Illia Polosukhin co-authored the 2017 paper that gave the world the Transformer. These days he runs his company with 12 AI agents, and his single rule for all of them: do not go off leash.
"If I just let it go and run and do things, I come back to something that makes no sense," Polosukhin told Business Insider. "So you need to babysit it with your judgment."
That quote is doing the rounds as a profile anecdote. The thing nobody has noticed is that Polosukhin already built what supervision actually looks like in code. It is called IronClaw, it lives on GitHub, and it has 11,600 stars.
IronClaw is NEAR's open-source Rust implementation of an AI agent framework, inspired by OpenClaw but with a specific focus on security primitives that the original did not prioritize. The credential protection layer means secrets never reach the tools — they are injected at the host boundary and never exposed to the agent's execution context. The WebAssembly (WASM) sandbox runs untrusted tools in isolated containers with capability-based permissions. Prompt injection defense handles content sanitization and policy enforcement. There is an HTTP allowlist: requests only go to explicitly approved hosts.
This is not a research paper. It is shipped infrastructure that anyone can read, audit, and deploy. The GitHub README is written in plain English: "IronClaw is the AI assistant you can actually trust with your personal and professional life." That is the product claim. The architecture makes it testable.
The weekly executive summary agent that Polosukhin described — the one that pulls his meeting notes, Google Drive docs, and Slack messages into a coaching summary — works in this framework because the framework treats every tool as a potential attack surface. An agent that can read your email and execute code and move money is an agent that can be tricked into doing all three on behalf of someone else. IronClaw's endpoint allowlisting and WASM sandbox are the mechanical answer to that problem.
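To make the two mechanisms described above concrete (secrets injected only at the host boundary, requests only to approved hosts), here is a minimal Rust sketch added for illustration; it is not IronClaw's code or API. The type and function names, the per-secret host binding, and the sample hosts and token are all assumptions constructed for this example.

```rust
use std::collections::{HashMap, HashSet};
// Hypothetical host-side gate; every name here is illustrative, not IronClaw's API.
pub struct HostBoundary {
    allowed_hosts: HashSet<String>,
    secrets: HashMap<String, (String, String)>, // name -> (value, the one host it may go to)
}

#[derive(Debug, PartialEq)]
pub enum Denied { NotHttps, BadUrl, HostNotAllowed(String), SecretNotBoundToHost }

// Lowercased host of an https URL. Userinfo, port, path and query are discarded.
fn host_of(url: &str) -> Result<String, Denied> {
    let rest = url.strip_prefix("https://").ok_or(Denied::NotHttps)?;
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next().unwrap_or("");
    // Text before the last '@' is userinfo: "https://good.host@other.host/" targets other.host.
    let hostport = authority.rsplit('@').next().unwrap_or("");
    let host = hostport.split(':').next().unwrap_or("").to_ascii_lowercase();
    if host.is_empty() { Err(Denied::BadUrl) } else { Ok(host) }
}

impl HostBoundary {
    // The tool passes a URL and a secret *name*; only the host ever handles the value.
    pub fn authorize(&self, url: &str, secret: Option<&str>) -> Result<Vec<(String, String)>, Denied> {
        let host = host_of(url)?;
        if !self.allowed_hosts.contains(&host) { return Err(Denied::HostNotAllowed(host)); } // exact match
        let mut headers = vec![("Host".to_string(), host.clone())];
        if let Some(name) = secret {
            match self.secrets.get(name) {
                Some((value, bound)) if *bound == host =>
                    headers.push(("Authorization".to_string(), format!("Bearer {}", value))),
                _ => return Err(Denied::SecretNotBoundToHost),
            }
        }
        Ok(headers)
    }
}

// Constructed sample policy: two approved hosts, one token bound to the first.
pub fn demo_boundary() -> HostBoundary {
    HostBoundary {
        allowed_hosts: ["api.example.com", "files.example.com"].iter().map(|s| s.to_string()).collect(),
        secrets: HashMap::from([("api_token".to_string(), ("constructed-secret".to_string(), "api.example.com".to_string()))]),
    }
}

fn main() {
    for url in ["https://api.example.com/v1", "https://api.example.com@evil.test/"] {
        println!("{} -> allowed: {}", url, demo_boundary().authorize(url, Some("api_token")).is_ok());
    }
}
```

The gate fails closed: plain HTTP, lookalike suffixes, userinfo tricks and a token requested for a host it is not bound to are all refused before anything is sent.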
The contrast with how most AI labs ship agents is not subtle. Anthropic's Cowork, OpenAI's Agents SDK, and Google's Agent Development Kit are all closed stacks where the security model is whatever the lab decided. Polosukhin's thesis is that this is not acceptable for agents that will eventually handle real financial or personal infrastructure. "You do not want any singular company to have control or access to this," he said, referring to AI systems that manage health data or corporate logistics.
NEAR AI has also shipped a TEE-secured GPU marketplace: Trusted Execution Environment infrastructure where AI workloads run on hardware-isolated nodes with per-job attestation and zero operator access. The first 30-second attestation claim is specific enough to be testable. If an enterprise is running sensitive inference and needs verifiable confidentiality, this is a concrete offering, not a roadmap.
There is a gap worth naming. NEAR AI also operates an Agent Market, a decentralized task-and-payment layer where AI agents bid on jobs and earn NEAR tokens. The blog post announcing it is from February 2026. The smart contract code is not on GitHub. Near.ai says the platform enables agentic commerce, but the infrastructure behind the escrow and dispute resolution is proprietary rather than auditable. For a project that frames itself around transparency and user sovereignty, this is a contradiction the team has not addressed publicly.
Polosukhin's 12 supervised agents are the least interesting thing about this story. The interesting thing is that one of the people who built the architecture the AI industry runs on has concluded, from actual deployment, that you need the sandbox before you need the smarter model. IronClaw is what that conclusion looks like after you open your editor.