AI-Q Skill and the Data Boundary for Research Agents
NVIDIA AI-Q agent skill lets Claude Code, Codex, and other harnesses delegate enterprise research to a local AI-Q server.
- What happened: NVIDIA released the
aiq-researchagent skill so Claude Code, Codex, OpenCode, and similar harnesses can delegate work to an AI-Q deep research server.- The announcement landed on May 20, 2026, and the useful context spans both the GitHub
.agents/skills/aiq-researchpackage and the AI-Q Blueprint documentation.
- The announcement landed on May 20, 2026, and the useful context spans both the GitHub
- Why it matters: The pattern moves search, citation handling, evaluation, and authenticated enterprise data access out of the general-purpose agent harness.
- Watch: Server operations, MCP authentication, token expiry, and Nemotron endpoint availability remain implementation responsibilities for the adopting team.
NVIDIA's AI-Q agent skill, announced on May 20, 2026, looks modest at first glance. It is a package with a SKILL.md file and a Python helper script. The interesting part is not that an agent suddenly became smarter. It is that NVIDIA is drawing a clearer line around what a general-purpose agent should not try to own by itself.
The argument is straightforward. Claude Code, Codex, LangChain Deep Agents, and similar harnesses are good at managing a session, wiring tools together, running code, and stepping through a user's task. But when those same harnesses need to read several internal documents, produce a sourced decision brief, plan a longer research pass, preserve citations, and safely reach authenticated enterprise data, the complexity returns to the application team. The AI-Q skill puts that research pipeline outside the harness, behind an AI-Q server, and lets the agent submit a research task and retrieve a structured report.
That makes the word "skill" more consequential than it often is. In today's agent ecosystem, a skill can mean a prompt bundle, a procedural instruction, a CLI wrapper, or a small automation script. That fuzziness has produced a reasonable debate: are skills a real reusable execution unit, or just another prompt wrapper with unclear responsibility? NVIDIA's example tries to land on the first side of that debate. The skill does not merely say "do research this way." It connects to a separate server, asynchronous jobs, MCP authentication patterns, evaluation harnesses, citation management, and OpenTelemetry traces.
The real announcement is a boundary, not a research feature
NVIDIA's Technical Blog calls this a "specialized deep research skill." The more important word is "delegates." The agent harness sends the research request to a local or hosted AI-Q server. That server handles search, planning, synthesis, and citations, then returns a report. The harness does not own the entire research pipeline.
This design targets a very practical enterprise AI problem. Enterprise data rarely arrives as one clean public web search API. It is spread across SharePoint, Confluence, GitHub Enterprise, ServiceNow, data warehouses, internal policy documents, regulatory files, and customer-specific storage. Access rights differ by person, app, service account, and delegated token. If a general-purpose agent touches all of those sources directly, the permission surface grows, audits get harder, and it becomes difficult to reconstruct which document was read through which route.
The AI-Q skill asks a different question: does the agent need direct access to the sensitive source material at all? NVIDIA's answer is close to "not always." Put the AI-Q server inside the environment where the data already lives, then let the harness exchange research requests and final reports. In regulated settings, the important capability is not simply that a model can read every document. It is that the organization can explain which path, identity, source, and evidence supported a conclusion.
General-purpose harnesses such as Claude Code, Codex, and OpenCode
aiq-research skill: request routing, job submission, polling, report retrieval
AI-Q server: intent classifier, clarifier, shallow researcher, deep researcher
MCP data sources, enterprise documents, citation-backed reports
The helper script NVIDIA published reinforces this boundary. scripts/aiq.py sends /chat requests, receives a job id when deep research starts asynchronously, polls for completion, and fetches the finished report. The default server address is http://localhost:8000, with AIQ_SERVER_URL available for override. In other words, the skill is not a hard-coded cloud product. It is a thin connector for a local development setup or an AI-Q server running inside an organization's own environment.
AI-Q is closer to a research backend than a universal agent
The AI-Q Blueprint README describes AI-Q as an "enterprise-grade research agent." Its default stack sits on NVIDIA NeMo Agent Toolkit and LangChain Deep Agents. The pitch is that it can produce both quick citation-backed answers and longer report-style research, with evaluation harnesses for measuring quality.
The internal structure is roughly four-part. An intent classifier decides the type and depth of a request. A clarifier asks for human input when the request is underspecified. A shallow researcher handles faster, bounded tool-calling search. A deep researcher performs planning, search, iteration, draft updates, source numbering, and final report generation. The Deep Researcher documentation also describes a default of two research iterations and a flow where an orchestrator coordinates planner and researcher subagents.
That differs subtly from what Claude Code or Codex usually do. A general harness follows the user's workflow: fix this bug in the repository, investigate this API and implement it, run the tests and repair the failures. AI-Q specializes in one subproblem inside that workflow: research. It classifies the request, asks clarification questions when needed, calls search tools, and writes an evidence-backed report.
For developers, that distinction matters. The moment you ask a coding agent to "read our internal policies and customer agreements and tell me whether this feature can ship," the problem is no longer just code editing. It becomes a problem of data access, auditability, source preservation, and permission delegation. Letting a general agent roam through browser sessions, shell commands, and MCP tools may feel convenient during a demo, but it can create too broad a permission envelope in production. The AI-Q pattern makes the coding agent less of a researcher and more of a caller of a verifiable research backend.
MCP integration is really an identity model
The most operational part of the announcement is MCP integration. NVIDIA says AI-Q is built on NeMo Agent Toolkit and connects MCP servers as function groups. It also documents three authentication patterns: unauthenticated MCP servers, MCP servers accessed through a service account, and downstream APIs that trust the signed-in AI-Q user's bearer token.
| Scenario | AI-Q pattern | Operational meaning |
|---|---|---|
| Unauthenticated MCP server | mcp_client function group | Easy for development and testing, but risky for production data unless carefully scoped. |
| App or backend credentials | mcp_client plus mcp_service_account | Fits CI, batch jobs, and shared data sources where app-level access control is acceptable. |
| Delegated user token | get_auth_token() in a custom AIQ tool | Preserves user authority, but token time-to-live failures remain a concern for long-running jobs. |
The point is not merely "AI-Q supports MCP." It is "AI-Q separates MCP authentication patterns." Agent product launches often emphasize how many tools and connectors can be attached. In enterprise deployments, the more important question is whose identity invokes those tools. Is the system reading data with app credentials? Is it forwarding a user's delegated authority? What happens when a long job outlives a token? Where does the failure log land?
NVIDIA does not hide the sharp edge. In the bearer-token pattern, the request token is captured at job submission time and restored inside an async Dask worker, but current documentation says mid-job token refresh is not yet supported. A job that runs longer than the token time-to-live can fail when it reaches an authenticated tool call, and worker-side refresh is left for a future release. That small note matters. Saying that an agent can run long tasks also means authentication and session lifetime have to be designed for long tasks.
Why on-premises deep research is coming back into focus
The other axis of the AI-Q skill is where it runs. NVIDIA says the AI-Q Blueprint includes Docker Compose and Helm charts and can be deployed on a developer laptop, on-premises or cloud Kubernetes, and air-gapped data centers. It also points to a Dell AI Factory validated reference architecture, directly naming regulated sectors such as financial services, the public sector, and manufacturing.
That fits the broader direction of AI infrastructure. In the early phase, using a model API was often enough: send a prompt and documents to a cloud model, get an answer back. As coding agents and workplace agents connect to real systems, the data boundary has moved back to the center. Source code, internal policies, customer contracts, security logs, medical documents, and public-sector records all force the same question. It is less "can a model read this?" and more "where did it read it, what did it retain, who approved it, and how can we audit it?"
AI-Q is NVIDIA's answer to that question. Run the research pipeline near the data. Pick models from the NVIDIA API Catalog or self-hosted NIM. Use Nemotron-family open models on-premises where needed. This is not an argument that cloud frontier models disappear. NVIDIA's own materials describe using frontier models for complex orchestration and planning, routing sensitive research tasks to self-hosted models, or turning off frontier models entirely when compliance requirements demand it.
For developers, the design question becomes workflow routing rather than model selection alone. Public web search, internal document search, sensitive-data summarization, and final report writing can sit behind different permission boundaries and model choices inside the same agent task. The AI-Q skill lets a general-purpose harness avoid implementing every branch directly, while a research backend owns those policy-sensitive paths.
Evaluation and tracing are about accountability
The AI-Q README says the Blueprint includes evaluation harnesses such as FreshQA, Deep Research Bench, and DeepSearchQA. The Deep Researcher documentation also mentions citation verification post-processing. After the final report is produced, deterministic post-processing compares citations with the sources actually retrieved so the output is easier to audit. NVIDIA Agent Intelligence Toolkit documentation positions the toolkit alongside frameworks such as LangChain, LlamaIndex, CrewAI, and Microsoft Semantic Kernel, while avoiding a hard tie to one long-term memory or data-source layer.
These are not flashy features. They are, however, exactly where enterprise agent adoption tends to break. "The report sounds plausible" is not enough. A team needs to know which document supported each claim, which query ran, which tool was called, where the failure occurred, and whether the approved plan matched actual execution.
OpenTelemetry tracing belongs in the same category. If an agent reads internal data and returns a conclusion, but the log only says "LLM response generated," the security and legal teams have little reason to trust the system. NVIDIA's decision to frame AI-Q as part of a reference architecture, rather than just an open-source sample, follows from this. As agents gain more power, the commercial value increasingly sits in the operational layer that constrains, observes, and explains that power.
What makes this different from a prompt-only skill
Skepticism around agent skills is not baseless. Some skills are effectively long system prompts. Instructions such as "follow this procedure in this domain" can still be useful, but they do not by themselves create data access controls, failure handling, evaluation, audit trails, or an identity model. A larger catalog of such skills can even make behavior more opaque if it is unclear which instruction shaped which action.
The AI-Q skill is different because it changes the execution path, not just the instruction layer. Through python3 scripts/aiq.py chat "<query>", the harness sends a routed /chat request. If deep research is required, it receives a job id and polls for completion. The helper also defines commands such as agents, submit, research, status, state, report, stream, and cancel. That is closer to "send this work to this server and retrieve the result this way" than "think carefully about research."
This does not make the design free. A team still has to operate the AI-Q server, attach data sources, manage API keys and service accounts, and plan for model endpoint availability. NVIDIA's documents say Nemotron Super is compatible and tested, but the Build API endpoint can return 429 or 503 under demand, so the default configuration uses Nemotron Nano for stability. That note reads like a small operational footnote, but it is important. Deep-research quality is only one dimension. Endpoint availability, fallback models, and self-hosting paths have to be part of the architecture.
The practical impact for development teams
This does not mean every development team should adopt AI-Q immediately. The larger point is the pattern. Coding agents and workplace agents are unlikely to keep absorbing every capability into one universal agent. More capabilities will be split into skills, MCP servers, workflow backends, evaluation harnesses, sandboxes, and tracing systems. The general harness becomes a control layer that calls specialized systems rather than a place where every enterprise concern is reimplemented.
With that pattern, the design questions change. Before asking which LLM is best at research, a team should ask where the required data lives. Should the agent read the raw source directly? What level of citation does the report need? Should access happen through delegated user authority or app credentials? How are tokens refreshed when jobs run for a long time? Who records retries and failures? How should a cheap shallow path and a higher-quality deep path be separated for the same request?
AI-Q Blueprint is one implementation of those answers. Teams already invested in NVIDIA's ecosystem may value the connections to NIM, Nemotron, NeMo Agent Toolkit, and Dell AI Factory. Teams already building on OpenAI Agents SDK, AWS Bedrock AgentCore, Azure Foundry, or a custom LangGraph stack may not adopt AI-Q directly. But they can still borrow the architectural idea: split the research backend from the general-purpose harness.
Why this matters outside NVIDIA's ecosystem
The same gap appears in many enterprise AI rollouts. In a demo, it is easy to show an agent searching internal documents and writing a report. During real deployment, privacy rules, industry regulation, network separation, security review, external API restrictions, record retention, model choice, and cost controls arrive at the same time. "Use a better model" is too shallow an answer.
The NVIDIA AI-Q skill points at that gap. Instead of giving an agent every door key, it keeps the research pipeline inside the enterprise data boundary and lets the general harness receive a structured report. Done well, a coding agent does not need to rummage through internal wikis and policy documents directly. A verified research server can find the relevant evidence and return it with citations. Done poorly, the same skill layer can become another route around permission boundaries.
That is why this announcement is better read as an architecture signal than as a simple "NVIDIA launched a deep research skill" story. Coding-agent competition began in IDEs and terminals, but it is now expanding into research, authentication, data sovereignty, evaluation, and tracing. AI-Q skill is a small example of that expansion, and it shows how enterprise agent architecture is becoming more decomposed.
The likely future is not one all-purpose agent. A general harness understands the user's workflow. A research server produces evidence inside the data boundary. MCP and service accounts separate access rights. Tracing and evaluation harnesses explain what happened afterward. NVIDIA's update matters because it exposes that division of labor through a small, portable SKILL.md package.