By NHI Mgmt Group Editorial TeamPublished 2026-02-05Domain: Agentic AI & NHIsSource: Knostic

TL;DR: AI agents can leak secrets, display PII, and execute destructive commands unless guardrails are enforced at the tool layer, not just in prompts or transcript scanning, according to Knostic. The deeper lesson is that agent security depends on runtime enforcement, because policy text alone cannot reliably stop harmful execution paths.


At a glance

What this is: This is an analysis of openclaw-shield, a five-layer security plugin for OpenClaw agents, and its finding that prompt-only controls are too weak to stop secret exposure or destructive actions.

Why it matters: It matters because practitioners securing AI agents need controls that govern tool use, output handling, and execution timing, not just policy text injected into a model prompt.

By the numbers:

👉 Read Knostic's post on openclaw-shield and AI agent guardrails


Context

AI agent security is not just about preventing bad prompts. When an agent can read files, invoke shell commands, and persist outputs into a conversation, the real question is whether the runtime can stop unsafe actions before they become irreversible.

This article is about layered control design for agentic systems, but the governance lesson applies broadly across AI agents, workload identities, and privileged automation. Prompt guidance, transcript scanning, and observe-only hooks are useful signals, yet they do not create reliable enforcement unless they sit inside the execution path.

The article’s starting position is typical of many early agent deployments: a model is given useful access first, then security is added around the edges after the fact. That sequence is exactly where identity and control assumptions break down.


Key questions

Q: How should security teams stop AI agents from exposing secrets or running unsafe commands?

A: Put enforcement in the tool path, not only in the prompt. Agents that can read files or run shell commands need a deterministic allow-or-deny gate before high-risk actions, plus early output scanning for secrets and PII. Prompt policy and transcript redaction help, but they cannot substitute for runtime control over execution.

Q: Why do prompt-based guardrails fail against AI agent misuse?

A: Prompt-based guardrails are advisory, so they can shape behaviour but not reliably block a direct command or tool call. When an agent has execution rights, the control point must be the action boundary itself. Otherwise, policy text becomes guidance instead of enforcement, which is too weak for privileged agent workflows.

Q: What do security teams get wrong about scanning AI outputs for secrets?

A: They often treat post-processing redaction as if it were prevention. Scanning after tool output is persisted can still leave a window where raw data reaches the model or the current response. Effective protection requires earlier interception when feasible, along with strict limits on what the agent can read in the first place.

Q: Who is accountable when an AI agent leaks data or deletes files?

A: Accountability sits with the team that granted the agent its access, defined its tool permissions, and failed to enforce runtime controls. For agentic systems, ownership cannot be delegated to the model itself. The responsible programme is the one that allows the agent to act, not the one that merely observes the outcome.


Technical breakdown

Prompt guardrails vs runtime enforcement in AI agents

Prompt guardrails try to influence model behaviour by placing policy text into the agent’s context. That can shape outputs, but it does not reliably stop a direct instruction to run a command or read a file. Runtime enforcement is different because the decision point sits inside the tool call path, where the system can allow, deny, or redact before the action completes. In agentic systems, that distinction matters more than in ordinary chat interfaces because the model is not just answering, it is acting.

Practical implication: treat prompt policy as advisory and place hard controls on tool execution, file access, and command invocation.

Output scanning and transcript persistence

Output scanning protects the session history by redacting secrets and sensitive personal data after tool output is received. That helps prevent later exposure in the transcript, logs, or downstream persistence layers. But it is not the same as blocking disclosure to the model during the active turn. If the model sees raw values before redaction occurs, it may still incorporate them into the current response. That makes timing a core security property, not a minor implementation detail.

Practical implication: scan and redact before model consumption when possible, not only before storage.

Security gates for shell commands and file reads

A security gate tool changes the execution model by inserting an explicit approval step before high-risk actions. Instead of relying on the model to remember policy, the system forces the action through a machine-readable allow or deny decision. This is the strongest pattern in the article because it connects policy to execution. In NHI terms, the tool call becomes the control point where privilege is evaluated at runtime rather than assumed at design time.

Practical implication: put a deterministic gate in front of destructive commands, file reads, and sensitive tool parameters.


Threat narrative

Attacker objective: The objective is to coerce the agent into revealing sensitive information or carrying out destructive actions that the user should never receive.

  1. Entry occurs when a user or prompt provides the agent with access to files, shell commands, and tool execution within the OpenClaw session.
  2. Escalation occurs when the agent is able to reach sensitive files or command execution paths without a hard runtime gate stopping the action before the tool call completes.
  3. Impact occurs when the agent leaks secrets, exposes PII, or executes destructive commands that remove data or exfiltrate credentials.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Prompt policy is not a control boundary for AI agents: This article confirms that text injected into the model context cannot be treated as enforcement when the same agent can still execute commands or read files. Policy copy in the prompt may influence behaviour, but the decision boundary remains in the tool chain. For practitioners, that means governance must move from guidance to runtime control.

Security gate design creates the only reliable pause point: A real allow-or-deny tool call is materially stronger than observe-only hooks because it changes the agent’s execution path. That is the difference between monitoring a decision and governing it. The lesson for identity teams is that agent privilege must be evaluated where actions are formed, not after the fact.

AI agent secret exposure is an NHI problem before it is an AI problem: Once an agent can read .env files, shell histories, or API keys, it behaves like a privileged non-human identity with broad ambient access. The security model then becomes familiar: scope, visibility, and revocation all matter, but only if the control point is real. Practitioners should treat agent access as production identity, not experimentation.

Runtime timing is the hidden failure mode in agent security: The article shows that redaction after persistence and hook logic that never fires both leave a window where raw data can still reach the model or the command path. That is a timing problem, not a content problem. The implication is that review-based and transcript-based governance cannot be the final control for autonomous execution paths.

Tool APIs are becoming the new privilege surface for AI systems: The most powerful place to secure an agent is the API that lets it act, because that is where policy becomes execution. This is the same shift that identity teams saw when service accounts moved from niche automation to first-class production actors. The practitioner conclusion is simple: govern the tool boundary as you would privileged access.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • A separate finding shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is why delegated access remains a control gap rather than a convenience feature.
  • That visibility problem is one reason to pair agent tooling analysis with the Ultimate Guide to NHIs when redesigning runtime access and offboarding decisions.

What this signals

Agent security programmes need to be built around privilege boundaries, not model behaviour. The article’s lesson is that the governance problem appears when a system can act, not when it can talk. That is why teams should map agent tool access with the same seriousness they apply to production NHIs, and keep runtime decisions inside enforceable control points.

With 1 in 4 organisations already investing in dedicated NHI security capabilities according to The State of Non-Human Identity Security, the market is signalling that agent access control is no longer a niche concern. The programme implication is clear: visibility, policy, and runtime gating now belong in the same operating model.

Identity review cadences do not solve within-session abuse: if an agent can access, act, and persist data in one turn, the old review cycle arrives after the risk has already materialised. Teams should therefore design for inline decisions, especially where shell execution and file access are exposed through AI workflows.


For practitioners

  • Treat agent tools as privileged identities Inventory every shell command, file-read path, and external tool available to the agent, then classify each one by the data it can touch and the damage it can cause. Use the same access review discipline you would apply to high-risk service accounts and other production NHIs.
  • Move enforcement into the execution path Require an explicit allow-or-deny decision before destructive commands or sensitive file access can proceed. A prompt warning is not enough when the agent can still comply with a direct user instruction; a runtime gate is what changes behaviour.
  • Redact before persistence and, where possible, before model use Scan tool outputs for secrets and PII as early as the architecture allows, then prevent raw values from reaching the transcript, logs, or the next model turn. Timing is part of the control, not just the scanner’s detection logic.
  • Verify hook invocation, not just hook definition Test every security hook in the published runtime binary and confirm it actually executes in the live tool chain. Defined hooks that are never invoked create a false sense of coverage and leave critical actions uncontrolled.
  • Separate observe-only telemetry from blocking controls Use message logging and input auditing for visibility, but do not mistake those signals for prevention. If the control cannot stop the action before completion, it should be treated as monitoring rather than enforcement.

Key takeaways

  • AI agents create NHI-style governance problems the moment they can act on files, commands, and tool calls.
  • Prompt-only guardrails and observe-only hooks do not provide reliable enforcement when the agent has runtime privileges.
  • Practical control now depends on gating actions before execution and scanning outputs before sensitive data spreads.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10NHI-03Agent tool misuse and unsafe action paths are central to the post.
OWASP Non-Human Identity Top 10NHI-03The article focuses on secrets, privileged tool use, and NHI-style runtime control.
NIST CSF 2.0PR.AC-4Least privilege and access enforcement are the core governance issues here.
NIST SP 800-53 Rev 5AC-6The post is about limiting what a privileged system can do in runtime.
NIST AI RMFMANAGEThe article concerns operational controls for risky AI behaviour.

Treat agent tool permissions like NHI credentials and review them for scope, exposure, and revocation.


Key terms

  • AI Agent Runtime Gate: A runtime gate is an enforcement point that evaluates an agent’s proposed action before the action completes. In agentic systems, this matters because the model can make decisions and invoke tools. A gate converts policy into a blocking or allowing control instead of leaving it as guidance.
  • Output Scanning: Output scanning inspects tool results or generated text for secrets, PII, and other sensitive material before it is stored or shared. In AI agent workflows, the key issue is timing. If scanning happens too late, the model may already have consumed the raw content and exposed it in the current turn.
  • Prompt Guardrail: A prompt guardrail is policy text injected into an agent’s context to influence behaviour. It can reduce unsafe outputs, but it is not a hard control because the model may still follow a direct user instruction or choose a risky tool action. Its value is advisory unless paired with enforcement.
  • Privileged Tool Surface: The privileged tool surface is the set of commands, APIs, file paths, and connectors an AI agent can reach at runtime. It functions like production access for a non-human identity. The larger the surface, the more important it becomes to review scope, logging, and blocking behaviour.

What's in the full article

Knostic's full blog post covers the operational detail this post intentionally leaves for the source:

  • The exact OpenClaw hook chain and which hooks are registered but not actually invoked in the published runtime.
  • The plugin-level implementation pattern for the security gate tool that turns policy into a runtime allow-or-deny decision.
  • The observed behaviour of destructive command blocking, PII handling, and secret redaction in live tests.
  • The compatibility limitations tied to the current OpenClaw version and why runtime verification mattered.

👉 The full Knostic post covers the hook chain, security gate design, and test outcomes in more implementation detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org