Humans Will Give AI Anything If You Make It Sound Cool Enough

Javvad Malik | Feb 20, 2026

There's a beautiful moment happening right now, and by "beautiful" I mean "horrifying in that can't-look-away-from-the-car-crash sense".

People are giving OpenClaw access to, well, pretty much their entire lives.

The results are exactly what you'd expect…

One user gave his agent $500 and watched it create 25 trading strategies, generate 3,000+ reports, build 10 new algorithms, scan every post on X, and trade 24/7 non-stop. The result? It lost everything. Not most of it. Everything. The agent traded the portfolio down to zero with the kind of efficiency that would make a casino jealous.

The user was fascinated by the process. Like watching a very expensive bonfire consume your life savings while taking notes on the colour of the flames.

Others have handed OpenClaw the keys to their social media accounts. The posts it's generating are, by all accounts, absolutely unhinged. And people are loving it.

From a security perspective, this is a nightmare rendered in code. Many users have left OpenClaw accessible without proper authentication. It's got API access to financial systems, social platforms, and who knows what else. It's making autonomous decisions with real money and real reputational consequences.

And here's the thing that should terrify every CISO on the planet: this is going to be completely normal in about eighteen months.

The Normalisation Curve

Every technology follows the same path: novelty → experimentation → chaos → grudging acceptance → "wait, how did we ever live without this?".

Right now, OpenClaw is full of early adopters and tech enthusiasts with $500 they can afford to lose in exchange for content. The kind of folks who think "what's the worst that could happen?" is a challenge, not a warning.

But it won’t be long before someone's OpenClaw accidentally makes money. That screenshot will go viral. A business publication will write it up as "innovative portfolio management". A startup will raise $10 million to build "the same thing but enterprise-ready". Your CEO will forward you the article with the subject line: "Thoughts?".

And suddenly, you're in a meeting explaining why the company shouldn't give an AI agent access to the IT budget with instructions to "maximise efficiencies".

The Trust Collapse

What OpenClaw reveals isn't a technology problem, it's a trust problem.

People don’t fully understand what AI agents can do, but they trust them anyway because it feels like they will get left behind if they don’t embrace it all.

Your employees are already experimenting with AI agents. Maybe not with $500 and bank access (yet), but with company data, customer information, strategic documents. They're giving these tools access because the tools are useful, the barriers are low, and nobody's given them a compelling reason not to.

Meanwhile, security researchers are screaming into the void. Censys found 21,639 publicly exposed OpenClaw instances. ZeroLeaks gave it a security score of 2 out of 100—successfully extracting system prompts in 84% of attempts. Koi Security found that 11.9% of the OpenClaw marketplace consists of malware. Even the creator urges extreme caution and advises non-experts to avoid it entirely.

When the person who built the thing is telling you it's dangerous, that's usually a sign you should listen.

The Inevitable Future

Despite all the warnings, we can’t stop the adoption.

You cannot policy your way out of AI agents becoming embedded in workflows. You cannot firewall your way to safety when the call is coming from inside the house, or more accurately, from inside Jacob’s browser extension that he installed because it "writes really good emails".

OpenClaw is a preview of a future where AI agents operate with increasing autonomy, access, and consequence. Where the line between tools and people making decisions disappears entirely.

The organizations that will survive this transition aren't the ones building higher walls. They're the ones designing systems that assume AI agents are already operating inside the perimeter—because they are.

They're implementing real-time behavioral monitoring that works across human and AI activity. They're creating governance frameworks that apply to any decision-maker, regardless of substrate. They're building cultures where people understand why handing an AI agent your bank password is a terrible idea, not just that policy section 4.7.2 says they shouldn't.

The Lesson

OpenClaw is teaching us something valuable, even if the tuition is $500 in vaporized trading capital: humans will trust AI with almost anything if you make it easy enough.

The question for security professionals isn't whether this will happen in your organization. It's whether you'll have the visibility, controls, and culture in place to manage it when it does.

Because the workforce is already hybrid. The agents are already operating. The trust has already been extended.

And somewhere right now, someone is giving an AI agent access to something they absolutely shouldn't, convinced they're glimpsing the future.


Javvad Malik is Lead CISO Advisor at KnowBe4 and has never given an AI agent access to his bank account, though he's had several ask nicely.

