TL;DR: OpenClaw shows how an agentic loop can combine persistent memory, local-machine access, and autonomous action to create a security problem that conventional app consent models do not solve, according to 1Password. The broken assumption is that one-time approval can govern adaptive behaviour; once the agent changes context, that model no longer holds.
NHIMG editorial — based on content published by 1Password: OpenClaw, the locally running AI agent, and the security model it exposes
Questions worth separating out
Q: How should security teams govern AI agents that can act autonomously?
A: Security teams should govern AI agents as runtime identities, not as ordinary applications.
Q: Why do one-time consent screens fail for AI agents?
A: One-time consent screens fail because they assume future behaviour will match the original approval moment.
Q: What breaks when AI agent memory is stored in readable files?
A: Readable memory files expand the impact of a compromise far beyond a single token leak.
Practitioner guidance
- Define agent identities as first-class subjects: Assign each agent its own identity, ownership, and audit trail so its actions are not collapsed into the human operator or a generic application account.
- Move secrets out of plain-text agent storage: Do not leave API keys, session tokens, transcripts, or long-term memory in readable local files where infostealers can collect them in seconds.
- Mediate access at runtime for each action: Require per-action authorization for sensitive tool use so the agent cannot rely on one approval to justify later context changes.
What's in the full article
1Password's full article covers the operational detail this post intentionally leaves for the source:
- How OpenClaw stores memory, tokens, and configuration on disk in ways that change the threat model.
- Why a dedicated Mac mini, separate email, and separate account were used to reduce blast radius.
- How the agent’s autonomous loop changes what runtime mediation must look like in practice.
- What 1Password proposes as the access mediation layer for agent identities.
AI agent identity risk and runtime control: what changes now?
Explore further
One-time approval is a broken governance assumption for adaptive agents. Consent models were designed for systems whose future behaviour stays close to the moment of approval. That assumption fails when the actor is autonomous because the agent changes task, context, and tool use mid-session. The implication is not simply that controls need to be stronger. It is that identity governance must stop treating initial approval as a durable statement of intent.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: How can IAM teams tell whether agent access is actually under control?
A: IAM teams should look for per-action authorization, complete audit trails, separate ownership, and fast revocation of agent privileges. If an agent can make sensitive tool calls without a logged decision point, control is weak. If the answer to who approved each action is unclear, the programme is not yet governable.
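One way to express the per-action authorization, logged decision point, separate ownership, and revocation described in the practitioner guidance and the answer above, as an added example (not code from 1Password or OpenClaw). The policy table, tool names, task contexts, and identifiers are assumptions constructed for illustration.

```python
import time
from dataclasses import dataclass, field

# Assumed policy: sensitive tool -> task contexts in which it may be used.
POLICY = {"send_email": {"inbox-triage"}, "read_secret": {"deploy"}}

@dataclass
class Agent:
    agent_id: str            # the agent's own identity, not the operator's
    owner: str               # accountable human owner
    revoked: bool = False    # flipping this takes effect on the next call

@dataclass
class Mediator:
    audit: list = field(default_factory=list)

    def authorize(self, agent, tool, context):
        """Decide a single tool call and log the decision, allow or deny."""
        if agent.revoked:
            allowed, reason = False, "agent revoked"
        elif tool not in POLICY:
            allowed, reason = True, "non-sensitive tool"
        elif context in POLICY[tool]:
            allowed, reason = True, "context approved for tool"
        else:
            allowed, reason = False, "context not approved for tool"
        self.audit.append({"ts": time.time(), "agent": agent.agent_id,
                           "owner": agent.owner, "tool": tool,
                           "context": context, "allowed": allowed,
                           "reason": reason})
        return allowed

    def call(self, agent, tool, context, fn, *args):
        """Run fn only if this specific action is authorized right now."""
        if not self.authorize(agent, tool, context):
            raise PermissionError(f"{agent.agent_id}: {tool} denied in {context}")
        return fn(*args)

def demo():
    """Constructed session: the agent drifts from its approved context."""
    m, agent = Mediator(), Agent("agent-mail-01", "alice@example.com")
    send = lambda to: f"sent to {to}"
    results = [m.call(agent, "send_email", "inbox-triage", send, "bob@example.com")]
    for ctx, revoke in (("web-research", False), ("inbox-triage", True)):
        agent.revoked = revoke
        try:
            m.call(agent, "send_email", ctx, send, "eve@example.com")
        except PermissionError as exc:
            results.append(str(exc))
    return results, m.audit
```

The first call succeeds, the same tool is denied once the context changes mid-session, and it is denied again after revocation even in the originally approved context; each decision leaves an audit record naming the agent and its owner.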