TL;DR: A test OpenClaw AI agent moved from a least-privileged employee account to financial and infrastructure credentials in less than 10 minutes, after chaining cached tokens, active SSO, overpermissive app secrets, and broad cloud directory visibility, according to Orchid Security. The finding shows how quickly autonomous access paths can collapse identity assumptions when human-paced controls are applied to agent behaviour.
NHIMG editorial — based on content published by Orchid Security: From Least to Most Privilege in 10 Minutes
By the numbers:
- The 2026 Crowdstrike Global Threat Report found that adversaries are actively exploiting AI systems themselves, injecting malicious prompts into GenAI tools at more than 90 organizations and abusing AI development platforms.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, sharing sensitive data, and revealing access credentials.
Questions worth separating out
Q: How should security teams handle cached tokens and browser sessions that AI agents can reuse?
A: Security teams should treat cached tokens and browser sessions as active trust artefacts, not harmless convenience.
Q: Why do overpermissive app secrets create a bigger risk when AI agents are involved?
A: Overpermissive app secrets create bigger risk because an agent can discover and use them at machine speed, then chain the resulting access into other systems.
Q: What do security teams get wrong about cloud directory visibility?
A: Teams often treat cloud directory visibility as administrative plumbing rather than sensitive attack surface.
Practitioner guidance
- Audit cached session reuse paths Inventory browser sessions, cached tokens, and device-bound authentication artefacts that can be reused after the user steps away.
- Classify and scope every application secret Map each app secret to its exact data reach, storage location, and downstream system access.
- Reduce cloud directory visibility Limit who and what can enumerate users, groups, app registrations, and permissions across SaaS and cloud directories.
What's in the full article
Orchid Security's full blog covers the operational detail this post intentionally leaves for the source:
- The step-by-step OpenClaw attack path across OneDrive, M365, Azure, Teams, and internal application secrets.
- The specific artefacts the agent used at each stage, including cached tokens, active SSO sessions, and cloud directory data.
- The exact sensitive systems reached in the final privilege state, including banking, accounting, and domain hosting access.
- The surrounding research setup and reproducible test conditions that show how the identity chain was constructed.
👉 Read Orchid Security's analysis of how one AI agent climbed from least privilege to full access →
AI agent privilege sprawl: what practitioners need to know?
Explore further
Least privilege did not fail because the starting account was too powerful. It failed because the environment let an agent stitch together multiple weakly governed identity artefacts into a higher-privilege path. Cached tokens, active sessions, directory visibility, and cleartext secrets each looked manageable in isolation. Combined, they formed a privilege assembly line that no manual review process would have seen in time. Practitioners should treat cross-system identity stitching as a first-class attack pattern.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
- Another finding from the same research shows that only 44% of organisations have implemented any policies to govern AI agents, which leaves most deployments without formal guardrails.
A question worth separating out:
Q: Who is accountable when an AI agent moves from low privilege to financial credentials?
A: Accountability sits with the team that allowed the identity artefacts to be reused across systems without clear boundaries. That includes IAM owners, application owners, and platform teams that left sessions, secrets, and directory permissions intertwined. The governance failure is structural, so accountability must follow the control plane, not just the user account.
👉 Read our full editorial: AI agent privilege sprawl can escalate from least access in minutes