TL;DR: 42.9K internet-exposed OpenClaw control panels were found across 82 countries, with 15.2K instances flagged for remote code execution risk and 53.3K correlated with prior breaches, according to SecurityScorecard’s STRIKE team. The governance problem is now how to contain privileged automation before exposed agents become inherited compromise paths, showing agentic AI is often deployed with access and identity weaknesses rather than novel model flaws.
At a glance
What this is: SecurityScorecard’s research shows tens of thousands of exposed OpenClaw agent control panels, with vulnerable versions, prior breach correlations, and exposed access paths creating a broad attack surface.
Why it matters: IAM and security teams need to treat AI agents as privileged runtime identities because exposed control planes, weak authentication, and leaked secrets can turn automation into an attacker-controlled access path.
By the numbers:
- 42.9K unique IP addresses hosting exposed OpenClaw control panels across 82 countries
- 15.2K exposed instances appear vulnerable to Remote Code Execution
- 53.3K exposed instances correlate with prior breach activity
👉 Read SecurityScorecard's analysis of OpenClaw exposure and agent takeover risk
Context
OpenClaw exposure is a governance problem, not a speculation problem. The article describes internet-facing AI agent control panels, weak authentication, vulnerable defaults, and leaked credentials that make agent infrastructure reachable from outside the organisation. For IAM and NHI teams, the key issue is that an agent with delegated access behaves like a privileged workload identity, not a harmless application feature.
The primary security failure is overexposed access to systems that can execute actions on behalf of users or organisations. That makes the intersection with NHI governance direct: if the control panel, tokens, or service credentials are exposed, the agent’s authorised reach becomes the attacker’s reach. This is typical of fast-moving agent deployments that prioritise convenience over lifecycle controls and access containment.
Key questions
Q: What breaks when AI agents are given broad standing access?
A: Broad standing access breaks governance because the agent can move from one task to another without a fresh authorization check. That creates a control gap between intended scope and actual runtime behaviour. The result is weak accountability, limited containment, and audit trails that show activity without explaining why the activity was allowed.
Q: Why do AI agents create new access risk for enterprises?
A: AI agents create access risk because they can operate with delegated authority while processing untrusted inputs. If prompts, tools, or permissions are abused, the agent may expose data or trigger actions faster than a human reviewer can intervene. The risk is not only compromise, but overreach built into the design.
Q: How do security teams know if an AI agent has too much access?
A: Look for agents that can reach multiple systems without task-specific limits, use persistent tokens, or touch high-value services such as email, chat, cloud consoles, and file stores. A healthy deployment leaves a clear audit trail of what the agent can do, what it actually did, and which credentials it used.
Q: Who is accountable when a compromised AI agent misuses delegated access?
A: Accountability usually spans the business owner of the workflow, the team that issued or approved the credential, and the vendor if a third-party integration was involved. The critical governance question is not who logged in, but who allowed the delegation chain to exist and remain valid. That chain must be documented before incidents occur.
Technical breakdown
Exposed agent control planes create direct initial access
Agentic AI frameworks like OpenClaw often ship with web panels, APIs, and integrations that can manage the agent’s behaviour and reach. When those surfaces are internet-facing, authentication gaps, default settings, or known exploits become direct initial access paths. The architectural mistake is treating the control plane as a normal app front end instead of a privileged management boundary. In practice, that boundary often governs tokens, filesystem access, messaging channels, and downstream services. Once reached, the panel can expose far more than configuration. Practical implication: place agent control planes behind strong authentication and network isolation before deployment.
Practical implication: place agent control planes behind strong authentication and network isolation before deployment.
Agent credentials and local secrets turn access into privilege escalation
The article shows how compromised OpenClaw environments can expose credentials directories, OAuth tokens, service passwords, SSH keys, browser profiles, and password manager data. That is classic credential access, but amplified by the fact that an AI agent already operates with delegated authority. Once those secrets are harvested, the attacker is no longer limited to the panel itself. They can reuse the agent’s standing access across messaging tools, cloud services, browsers, and internal systems. In NHI terms, the agent is acting as a privileged identity with a broad blast radius. Practical implication: separate agent runtime credentials from user-facing secrets and remove standing privilege wherever possible.
Practical implication: separate agent runtime credentials from user-facing secrets and remove standing privilege wherever possible.
Persistence and legitimate-looking actions delay detection
OpenClaw’s scheduled tasks, heartbeat hooks, and continuous operation features can support persistence after compromise. Because the attacker is operating through the agent’s own authorised workflows, malicious activity can resemble legitimate automation. That makes collection, lateral movement, and exfiltration harder to spot than in a standard web app breach. The real architectural problem is that agent behaviour is often judged by output, not by the access path it used or the systems it touched. Practical implication: log agent actions, tool calls, and identity transitions as first-class telemetry, not just application events.
Practical implication: log agent actions, tool calls, and identity transitions as first-class telemetry, not just application events.
Threat narrative
Attacker objective: The attacker wants to convert exposed agent infrastructure into a trusted execution path for credential theft, impersonation, persistence, and downstream system access.
- Entry occurs when attackers identify exposed OpenClaw control panels or vulnerable internet-facing deployments through public reconnaissance and fingerprinting.
- Escalation follows when weak authentication, known exploits, or leaked secrets let the attacker inherit the agent’s delegated permissions and local credentials.
- Impact occurs when the compromised agent is used to access downstream services, impersonate users, persist through automation hooks, and extend the breach across connected systems.
Breaches seen in the wild
- Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.
- Replit AI Tool Database Deletion — Replit vibe coding AI assistant deletes live production database and creates 4,000 fake user records.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI agents are becoming privileged identities before most organisations have a governance model for them. The article shows that exposed control panels, tokens, and integrations can grant an attacker the same authority the agent legitimately has. That is an identity problem as much as an AI problem, because the security boundary is defined by delegated access, not by model behaviour. Practitioners should govern agents as runtime identities with scoped privileges, lifecycle controls, and auditability.
OpenClaw exposure is a named example of the agent control-plane exposure gap. When the management surface is reachable from the internet, the organisation has effectively published the keys to the automation layer. This gap is not closed by better model guardrails, because the failure sits in access design, secrets handling, and network exposure. Security teams should treat control-plane reachability as a board-level risk indicator for agentic deployments.
Standing privilege is the force multiplier in agent compromise. The article makes clear that once an attacker enters an agent environment, the inherited access can extend into browsers, messaging tools, file systems, and external services. That means the blast radius is determined less by the exploit itself and more by what the agent can already do. Practitioners should reduce the reachable authority of every agent before increasing deployment scale.
Visibility gaps make agent governance incomplete by default. If teams cannot inventory exposed instances, running versions, and connected secrets, they cannot measure exposure or prove containment. The article’s internet-wide recon findings show that this is a discovery and accountability challenge, not simply a patching challenge. Security leaders should demand continuous inventory and action logging for every AI agent deployment.
Agentic AI security is converging with NHI governance, not replacing it. The more an agent can act, the more it behaves like a non-human identity with delegated credentials, privileges, and persistence. That means existing identity governance disciplines remain relevant, but they must expand to cover runtime autonomy, tool access, and agent-to-system delegation. Practitioners should align AI rollout with NHI controls rather than treating it as a separate security stack.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- That visibility gap is why OWASP NHI Top 10 matters for agent governance, because access control failures become operational failures once agents can act independently.
What this signals
Agent control-plane exposure will increasingly be managed like exposed infrastructure, not like an AI novelty. Security teams should expect discovery, secret scanning, and perimeter controls to become the first line of defence for agent deployments. Where agents can touch cloud consoles, chat systems, or browser sessions, the governing question is who can reach the control plane and what authority that plane can confer.
Agent governance debt is the accumulation of delegated access, weak defaults, and missing audit trails that enterprises create when they deploy agentic tools faster than they define ownership. That debt becomes expensive quickly because a single exposed instance can bridge identity, data, and automation risk in one compromise path.
The operating model should shift toward continuous inventory, short-lived credentials, and action-level logging for every agent that can change state or touch sensitive systems. For teams already working on NHI programmes, the next step is to extend those controls into agent runtime and tool delegation, using resources such as the 52 NHI Breaches Analysis and the Ultimate Guide to NHIs , Key Challenges and Risks.
For practitioners
- Inventory every exposed agent control plane Build a complete list of internet-facing agent consoles, APIs, and plugin endpoints, then confirm which ones are bound to public interfaces, which use default settings, and which are reachable without strong authentication. Prioritise systems that can issue tokens or control downstream services.
- Remove standing privilege from agent runtime identities Replace broad, persistent access with scoped service accounts, short-lived credentials, and explicit tool permissions for each agent. Where an agent can reach browsers, chat platforms, cloud consoles, or file systems, reduce those permissions to the smallest viable set and separate them from user credentials.
- Treat leaked secrets as immediately actionable exposure Search source repositories, configuration files, and agent directories for tokens, passwords, SSH keys, OAuth secrets, and webhook credentials tied to agent deployments. Rotate anything that may have been reachable through public exposure, and verify that old secrets no longer authenticate anywhere.
- Add telemetry for agent actions and identity transitions Log tool calls, credential use, session creation, privilege changes, and unusual execution timing so compromise can be distinguished from normal automation. Feed those events into detection rules that watch for scheduled activity, cross-system reach, and sudden expansion in the agent’s authority.
Key takeaways
- AI agents are now a privileged attack surface when their control planes, tokens, and integrations are exposed to the internet.
- SecurityScorecard’s research found 42.9K exposed OpenClaw IPs, 15.2K RCE-risk instances, and 53.3K deployments tied to prior breach activity.
- The control problem is governance of delegated authority, which means inventory, scope reduction, secret rotation, and action logging must move together.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10, OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | The article is about exposed AI agent control planes and delegated tool abuse. | |
| OWASP Non-Human Identity Top 10 | NHI-03 | The core issue is exposed credentials and overprivileged non-human identities. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0003 , Persistence | The threat path includes exposed secrets, downstream reach, and persistent misuse. |
| NIST CSF 2.0 | PR.AC-4 | The article centers on weak access control and excessive delegated authority. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is directly implicated by overbroad agent permissions. |
Map agent deployments to agentic AI controls for tool access, scope limits, and identity governance.
Key terms
- Agent Control Plane: An agent control plane is the policy layer that decides what an AI agent may do before execution. It connects discovery, identity, and authorization so the organisation can enforce task-scoped limits instead of relying on static registration or after-the-fact review.
- Delegated Agent Authority: The permission granted to an AI agent to act on behalf of a human user or another agent, inheriting some or all of their access rights. Delegated authority must be explicitly scoped, time-limited, and auditable.
- Standing Privilege: Persistent access that remains available beyond the immediate task or session. For AI agents, standing privilege increases blast radius because compromise can be reused across later actions, integrations, and systems unless the access is time-bound and narrowly scoped.
- Agent Governance: Agent governance is the set of policies, controls, and evidence required to manage autonomous software as a non-human identity. It covers consent, tool access, lifecycle review, audit logging, and revocation so that an agent remains bounded as its workflows change.
What's in the full report
SecurityScorecard's full research covers the operational detail this post intentionally leaves for the source:
- Live exposure breakdowns by country, ASN, vulnerability status, and control panel reachability.
- The dashboard view of vulnerable versions, CVE mapping, and breach correlation across OpenClaw instances.
- Public ecosystem signals such as GitHub leaks, credential exposure patterns, and tutorial-driven insecure deployments.
- The full analysis of how compromised agent access extends into messaging, browsers, and local credentials.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and agentic AI identity. It helps security practitioners align identity controls with the way modern automation actually operates.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org