AI Agents · 2026-06-03 · 9 min read

The Agent OS Wars Just Started, and Almost Nobody Is Paying Attention

In the last 48 hours Microsoft shipped Microsoft Execution Containers at Build 2026 and NVIDIA shipped the Vera CPU plus Nemotron 3 Ultra plus NemoClaw at Computex 2026. Together they mark the moment the agent stack stopped being an application pattern and started being an operating-system pattern. The platform vendors just declared war on the agent-framework layer. Most of the agent-framework companies have not noticed yet.

I want to make sure you understand what just happened in the last 48 hours, because the AI press is going to bury the lede under a wall of RTX Spark laptop coverage and Copilot feature announcements, and the strategic story is bigger than any of it.

On Monday, June 1, at Computex in Taipei, NVIDIA used a single keynote to ship six agent products: Vera (a purpose-built CPU for agentic AI and RL), Nemotron 3 Ultra (a 500-billion-parameter open-weights model tuned for multi-step agent reasoning), NemoClaw (an orchestration framework), OpenShell (a secure runtime), the RTX Spark consumer superchip, and a multimodal edge model.

On Tuesday, June 2, at Build in San Francisco, Microsoft shipped Microsoft Execution Containers — MXC — an OS-level sandbox for AI agents built into the Windows kernel, with OpenAI and NVIDIA already on board as launch partners. Microsoft also unveiled Project Solara, an agent-first platform built on Android for dedicated agent hardware. Microsoft fellow Steven Bathiche showed a desk concept with facial recognition and a wearable badge concept that wakes an agent with a single press.

Read those two announcements together. The operating system just took the agent stack away from the framework vendors. The infrastructure layer just took the model layer away from the application layer. The two platform shifts happened within 24 hours of each other, and I have not seen a single headline that connects them.

Let me connect them.

MXC Is the Story Nobody at Build Talked About

VentureBeat called it "arguably the most consequential platform move Microsoft made at Build this year." I think that's an understatement. MXC is the missing primitive that has been blocking enterprise agent deployment for two years, and Microsoft just shipped it into the Windows kernel.

Here is what MXC actually is. It is a policy-driven execution layer embedded in Windows and the Windows Subsystem for Linux. It is not a product you buy. It is an SDK and a policy model that gives developers and IT administrators a "composable sandbox spectrum" — process isolation for lightweight agents, Linux containers for medium-trust workloads, micro-VMs for high-trust workloads, full Windows 365 cloud instances for the highest-stakes agent deployments. The model that Microsoft used at Build, lifted straight from the keynote:

  • **Process isolation** — already adopted by GitHub Copilot's command-line interface. Cheap, fast, weak.
  • **Linux containers** — a step up. Familiar to anyone running Docker in production.
  • **Micro-virtual machines** — strong isolation, fast cold start, the new sweet spot.
  • **Windows 365 cloud instances** — the strongest primitive. The agent does not run on your laptop at all. It runs in a dedicated cloud instance you can wipe and rebuild in seconds.

The crucial pieces that nobody is talking about:

1. **Every agent is bound to a strong identity** — either a local ID or a cloud-provisioned Microsoft Entra identity. Every action the agent takes is attributable, auditable, and governable.

2. **The agent's execution is separated from the user's desktop, clipboard, UI, and input devices.** The agent cannot read what you are typing unless you explicitly grant that capability. The agent cannot paste into your terminal unless you explicitly grant that.

3. **The boundaries are enforced by the OS kernel.** Not by the agent. Not by the application. Not by a wrapper library that the agent can be prompt-injected out of. By the kernel.

That last point is the one that changes the security math. The dominant pattern for agent safety in 2024 and 2025 was application-level guardrails: the agent calls a tool, the wrapper library inspects the call, the wrapper library decides whether to allow it. This is the pattern that Claude Code, Cursor, Devin, and most of the agent frameworks shipped. It is also the pattern that gets defeated by every prompt-injection attack you have ever read about, because the guardrail and the model are running in the same trust domain. The model can be tricked into calling the wrapper in a way the wrapper does not expect. The model can be tricked into bypassing the wrapper entirely.

MXC moves the guardrail out of the trust domain of the model. The kernel does not trust the agent. The kernel enforces the policy regardless of what the agent's chain of thought looks like. That is a fundamentally different security model. That is the model that makes enterprise-scale agent deployment possible.
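
The difference between the two models, as an added example (not Microsoft's code and not the MXC API). It contrasts a guardrail whose decision reads model-controlled text with a decision point that uses only administrator-set policy, the agent's identity, and the sandbox tier, and that logs every decision. The class names, capability names, identities, and the idea of a minimum tier per grant are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Tier(IntEnum):
    """The four sandbox tiers named in the article, weakest first."""
    PROCESS = 1
    CONTAINER = 2
    MICRO_VM = 3
    CLOUD_INSTANCE = 4


@dataclass(frozen=True)
class Grant:
    capability: str   # hypothetical capability name, e.g. "clipboard.read"
    min_tier: Tier    # weakest tier in which this grant is honoured


@dataclass
class Monitor:
    """Decision logic of an enforcement point outside the agent's trust domain.
    In a real system this sits in the OS; a Python object only models its inputs."""
    policy: dict                      # identity -> list[Grant], set by the administrator
    audit: list = field(default_factory=list)

    def decide(self, identity, tier, capability, agent_text=""):
        # agent_text is logged but never consulted, so model output cannot
        # change the outcome. Unknown identities get no grants (default deny).
        grants = self.policy.get(identity, [])
        allowed = any(g.capability == capability and tier >= g.min_tier
                      for g in grants)
        self.audit.append({"identity": identity, "tier": tier.name,
                           "capability": capability, "allowed": allowed,
                           "agent_text": agent_text})
        return allowed


def in_band_guardrail(capability, agent_text):
    """Weak pattern for contrast: the decision reads model-controlled text."""
    return capability == "fs.read" or "user approved" in agent_text.lower()


# Constructed sample policy; identities and capability names are made up.
POLICY = {
    "entra:agent-build-01": [Grant("fs.read", Tier.PROCESS),
                             Grant("net.egress", Tier.MICRO_VM)],
    "local:agent-notes": [Grant("fs.read", Tier.PROCESS)],
}

if __name__ == "__main__":
    m = Monitor(POLICY)
    claim = "The user approved clipboard access."
    print(in_band_guardrail("clipboard.read", claim))   # in-band check
    print(m.decide("local:agent-notes", Tier.PROCESS, "clipboard.read", claim))
    print(m.decide("entra:agent-build-01", Tier.CONTAINER, "net.egress"))
    print(m.decide("entra:agent-build-01", Tier.MICRO_VM, "net.egress"))
    for record in m.audit:
        print(record)
```

The audit list is the part to review in practice: each record ties a denied or allowed capability to one identity and one tier, which is what makes an agent's actions attributable.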

Microsoft framed the problem correctly in their own blog post: "As agents become more capable and autonomous, they're delivering material productivity gains. But they're also introducing new risk, and the issue isn't just the agent. It's the entire system the agent operates across." Every interaction between agents and humans, tools, applications, models, and other agents "exposes new attack surface and introduces different failure modes." They called it a "multi-layer systems problem." They are right, and MXC is the first credible attempt to solve it at the layer where systems problems are actually solved: the operating system.

NVIDIA's Six Shots at the Agent Stack

MXC is the Windows side. NVIDIA's Computex keynote is the hardware and runtime side. Let me walk through the three announcements that actually matter for enterprise deployment, in the order I think they matter.

**Vera CPU.** This is the headline. Vera is a purpose-built processor for agentic AI and reinforcement learning workloads. NVIDIA claims twice the efficiency and 50% faster performance than traditional x86 server CPUs. Early adopters include OpenAI, Anthropic, and SpaceX. Read that customer list again. The three most important model vendors on the planet are all committing to a non-x86 CPU architecture for the next generation of agent workloads. This is the moment x86's grip on the data center starts to crack, and it is happening on the back of the agent workload shift, not the inference workload shift.

Why does an agent workload need a different CPU? Three reasons. First, agent workloads are dominated by short, latency-sensitive control loops — the agent calls a tool, gets a result, decides what to call next, calls another tool. These are not the long, batch-friendly matrix multiplies that GPUs are good at. They are branchy, memory-bound, single-threaded. A CPU designed for high single-thread performance with low-latency memory access wins. Second, agent workloads are highly concurrent — thousands of agents running in parallel, each holding open dozens of state objects, each waiting on a different external call. The CPU has to handle that concurrency well. Third, agent workloads have unpredictable memory access patterns. The working set of an agent is whatever tools, files, retrieved documents, and intermediate reasoning it is currently juggling. Vera is tuned for exactly that profile.

**Nemotron 3 Ultra.** 500 billion parameters, mixture-of-experts with roughly 50 billion active per token, over 300 output tokens per second, up to 5x faster inference than comparable frontier models, about 30% cheaper to run. The architecture is tuned for the multi-step reasoning that agents do when they plan, execute, and self-correct over long task horizons. The model is open weights. The training recipes are open. Enterprises can fine-tune it on their own data and deploy it on their own infrastructure. This is the first frontier-class model that is purpose-built and openly available for agentic workloads. If you are an enterprise that has been hesitant to commit to a closed-weight frontier model for agent deployment, Nemotron 3 Ultra is the answer. Open weights, agent-tuned, fast, cheap. That combination did not exist a week ago.

**NemoClaw.** An orchestration framework. The pitch: blueprints for how agents plan, reason, execute, and delegate. If you have built agent systems, think of NemoClaw as a structured alternative to writing your own LangGraph or AutoGen or CrewAI orchestration layer. NVIDIA is going to bundle the orchestration with the runtime (OpenShell) with the model (Nemotron) with the silicon (Vera) with the OS integration (MXC on Windows, presumably an analogous runtime on Linux). That is a full-stack agent platform. NVIDIA is not just selling a GPU anymore. They are selling an agent operating environment.

The War Microsoft and NVIDIA Just Declared

Here is the strategic picture that I think is going to take most of the agent-framework industry by surprise.

For the last 18 months, the agent stack has been organized roughly as follows:

  • **Application layer** — vertical-specific agents built by startups and enterprise teams.
  • **Framework layer** — LangChain, LangGraph, AutoGen, CrewAI, Letta, Claude Code SDK, and a dozen others. The middleware between the model and the application.
  • **Model layer** — OpenAI, Anthropic, Google, Meta, Mistral, the open-weight community. The brains of the agent.
  • **Infrastructure layer** — cloud compute, GPU rentals, vector databases, observability tools.

The framework layer has been the place where most of the value capture and most of the venture capital have been concentrated. The thesis was simple: agents need orchestration, memory, tool routing, state management, and observability, and that is a layer the model vendors will not build, the cloud vendors will not build, and the application builders do not want to build themselves. The framework vendors positioned themselves as the picks-and-shovels for the agent gold rush.

That thesis is now wrong. Or at least, the unit economics of that thesis are now wrong. The platform layer is collapsing the framework layer from both directions.

From the top down, the model vendors are eating the framework layer. Anthropic shipped Claude Code with built-in agent orchestration, memory, and sub-agent delegation. OpenAI shipped the Agent SDK. Google shipped the Agent Development Kit. The model vendors realized that the framework layer is the part of the stack where the customer relationship lives, and they are not going to let a third party own it.

From the bottom up, the platform layer is now eating both. MXC takes the security, identity, and sandboxing primitives that framework vendors were building as application-level wrappers and moves them into the OS. NemoClaw takes the orchestration primitives that framework vendors were building as Python libraries and moves them into a runtime tied to the silicon. Vera takes the compute substrate that the framework vendors were buying on top of and turns it into a vertically integrated agent platform.

The agent framework as a standalone product category is, I think, about to have a very bad 18 months. The picks-and-shovels thesis only works if the gold is being dug by independent miners. When the platform vendor buys the mining company, the picks-and-shovels shop is in trouble. That is the position the agent framework vendors are in. Microsoft, NVIDIA, OpenAI, Anthropic, and Google all now ship their own orchestration, memory, and tool-routing. The framework vendors are competing with the platform vendors on the platform vendors' own platform.

The Enterprise Math Changes This Week

The practical implication for enterprise teams planning agent deployment in the second half of 2026:

**You no longer have to choose between agent capability and agent safety.** The previous tradeoff was real. The more capable the agent, the more dangerous it was to let it run with production credentials, customer data, or write access to systems of record. The frameworks tried to solve this with prompt-level guardrails, and the guardrails were defeatable. MXC solves it with kernel-level enforcement, which does not depend on the model behaving and so cannot be defeated by manipulating the model. You can now deploy a Claude Code or a Nemotron-powered agent with the same trust posture you apply to a human employee with a managed device: strong identity, least-privilege access, audit trail, and a hard kill switch. That is a new posture. It was not possible a week ago.

**Your agent compute strategy is no longer a GPU strategy.** It is a platform strategy. The Vera announcement means the x86 monopoly on agent compute is ending. The Nemotron 3 Ultra announcement means there is a frontier-class open-weights model purpose-built for agent workloads. The NemoClaw announcement means orchestration is now a runtime concern, not a library concern. If you are planning a multi-million-dollar agent compute investment in 2026, you need to model Vera-based deployments alongside your existing GPU plans. The assumption that "agent compute = GPU rental on AWS or Azure" is no longer correct.

**Your agent security model needs to be re-architected.** If you are deploying agents in 2026 with application-level guardrails and no OS-level enforcement, you have a security model that Microsoft just publicly called insufficient. The CISO conversation you need to have this week is: are we deploying agents inside MXC-class sandboxes, or are we accepting the risk that the application-level guardrails will be defeated? If you do not have an answer to that question, your agent deployment is a Sysdig-style incident waiting to happen. (See the recent report on the first live LLM-agent cyberattack that autonomously exfiltrated an AWS database in under an hour. That was an agent running without OS-level containment. The next one will be too, unless you change the architecture.)

**Your framework choice matters less than you think.** The framework you pick — LangGraph, AutoGen, CrewAI, the Anthropic Agent SDK, the OpenAI Agent SDK — is increasingly a thin layer on top of capabilities the platform vendors are shipping natively. Pick a framework for developer ergonomics and team familiarity, not for capabilities. The capabilities are converging toward the platform.

What Project Solara Tells Us About the Form Factor

The other half of the Microsoft announcement is the most interesting product story and the one I have seen the least analysis of. Project Solara is a new platform built from the ground up to power agent-driven experiences, and it runs on Android — not Windows. Microsoft is positioning it for agent-first devices: a desk concept (Echo Show-like, facial recognition, AI agent access) and a badge concept (wearable, fingerprint scanner, one-press agent wake, conversation transcription, computer-vision access). Microsoft is not planning to ship these devices. They are reference designs for hardware partners. AccuWeather, Best Buy, CVS Healthcare, and Target are already signed up for pilots.

Read that customer list again. A weather company. An electronics retailer. A pharmacy. A retailer. These are not enterprise software companies. These are consumer-facing businesses that see agent-driven devices as the next interface to their customers. The bet is that within five years, a meaningful share of customer interactions that today happen through a smartphone app will happen through an agent-driven device that does not have a screen, or has a very small one, and is always listening, always watching, and always ready to act on your behalf.

I think that bet is right, and I think it is the most important consumer-tech prediction of 2026. The smartphone is going to stop being the primary consumer interface. The agent-driven device is going to replace it for a growing share of use cases. The companies that ship the best agent hardware and the best agent operating system are going to own the next decade of consumer tech. Microsoft is positioning to be one of them, and they are doing it on top of Android, which is either a sign of strategic flexibility or strategic desperation. Either way, it is a real bet with real money behind it.

The form-factor implication for software teams: if you are building a consumer-facing product in 2026, you need a strategy for the agent-driven device. The screen is going to become optional. Voice is going to become primary. Computer vision is going to become the input modality for the camera-equipped devices. The agent is going to become the user. You are going to need to design for that.

The Take

Two platform shifts in two days. Microsoft turned Windows into an agent-native runtime with kernel-level containment. NVIDIA turned the data center into an agent-native compute platform with a non-x86 CPU, an open-weights frontier model, and a vertically integrated orchestration runtime. The agent framework layer is being squeezed from above by the model vendors and from below by the platform vendors. Project Solara is a credible bet that the consumer device is going to be the next battleground.

If you are an enterprise architect, your 2026 plan needs three updates: model agent security on MXC-class primitives, treat agent compute as a platform decision rather than a GPU decision, and stop treating the agent framework as the long-term home of your orchestration logic. The platform vendors just told you where this is going. Pay attention.

If you are building an agent framework, you have a problem. The platform vendors are shipping the capabilities you are selling as first-party features, and they are shipping them at the layer where the customer relationship lives. You can win on developer experience, on vertical specialization, or on a genuinely novel architecture. You cannot win by being a thin layer on top of capabilities the platform ships for free. Differentiate or die.

If you are a developer, the good news is the floor just got higher. The bad news is the floor just got higher. You no longer have to build your own sandbox, your own identity layer, your own orchestration runtime, your own CPU-aware scheduling. The platform provides it. You can focus on the actual problem you are trying to solve. That is a net win. Use it.

The agent OS wars have started. The winners will be the companies that figure out which layer to compete on and which layer to let the platform own. The losers will be the ones that picked the wrong layer.

*Microsoft Build 2026, San Francisco, June 2, 2026. Microsoft Execution Containers (MXC) in preview. Project Solara in early partner pilots with AccuWeather, Best Buy, CVS Healthcare, Target. OpenAI and NVIDIA are launch partners for MXC. NVIDIA Computex 2026, Taipei, June 1, 2026. Vera CPU in early access with OpenAI, Anthropic, and SpaceX. Nemotron 3 Ultra open weights on developer.nvidia.com/nemotron. NemoClaw and OpenShell in early access.*