What happened?
Agentic AI platforms have recently surged in popularity, reflecting demand for AI that can do things rather than simply answer questions.
While conversational AI – such as ChatGPT – focuses on responding to user prompts, agentic AI – built on top of models such as Google's Gemini and Anthropic's Claude – takes action autonomously to complete tasks, executing operations with minimal human prompting.
Agentic AI can be run locally, connected to powerful LLMs and granted access to other platforms, such as email, file systems, SaaS APIs, and internal business applications. This functionality is further bolstered by community‑built "skills" that allow agents to perform more complex tasks.
OpenClaw, formerly known as "Moltbot", has recently emerged as one of the most widely deployed "agentic AI" personal‑assistant platforms. As more users contribute skills, using platforms such as "Moltbook" to share them, the platform becomes even more capable. This powerful combination of autonomy and extensibility has driven adoption among developers and, more worryingly, employees experimenting in corporate environments using instances that are often spun up without security review.
This shift from conversational AI to agentic AI, however, introduces a very different risk profile: the same capabilities that make these agents more powerful also make them more dangerous when deployed casually.
So what?
Sub-par authentication, overly permissive access and unpatched vulnerabilities – including remote code execution – mean that these deployments can function as backdoors into corporate environments. The agent becomes a single point of compromise: an attacker who gains control of it inherits every permission it holds over files, credentials, browser sessions and internal systems.
A recent Bitdefender internet-wide scan identified more than 135,000 OpenClaw instances exposed online, many of them running with default configurations and directly reachable from the public internet.
On top of this, improperly managed agentic AI deployments can also create significant regulatory headaches, as agents may process regulated data without logging or approval, complicating GDPR, HIPAA, and PCI-DSS compliance. Autonomous agents can ingest, transform and transmit sensitive information as part of routine tasks, and often do so without generating an audit trail or allowing administrators to control where the data flows.
For GDPR, this can amount to unlawful processing, or an inability to meet subject access or deletion requests. For HIPAA and PCI‑DSS, unmonitored handling of protected health information or cardholder data can potentially breach strict requirements around implemented access controls, auditability and data residency.
These risks align with emerging industry frameworks, such as the OWASP Agentic AI Top 10, which cite both tool misuse and unsafe autonomy as primary security concerns. Such failures do not always stem from the agent being compromised or from someone acting with malicious intent; an agent can simply misunderstand its instructions or produce incorrect output.
What should I do?
The Rule of Two (proposed by Meta) is a security principle stating that an AI agent should not hold more than two of three "high‑risk" capabilities in a single session. These capabilities, alongside their potential risks, are:
- Processing untrustworthy inputs – externally authored data, such as emails, web pages or documents, may contain instructions crafted to hijack the agent. This technique, called "Prompt Injection", can result in the exfiltration of sensitive data, the modification of files, or the execution of further arbitrary commands.
- Accessing sensitive systems or private data – the risk arises when an agent is granted permissions to interact with sensitive data, such as private user data or company secrets (production settings or source code, for example). Intentional misuse or unintentional misinterpretation of commands could expose confidential information or compromise security settings.
- Changing state or communicating externally – in practice, this means that the agent can modify files, update configurations, trigger actions in production systems or send data to external endpoints, resulting in potential data leakage or unauthorised communications.
Granting an agent all three capabilities simultaneously within the same session could lead to uncontrolled access or disclosure of sensitive assets. If this functionality is required, the agent should not operate autonomously; instead, it should be supervised through human approval or other robust validation steps, as this prevents small errors or misunderstandings from escalating into potentially high‑impact consequences.
The following actions provide a practical baseline on how to utilise agentic AI while minimising potential risks to your security.
- Deploy agents in isolated virtual machines or containers separated from production systems to minimise exposure to both internal resources and external networks where possible.
- Apply the "principle of least privilege" – only grant agents the minimum access necessary to perform their tasks.
- Keep a strict allowlist of any approved tools, integrations, and data the AI may interact with.
- Treat all external content as potentially hostile, and ensure any skill or plugin code is reviewed and signed before being enabled.
- Test high-risk workflows through adversarial exercises and red team simulations before deployment.
- Integrate agents into existing vulnerability management processes to ensure consistent levels of security are maintained across your whole digital estate.
- Log all tool usage and data access to ensure accountability and enable auditing.
- Ensure that clear governance and ownership structures are in place for all agentic AI systems.
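As an added illustration (not OpenClaw's own code, nor any vendor's), the following Python sketch shows how a tool-call gateway in front of an agent could enforce three of the points above at once: an allowlist of approved tools, the Rule of Two check (once a session would hold all three high-risk capabilities, every further high-risk call is held for human approval), and an audit record of every request. The tool names, capability tags and the `Session` class are assumptions made for the example.

```python
"""Tool-call gateway enforcing an allowlist, the Rule of Two and an audit log.

Added example: not OpenClaw code. Tool names and capability tags are assumed.
"""
import json
import time
from dataclasses import dataclass, field

# The three high-risk capabilities from the Rule of Two.
UNTRUSTED_INPUT = "untrusted_input"   # reads externally authored content
PRIVATE_DATA = "private_data"         # touches secrets or personal data
STATE_CHANGE = "state_change"         # modifies state or talks to the outside

# Assumed allowlist: each approved tool mapped to the capability it exercises.
# A tool absent from this table is denied outright, whatever the model asks for.
TOOL_ALLOWLIST = {
    "read_inbox": {UNTRUSTED_INPUT},
    "fetch_url": {UNTRUSTED_INPUT},
    "read_secret": {PRIVATE_DATA},
    "query_crm": {PRIVATE_DATA},
    "send_email": {STATE_CHANGE},
    "write_file": {STATE_CHANGE},
    "summarise_text": set(),          # pure computation, no high-risk capability
}


@dataclass
class Session:
    session_id: str
    used: set = field(default_factory=set)    # capabilities exercised so far
    audit: list = field(default_factory=list)  # one record per tool request

    def _log(self, tool: str, decision: str, reason: str) -> dict:
        entry = {
            "ts": time.time(),
            "session": self.session_id,
            "tool": tool,
            "decision": decision,
            "reason": reason,
            "capabilities_after": sorted(self.used),
        }
        self.audit.append(entry)
        return entry

    def request_tool(self, tool: str, human_approved: bool = False) -> str:
        """Return 'allow', 'deny' or 'needs_approval' for a requested tool call."""
        if tool not in TOOL_ALLOWLIST:
            self._log(tool, "deny", "tool not on allowlist")
            return "deny"

        caps = TOOL_ALLOWLIST[tool]
        caps_after = self.used | caps
        # Rule of Two: a high-risk call that leaves the session holding all
        # three capabilities may only proceed with explicit human approval.
        if caps and len(caps_after) == 3 and not human_approved:
            self._log(tool, "needs_approval",
                      "would combine all three high-risk capabilities")
            return "needs_approval"

        self.used = caps_after
        reason = ("human approved" if caps and len(caps_after) == 3
                  else "within rule of two")
        self._log(tool, "allow", reason)
        return "allow"


def audit_jsonl(session: Session) -> str:
    """Serialise the session's audit trail as JSON Lines for a SIEM."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in session.audit)


def demo() -> list:
    """Walk a constructed session through the gateway and return its decisions."""
    s = Session("demo-1")
    decisions = [
        s.request_tool("read_inbox"),                     # untrusted input
        s.request_tool("read_secret"),                    # + private data: two, still fine
        s.request_tool("send_email"),                     # third capability: held
        s.request_tool("send_email", human_approved=True),  # proceeds after approval
        s.request_tool("run_shell"),                      # not allowlisted: denied
    ]
    print(audit_jsonl(s))
    return decisions


if __name__ == "__main__":
    demo()
```

The important design choice is that the check runs on the accumulated state of the session, not on each call in isolation: reading an email and then reading a secret are both individually acceptable, and it is only the attempt to send something externally afterwards that trips the supervision requirement. Tools that exercise no high-risk capability keep working even once the session is in supervised mode, so the approval gate only interrupts the calls that matter.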
Agentic AI can offer significant operational benefits, but if your organisation chooses to explore these platforms, they must be deployed with the same caution applied to any high‑privilege technology, rather than treated like simple consumer chatbots. By applying structured governance and strict access controls from the outset, organisations can harness the advantages of agentic AI while maintaining a secure environment.