Phishing the agent: Why AI guardrails aren’t enough
TechRadar


AI agents are reshaping how enterprises automate work, but their effectiveness depends on access to sensitive systems and data.

The paradox is that granting them the permissions they want creates new attack surfaces that organizations aren’t yet equipped to handle.

This is the defining tension of the AI era.

Director, Okta Threat Intelligence.

AI agents are proliferating across enterprises, with 91% of organizations already using them, yet only 10% have a clear IT management strategy in place.

This gap matters because as these systems grow more autonomous and more deeply embedded in workflows, enterprises are operating without clear visibility, meaningful oversight and control over how their AI agents behave.

The access problem

Our recent research revealed how agents running on OpenClaw, an open-source AI agent automation platform, could expose credentials and leak sensitive information when attackers compromised the communication channels controlling them.

To appreciate the scale of this risk, we must first understand the platform itself. OpenClaw combines a chatbot-style interface with access to external tools and large language models.


Users can then configure agents to browse the web, read and write files, manage inboxes, execute commands, or interact with other machines. In many cases, they’re designed to operate autonomously with minimal human oversight.

That level of access is what makes agents powerful, helping many to manage everyday admin and time-consuming tasks. However, this power is a double-edged sword and can make them a risk to businesses.

When agents become attack surfaces

Agents need access to tools, accounts, applications, the web and more to be useful. Often, this means an agent needs access to secrets: API keys, personal access tokens, credentials, .env files, OAuth tokens.

By default, agents and the models behind them are prompted to be as helpful as possible, and that trait becomes a particular concern where credentials and tokens are involved. If an agent such as OpenClaw can’t access a resource, it will ask for credentials right in the chat, exposing those secrets within the context window. Agents will happily store API keys in their unencrypted configuration files, which information-stealing malware is starting to target.
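Two of the failure modes above are mechanical enough to check for: a credential typed into the chat ends up in the context window and in logs, and a credential pasted into the agent's config sits on disk in plaintext. The following added example (not OpenClaw's or Okta's code; the secret patterns, config layout and sample inputs are constructed for illustration) shows a redaction filter that strips recognisable credentials from text before it is logged or sent to a model, and a scanner that walks an agent config and flags inline secrets while accepting references to a secret store.

```python
import re

# Constructed patterns for a few well-known credential formats plus a generic
# "key = value" shape; illustrative, not an exhaustive secret-scanning ruleset.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{20,}")),
]
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?([A-Za-z0-9._~+/=-]{16,})"
)
# Config keys whose values are expected to be credentials.
SECRET_KEY_HINTS = ("api_key", "apikey", "token", "secret", "password", "passwd")
# Value shapes that point at a secret store instead of holding the secret inline.
REFERENCE_PREFIXES = ("vault://", "env:", "${")


def redact_secrets(text: str) -> str:
    """Return text with recognisable credentials replaced, to be applied before
    a chat turn is logged, sent to a model, or echoed back into a channel."""
    for name, pattern in SECRET_PATTERNS:
        text = pattern.sub(f"[REDACTED:{name}]", text)
    # Keep the key name so the redacted transcript is still readable.
    text = GENERIC_ASSIGNMENT.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)
    return text


def is_reference(value: str) -> bool:
    """True when the value names a secret stored elsewhere rather than the secret itself."""
    return value.startswith(REFERENCE_PREFIXES)


def find_plaintext_secrets(config, path: str = "") -> list:
    """Walk a nested agent config and report values that look like inline secrets."""
    findings = []
    if isinstance(config, dict):
        for key, value in config.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, str):
                if is_reference(value):
                    continue
                if value and any(hint in key.lower() for hint in SECRET_KEY_HINTS):
                    findings.append({"path": child, "reason": "secret-named key holds inline value"})
                    continue
                for name, pattern in SECRET_PATTERNS:
                    if pattern.search(value):
                        findings.append({"path": child, "reason": f"matches {name}"})
                        break
            else:
                findings.extend(find_plaintext_secrets(value, child))
    elif isinstance(config, list):
        for i, item in enumerate(config):
            findings.extend(find_plaintext_secrets(item, f"{path}[{i}]"))
    return findings


# Constructed sample inputs: a chat turn in which credentials were pasted for the
# agent, and an agent config that stores some credentials inline.
SAMPLE_CHAT = ("Here you go: AKIAABCDEFGHIJKLMNOP, and the GitHub PAT is ghp_"
               + "a" * 36 + ". Also password=hunter2hunter2hunter2")
SAMPLE_CONFIG = {
    "agent": {"name": "inbox-helper", "model": "example-model"},
    "integrations": {
        "github": {"token": "ghp_" + "b" * 36},
        "openai": {"api_key": "sk-example-not-a-real-key-0123456789"},
        "slack": {"token_ref": "vault://slack/bot-token"},   # reference, not flagged
    },
}

if __name__ == "__main__":
    print(redact_secrets(SAMPLE_CHAT))
    for finding in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"{finding['path']}: {finding['reason']}")
```

The redaction runs on the boundary between the channel and the model, so a secret that a user (or an attacker on the channel) pastes never reaches the context window or the transcript store; the config scanner is the check to run at deploy time and in CI, with the `token_ref` case showing the shape a config should take once secrets live in a central store.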

Remote access capabilities could effectively create a back door into enterprise environments. If an attacker gained access to the communication channel controlling an agent, such as a messaging or remote access platform, they could potentially gain access to everything the agent itself could access. In an enterprise context, this is a nightmare.

The paradox of recognized risk

Perhaps the most revealing finding was that some agents recognize risky behavior while simultaneously carrying it out. This underlines how their decision-making ability and autonomous operations can be a business risk.

In one test, an agent correctly identified that exposing an OAuth refresh token through an unencrypted communication channel represented a serious security violation. But it then proceeded to share the token anyway before expressing concern about its own decision.

Organizations should not rely on the invisible guardrails that frontier model providers put around agents. They’re easily circumvented.

But an AI agent cannot divulge credentials that it doesn’t have access to. This is why the conversation around AI agent security cannot focus solely on stronger guardrails. Attackers are already finding ways to manipulate agent behavior through prompt injection, social engineering, and compromised communication channels.

Governance, not just guardrails

AI agents are essentially identities within enterprise systems and need to be managed as such. They perform actions and make operational decisions in ways that increasingly resemble human employees or privileged service accounts. Yet many organizations are deploying these systems without applying the same governance standards.

Most businesses already understand the importance of least-privilege access, audit logging, identity management, and access reviews for employees. AI agents should be subject to the same principles. That means limiting what agents can access, avoiding long-lived credentials wherever possible, and ensuring sensitive information is stored securely through centralized systems with human oversight.

Organizations also need visibility into where agents are deployed, what tools they can interact with, and how to disable them quickly if something goes wrong. If an agent goes rogue, there needs to be a “kill switch,” a way to immediately revoke an agent’s access to resources and shut it down.

Agentic AI systems could deliver major operational upsides, but deploying them without robust identity and access governance introduces significant security risk. As these systems become more deeply embedded across enterprise environments, organizations must stop treating them as experimental tools and start governing them as part of the digital workforce.

This means managing the full lifecycle of agents, from knowing which agents are deployed and what resources they have access to, to keeping a full audit trail so no one can say, “I don’t know what happened. The agent did it.”
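The governance controls described in the preceding paragraphs (a least-privilege allowlist per agent, no long-lived credentials, a kill switch that revokes access immediately, and an audit trail that answers "what did the agent do") can be implemented together in a small broker that mediates every tool call. The following added example is a hypothetical broker, not OpenClaw's or any vendor's code; the agent identity, tool names and owner address are constructed. The agent never holds the underlying secret: it asks the broker for a scoped, expiring grant, and the broker performs the call and records it.

```python
import time
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class AgentIdentity:
    agent_id: str
    owner: str                 # the human accountable for this agent
    allowed_tools: Set[str]    # least-privilege allowlist, e.g. {"mail.read"}
    disabled: bool = False     # flipped by the kill switch


@dataclass
class Grant:
    grant_id: str
    agent_id: str
    tool: str
    expires_at: float          # short-lived: no long-lived credential is ever handed out


class AgentBroker:
    """Hypothetical mediator: the only path from an agent to a tool's credential."""

    def __init__(self, ttl_seconds: float = 300, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock     # injectable so expiry can be tested deterministically
        self.agents: Dict[str, AgentIdentity] = {}
        self.grants: Dict[str, Grant] = {}
        self.audit_log: List[dict] = []   # the "what happened" record

    def _log(self, event: str, **fields) -> None:
        self.audit_log.append({"ts": self.clock(), "event": event, **fields})

    def register(self, agent_id: str, owner: str, allowed_tools: Set[str]) -> None:
        self.agents[agent_id] = AgentIdentity(agent_id, owner, set(allowed_tools))
        self._log("agent.registered", agent_id=agent_id, owner=owner,
                  allowed_tools=sorted(allowed_tools))

    def issue_grant(self, agent_id: str, tool: str) -> Optional[Grant]:
        """Issue a scoped, expiring grant, or refuse and record why."""
        agent = self.agents.get(agent_id)
        if agent is None or agent.disabled:
            self._log("grant.denied", agent_id=agent_id, tool=tool, reason="unknown or disabled agent")
            return None
        if tool not in agent.allowed_tools:
            self._log("grant.denied", agent_id=agent_id, tool=tool, reason="tool not in allowlist")
            return None
        grant = Grant(uuid.uuid4().hex, agent_id, tool, self.clock() + self.ttl)
        self.grants[grant.grant_id] = grant
        self._log("grant.issued", agent_id=agent_id, tool=tool, grant_id=grant.grant_id)
        return grant

    def invoke(self, grant_id: str, tool: str, action: str) -> Tuple[str, str]:
        """Perform a tool call on the agent's behalf; returns (status, detail)."""
        grant = self.grants.get(grant_id)
        if grant is None:
            reason = "unknown or revoked grant"
        elif grant.tool != tool:
            reason = "grant scoped to a different tool"
        elif self.clock() > grant.expires_at:
            reason = "grant expired"
        elif self.agents[grant.agent_id].disabled:
            reason = "agent disabled"
        else:
            reason = None
        if reason is not None:
            self._log("tool.denied", grant_id=grant_id, tool=tool, action=action, reason=reason)
            return ("denied", reason)
        # In a real deployment the credential for `tool` is fetched from a secret
        # store and used here, server-side; the agent only ever sees the result.
        self._log("tool.invoked", agent_id=grant.agent_id, tool=tool, action=action)
        return ("ok", f"{tool}:{action} executed for {grant.agent_id}")

    def kill(self, agent_id: str) -> int:
        """Kill switch: disable the agent and revoke every grant it holds."""
        self.agents[agent_id].disabled = True
        revoked = [gid for gid, g in self.grants.items() if g.agent_id == agent_id]
        for gid in revoked:
            del self.grants[gid]
        self._log("agent.killed", agent_id=agent_id, grants_revoked=len(revoked))
        return len(revoked)


if __name__ == "__main__":
    broker = AgentBroker(ttl_seconds=60)
    broker.register("inbox-helper", "owner@example.test", {"mail.read"})
    grant = broker.issue_grant("inbox-helper", "mail.read")
    print(broker.invoke(grant.grant_id, "mail.read", "list"))
    print(broker.invoke(grant.grant_id, "files.write", "delete"))   # denied: out of scope
    print("revoked", broker.kill("inbox-helper"))
    for entry in broker.audit_log:
        print(entry)
```

Because every grant is tied to one agent, one tool and a short expiry, compromising the channel that drives the agent yields at most what that agent is allowed to do until the operator flips the kill switch, and the audit log names the agent and its owner for each action rather than leaving "the agent did it" as the only answer.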

There’s no reason why conventional security wisdom, such as the principle of least privilege, lifecycle management and robust logging, should be thrown out in an agentic age. In fact, it’s more relevant than ever.


This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.

The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit
