OpenClaw and agent assistants: what IAM teams need to change

TL;DR: OpenClaw’s security checklist argues that AI agents act with human permissions, rely on untrusted content, and sit outside conventional visibility, making prompt injection, tool abuse, and identity risk an enterprise control problem, according to Zenity. The real issue is assumption failure: traditional IAM presumes the identity responds to requests, but agents initiate and execute actions themselves.

NHIMG editorial — based on content published by Zenity: OpenClaw Security Checklist for CISOs: Securing the New Agent Attack Surface

By the numbers:

• 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

Questions worth separating out

Q: What breaks when AI agents are treated like normal applications instead of identities?

A: When AI agents are treated like ordinary applications, their delegated permissions, runtime decisions, and tool use are not governed as identity behaviour.

Q: Why do AI agents complicate least-privilege access models?

A: AI agents complicate least privilege because they can select tools and actions at runtime, while traditional privilege design assumes the access pattern is known in advance.

Q: How do organisations know if an AI agent is operating outside its intended boundary?

A: They know by correlating the input that triggered the action, the tool called, the parameter set used, and the systems touched.

Practitioner guidance

• Classify every agent as an identity subject Assign an owner, register the agent centrally, and map its human inheritance, connected systems, and permitted actions before broad deployment.
• Reduce connector and token scope to the smallest workable set Inventory every tool, connector, and access token, then default non-essential access to read-only and remove broad delegated authority that widens the blast radius.
• Build runtime controls around input-to-action links Log which message, document, or URL triggered each action, then block destructive actions by default and force approval for high-impact operations.

What's in the full article

Zenity's full blog post covers the operational detail this post intentionally leaves for the source:

• The eight-control checklist with step-by-step deployment guidance for agent inventory, tool restriction, visibility, persistence, and prompt-injection defence.
• The specific runtime controls and inspection points Zenity recommends for catching harmful tool sequences before they complete.
• Examples of how OpenClaw-style agents are being mapped to non-human identity governance in practice.
• The vendor's own security program language and checklist structure for teams that need implementation detail rather than analytical framing.

👉 Read Zenity's checklist for securing OpenClaw and the agent attack surface →

OpenClaw and agent assistants: what IAM teams need to change?

Explore further

View Full Forum →  |  NHI Foundation Course →