TL;DR: Tens of thousands of OpenClaw instances are exposed, with many vulnerable to remote code execution, according to SecurityScorecard. Prompt injection can turn agent access to data, email, APIs, and services into direct operational harm, and the real problem is not model intelligence but identity authority without tight guardrails.
At a glance
What this is: This is an analysis of exposed OpenClaw deployments and the security risk of agentic AI, with the key finding that vulnerable agents inherit broad privileges and can be manipulated through prompt injection.
Why it matters: It matters because IAM, PAM, and NHI teams now have to govern AI agents as identities with authority, not as harmless automation, or exposed tools and broad permissions will become an attacker’s easiest path.
👉 Read SecurityScorecard’s analysis of OpenClaw exposure and agentic AI risk
Context
OpenClaw exposures are a reminder that agentic AI is an identity and access problem before it is a model problem. When an agent can read data, send messages, call APIs, and execute actions, every exposed deployment becomes part of the organisation’s attack surface and every permission becomes part of the blast radius.
The governance gap is straightforward: many teams are evaluating agentic tools as software features rather than as runtime identities with authority. Once an agent can interact with internal systems, untrusted input and broad privileges create a control combination that traditional application security reviews do not fully capture.
Key questions
Q: How should security teams govern AI agents that can call tools and APIs?
A: Treat the agent as a governed identity, not a feature. Define exactly what it can read, execute, and publish, then separate sensitive workflows from general-purpose access. If the agent can change infrastructure or send data outward, add containment, review gates, and short-lived credentials before deployment.
Q: Why do AI agents create more risk than ordinary automation?
A: Because they can react to new prompts, combine context with tool access, and choose actions at runtime. That makes their authority harder to predict than scheduled automation, especially when the same runtime can access sensitive data and act on it without a human checkpoint.
Q: What breaks when prompt injection reaches a privileged AI agent?
A: The trust boundary breaks. A malicious prompt can redirect the agent’s instructions, causing it to disclose data, contact external systems, or perform actions the operator never intended. The failure is strongest when the agent can both receive untrusted input and execute outbound actions.
Q: Who is accountable when an AI agent misuses its access?
A: Accountability stays with the organisation that granted the authority and failed to constrain it. Governance teams, IAM owners, and application owners all need a defined revocation path, a permission owner, and a documented decision trail for what the agent is allowed to do.
Technical breakdown
Why exposed agent runtimes become privilege amplifiers
An agentic framework is not just an LLM wrapper. It is a runtime that can hold credentials, invoke tools, and execute multi-step actions across systems. If that runtime is exposed and vulnerable to remote code execution, the attacker does not need to defeat the model. They only need to reach the process that already has access. At that point, the compromise is not theoretical: inherited permissions become the attack path, and the agent’s own authority becomes the payload. This is why treating agent runtimes like ordinary applications misses the real risk surface.
Practical implication: classify every agent runtime by the privileges it can exercise, then harden the runtime before expanding tool access.
How prompt injection turns trusted context into attacker control
Prompt injection works because agentic systems act on prompts and surrounding context at runtime. A malicious input can alter the agent’s interpretation of what to do, especially when the agent can both consume sensitive data and publish output externally. The danger grows when the same system can read private information, receive untrusted content, and send messages or execute actions. That combination creates a fast path from influence to disclosure or misuse. The technical failure is not model hallucination. It is uncontrolled instruction mixing inside a system that has real authority.
Practical implication: isolate untrusted input from privileged instruction paths and review every tool-enabled action as a possible exfiltration route.
Why role-based access is necessary but not sufficient for AI agents
Role-based access control can limit damage, but only if the role itself is narrow and the runtime is constrained. Agentic systems often accumulate permissions that reflect convenience rather than necessity, especially when teams want the agent to send email, call APIs, deploy services, or modify infrastructure. Once those permissions exist, compromise of the agent becomes a direct path into production systems. The control problem is therefore not just authorization at login. It is ongoing authority shaping, token scope discipline, and containment of what the agent can touch after it starts running.
Practical implication: pair RBAC with segmented environments, short-lived credentials, and explicit restrictions on outward publishing or infrastructure change.
Threat narrative
Attacker objective: The attacker wants to turn a vulnerable AI agent into a trusted execution path for data theft, system abuse, or operational disruption.
- Entry occurs when a public OpenClaw deployment is reachable from the internet and the attacker finds a vulnerable runtime or abuses a prompt injection path.
- Escalation follows when the attacker leverages the agent’s inherited permissions to call APIs, access internal files, send emails, or modify services.
- Impact lands when the compromised agent is used to disclose sensitive data, execute fraudulent actions, or change infrastructure at scale.
Breaches seen in the wild
- Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.
- Replit AI Tool Database Deletion — Replit vibe coding AI assistant deletes live production database and creates 4,000 fake user records.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Agentic AI governance is an identity problem, not a model-comprehension problem. The article shows that the operational risk comes from what an agent can do after it is granted authority, not from whether the model itself appears intelligent. Once agents can send email, call APIs, and deploy services, the security boundary moves from content generation to runtime privilege.
Least privilege was designed for access that is stable long enough to review. That assumption fails when the actor can combine context, tool use, and execution in a single runtime session. The implication is that traditional entitlement thinking does not fully describe how agentic systems create risk because authority is exercised dynamically, not only assigned statically.
OpenClaw-style exposure creates identity blast radius, not just application exposure. A vulnerable agent is dangerous because compromise inherits the permissions already attached to the runtime. That changes the governance question from whether the tool is approved to how far the agent can move if one control fails.
Prompt injection is a control-plane problem for agentic AI. The article’s own framework shows that the lethal combination is sensitive data, untrusted input, and outbound action. When those three coexist, the agent becomes a trusted relay for attacker intent, and normal application trust assumptions collapse.
Security teams should now treat AI agents as governed identities with lifecycle, not as one-off deployments. The article’s warning is that the attack surface expands whenever permissions are granted faster than containment is built. Practitioners should use OWASP-AGENTIC, OWASP-NHI, and NIST-AIRMF language to align AI governance with identity controls.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to SailPoint.
- For a broader breach lens, The 52 NHI breaches Report shows how quickly identity failures become enterprise incidents once privileged access escapes governance.
What this signals
Identity programmes will need a separate control path for agentic systems. The question is no longer whether AI can be allowed into workflows, but whether the organisation can prove what each agent can access, what it can send, and how quickly it can be shut down. That shift aligns with the control logic in the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework.
Identity blast radius is the concept practitioners should now measure. If an agent can reach sensitive data and execute actions outward, one compromised runtime can create cross-system impact faster than many conventional users. The practical programme response is to map every agent to a bounded access profile, then test whether the profile still makes sense when the agent is exposed to untrusted input.
A security team that already uses NHI governance language can absorb agentic AI faster than one that treats it as a special category. The same lifecycle questions apply. Who owns it, what permissions does it have, how is it revoked, and what happens when the workflow outlives the original use case?
For practitioners
- Classify every agent runtime as an identity with authority Record what each agent can read, invoke, publish, and change before allowing production use. Use that inventory to separate harmless assistants from systems that can touch internal files, APIs, email, or infrastructure.
- Constrain tool use behind segmented execution zones Keep agent workloads on separate networks and isolate them from production change paths. If an agent must interact with sensitive systems, limit the reachable services and block direct infrastructure modification by default.
- Block the lethal trio of data, input, and outbound action Do not allow one agent to simultaneously consume private data, accept untrusted content, and send messages or execute actions outward without a review gate. That combination is the shortest route from prompt injection to real-world harm.
- Scope credentials to the narrowest runtime purpose Issue short-lived credentials and restrict token scopes so an agent cannot inherit broad standing access from the environment it runs in. Recheck every permission that exists only because deployment was convenient.
- Review agent offboarding and revocation paths Document how you disable an agent, revoke its tokens, and remove its tool permissions when the workflow ends or the deployment is retired. Without a clear revocation path, the identity persists longer than the use case.
Key takeaways
- Agentic AI becomes a governance problem the moment it is granted tool access, data access, and outbound execution rights.
- SecurityScorecard’s research says 80% of organisations have already seen AI agents act outside intended scope, which makes this a present control failure, not a future risk.
- Practitioners should narrow agent authority, isolate execution, and treat revocation and review as lifecycle controls for a governed identity.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF, NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | TBD | Prompt injection and tool misuse are central risks in this agentic AI exposure analysis. |
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centers on exposed non-human identities with excessive runtime authority. |
| NIST AI RMF | MANAGE | Agent governance and containment align with managing AI risk in operational systems. |
| NIST Zero Trust (SP 800-207) | Segmentation and continuous verification are directly relevant to exposed agent runtimes. | |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access management is the core defensive theme in the article. |
Inventory agent identities, then constrain privileges and revoke unused access on a strict lifecycle.
Key terms
- Agentic AI: An AI system that can select actions and use tools at runtime, often across multiple steps. In governance terms, it behaves like a non-human identity with authority, which means access scope, revocation, and containment matter as much as model quality.
- Prompt Injection: A malicious input that tries to override or steer an AI system’s intended instructions. In agentic systems, the risk rises when the same runtime can read sensitive data and take outward actions, turning manipulated context into real operational harm.
- Identity Blast Radius: The amount of damage a compromised identity can cause based on the permissions attached to it. For AI agents and other non-human identities, blast radius is shaped by tool access, data exposure, and whether the runtime can act without human review.
- Runtime Authority: The permissions an identity can exercise while it is active, not just what it was granted on paper. For autonomous or agentic systems, runtime authority is the practical boundary that determines whether a compromise becomes a local event or an enterprise incident.
What's in the full article
SecurityScorecard’s full analysis covers the operational detail this post intentionally leaves for the source:
- STRIKE’s exposure trends and vulnerability categories updated every 15 minutes for OpenClaw deployments.
- The practical risk framework for judging whether an agent’s data access, untrusted input exposure, and outbound actions create a lethal combination.
- Direct discussion of exposed runtime conditions, including remote code execution and inherited privileges in agent deployments.
- The team’s detailed guidance on standard security guardrails such as segmentation and role-based access for agentic systems.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-02-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org