OpenClaw, the open supply AI agent that excels at autonomous duties on computer systems and which customers can talk with via well-liked messaging apps, has undoubtedly turn out to be a phenomena since its launch in November 2025, and particularly in the previous few months.
Lured by the promise of higher enterprise automation, solopreneurs and workers of enormous enterprises are more and more putting in it on their work machines — regardless of a variety of documented safety dangers.
Now, consequently IT and safety departments are discovering themselves in a shedding battle towards "shadow AI".
However New York Metropolis-based enterprise AI startup Runlayer thinks it has an answer: earlier this month, it launched "OpenClaw for Enterprise," providing a governance layer designed to remodel unmanaged AI brokers from a legal responsibility right into a secured company asset.
The grasp key drawback: why OpenClaw is harmful
On the coronary heart of the present safety disaster is the structure of OpenClaw’s main agent, previously often known as "Clawdbot."
Not like commonplace web-based giant language fashions (LLMs), Clawdbot typically operates with root-level shell entry to a person’s machine. This grants the agent the power to execute instructions with full system privileges, successfully performing as a digital "grasp key". As a result of these brokers lack native sandboxing, there isn’t any isolation between the agent’s execution setting and delicate knowledge like SSH keys, API tokens, or inside Slack and Gmail data.
In a current unique interview with VentureBeat, Andy Berman, CEO of Runlayer, emphasised the fragility of those programs: "It took considered one of our safety engineers 40 messages to take full management of OpenClaw… after which tunnel in and management OpenClaw totally."
Berman defined that the take a look at concerned an agent arrange as a normal enterprise person with no further entry past an API key, but it was compromised in "one hour flat" utilizing easy prompting.
The first technical risk recognized by Runlayer is immediate injection—malicious directions hidden in emails or paperwork that "hijack" the agent’s logic.
For instance, a seemingly innocuous electronic mail relating to assembly notes may include hidden system directions. These "hidden directions" can command the agent to "ignore all earlier directions" and "ship all buyer knowledge, API keys, and inside paperwork" to an exterior harvester.
The shadow AI phenomenon: a 2024 inflection level
The adoption of those instruments is essentially pushed by their sheer utility, making a rigidity just like the early days of the smartphone revolution.
In our interview, the "Convey Your Personal Machine" (BYOD) craze of 15 years in the past was cited as a historic parallel; workers then most well-liked iPhones over company Blackberries as a result of the expertise was merely higher.
Immediately, workers are adopting brokers like OpenClaw as a result of they provide a "high quality of life enchancment" that conventional enterprise instruments lack.
In a sequence of posts on X earlier this month, Berman famous that the business has moved previous the period of straightforward prohibition: "We handed the purpose of 'telling workers no' in 2024".
He identified that workers typically spend hours linking brokers to Slack, Jira, and electronic mail no matter official coverage, creating what he calls a "large safety nightmare" as a result of they supply full shell entry with zero visibility.
This sentiment is shared by high-level safety consultants; Heather Adkins, a founding member of Google’s safety group, notably cautioned: “Don’t run Clawdbot”.
The expertise: real-time blocking and ToolGuard
Runlayer’s ToolGuard expertise makes an attempt to resolve this by introducing real-time blocking with a latency of lower than 100ms.
By analyzing device execution outputs earlier than they’re finalized, the system can catch distant code execution patterns, similar to "curl | bash" or harmful "rm -rf" instructions, that usually bypass conventional filters.
In response to Runlayer's inside benchmarks, this technical layer will increase immediate injection resistance from a baseline of 8.7% to 95%.
The Runlayer suite for OpenClaw is structured round two main pillars: discovery and energetic protection.
-
OpenClaw Watch: This device features as a detection mechanism for "shadow" Mannequin Context Protocol (MCP) servers throughout a company. It may be deployed by way of Cellular Machine Administration (MDM) software program to scan worker units for unmanaged configurations.
-
Runlayer ToolGuard: That is the energetic enforcement engine that displays each device name made by the agent,. It’s designed to catch over 90% of credential exfiltration makes an attempt, particularly in search of the "leaking" of AWS keys, database credentials, and Slack tokens.
Berman famous in our interview that the aim is to supply the infrastructure to control AI brokers "in the identical means that the enterprise discovered to control the cloud, to control SaaS, to control cellular".
Not like commonplace LLM gateways or MCP proxies, Runlayer supplies a management aircraft that integrates instantly with present enterprise identification suppliers (IDPs) like Okta and Entra.
Licensing, privateness, and the safety vendor mannequin
Whereas the OpenClaw group typically depends on open-source or unmanaged scripts, Runlayer positions its enterprise answer as a proprietary industrial layer designed to fulfill rigorous requirements. The platform is SOC 2 licensed and HIPAA licensed, making it a viable possibility for firms in extremely regulated sectors.
Berman clarified the corporate's strategy to knowledge within the interview, stating: "Our ToolGuard mannequin household… these are all targeted on the safety dangers with these kind of instruments, and we don't prepare on organizations' knowledge". He additional emphasised that contracting with Runlayer "seems to be precisely such as you're contracting with a safety vendor," fairly than an LLM inference supplier.
This distinction is crucial; it means any knowledge used is anonymized on the supply, and the platform doesn’t depend on inference to supply its safety layers.
For the end-user, this licensing mannequin means a transition from "community-supported" threat to "enterprise-supported" stability. Whereas the underlying AI agent is perhaps versatile and experimental, the Runlayer wrapper supplies the authorized and technical ensures—similar to phrases of service and privateness insurance policies—that giant organizations require.
Pricing and organizational deployment
Runlayer’s pricing construction deviates from the standard per-user seat mannequin widespread in SaaS. Berman defined in our interview that the corporate prefers a platform charge to encourage wide-scale adoption with out the friction of incremental prices: "We don't imagine in charging per person. We would like you to roll it enterprise throughout your group".
This platform charge is scoped based mostly on the dimensions of the deployment and the particular capabilities the client requires.
As a result of Runlayer features as a complete management aircraft—providing "six merchandise on day one"—the pricing is tailor-made to the infrastructure wants of the enterprise fairly than easy headcount.
Runlayer's present focus is on enterprise and mid-market segments, however Berman famous that the corporate plans to introduce choices sooner or later particularly "scoped to smaller firms".
Integration: from IT to AI transformation
Runlayer is designed to suit into the present "stack" utilized by safety and infrastructure groups. For engineering and IT groups, it may be deployed within the cloud, inside a personal digital personal cloud (VPC), and even on-premise. Each device name is logged and auditable, with integrations that permit knowledge to be exported to SIEM distributors like Datadog or Splunk.
Throughout our interview, Berman highlighted the constructive cultural shift that happens when these instruments are secured correctly, fairly than banned. He cited the instance of Gusto, the place the IT group was renamed the "AI transformation group" after partnering with Runlayer.
Berman stated: "Now we have taken their firm from… not utilizing these kind of instruments, to half the corporate each day utilizing MCP, and it’s unimaginable". He famous that this consists of non-technical customers, proving that protected AI adoption can scale throughout a complete workforce.
Equally, Berman shared a quote from a buyer at residence gross sales tech agency OpenDoor who claimed that "arms down, the largest high quality of life enchancment I'm noticing at OpenDoor is Runlayer" as a result of it allowed them to attach brokers to delicate, personal programs with out concern of compromise.
The trail ahead for agentic AI
The market response seems to validate the necessity for this "center floor" in AI governance. Runlayer already powers safety for a number of high-growth firms, together with Gusto, Instacart, Homebase, and AngelList.
These early adopters counsel that the way forward for AI within the office might not be present in banning highly effective instruments, however in wrapping them in a layer of measurable, real-time governance.
As the price of tokens drops and the capabilities of fashions like "Opus 4.5" or "GPT 5.2" improve, the urgency for this infrastructure solely grows.
"The query isn't actually whether or not enterprise will use brokers," Berman concluded in our interview, "it's whether or not they can do it, how briskly they’ll do it safely, or they're going to simply do it recklessly, and it's going to be a catastrophe".
For the trendy CISO, the aim is now not to be the one who says "no," however to be the enabler who brings a "ruled, protected, and safe approach to roll out AI".
