standards. The data leaks and inappropriate behaviors associated with claw agents exhibit how an uncontrolled tool, when introduced with no guardrails, will lead to massive issues." (Source: CIO)
That logic is sound. OpenClaw-style agents that can execute code, browse the web, and read files inside corporate environments without meaningful policy enforcement are a real problem. Enterprises are right to want guardrails. The question is whether EnterpriseClaw's implementation earns that trust. (Source: GitHub)
DefenseClaw itself is a real codebase. The Cisco-hosted repository has 675 stars, 197 commits, and 109 forks. The architecture is three-part: a Python CLI for operators, a Go gateway sidecar that mediates between the agent runtime and external tool providers, and an OpenClaw TypeScript plugin that intercepts tool calls at the runtime level. The README describes its core operating rule plainly: "untrusted agent capabilities are scanned, governed, logged, and blocked when policy says they are unsafe." (Source: GitHub)
What the README actually claims is specific: admission control that scans skills, MCP servers, plugins, and code before they run; runtime guardrails using regex rules, policy, and an optional LLM judge; a CodeGuard module that checks source for secrets, dangerous execution, unsafe deserialization, weak crypto, injection patterns, and risky file access; and an OpenShell sandbox with network, filesystem, syscall, and policy controls. The commit from May 17 — two days before the EnterpriseClaw announcement — adds cosign verification of release artifacts and SHA-256 checksums on every downloadable file, with hardened tarball extraction that rejects path traversal, absolute paths, symlinks, and unexpected file types. (Source: GitHub)
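The checksum and tarball checks attributed to the May 17 commit look like this in practice. This is an added example in Python, not code from the DefenseClaw repository: `safe_extract`, `UnsafeArchive` and `build_tar` are hypothetical names, the archives are constructed sample input, and cosign signature verification is not shown.

```python
import hashlib
import io
import os
import tarfile

class UnsafeArchive(Exception):
    """Release archive failed checksum or member validation."""

def safe_extract(data, expected_sha256, dest):
    """Check the SHA-256, vet every member, then write regular files and dirs."""
    if hashlib.sha256(data).hexdigest() != expected_sha256.lower():
        raise UnsafeArchive("sha256 mismatch")
    root = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        members = tar.getmembers()
        for m in members:  # validate everything before writing anything
            if m.issym() or m.islnk():
                raise UnsafeArchive(f"link entry: {m.name}")
            if not (m.isreg() or m.isdir()):
                raise UnsafeArchive(f"unexpected file type: {m.name}")
            if os.path.isabs(m.name):
                raise UnsafeArchive(f"absolute path: {m.name}")
            target = os.path.realpath(os.path.join(root, m.name))
            if os.path.commonpath([root, target]) != root:
                raise UnsafeArchive(f"path traversal: {m.name}")
        for m in members:
            target = os.path.join(root, m.name)
            if m.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(m) as src, open(target, "wb") as out:
                out.write(src.read())
    return sorted(m.name for m in members if m.isreg())

def build_tar(entries):
    """Constructed sample input: (name, tar type, payload) tuples -> .tar.gz bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, typ, payload in entries:
            info = tarfile.TarInfo(name)
            info.type, info.size = typ, len(payload)
            info.linkname = "/etc" if typ == tarfile.SYMTYPE else ""
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Validating every member before the first write means a single bad entry leaves the destination directory untouched, which is the property to test for when auditing an extractor like this.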
Those are real hardening signals. What the README does not contain is the specific HTTP rate-limit figure that appeared in the PR Newswire announcement — "100 requests per second with a burst of 200." That number is not in the repository. Nor does the repository README directly state the "deny-by-default" sandbox posture that Cisco's blog describes separately: that an agent starts with zero permissions and receives access only when policy explicitly allows it. The README documents the sandbox controls; the specific deny-by-default framing comes from Cisco's blog, not the repository itself. (Sources: GitHub, Cisco Blog)
Five days of public history is not the kind of track record enterprise security teams use to certify a production dependency. CVE history, incident response records, community uptake — DefenseClaw has none of that yet. Enterprises are being asked to trust a security project whose code they have been able to audit for less than a week.
EnterpriseClaw is available in preview now, with general availability expected later in 2026. Pricing has not been announced. Named enterprise customers have not been disclosed. The Process Reasoning Engine that Automation Anywhere describes as giving EnterpriseClaw agents "enhanced accuracy and process context" is proprietary to Automation Anywhere — which matters for the open-core economics of DefenseClaw, since the open-source project's auditability stops at whatever Automation Anywhere ships as its own value-add. (Source: PR Newswire)
Ely Kahn, Okta's chief product officer, said in the announcement that "AI agents must have first-class identities" — the same identity and least-privilege enforcement applied to human employees. That is the right framing. Whether EnterpriseClaw's implementation earns that trust is a question the code will answer before the marketing will. (Source: PR Newswire)