Tenable’s senior vice president of product Jason Merrick disclosed that his company found 12 unmanaged OpenClaw instances operating inside a single enterprise client’s environment, each with access to API feeds, source code repositories, and a contractor communicating through Telegram. “What could go wrong, right?” Merrick said during a panel at the Snowflake Summit in San Francisco, according to ZDNET.
The panel, which included security executives from 1Password and Resolve AI, converged on a central warning: AI agents are evolving from chatbots into digital workers authorized to take actions across applications and data, and most enterprises have no visibility into what those agents are actually doing.
The Permission Problem
Mayank Agarwal, founder and CTO of Resolve AI, described the fundamental shift from deterministic software to agentic systems. “If you go back just two years, an engineer knew exactly how they were going to connect APIs across different systems,” he told the panel. “In the agentic world, it’s completely unpredictable. The agent wires the stuff on the fly. Give it a goal, solve this problem, and it goes out and tries all the paths that it has access to.”
That unpredictability creates a specific exfiltration risk. An agent can read sensitive data from one tool and write it to another tool that sends it somewhere it should never go. “The agent may read from a tool and use another tool to write it to someplace it shouldn’t be,” Agarwal said.
Identity Collapse
Nancy Wang, CTO of 1Password, raised a separate problem: enterprises can no longer distinguish between human and agent activity. “Who actually took an action against this system? Is it a human? Is it a service account? Or is it an agent?” Wang said. “Your team probably doesn’t know, or there’s not 100% certainty to that answer. Because today, agents look like humans, but they also could look like a service account, because they have all your permissions.”
Wang identified the greatest risk as “an agent that’s over-permissioned with longstanding credentials,” and recommended applying traditional identity best practices, including least-privilege access and credential rotation, to agent deployments.
Balancing Governance and Productivity
The panel agreed that blocking agents entirely defeats their purpose. “You don’t want to just block everything or firewall everything,” Wang said. The challenge, she explained, is designing security around “non-deterministic beings” while preserving the productivity gains that make agents valuable.
Merrick recommended that security teams start by auditing agent configurations directly. “Look at the user pieces the employees are creating, through Copilot, Claude Chat, or Gemini,” he said. “Look at their configurations. Is AI misconfigured? What type of data is it accessing? And be able to take action on that.”
The Intern Model
Wang’s summary framed the governance approach in human terms: agents need “very, very specific instructions,” and even then, “they still veer off the desired path.” The remediation model she proposed centers on full visibility, intent persistence across every action, and treating remediation as continuous rather than periodic.
The Tenable case study puts a number on what many enterprises suspect but haven’t measured. Twelve unmanaged agent instances, each with production-grade access, operating with minimal oversight. The question for security teams is not whether shadow agents exist in their environment, but how many.