
Your AI Agents Are Already Inside the Building. Who’s Watching What They Do?

OpenClaw isn't the problem. It's the proof. With 180,000+ GitHub stars and shadow deployments in 23% of enterprise environments, autonomous AI agents have outpaced every security architecture designed to govern them.

Mark Rogge, CEO · 14 min read

Written by Mark Rogge, CEO EnforceAuth

OpenClaw isn't the problem. It's the proof.

Six weeks ago, OpenClaw didn't exist. Today it has 180,000+ GitHub stars, an estimated half million users, and a security rap sheet that reads like a greatest hits album of everything CISOs feared about autonomous AI. The 512 vulnerabilities. The 341 malicious skills. The 42,000+ exposed instances. And an $870,000 premium on breach costs tied to shadow AI.

Most of the breathless coverage treats this as an OpenClaw story. It is not. These numbers aren't aberrations in one open-source project. They are what happens when autonomous software meets authorization architectures that were designed for humans clicking buttons.

And if you think your enterprise is immune because nobody approved OpenClaw internally, you are likely wrong. Stoken Security found unauthorized OpenClaw deployments in 23% of enterprise environments they examined. The 2026 CISO AI Risk Report puts it more bluntly: 70% of security leaders have already discovered unauthorized AI tools running with elevated access in production, and 92% lack full visibility into their AI identities.

Your AI agents are already inside the building. The question is whether anyone is watching what they do.

Why Can't Existing Security Tools Govern AI Agents?

Talk to a CISO about agentic AI risk right now and you'll hear a version of the same frustration. "We have dozens of security tools, and none of them can tell me what our AI agents are actually doing."

That is not because CISOs are behind the curve. It is because the security industry built its entire stack around a question that no longer covers the threat: who can log in?

Identity and Access Management handles authentication well. Endpoint Detection catches malicious binaries. DLP scans for credit card numbers in outbound emails. CSPM maps cloud misconfigurations. Each tool solves a real problem. None of them solve this problem.

An AI agent doesn't break in. It walks through the front door carrying your employee's credentials. It doesn't exfiltrate data with a binary payload that triggers EDR. Instead, it writes a polite email summarizing your customer's financial records and sends it to an external address. It doesn't exploit a CVE to run shell commands. It was given shell access as a feature.

Cisco's security research team put it bluntly when they assessed OpenClaw: "groundbreaking" from a capability perspective, "an absolute nightmare" from a security perspective. Sophos captured the mechanism precisely. Anyone who can message the agent effectively inherits the agent's full permissions, turning multi-factor authentication and network segmentation into decorations.

The 2026 CISO AI Risk Report quantified the governance gap. The Authorization Gap is the structural disconnect between authenticating an identity and actually governing what that identity is allowed to do. It's what happens when you verify who something is but never define what it should be permitted to do. 86% of security leaders don't enforce access policies for AI identities. 85% still rely on login-based authentication methods designed for human users. When only 16% of enterprises effectively govern AI agent access to core systems, we are not looking at a technology gap. We are looking at a category gap.

The Three Enterprise Pain Points That Keep Expanding

1. Shadow Agents Are Faster Than Policy

The first generation of shadow AI was an employee pasting sensitive data into ChatGPT. Risky, but containable. The tool couldn't reach back into your systems.

Shadow agents are fundamentally different. A shadow agent is an AI agent deployed within an enterprise environment without formal IT approval or security governance, operating autonomously with inherited credentials and system access that no one is tracking.

They connect to Slack, Gmail, SharePoint, and internal APIs. They inherit OAuth tokens. They act autonomously across system boundaries. And they operate with persistent memory, which means a compromised agent doesn't just steal data once. It maintains access indefinitely.

Google Cloud's 2026 cybersecurity forecast identified this as the critical shift: shadow agents create "invisible, uncontrolled pipelines for sensitive data" that traditional discovery tools can't see. The CIO research community is finding the same pattern. Employees are building their own internal LLMs and agents that bypass IT policies entirely, often because saying "no" to AI tools without providing governed alternatives drives adoption underground.

Microsoft's Defender team has already identified live campaigns using "memory poisoning" to manipulate AI assistants persistently. This is not theoretical. The attack surface is active.

2. Traditional Security Is Architecturally Blind

The fundamental issue is not that security tools are bad. It's that they were designed for a world where all actors were human and all actions were direct.

Sandboxing forces a binary choice. Total restriction or total access. An agent in a full sandbox can't do anything useful. Relax the rules, and you're back where you started. AI guardrails and prompt filtering catch known injection patterns but can't evaluate whether a legitimate-sounding action should actually be authorized given full context. Endpoint detection sees processes and network calls, but agent-initiated actions look identical to normal user behavior. The payload is natural language, not malicious code.

Security researchers across multiple firms have converged on the same conclusion independently. Traditional controls aren't built for autonomous actors that authenticate once, delegate and chain actions across boundaries, and evolve through persistent memory. As TimeFirm's analysis concluded, even if every OpenClaw instance were flawlessly configured and every known vulnerability patched, the fundamental risks would persist because they are inherent to the agentic model itself.

3. Regulation Is Arriving Faster Than Readiness

The EU AI Act's enforcement deadlines for high-risk systems begin in August 2026. That's six months from now. DORA is already imposing digital operational resilience requirements that explicitly cover AI-driven operational processes. Over 1,050 AI-related laws were proposed globally in 2025.

These frameworks require things that most enterprises cannot currently produce for their AI agents. Structured audit trails. Demonstration of appropriate authorization. Evidence of human oversight for high-risk decisions. Proof that data access was limited to what was necessary for a specific task. Explainable decision chains for regulatory examination.

The 86% of CISOs who doubt their ability to detect or contain AI agent misuse are not going to find comfort in regulatory timelines that assume they can.

What Is Decision-Centric Authorization and Why Does It Matter?

Decision-centric authorization is a security model that evaluates every individual action an agent attempts against contextual policy in real time, rather than relying on static role assignments granted at login. It shifts the core security question from "who has access" to "should this specific action be allowed right now."

Every security tool in your stack answers a version of the same question: who has access?

Autonomous AI agents force a different question entirely. Should this specific action, by this specific agent, with this specific delegation chain, accessing this specific resource, under these specific conditions, be authorized right now?

That is not an incremental improvement to IAM. It is a different category of security. One that treats every agent action as a discrete, governable decision evaluated against current contextual policy.

This is what we built EnforceAuth to solve. Not because OpenClaw is uniquely dangerous, but because every enterprise deploying AI agents faces the same structural gap between authenticated identity and authorized autonomous action. Enterprise copilots, custom-built agentic systems, open-source tools that employees spun up last Tuesday. The gap is the same everywhere.

The AI Security Fabric sits between the agent's reasoning and its execution. Every shell command, API call, file access, email send, and tool invocation passes through policy evaluation before it happens. Not binary allowlists based on static roles. Continuous contextual evaluation: actor identity and type, delegation chain, resource sensitivity, operational conditions, behavioral history, and regulatory requirements. Every decision logged, auditable, and available for compliance reporting in real time.

For organizations discovering shadow agent deployments, and that is most organizations whether they know it yet or not, the platform deploys as an authorization layer without requiring modification to the agents themselves. Governance without prohibition. Because prohibition without alternatives is what created the shadow AI problem in the first place.

Common Questions About AI Agent Authorization

What is decision-centric authorization?

Decision-centric authorization evaluates every action an AI agent attempts against real-time contextual policy, including who the actor is, what resource it's touching, what delegation chain led to the request, and whether current conditions permit it. It replaces the traditional model of granting broad permissions at login with continuous per-action governance.

What are shadow AI agents?

Shadow AI agents are autonomous AI tools deployed inside enterprise environments without formal IT approval or security oversight. Unlike earlier shadow AI (employees pasting data into ChatGPT), shadow agents connect to internal systems, inherit OAuth tokens, and act across system boundaries with persistent memory and no access controls.

Why doesn't traditional IAM work for AI agents?

Traditional IAM was built to answer one question: who can log in? AI agents authenticate once and then execute thousands of autonomous actions across multiple systems. IAM checks permissions at login, not at the moment an agent decides to email your customer's financial records to an external address. The architecture assumes human actors making direct, infrequent requests.

What is the Authorization Gap?

The Authorization Gap is the disconnect between verifying an identity (authentication) and governing what that identity is actually permitted to do (authorization). Most enterprises solved the first problem years ago with SSO and MFA. The second problem, especially for AI agents that chain actions autonomously, remains largely ungoverned. The 2026 CISO AI Risk Report found that 86% of security leaders don't enforce access policies for AI identities.

How does policy-as-code apply to AI agent security?

Policy-as-code means writing authorization rules in a machine-readable format (using frameworks like OPA or Cedar) so they can be version-controlled, tested, and deployed like software. For AI agents, this is table stakes. What matters more is runtime enforcement: evaluating those policies against every agent action as it happens, not just defining them in a repo and hoping they get applied.
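To make the per-action model described in the decision-centric authorization section and in the policy-as-code answer above concrete, here is a minimal policy decision point written as an added example for this page. It is not EnforceAuth's code and not OPA or Cedar; the action names, sensitivity tiers, corporate mail domain, approval-ticket field and every sample request are constructed. It shows the two things those passages stress: the decision is taken at the moment of each action with the actor type, delegation chain, resource sensitivity and request context in hand, and every decision is written to an audit record whether it was allowed or denied.

```python
"""Minimal decision-centric policy decision point (PDP), added as an example.
Not EnforceAuth's code and not OPA or Cedar: every rule, identifier and sample
request below is constructed for illustration."""
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Optional

# Constructed policy parameters (policy-as-code would load these from a repo).
KNOWN_ACTIONS = {"email.send", "shell.exec", "file.read"}
SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
INTERNAL_MAIL_DOMAINS = {"example.com"}   # constructed corporate mail domain

@dataclass
class ActionRequest:
    """One discrete action an actor is about to take; evaluated every time."""
    actor_id: str                 # e.g. "agent:ops-assistant" (constructed)
    actor_type: str               # "human" or "agent"
    delegation_chain: List[str]   # root principal first, requesting actor last
    action: str                   # what is about to happen, e.g. "email.send"
    resource: str                 # opaque resource identifier
    resource_sensitivity: str     # key of SENSITIVITY_RANK
    context: Dict[str, Any] = field(default_factory=dict)

@dataclass
class Decision:
    allowed: bool
    reasons: List[str]            # every deny reason that applied; empty on allow

def rule_human_root(req: ActionRequest) -> Optional[str]:
    # Agents touching confidential or restricted data must trace back to a person,
    # however many agent-to-agent hops sit in between.
    if req.actor_type == "agent" and SENSITIVITY_RANK[req.resource_sensitivity] >= 2:
        if not req.delegation_chain or not req.delegation_chain[0].startswith("user:"):
            return "no human principal at the root of the delegation chain"
    return None

def rule_external_email(req: ActionRequest) -> Optional[str]:
    # The article's scenario: a tidy summary of financial records mailed outside.
    if req.action != "email.send" or SENSITIVITY_RANK[req.resource_sensitivity] < 2:
        return None
    recipient = str(req.context.get("recipient", ""))
    domain = recipient.rsplit("@", 1)[1].lower() if "@" in recipient else ""
    if domain not in INTERNAL_MAIL_DOMAINS:
        return f"{req.resource_sensitivity} data addressed to external recipient {recipient!r}"
    return None

def rule_agent_shell_needs_approval(req: ActionRequest) -> Optional[str]:
    # Shell access granted "as a feature" still gets a per-invocation human check.
    if (req.actor_type == "agent" and req.action == "shell.exec"
            and not req.context.get("human_approval_ticket")):
        return "agent shell execution requires a human approval ticket"
    return None

RULES: List[Callable[[ActionRequest], Optional[str]]] = [
    rule_human_root, rule_external_email, rule_agent_shell_needs_approval]

def authorize(req: ActionRequest, audit_log: List[Dict[str, Any]]) -> Decision:
    """Deny-overrides: collect every objection, allow only when there are none,
    and record the full request and decision for audit either way."""
    reasons = [r for r in (rule(req) for rule in RULES) if r is not None]
    if req.action not in KNOWN_ACTIONS:   # default-deny anything not catalogued
        reasons.append(f"action {req.action!r} is not in the policy catalogue")
    decision = Decision(allowed=not reasons, reasons=reasons)
    audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                      "request": asdict(req), "decision": asdict(decision)})
    return decision

def demo() -> List[Decision]:
    """Evaluates constructed sample requests, mostly one agent acting for one user."""
    audit: List[Dict[str, Any]] = []
    chain = ["user:alice@example.com", "agent:ops-assistant"]
    fin = "crm://customers/acme/financials"
    requests = [
        # 1 confidential financials mailed to an outside address -> deny
        ActionRequest("agent:ops-assistant", "agent", chain, "email.send", fin,
                      "confidential", {"recipient": "contact@outside-example.net"}),
        # 2 same data mailed back to the delegating user -> allow
        ActionRequest("agent:ops-assistant", "agent", chain, "email.send", fin,
                      "confidential", {"recipient": "alice@example.com"}),
        # 3 shell command with no approval on record -> deny
        ActionRequest("agent:ops-assistant", "agent", chain, "shell.exec",
                      "host://build-01", "internal", {"command": "df -h"}),
        # 4 same command with a recorded approval ticket -> allow
        ActionRequest("agent:ops-assistant", "agent", chain, "shell.exec",
                      "host://build-01", "internal",
                      {"command": "df -h", "human_approval_ticket": "CHG-0001"}),
        # 5 agent-to-agent chain with no human at the root -> deny
        ActionRequest("agent:c", "agent", ["agent:a", "agent:b", "agent:c"],
                      "file.read", "crm://customers/acme/notes", "confidential"),
        # 6 an action type the policy has never catalogued -> deny
        ActionRequest("agent:ops-assistant", "agent", chain, "db.drop",
                      "db://crm", "internal"),
    ]
    return [authorize(r, audit) for r in requests]

if __name__ == "__main__":
    for i, d in enumerate(demo(), 1):
        print(i, "ALLOW" if d.allowed else "DENY", "; ".join(d.reasons))
```

Two design choices carry the point of the passages. The rules never look at who logged in; the same agent, with the same credentials, is allowed to mail the financial summary to the delegating user and refused when the recipient is outside the corporate domain, because the decision is made per action with the recipient in hand. And the audit entry is written on allow as well as deny, which is the structured, per-action trail the regulation section says examiners will ask for; a real deployment would ship that log somewhere tamper-evident rather than keep it in a list.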

The Window Is Closing

Six weeks from zero to 180,000 GitHub stars and half a million users. That is the adoption velocity of agentic AI. The security architectures meant to govern it are running on a cycle measured in quarters and fiscal years.

The enterprises that get this right will be the ones that recognize the category shift. From identity-centric security that asks who can log in to decision-centric security that governs what every actor, human or AI, is allowed to do right now under current conditions.

The agents are already inside. The question is whether you'll know what they're doing before your regulators ask.

If you're running agents without authorization controls, or you suspect your teams have deployed them without telling you, we should talk.

About EnforceAuth

EnforceAuth is the AI Security Fabric for the agentic era. We provide decision-centric authorization across applications, infrastructure, data, and AI workloads. Write policy once. Enforce everywhere.
