OpenClaw shows how AI agents become high-privilege NHI actors

At a glance

What this is: OpenClaw-style AI agents turn personal experimentation into always-on, high-privilege non-human identity infrastructure with broad data and credential reach.

Why it matters: IAM and NHI teams need to treat these agents as privileged actors because once OAuth tokens, API keys, and SaaS access converge, a single compromise can span human, machine, and workflow boundaries.

By the numbers:

• Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
• 85% of organisations lack full visibility into third-party vendors connected via OAuth apps.
• 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.

👉 Read Cyera's research on OpenClaw and AI agent security boundaries

Context

OpenClaw is a useful shorthand for a broader governance problem in AI agent identity management. When a personal assistant starts reading mail, moving files, calling SaaS APIs, and acting inside cloud environments, it stops behaving like a utility and starts behaving like a privileged non-human identity.

The failure is not only technical. Security teams are still mapping privileges, secrets, and review cycles as if access is assigned to a known human or a narrowly scoped service account, but OpenClaw-style agents aggregate data and permissions across collaboration tools, runtime extensions, and external content sources.

That pattern is already familiar in NHI governance: broad OAuth consent, shared secrets, and unvetted integrations create an execution plane that grows faster than policy coverage. The result is not just more access, but harder-to-see access that can be steered by untrusted content or compromised plugins.

Key questions

Q: What breaks when an AI assistant is connected to enterprise email and cloud systems without tight scope limits?

A: The agent stops being a convenience layer and becomes a privileged identity with the ability to read, move, or export data across multiple systems. If its tokens cover mail, storage, chat, and calendar, a single poisoned input or compromised plugin can trigger organization-wide exposure. The failure is scope discipline, not just authentication.

Q: Why do AI agents complicate least-privilege governance more than normal SaaS integrations?

A: Because the agent reuses delegated permissions automatically and can combine them across content, collaboration, and cloud services in ways that are hard to predict at provisioning time. Least privilege is much harder to define when the same identity can read untrusted text, call APIs, and act at runtime without per-action approval.

Q: What do security teams get wrong about AI skills and plugins?

A: They often treat skills and plugins as optional add-ons instead of part of the access model. In practice, those extensions determine which secrets the agent can see, which APIs it can call, and which external sources can steer its actions. If the extension layer is weak, the identity boundary is weak.

Q: How should organisations offboard a shadow AI tool that was connected to company systems?

A: They should revoke OAuth grants, remove app registrations, rotate exposed secrets, and verify that no forwarding rules, shared tokens, or plugin permissions remain in place. Offboarding has to cover both the tool and the identity bindings it accumulated, or the agent can keep acting long after the project is abandoned.

Technical breakdown

OAuth tokens turn a personal assistant into a trusted enterprise actor

OpenClaw-style systems commonly use delegated OAuth scopes to act through existing user trust rather than separate machine identity boundaries. That matters because the token is reused automatically, so the agent inherits mail, storage, calendar, and collaboration permissions without a fresh authorization step for each action. When skills and plugins chain off that delegated access, the agent becomes an aggregation point for broad entitlement rather than a single application boundary. In practice, the control problem is not authentication alone but scope management, consent quality, and how much of the enterprise data plane one identity can reach before review or revocation.

Practical implication: Review delegated OAuth grants as high-risk NHI entitlements and restrict broad workspace scopes before agent rollouts.

Indirect prompt injection creates a control channel through ordinary content

The core exploitation pattern is not code execution in the classic sense. It is content execution: emails, documents, Slack messages, and calendar entries become instruction carriers when an agent is built to parse and act on them. If the agent can read untrusted content and then invoke high-privilege APIs, a malicious message can steer it toward exfiltration, mail forwarding, or data copying while using legitimate tokens. This collapses the line between input and instruction, which is why collaboration platforms become dangerous when attached to always-on automation.

Practical implication: Separate untrusted content ingestion from privileged action paths and block autonomous execution on externally sourced text.

Skill marketplaces expand the supply chain behind the identity boundary

OpenClaw-like ecosystems extend trust through community skills, IDE plugins, container images, and downloaded binaries. Each extension can request additional secrets, load helper code, or relay remote instructions into the agent runtime, which means the attack surface includes both identity permissions and software provenance. Once a skill can ask for raw secrets or broad SaaS authority, compromise is no longer limited to the core application. The supply chain becomes part of the identity plane, because code distribution determines who can indirectly use the agent's privileges.

Practical implication: Treat agent skills and plugins as privileged third-party dependencies and gate them through software provenance checks and pre-install review.

Threat narrative

Attacker objective: The attacker aims to use a trusted agent to exfiltrate data and expand access across email, SaaS, and cloud systems without needing a direct account takeover.

1. Entry begins when a user connects an OpenClaw-style agent to email, cloud, or SaaS systems through delegated OAuth consent and installed skills.
2. Credential access occurs when the agent reuses broad tokens, raw secrets, or plugin-granted permissions across collaboration surfaces that outsiders can write to.
3. Escalation follows when poisoned content or malicious skills steer the agent into exporting data, creating forwarding rules, or invoking higher-risk APIs without per-action approval.
4. Impact is enterprise-scale data exposure, because one compromised agent can concentrate mail, files, tokens, and cloud access into a single execution plane.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

OpenClaw is a non-human identity problem before it is an application problem. The article shows an agent that accumulates delegated access, secrets, and plugin authority across collaboration systems, which is exactly how NHI risk becomes operational rather than theoretical. OWASP NHI guidance and zero trust architecture both matter here because the boundary being crossed is identity authority, not just software functionality. Practitioners should classify these agents as privileged NHIs from the point of onboarding.

Delegated OAuth consent becomes the new trust broker when agents can read and act across writable content surfaces. The control gap is not a missing alert or a weak scanner, it is the assumption that content and execution can remain separate once an identity can interpret both. That assumption fails when email, documents, and chat are all potential instruction channels. The implication is that collaboration systems feeding an agent must be treated as privileged input paths, not neutral data sources.

Skill marketplaces turn identity governance into supply chain governance. Once extensions can request Gmail, Drive, Slack, or raw secret access, the entitlement decision is no longer confined to the core platform. Trust amplification through community skills: this is the named concept OpenClaw exposes, where every added integration multiplies the blast radius of one identity. NHI governance teams should therefore treat third-party skills as part of the access model, not as optional add-ons.

Standing privilege inside an AI agent is structurally harder to justify than standing privilege inside a human workflow. Humans pause, review, and sometimes reject actions; agents reuse tokens automatically and can do so at machine speed. That makes the usual governance premise, that access can be certified after it exists, much weaker here. Practitioners should rethink whether their current review cadence can ever observe the full risk window.

Shadow AI becomes shadow enterprise infrastructure when personal projects connect to corporate systems. The article shows how hobby tools can inherit serious business data paths before security teams know they exist. That is a lifecycle failure as much as an access failure, because onboarding happened through informal consent and offboarding likely never happened at all. The right conclusion is to tighten discovery and ownership, not to assume experimental tooling stays personal.

From our research:

• 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
• Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
• For a broader NHI lens, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for offboarding and lifecycle controls that apply when agents inherit enterprise access.

What this signals

Trust amplification through community skills: AI agents are moving from isolated assistants to connected execution layers, which means NHI discovery, entitlement review, and software provenance now need to be managed together. Where those controls are split across teams, shadow AI will continue to outpace ownership and revocation.

The practical signal for IAM and security teams is that delegated access now needs stronger segregation between readable content and writable authority. The more an agent can ingest from external sources and act through enterprise APIs, the more likely a single compromise becomes a multi-system incident.

With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, the governance gap is already large enough for agent ecosystems to hide in plain sight. That is a lifecycle and access problem, not a niche AI problem, and it argues for tighter discovery before adoption expands further.

For practitioners

• Inventory agentic access paths Map every AI assistant, plugin, and workflow that can reach email, documents, chat, cloud APIs, or finance systems, then assign an owner and business purpose to each path. Include consumer-origin projects that have been connected to corporate SSO or OAuth.
• Restrict broad delegated scopes Remove workspace-wide or full-drive permissions where a narrower consent model will do, and separate read-only workflows from write-capable ones. Pay special attention to tokens that can modify mail, calendars, or shared drives because those scopes let a single agent perform irreversible actions.
• Block untrusted content from privileged execution Require explicit approval when an agent encounters external email, shared documents, or chat messages that can influence high-risk actions. Build controls that prevent an instruction-bearing message from directly triggering export, forwarding, or credential search behaviour.
• Treat skills and plugins as privileged suppliers Pre-screen community skills, IDE extensions, and downloaded binaries before installation, and revoke anything that requests secrets, raw keys, or unnecessary API reach. Supply chain review should cover what the extension can ask the agent to do, not just whether the code runs.
• Rework offboarding for shadow AI Add discovery and revocation steps for personal AI projects that were later attached to enterprise systems, including OAuth consent, app registrations, and stored secrets. Offboarding should remove both the tool and the identity bindings it accumulated over time.

Key takeaways

• OpenClaw shows that AI agents can function as privileged non-human identities when they are connected to enterprise collaboration and cloud systems.
• The risk is amplified by delegated OAuth access, reusable tokens, and marketplace skills that turn ordinary content and extensions into control channels.
• Practical governance now depends on restricting scope, treating skills as suppliers, and building offboarding that removes both the tool and its identity bindings.

Key terms

• Shadow AI: Undiscovered or unmanaged AI systems operating inside an organisation’s environment. In practice, this includes personal assistants, plugins, and workflows that have been connected to company data or credentials without central approval or lifecycle ownership.
• Delegated OAuth Access: A consent-based access model where one application acts on a user’s behalf through scoped tokens. For AI agents, the risk is that those scopes are often broad, reused automatically, and difficult to distinguish from direct user action once the agent begins chaining requests.
• Skill Marketplace: A distribution layer where third-party extensions add capabilities to an AI agent or assistant. The security issue is not just the code itself, but the access it requests, the data it can read, and the way it can steer privileged actions through the host runtime.
• Identity Blast Radius: The amount of data, systems, and permissions reachable through a single identity failure. For AI agents, blast radius expands quickly when one token, plugin, or content source can influence multiple enterprise services without fresh approval.

Deepen your knowledge

AI agent identity governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is now facing shadow AI, delegated access, and lifecycle sprawl, this course gives you a structured starting point.

This post draws on content published by Cyera: The OpenClaw Security Saga: How AI Adoption Outpaced Security Boundaries. Read the original.