- OpenClaw made it easy to deploy self-hosted agents that can execute actions across tools, services, and workflows.
- Execution-capable AI agents evolved from controlled experimentation into everyday use, without governance keeping pace.
- This shifts security risk from model behavior to delegated authority and runtime control.
- Agent execution is becoming a new control surface with implications across identity, endpoint, network, and SaaS security categories.
The signal
In the past weeks, OpenClaw adoption accelerated sharply, driven almost entirely by self-hosting rather than enterprise deployment. Agents were integrated directly into daily workflows, often outside any formal security or IT approval process.
Internet-wide scans found tens of thousands of OpenClaw instances reachable from the public internet, often left with weak or default access controls. In parallel, security research showed that the emerging OpenClaw skills ecosystem introduced additional risk. Publicly shared skills functioned as a new supply chain, with documented cases of insecure or unsafe behavior, extending execution risk beyond the core platform.
During this adoption phase, a high-severity vulnerability in gateway connection behavior, one that enabled token leakage and takeover scenarios under specific conditions, was disclosed and patched. The timing mattered: exposure and delegated authority were already widespread.
This is a familiar pattern: rapid adoption, ungoverned deployment, and an expanding attack surface meeting real vulnerabilities.
Why it matters: agent execution collapses security boundaries
Security categories were built around a stable assumption: humans initiate actions, systems enforce controls.
Agent execution breaks that assumption.
OpenClaw-style agents persist, accumulate context, and act across systems using delegated authority. Once trusted, their actions inherit legitimacy by default. Identity systems see valid tokens. Networks see allowed traffic. Endpoints see normal processes. Abuse happens inside approved paths.
This creates an enforcement problem.
Identity and Access Management determines who can authenticate, but does not govern how delegated authority is exercised over time. Secure Access Service Edge governs access paths, but has limited leverage once access is granted. Endpoint Detection and Response focuses on device integrity, not operators acting through APIs and gateways.
Each category touches part of the problem, but none of them solves it.
Control must move closer to execution. Policy, enforcement, and auditability need to apply at the moment an action is taken, not at login, not at network entry, and not after the fact.
Implications for investors
Agent frameworks expand the attack surface and impact the security market in several verticals.
Yet, I’m not expecting this to be a broad-based uplift for cybersecurity. It is a relative repricing driven by where enforcement can no longer be optional.
The first effect shows up in identity. As agents operate with long-lived tokens and delegated OAuth grants, authentication loses relevance as a sufficient risk control. Login strength does not constrain downstream behavior. Investments flow toward vendors positioned around runtime authorization and revocation, and away from identity products priced primarily on authentication depth.
The second effect is margin pressure in visibility-led network and SSE/SASE platforms. Agent traffic is legitimate, encrypted, and API-native. It does not look anomalous because it is not. Products priced on inspection and awareness struggle to justify premium multiples when they cannot change outcomes. Enforcement capability becomes highly relevant for valuation.
The third effect is selective repricing inside endpoint security. This is not necessarily a return to endpoint importance in general. Vendors tied to telemetry-heavy models (EDR and XDR) lose differentiation as execution shifts off-device. Vendors able to impose containment or execution constraints on non-human operators retain value. Most do not benefit.
The important point is what does not happen.
Budgets do not expand evenly. Spend is pulled from controls that fail at runtime and reallocated toward those that can intervene. Valuation follows execution control, not proximity to AI narratives.
Implications for vendors
Agent frameworks force vendors to confront a boundary they were not designed to cross: delegated execution.
This is not a feature gap. It is a control gap.
Products built around login-time decisions, network admission, or device posture lose authority once software agents act autonomously across APIs and services using valid credentials. In these environments, vendors inherit responsibility without leverage.
For identity vendors, the strategic fork is unavoidable in my view. Treating agents as another type of actor does not solve the problem if delegated authority cannot be constrained, scoped, or revoked during execution. Vendors that stop at authentication will drift. Vendors that govern authorization in motion become infrastructure.
For network and SSE/SASE vendors, the constraint is structural. Agent traffic is policy-compliant by default. Visibility into flows does not change outcomes. Vendors unable to apply policy at the action level are pushed into defensive positioning, regardless of how comprehensive their telemetry appears.
Endpoint vendors face a different problem: coverage. Agent execution increasingly bypasses the device entirely. Stretching device-centric models upward produces partial control and diluted messaging. Vendors must re-anchor around execution context and containment.
Across all segments, platform vendors will bundle baseline agent controls quickly. This compresses differentiation and shifts competition toward policy engines, authorization layers, and execution control primitives.
The practical test for vendors is straightforward: Can your product change what happens when an agent takes an action?
If the answer is no, the product competes on visibility. And visibility without outcome control is increasingly difficult to price.
What to watch next
Enterprise policies will start changing tone. Early reactions tend to be bans. The next phase is conditional allowance, where agents are permitted only with scoped tokens, limited tools, and explicit guardrails.
Procurement language will follow. Look for RFPs and vendor evaluations that reference agent governance, token and session lifecycle control, tool allowlists, and the ability to reconstruct what an agent actually did, not just that it ran.
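The enforcement-at-execution principle described under "Why it matters" (policy, enforcement, and auditability applied at the moment an action is taken) and the conditional-allowance controls listed just above (scoped tokens, tool allowlists, and a reconstructable record of what an agent did) come together in a single control point: a gate between the agent and its tools. The following is an added illustration, not OpenClaw code or any vendor's product; the names AgentGrant, ExecutionGate, the tool names, the workspace path and the internal domain are all constructed for this example.

```python
# Added example, not OpenClaw code: an action-level enforcement point between
# an agent and its tools. Every tool call goes through authorize(), which
# checks a scoped, expiring, revocable grant plus a per-tool argument policy,
# and writes an audit record for allow and deny alike.
import posixpath
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed values for the example (not real deployment settings).
WORKSPACE = "/srv/agent-workspace/"
INTERNAL_DOMAINS = {"example.internal"}


@dataclass(frozen=True)
class AgentGrant:
    """Scoped delegation: which tools this token may call, and until when."""
    token_id: str
    agent_id: str
    allowed_tools: FrozenSet[str]   # tool allowlist for this grant only
    expires_at: float               # unix time; short-lived by design


@dataclass(frozen=True)
class AuditRecord:
    """One line of the trail needed to reconstruct what an agent actually did."""
    ts: float
    agent_id: str
    token_id: str
    tool: str
    args: dict
    decision: str   # "allow" or "deny"
    reason: str


# A tool policy inspects the call arguments: None means allow, a string is the deny reason.
ToolPolicy = Callable[[dict], Optional[str]]


def read_file_policy(args: dict) -> Optional[str]:
    # Normalise before checking so "../" segments cannot escape the workspace.
    path = posixpath.normpath(args.get("path", ""))
    return None if path.startswith(WORKSPACE) else f"path outside workspace: {path}"


def send_email_policy(args: dict) -> Optional[str]:
    domain = args.get("to", "").rpartition("@")[2].lower()
    return None if domain in INTERNAL_DOMAINS else f"recipient domain not allowed: {domain or '<none>'}"


class ExecutionGate:
    """Policy decision and enforcement at the moment of action, with an audit trail."""

    def __init__(self, policies: Dict[str, ToolPolicy]):
        self._policies = policies
        self._grants: Dict[str, AgentGrant] = {}
        self._revoked: Set[str] = set()
        self._audit: List[AuditRecord] = []

    def issue(self, grant: AgentGrant) -> None:
        self._grants[grant.token_id] = grant

    def revoke(self, token_id: str) -> None:
        # Revocation takes effect on the next action, not at the next login.
        self._revoked.add(token_id)

    def authorize(self, token_id: str, tool: str, args: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        grant = self._grants.get(token_id)
        agent_id = grant.agent_id if grant else "<unknown>"
        if grant is None:
            reason: Optional[str] = "unknown token"
        elif token_id in self._revoked:
            reason = "token revoked"
        elif now >= grant.expires_at:
            reason = "token expired"
        elif tool not in grant.allowed_tools:
            reason = f"tool not in grant allowlist: {tool}"
        else:
            policy = self._policies.get(tool)
            # Default deny: an allowlisted tool with no argument policy is still refused.
            reason = policy(args) if policy else f"no policy registered for tool: {tool}"
        decision = "allow" if reason is None else "deny"
        self._audit.append(AuditRecord(now, agent_id, token_id, tool, dict(args), decision, reason or "ok"))
        return decision == "allow", reason or "ok"

    def execute(self, token_id: str, tool: str, args: dict, impl: Callable[..., object], now: Optional[float] = None):
        ok, reason = self.authorize(token_id, tool, args, now)
        if not ok:
            raise PermissionError(reason)
        return impl(**args)

    def trail(self, agent_id: str) -> List[AuditRecord]:
        return [r for r in self._audit if r.agent_id == agent_id]


def demo(now: float = 1_700_000_000.0) -> Tuple[List[bool], List[AuditRecord]]:
    """Run a constructed sequence of agent actions through the gate."""
    gate = ExecutionGate({"read_file": read_file_policy, "send_email": send_email_policy})
    gate.issue(AgentGrant("tok-1", "agent-7", frozenset({"read_file", "send_email"}), now + 900))
    calls = [
        ("read_file", {"path": "/srv/agent-workspace/notes.txt"}, now),            # allow
        ("read_file", {"path": "/srv/agent-workspace/../../etc/passwd"}, now),     # deny: escapes workspace
        ("shell_exec", {"cmd": "id"}, now),                                        # deny: not in allowlist
        ("send_email", {"to": "cfo@example.internal", "body": "summary"}, now),   # allow
        ("send_email", {"to": "someone@outside.example"}, now),                   # deny: external domain
    ]
    results = [gate.authorize("tok-1", tool, args, t)[0] for tool, args, t in calls]
    gate.revoke("tok-1")
    results.append(gate.authorize("tok-1", "read_file", {"path": "/srv/agent-workspace/notes.txt"}, now)[0])
    results.append(gate.authorize("tok-1", "read_file", {"path": "/srv/agent-workspace/notes.txt"}, now + 3600)[0])
    return results, gate.trail("agent-7")


if __name__ == "__main__":
    decisions, trail = demo()
    for rec in trail:
        print(f"{rec.decision:5} {rec.tool:10} {rec.reason}")
```

The point of the design is that the decision is made per action with the arguments in hand, so a valid token and an allowlisted tool are necessary but not sufficient, and the same call path produces the record an investigator would later need to distinguish over-delegation from compromise.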
Incident reporting will also change. Instead of classic breach narratives, more events will be described as agent misuse, misconfiguration, or over-delegation. The failure is not compromise, but delegated access doing the wrong thing at scale.
M&A activity is another tell. Acquisitions will cluster around authorization engines, token and session control, browser or runtime enforcement, and sandboxing of execution environments. These are the control gaps agents expose.
Finally, watch the agent ecosystems themselves. Frameworks that survive will harden quickly: safer defaults, reduced exposure, clearer deployment guidance, and opinionated constraints. The ones that don’t will be treated as liabilities, not platforms.