Article

OpenClaw: The hidden cyber risks lurking in AI

New autonomous AI tools are changing how risk enters organisations, often without visibility or approval. Kieran Baker outlines the risks OpenClaw poses for business leaders responsible for security and resilience, and how you can tackle them.

There’s a consistent pattern when new technology enters the world: it is adopted by well-meaning employees trying to work faster, automate routine tasks, or simplify how they interact with systems and data, and then risks start to show through the cracks. The autonomous AI tool OpenClaw is a current example of this shift.

OpenClaw opens more than one door 

OpenClaw is designed to increase efficiency by connecting to applications, automating workflows, and carrying out actions on behalf of the person using it. From a productivity perspective the appeal is obvious; from a security and governance perspective it opens the door to significant risk, because organisations may not be structured to monitor or control this level of access and autonomy.

Big cyber risks often come from trusted users unintentionally creating exposure through tools, integrations, or shortcuts that appear harmless at the time. When technology is deployed independently, organisations can lose visibility over how data is accessed, shared, and acted upon.

This is not a criticism of employees or innovation. In many cases, it reflects a gap between how quickly new tools can be adopted and how quickly organisations put guardrails around them.

OpenClaw is an open-source artificial intelligence tool that allows users to automate tasks by connecting AI to business applications and digital services. Once installed and configured, it can be used to gather information, interact with systems, and carry out actions on behalf of the user. 

Unlike traditional AI tools that simply provide responses or suggestions, platforms such as OpenClaw are designed to enable AI to perform tasks across multiple connected applications. The level of access and capability depends on how the tool is configured and what permissions the user grants it.

Because OpenClaw can be installed and customised by individuals, organisations may not always have visibility into where it is being used or what systems it is connected to. While tools like this can improve efficiency, they also introduce new considerations around oversight, data access, and operational control. 

So what does this mean for you?

The concern is not simply that these tools exist – it’s how well you manage them. Because they are designed to trust, interact with and act on the information they receive (including sensitive data), attackers gain opportunities to influence and manipulate the data or instructions that AI agent processes consume. Organisations may find that traditional controls, such as endpoint security, email filtering, and access management, do not fully address the new ways in which AI-driven automation tools can be exploited.

At the same time, visibility into where autonomous AI agents are deployed is often limited. Many organisations currently lack the ability to identify which tools are in use, what applications they are connected to, and what permissions have been granted. Without this visibility, it becomes difficult to assess exposure, enforce policy, or respond effectively if misuse or compromise occurs. 

Addressing this challenge requires organisations to think beyond traditional cyber security controls. They must first understand where autonomous AI tools are being used, consider how to manage and restrict risky behaviour, and ultimately implement safeguards that ensure the AI tool can be used safely within the business. 

Over-influencing AI agents 

One of the most significant risks introduced by autonomous AI agents such as OpenClaw is prompt injection. Unlike traditional software, AI agents are designed to interpret and act on natural language instructions. This means they can be influenced not only by direct user commands, but also by information they are exposed to through connected systems such as email, messaging platforms, or collaboration tools. 

How? 

If an employee is using OpenClaw to help manage communications, automate responses, or summarise emails, the AI agent may be configured to read incoming messages and perform actions based on their content. This creates an opportunity for attackers to embed hidden or misleading instructions within otherwise legitimate-looking communications.

For example, an attacker may send an email that appears routine or business-related but contains language designed to influence how an AI agent interprets or processes the message. Because AI systems are built to follow instructions and extract meaning from text, they may treat these hidden prompts as legitimate operational instructions. Depending on how OpenClaw has been configured and what permissions it has been granted, this could result in the AI agent exposing sensitive information, triggering automated workflows, or interacting with business systems in ways the user did not intend.

The risk is amplified by the fact that the user may never see or recognise the embedded instruction. The AI agent may process the content in the background, acting on the manipulated prompt while appearing to operate normally. From an organisational perspective, this creates a new attack pathway that bypasses traditional security awareness, as the target is not just the employee, but the AI acting on their behalf. 

As organisations adopt AI-driven automation, prompt injection represents a shift in how social engineering attacks can be delivered and executed, requiring new approaches to detection, monitoring, and control. 

So, are we doomed? 

Not at all. Most enterprises already operate controls that, if consistently applied, materially reduce the likelihood that autonomous agents are deployed or misused, such as:

  • Application control & endpoint management - Device management policies can prevent unapproved local installations of agent frameworks. This reduces shadow AI at the source.
  • Network and web access controls - Secure web gateways, DNS filtering, and firewall policies can block unapproved repositories, extensions, and control channels that agents rely on.
  • Identity, API, and integration governance - Strong identity controls, least-privilege access, conditional access, approval workflows for app registrations, and secrets hygiene limit what agents can do even when installed.
  • Detection & telemetry - EDR/XDR and SIEM content tuned for automation behaviours can surface signals early.
  • Data protection - Classification, DLP, and context-aware access policies help keep sensitive data from leaving approved boundaries, irrespective of whether a user or an agent initiates the action.

What’s new is not the control set, it’s the use case. The winning move is to connect these existing capabilities into a coherent AI usage policy and control plane, with explicit guidance on where agents are allowed, how they’re configured, and how their actions are monitored.
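One way to wire the least-privilege, approval-workflow and telemetry controls above into the email-reading scenario from the prompt injection section, as an added example that is not OpenClaw's own code: every action the agent proposes carries the provenance of the inputs that shaped it, so an inbound email can inform an action but never authorise an outbound or privileged one on its own, and each decision is logged for the SOC. The source names, action names, policy table and log format are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed policy (assumption, not an OpenClaw setting): only these sources may
# drive an action unreviewed; inbound mail, chat and web content are data, not authority.
TRUSTED_SOURCES = frozenset({"user_prompt", "internal_kb"})

# Constructed action policy: allow = run; approve = human-in-the-loop when untrusted
# content influenced the proposal; deny = never granted to the agent.
ACTION_POLICY = {
    "summarise": "allow",     # read-only, nothing leaves the mailbox
    "draft_reply": "allow",   # the user still has to hit send
    "send_email": "approve",  # outbound: review it if an inbound message shaped it
    "export_data": "deny",    # not in the agent's permission set at all
}

@dataclass(frozen=True)
class ProposedAction:
    name: str
    sources: frozenset  # provenance of every input that shaped this proposal
    detail: str = ""

def decide(action: ProposedAction, policy=ACTION_POLICY) -> str:
    """Return 'allow', 'approve' or 'deny' for one proposed agent action."""
    rule = policy.get(action.name, "deny")  # unknown tools fail closed
    if rule == "deny":
        return "deny"
    tainted = not action.sources <= TRUSTED_SOURCES
    if rule == "approve" and tainted:
        return "approve"  # parked for a human; the email alone cannot authorise it
    return "allow"

def audit_line(action: ProposedAction, verdict: str) -> str:
    """One SIEM-ready line per decision so agent activity is visible to the SOC."""
    return (f"agent_action name={action.name} verdict={verdict} "
            f"sources={','.join(sorted(action.sources))} detail={action.detail!r}")

if __name__ == "__main__":
    # Constructed scenario: the user asked for inbox triage; one inbound message
    # nudged the agent toward forwarding a document externally.
    batch = [
        ProposedAction("summarise", frozenset({"user_prompt", "inbound_email"}), "daily digest"),
        ProposedAction("send_email", frozenset({"user_prompt", "inbound_email"}), "forward forecast"),
        ProposedAction("send_email", frozenset({"user_prompt"}), "reply to colleague"),
        ProposedAction("export_data", frozenset({"inbound_email"}), "dump CRM contacts"),
    ]
    for proposal in batch:
        print(audit_line(proposal, decide(proposal)))
```

The audit lines are the telemetry hook: a SIEM rule on `verdict=approve` or `verdict=deny` surfaces attempts to push the agent beyond what the user asked for, whether they came from a person or from content the agent read.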

If you are unsure whether you have these controls in place, our cyber advisory or managed security services teams can and will support you; just get in touch with Kieran Baker.