Forensic Evidence for NemoClaw: HIPAA Audit Trails for Sandboxed Clinical AI

Healthcare has a two-layer problem

When a health system deploys an AI agent that reads patient records, generates treatment recommendations, and writes to the chart, two questions arise that no single tool answers:

Guardrails solve the first. They do not solve the second. Application logs attempt the second, but they are mutable, unsigned, and lack cryptographic identity. A tampered log is indistinguishable from an original. That is not evidence. That is a text file.

NVIDIA's NemoClaw and Vindicara's Project AIR solve each layer independently, and snap together cleanly because their boundaries do not overlap.

What NemoClaw brings: the hardened sandbox

NemoClaw combines NVIDIA's OpenClaw agent platform with the OpenShell runtime to create a sandboxed execution environment for autonomous AI agents. The agent runs inside a hardened container with declarative policies governing:

• Network access: which endpoints the agent can reach, enforced by eBPF at the kernel level. No policy, no connection.
• Filesystem access: which paths are readable, writable, or invisible. Locked at sandbox creation via Linux Landlock.
• Inference routing: which models the agent can call, through NemoClaw's L7 proxy. No model substitution attacks.
• Process isolation: seccomp + cgroups contain the agent's system calls and resource consumption.

For healthcare, this means a clinical decision support agent can be structurally prevented from accessing psychiatric records (42 CFR Part 2 protected), calling external APIs not in the approved list, or consuming more compute than budgeted. The sandbox is the cage.

What Project AIR brings: the cryptographic camera

Project AIR instruments the agent inside the sandbox. Every action the agent takes becomes a Signed Intent Capsule: a JSON record content-hashed with BLAKE3 and signed with Ed25519. Each capsule's signature covers both its own content and the previous capsule's hash, forming a tamper-evident chain that breaks if anyone alters a single byte.

The chain is the evidence. Not logs. Evidence. The distinction matters in healthcare:

How they connect: four lines of Python

The instrument_nemoclaw integration hooks into the OpenClaw agent lifecycle inside NemoClaw's sandbox. Every execution, every tool call, every inference request, and every OpenShell policy decision is captured as a signed capsule.

from openclaw_sdk import OpenClawClient
from airsdk import AIRRecorder
from airsdk.integrations.nemoclaw import instrument_nemoclaw

recorder = AIRRecorder("clinical-chain.jsonl")
client = OpenClawClient(api_key="...")
instrumented = instrument_nemoclaw(client, recorder)

# Every execution now produces signed forensic evidence
result = instrumented.execute(
    pipeline="clinical-cds",
    input={"mrn": "20260511-0042"},
)

The instrumented client captures six event types:

The last row is the bridge. When OpenShell denies a network egress or blocks a filesystem read, that enforcement decision is captured in the same signed chain as the agent's clinical actions. An auditor sees both what the agent tried and what the sandbox stopped, in one tamper-evident record.

HIPAA mapping: which layer covers which control

No overlap. No redundancy. NemoClaw fills the access control and transmission security columns. AIR fills the audit, integrity, and authentication columns. The minimum necessary row is the only shared concern, and even there the mechanisms are complementary: NemoClaw enforces at the infrastructure level (filesystem paths), AIR enforces at the application level (declared behavioral scope per agent).

What the auditor sees

A HIPAA auditor reviewing a NemoClaw + AIR deployment gets three artifacts:

1. The OpenShell policy YAML: a declarative specification of what the agent is allowed to access. Readable by a non-engineer. "This agent can reach the EHR API at ehr.internal:443 and the NIM endpoint at nim.internal:8000. Nothing else."
2. The signed forensic chain: every action the agent took, in order, signed and tamper-evident. The auditor can verify independently using air verify-public with zero Vindicara API calls. The math is the trust anchor, not the vendor.
3. The Sigstore Rekor anchor: a public, immutable timestamp proving the chain existed at a specific point in time. The auditor does not need to trust Vindicara, NVIDIA, or the hospital. The entry is at search.sigstore.dev, run by the Linux Foundation.

Three independent verification paths. No single point of trust. That is what HIPAA 164.312(c) integrity controls look like when you take them seriously.

A real scenario: clinical decision support on NemoClaw

A health system deploys a clinical decision support agent on NemoClaw. The agent reads patient labs, imaging reports, and medication history, then generates a treatment recommendation for a clinician to review.

$ air demo --healthcare

  Project AIR: Healthcare Demo (HIPAA-Aligned)

  STEP 2/8  AIR captures every EHR access
    PHI accesses captured: 14

      [ 2] tool_start     ehr_query (lab_results)
      [ 3] tool_end       HbA1c: 8.4%, Glucose: 186
      [ 4] tool_start     ehr_query (imaging)
      [ 5] tool_end       12mm RUL pulmonary nodule
      [ 8] tool_start     ehr_query (psychiatric_notes)
      [ 9] tool_end       [RESTRICTED: 42 CFR Part 2]
      [11] llm_end        Recommend GLP-1 agonist, PET-CT

  STEP 3/8  ✓ Chain integrity verified
  STEP 7/8  ✗ Tamper detected at index 3

  HIPAA 164.312(b): SATISFIED
  HIPAA 164.312(c): SATISFIED

Record 8 shows the agent attempted to access psychiatric records. OpenShell's filesystem policy blocked the underlying data access. AIR captured the attempt in the signed chain. The auditor sees both the prevention (sandbox policy denied) and the evidence (signed capsule recording the denied attempt). Neither layer alone gives this picture.

Getting started

If you are running clinical AI on NemoClaw, or evaluating NemoClaw for a healthcare deployment:

1. Install Project AIR: pip install projectair. MIT-licensed, runs locally, no cloud dependency required.
2. Instrument your NemoClaw agent: four lines. instrument_nemoclaw(client, recorder) handles the rest.
3. Run the healthcare demo: air demo --healthcare. Show it to your compliance officer. The output maps directly to the HIPAA CFR sections they review.
4. Connect to AIR Cloud: stream capsules to cloud.vindicara.io for a live forensic dashboard your security team monitors without touching the agent or the sandbox.

NemoClaw is the cage. AIR is the camera. The health system gets both, and the auditor gets evidence that neither vendor can fabricate.