Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw

Organizations urgently need governance frameworks built around visibility, access control, and behavioral monitoring to manage the expanded attack surface this creates. OpenClaw is an open-source platform for autonomous AI agents that you can self-host and run locally on your machine for task automation. Taking this platform to task, AI agents are now interacting with one another via an experimental social network for AI agents called Moltbook. Even an experienced AI security researcher at Meta learned that OpenClaw is not without its wild-west frontier status. An AI agent accidentally deleted her emails. This news has again put the spotlight on the nature of authority and agency granted to agentic AI systems, as well as the need for better security and governance. Goodbye Recommendations, Hello Authority OpenClaw AI assistants are no longer legacy chatbots. They have undergone a substantial upgrade and are now an automation executional layer delivered through chat. They can now access tools and systems and leverage persistent memory and inherited permissions to act on the user’s behalf. Think of the chat interface as the multi-step execution engine that can act across business-critical workflows, including revenue operations, IT services, HR, procurement, and security. This transition is authoritative because a single prompt can trigger file access, API calls, messages to third parties, or make changes to the infrastructure. The shift from recommendation to action means organizations must view this transition from the governance perspective, focusing on improved visibility, control, and enforcement to support better risk management. The Anatomy of the OpenClaw Framework To see why OpenClaw shifts the security conversation, it helps to look at how it typically runs in practice. At a basic level, a request starts in chat or a messaging tool, and it may come from outside the usual set of enterprise apps. The gateway receives the request, tracks the ongoing conversation, and decides which connected tools or services to use, triggering actions via local access and connected APIs, using the same access rights as the user and connected systems. Once those behind-the-scenes steps are complete, the result is returned to the user as a response in the chat. Local deployments matter because they place an always-running service inside your environment. That service typically stores setup files, activity records, and the credentials it needs to connect to other tools. If many teams install and run it independently, it can spread into everyday workflows before IT has a clear view of where it is running, what it can reach, and whether it is configured securely. A Single Chokepoint, Enterprise-Wide Impact The OpenClaw Gateway is the always-on control plane that receives incoming messages, maintains sessions and channel connections, and routes requests to the right agent, tools, or services. It’s like the front door of a busy supermarket in an agentic AI system. There is a series of prompts coming in and out of the door. Upon receiving a prompt, it gears up for action, picking the right set of tools and integrations to finish the task. In more advanced setups, the agentic AI has even more agency, storing session state and the credentials needed to interact with other systems. If this ‘front door’ is compromised, you have to confront a growing blast radius as the exposure can trigger legitimate actions across multiple apps and services: The gateway’s risk rises sharply when it extends beyond its intended network scope and becomes remotely reachable, effectively turning it from a simple exposed service into an external control point. Weak access controls can worsen exposure because they can let an attacker (who can connect to the gateway) authenticate successfully and start triggering actions. On local networks, discovery protocols like multicast DNS can advertise the gateway’s presence and connection details, making it easier for anyone with local access to find it and start probing it. Many gateways also use two paths at once: regular HTTP endpoints, plus long-lived WebSocket connections for interactive sessions. If the reverse proxy and access rules are not applied consistently to both, gaps appear that attackers can exploit. OpenClaw Security Guidance Falling Short at Enterprise Scale OpenClaw guidance focuses on minimizing gateway exposure, enforcing stronger authentication backed by regular credential rotation, reducing network discovery as and when possible and treating all logs and transcripts as sacrosanct. But these guidelines can fall short at enterprise scale. Here, the governance gap shows up in three high-risk areas: Prompt Injection: Bad answers are old news; it is the bad actions you must worry about. Malicious instructions can make the assistant access data it shouldn’t by leveraging permission inheritance. This allows attackers to exfiltrate data or execute actions that seem legitimate because they move through trusted, approved workflows. Supply Chain Drift: Adding extensions also means taking on third-party behavior. Even small add-ons can quietly gain broad permissions and gradually expand what the assistant can access or do. For example, an extension that reads calendar data may also gain access to contacts, files, or messaging workflows over time, widening the assistant’s reach without that shift being obvious. Malware Delivery: Well-known tools are often used to deliver malware or remote-access payloads through fake installers, rogue extensions, or fake “prerequisites,” making it especially important to spot suspicious versions and unusual outbound traffic. The Ideal Governance Playbook OpenClaw creates risk across users, devices, networks, and applications, and because it is adopted across users and locations, its impact is felt across access, exposure, and data movement. The ideal governance approach therefore should be founded on: Visibility: With 29% of employees using unsanctioned AI agents at work, your first goal is to get visibility into shadow AI usage, that is, who is using agentic assistants, location, and the behavioral patterns. This information helps to deploy the right policies. Control: Fix implementation and deployment guardrails for OpenClaw and test agents in a limited deployment. These closely monitored trials help you clearly identify who can use OpenClaw, on what devices, and in what conditions. If such controls are not possible, blocking uncontrolled use is often the quickest way to reduce risk. Block Malicious Pathways:  If fake installers, malicious extensions, or compromised components start reaching out to external attacker-controlled systems, network-level defenses can detect suspicious command-and-control traffic and other unusual behavior. Managing agentic AI risk calls for more than legacy network or application security thinking. Organizations need deeper visibility into how threats such as prompt injection, data exfiltration, and autonomous misuse play out in real-world environments. That is why AI security now depends on continuous research, better behavioral insight, and policy controls built specifically for how agents operate. Learn More at the AI Risk Summit WRITTEN BY Etay Maor Etay Maor is Vice President of Threat Intelligence at Cato Networks, a founding member of Cato CTRL, and an industry-recognized cybersecurity researcher. Prior to joining Cato in 2021, Etay was the chief security officer for IntSights (acquired by Rapid7), where he led strategic cybersecurity research and security services. Etay has also held senior security positions at Trusteer (acquired by IBM) and RSA Security’s Cyber Threats Research Labs. Etay is an adjunct professor at Boston College and is part of the Call for Paper (CFP) committees for the RSA Conference and Qubits Conference. Etay holds a Master’s degree in Counterterrorism and Cyber-Terrorism and a Bachelor's degree in Computer Science from IDC Herzliya. More from Etay Maor Living off the AI: The Next Evolution of Attacker Tradecraft Rethinking Security for Agentic AI How TTP-based Defenses Outperform Traditional IoC Hunting Will AI-SPM Become the Standard Security Layer for Safe AI Adoption? Who’s Really Behind the Mask? Combatting Identity Fraud The ZTNA Blind Spot: Why Unmanaged Devices Threaten Your Hybrid Workforce Applying the OODA Loop to Solve the Shadow AI Problem AI Giving Rise of the ‘Zero-Knowledge’ Threat Actor Latest News DoE Publishes 5-Year Energy Security Plan Poland Faced a Surge in Cyberattacks in 2025, Including a Major Assault on the Energy Sector RSAC 2026 Conference Announcements Summary (Day 1) Extortion Group Claims It Hacked AstraZeneca Chrome 146 Update Patches High-Severity Vulnerabilities Webinar Today: Putting CIS Controls and Benchmarks into Practice 3.1 Million Impacted by QualDerm Data Breach Iran Built a Vast Camera Network to Control Dissent. Israel Turned It Into a Targeting Tool Trending Webinar: Securing Fragile OT In An Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the Move Markwayne Mullin as DHS Secretary late Monday. 7AI has appointed Israel Barak as its first Chief Information Security Officer. Brian Harrell has been appointed Chief Security Officer at FirstEnergy. More People On The Move Expert Insights The Human IOC: Why Security Professionals Struggle With Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How To 10x Your Vulnerability Management Program In The Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose A Critical Flaw In Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat As Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How To Eliminate The Technical Debt Of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Flipboard Reddit Whatsapp Email