The end of 'shadow AI' at enterprises? Kilo launches KiloClaw for Organizations to enable secure AI agents at scale
Our take

As generative AI matures from a novelty into a workplace staple, a new friction point has emerged: the "shadow AI" or "Bring Your Own AI (BYOAI)" crisis. Much like the unsanctioned use of personal devices in years past, developers and knowledge workers are increasingly deploying autonomous agents on personal infrastructure to manage their professional workflows.
"Our journey with Kilo Claw has been to make it easier and easier and more accessible to folks," says Kilo co-founder Scott Breitenother. Today, the company dedicated to providing a portable, multi-model, cloud-based AI coding environment is moving to formalize this "shadow AI" layer: it's launching KiloClaw for Organizations and KiloClaw Chat, a suite of tools designed to provide enterprise-grade governance over personal AI agents.
The announcement comes at a period of high velocity for the company. Since KiloClaw, its securely hosted, one-click OpenClaw product for individuals, became generally available last month, more than 25,000 users have integrated the platform into their daily workflows.
Simultaneously, Kilo’s proprietary agent benchmark, PinchBench, has logged over 250,000 interactions and recently gained significant industry validation when it was referenced by Nvidia CEO Jensen Huang during his keynote at the 2026 Nvidia GTC conference in San Jose, California.
The shadow AI crisis: Addressing the BYOAI problem
The impetus for KiloClaw for Organizations stems from a growing visibility gap within large enterprises. In a recent interview with VentureBeat, Kilo leadership detailed conversations with high-level AI directors at government contractors who found their developers running OpenClaw agents on random VPS instances to manage calendars and monitor repositories.
"What we’re announcing on Tuesday is Kilo Claw for organizations, where a company can buy an organization-level package of Kilo Claws and give every team member access," explained Kilo co-founder and head of product and engineering Emilie Schario during the interview.
"We can't see any of it," the head of AI at one such firm reportedly told Kilo. "No audit logs. No credential management. No idea what data is touching what API."
This lack of oversight has led some organizations to issue blanket bans on autonomous agents before a clear strategy on deployment could be formed.
Anand Kashyap, CEO and founder of data security firm Fortanix, told VentureBeat without seeing Kilo's announcement that while "Openclaw has taken the technology world by storm... the enterprise usage is minimal due to the security concerns of the open source version."
Kashyap expanded on this trend:
"In recent times, NVIDIA (with NemoClaw), Cisco (DefenseClaw), Palo Alto Networks, and Crowdstrike have all announced offerings to create an enterprise-ready version of OpenClaw with guardrails and governance for agent security. However, enterprise adoption continues to be low.
Enterprises like centralized IT control, predictable behavior, and data security which keeps them compliant. An autonomous agentic platform like OpenClaw stretches the envelope on all these parameters, and while security majors have announced their traditional perimeter security measures, they don't address the fundamental problems of having a reduced attack surface. Over time, we will see an agentic platform emerge where agents are pre-built and packaged, and deployed responsibly with centralized controls, and data access controls built into the agentic platform as well as the LLMs they call upon to get instructions on how to perform the next task. Technologies like Confidential Computing provide compartmentalization of data and processing, and are tremendously helpful in reducing the attack surface."
KiloClaw for Organizations is positioned as the way for the security team to say "yes," providing the visibility and control required to bring these agents in-house.
It transitions agents from developer-managed infrastructure into a managed environment characterized by scoped access and organizational-level controls.
Technology: Universal persistence and the "Swiss cheese" method
A core technical hurdle in the current agent landscape is the fragmentation of chat sessions.
During the VentureBeat interview, Schario noted that even advanced tools often struggle with canonical sessions, frequently dropping messages or failing to sync across devices.
Schario emphasized the security layer that supports this new structure: “You get all the same benefits of the Kilo gateway and the Kilo platform: you can limit what models people can use, get usage visibility, cost controls, and all the advantages of leveraging Kilo with managed, hosted, controlled Kilo Claw.”
To address the inherent unreliability of autonomous agents—such as missed cron jobs or failed executions—Kilo employs what Schario calls the "Swiss cheese method" of reliability. By layering additional protections and deterministic guardrails on top of the base OpenClaw architecture, Kilo aims to ensure that tasks, such as a daily 6:00 PM summary, are completed even if the underlying agent logic falters.
This is critical because, as Schario noted, “The real risk for any company is data leakage, and that can come from a bot commenting on a GitHub issue or accidentally emailing the person who’s going to get fired before they get fired.”
Product: KiloClaw Chat and organizational guardrails
While managed infrastructure solves the backend problem, KiloClaw Chat addresses the user experience. Schario noted that “Hosted, managed OpenClaw is easier to get started with, but it’s not enough, and it still requires you to be at the edge of technology to understand how to set it up.” Kilo is looking to lower that barrier for the average worker, asking: “How do we give people who have never heard the phrase OpenClaw or Claudebot an always-on AI assistant?”
Traditionally, interacting with an OpenClaw agent required connecting to third-party messaging services like Telegram or Discord—a process that involves navigating "BotFather" tokens and technical configurations that alienate non-engineers.
“One of the number one hurdles we see, both anecdotally and in the data, is that you get your bot running and then you have to connect a channel to it. If you don’t know what’s going on, it’s overwhelming,” Schario observed.
“We solved that problem. You don’t need to set up a channel. You can chat with Kilo in the web UI and, with the Kilo Claw app on your phone, interact with Kilo without setting an external channel,” she continued.
This native approach is essential for corporate compliance because, as she further explained, “When we were talking to early enterprise opportunities, they don’t want you using your personal Telegram account to chat with your work bot.” As Schario put it, there is a reason enterprise communication doesn't flow through personal DMs; when a company shuts off access, they must be able to shut off access to the bot.
Looking ahead, the company plans to integrate these environments further. “What we’re going to do is make Kilo Chat the waypoint between Telegram, Discord, and OpenClaw, so you get all the convenience of Kilo Chat but can use it in the other channels,” Breitenother added.
The enterprise package includes several critical governance features:
Identity Management: SSO/OIDC integration and SCIM provisioning for automated user lifecycles.
Centralized Billing: Full visibility into compute and inference usage across the entire organization.
Admin Controls: Org-wide policies regarding which models can be used, specific permissions, and session durations.
Secrets Configuration: Integration with 1Password ensures that agents never handle credentials in plain text, preventing accidental leaks.
Licensing and governance: The "bot account" model
Other security experts note that handling bot and AI agent permissions is among the most pressing problems enterprises face today.
As Ev Kontsevoy, CEO and co-founder of AI infrastructure and identity management company Teleport told VentureBeat without seeing the Kilo news: "The potential impact of OpenClaw as a non-deterministic actor demonstrates why identity can’t be an afterthought. You have an autonomous agent with shell access, browser control, and API credentials — running on a persistent loop, across dozens of messaging platforms, with the ability to write its own skills. That’s not a chatbot. That’s a non-deterministic actor with broad infrastructure access and no cryptographic identity, no short-lived credentials, and no real-time audit trail tying actions to a verifiable actor."
Kilo is proposing to solve it with a major change in organizational structure: the adoption of employee "bot accounts".
In Kilo’s vision, every employee eventually carries two identities—their standard human account and a corresponding bot account, such as scott.bot@kiloco.ai.
These bot identities operate with strictly limited, read-only permissions. For example, a bot might be granted read-only access to company logs or a GitHub account with contributor-only rights. This "scoped" approach allows the agent to maintain full visibility of the data it needs to be helpful while ensuring it cannot accidentally share sensitive information with others.
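The following is an added example, not Kilo's code: it models the bot-account idea above (a paired bot identity that can only ever hold read-only or contributor-level scopes, every action logged against both the bot and the human it acts for) and the "shut off access to the bot" requirement from earlier in the piece. Scope names, the address convention and the audit format are assumptions; scott.bot@kiloco.ai is the page's own example address.

```python
"""Scoped bot-account authorization with an audit trail.

Added example, not Kilo's code. It models the page's "bot account" idea:
every employee has a paired bot identity that only ever receives read-only
or contributor-level scopes, every action is logged against both the bot
and the human it acts for, and offboarding the human disables the bot in
the same step. Scope names, the address convention and the audit format
are assumptions for illustration; scott.bot@kiloco.ai is the page's own
example address.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Set

# Scopes are "<resource>:<verb>". Only these may ever be granted to a bot;
# write, admin and delete verbs are not grantable whatever the request says.
BOT_GRANTABLE: FrozenSet[str] = frozenset(
    {"logs:read", "repo:read", "repo:push", "repo:open_pr"}
)


@dataclass
class Identity:
    principal: str                      # "scott@kiloco.ai" or "scott.bot@kiloco.ai"
    owner: Optional[str] = None         # human behind a bot account; None for humans
    scopes: FrozenSet[str] = frozenset()

    @property
    def is_bot(self) -> bool:
        return self.owner is not None


def make_bot(owner: str, requested: Set[str]) -> Identity:
    """Create the bot identity paired with a human account.

    Requested scopes outside BOT_GRANTABLE are dropped, so an over-broad
    request can never turn the bot into an admin.
    """
    local, _, domain = owner.partition("@")
    return Identity(f"{local}.bot@{domain}", owner, frozenset(requested) & BOT_GRANTABLE)


@dataclass
class AuditLog:
    entries: List[dict] = field(default_factory=list)

    def record(self, who: Identity, action: str, resource: str, allowed: bool) -> dict:
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "principal": who.principal,
            "acting_for": who.owner or who.principal,   # ties every bot action to a human
            "action": action,
            "resource": resource,
            "decision": "allow" if allowed else "deny",
        }
        self.entries.append(entry)
        return entry


def authorize(who: Identity, action: str, resource: str, log: AuditLog) -> bool:
    """Decide whether `who` may perform `<resource>:<action>`; log either way."""
    scope = f"{resource}:{action}"
    allowed = scope in who.scopes and (not who.is_bot or scope in BOT_GRANTABLE)
    log.record(who, action, resource, allowed)
    return allowed


def offboard(owner: str, directory: Dict[str, Identity]) -> List[str]:
    """Strip all scopes from a human and from every bot paired with them."""
    removed = [p for p, ident in directory.items() if p == owner or ident.owner == owner]
    for p in removed:
        directory[p] = Identity(p, directory[p].owner, frozenset())
    return removed
```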
Addressing concerns over data privacy and "black box" algorithms, Kilo emphasizes that its code is source available.
“Anyone can go look at our code. It’s not a black box. When you’re buying Kilo Claw, you’re not giving us your data, and we’re not training on any of your data because we're not building our own model,” Schario clarified.
This licensing choice allows organizations to audit the resiliency and security of the platform without fearing their proprietary data will be used to improve third-party models.
Pricing and availability
KiloClaw for Organizations follows a usage-based pricing model where companies pay only for the compute and inference consumed. Organizations can utilize a "Bring Your Own Key" (BYOK) approach or use Kilo Gateway credits for inference.
The service is available starting today, Wednesday, April 1. KiloClaw Chat is currently in beta, with support for web, desktop, and iOS sessions. New users can evaluate the platform via a free tier that includes seven days of compute.
As Breitenother summarized to VentureBeat, the goal is to shift from "one-off" deployments to a scalable model for the entire workforce: "I think of Kilo for orgs as buying Kilo Claw by the bushel instead of by the one-off. And we're hoping to sell a lot of bushels of Kilo Claw."
Related Articles
- Should my enterprise AI agent do that? NanoClaw and Vercel launch easier agentic policy setting and approval dialogs across 15 messaging apps
For the past year, early adopters of autonomous AI agents have been forced to play a murky game of chance: keep the agent in a useless sandbox or give it the keys to the kingdom and hope it doesn't hallucinate a catastrophic "delete all" command. To unlock the true utility of an agent—scheduling meetings, triaging emails, or managing cloud infrastructure—users have had to grant these models raw API keys and broad permissions, raising the risk of their systems being disrupted by an accidental agent mistake.
That tradeoff ends today. The creators of the open source sandboxed NanoClaw agent framework — now known under their new private startup named NanoCo — have announced a landmark partnership with Vercel and OneCLI to introduce a standardized, infrastructure-level approval system. By integrating Vercel’s Chat SDK and OneCLI’s open source credentials vault, NanoClaw 2.0 ensures that no sensitive action occurs without explicit human consent, delivered natively through the messaging apps where users already live.
The specific use cases that stand to benefit most are those involving high-consequence "write" actions. That is, in DevOps, an agent could propose a cloud infrastructure change that only goes live once a senior engineer taps "Approve" in Slack. For finance teams, an agent could prepare batch payments or invoice triaging, with the final disbursement requiring a human signature via a WhatsApp card.
Technology: security by isolation
The fundamental shift in NanoClaw 2.0 is the move away from "application-level" security to "infrastructure-level" enforcement. In traditional agent frameworks, the model itself is often responsible for asking for permission—a flow that Gavriel Cohen, co-founder of NanoCo, describes as inherently flawed.
"The agent could potentially be malicious or compromised," Cohen noted in a recent interview. "If the agent is generating the UI for the approval request, it could trick you by swapping the 'Accept' and 'Reject' buttons."
NanoClaw solves this by running agents in strictly isolated Docker or Apple Containers. The agent never sees a real API key; instead, it uses "placeholder" keys. When the agent attempts an outbound request, the request is intercepted by the OneCLI Rust Gateway. The gateway checks a set of user-defined policies (e.g., "Read-only access is okay, but sending an email requires approval"). If the action is sensitive, the gateway pauses the request and triggers a notification to the user. Only after the user approves does the gateway inject the real, encrypted credential and allow the request to reach the service.
Product: bringing the 'human' into the loop
While security is the engine, Vercel’s Chat SDK is the dashboard. Integrating with different messaging platforms is notoriously difficult because every app—Slack, Teams, WhatsApp, Telegram—uses different APIs for interactive elements like buttons and cards. By leveraging Vercel’s unified SDK, NanoClaw can now deploy to 15 different channels from a single TypeScript codebase.
When an agent wants to perform a protected action, the user receives a rich interactive card on their phone. "The approval shows up as a rich, native card right inside Slack or WhatsApp or Teams, and the user taps once to approve or deny," said Cohen. This "seamless UX" is what makes human-in-the-loop oversight practical rather than a productivity bottleneck.
The full list of 15 supported messaging apps/channels contains many favored by enterprise knowledge workers, including: Slack, WhatsApp, Telegram, Microsoft Teams, Discord, Google Chat, iMessage, Facebook Messenger, Instagram, X (Twitter), GitHub, Linear, Matrix, Email, and Webex.
Background on NanoClaw
NanoClaw launched on January 31, 2026, as a minimalist and security-focused response to the "security nightmare" inherent in complex, non-sandboxed agent frameworks. Created by Cohen, a former Wix.com engineer, and marketed by his brother Lazer, CEO of B2B tech public relations firm Concrete Media, the project was designed to solve the auditability crisis found in competing platforms like OpenClaw, which had grown to nearly 400,000 lines of code. By contrast, NanoClaw condensed its core logic into roughly 500 lines of TypeScript—a size that, according to VentureBeat, allows the entire system to be audited by a human or a secondary AI in approximately eight minutes.
The platform’s primary technical defense is its use of operating system-level isolation. Every agent is placed inside an isolated Linux container—utilizing Apple Containers for high performance on macOS or Docker for Linux—to ensure that the AI only interacts with directories explicitly mounted by the user. As detailed in VentureBeat's reporting on the project's infrastructure, this approach confines the "blast radius" of potential prompt injections strictly to the container and its specific communication channel.
In March 2026, NanoClaw further matured this security posture through an official partnership with the software container firm Docker to run agents inside "Docker Sandboxes". This integration utilizes MicroVM-based isolation to provide an enterprise-ready environment for agents that, by their nature, must mutate their environments by installing packages, modifying files, and launching processes—actions that typically break traditional container immutability assumptions.
Operationally, NanoClaw rejects the traditional "feature-rich" software model in favor of a "Skills over Features" philosophy. Instead of maintaining a bloated main branch with dozens of unused modules, the project encourages users to contribute "Skills"—modular instructions that teach a local AI assistant how to transform and customize the codebase for specific needs, such as adding Telegram or Gmail support. This methodology, as described on NanoClaw's website and in VentureBeat interviews, ensures that users only maintain the exact code required for their specific implementation. Furthermore, the framework natively supports "Agent Swarms" via the Anthropic Agent SDK, allowing specialized agents to collaborate in parallel while maintaining isolated memory contexts for different business functions.
Licensing and open source strategy
NanoClaw remains firmly committed to the open source MIT License, encouraging users to fork the project and customize it for their own needs. This stands in stark contrast to "monolithic" frameworks. NanoClaw’s codebase is remarkably lean, consisting of only 15 source files and roughly 3,900 lines of code, compared to the hundreds of thousands of lines found in competitors like OpenClaw.
The partnership also highlights the strength of the "Open Source Avengers" coalition. By combining NanoClaw (agent orchestration), Vercel Chat SDK (UI/UX), and OneCLI (security/secrets), the project demonstrates that modular, open-source tools can outpace proprietary labs in building the application layer for AI.
Community reactions
As shown on the NanoClaw website, the project has amassed more than 27,400 stars on GitHub and maintains an active Discord community. A core claim on the NanoClaw site is that the codebase is small enough to understand in "8 minutes," a feature targeted at security-conscious users who want to audit their assistant.
In an interview, Cohen noted that iMessage support via Vercel’s Photon project addresses a common community hurdle: previously, users often had to maintain a separate Mac Mini to connect agents to an iMessage account.
The enterprise perspective: should you adopt?
For enterprises, NanoClaw 2.0 represents a shift from speculative experimentation to safe operationalization. Historically, IT departments have blocked agent usage due to the "all-or-nothing" nature of credential access. By decoupling the agent from the secret, NanoClaw provides a middle ground that mirrors existing corporate security protocols—specifically the principle of least privilege. Enterprises should consider this framework if they require high auditability and have strict compliance needs regarding data exfiltration. According to Cohen, many businesses have not been ready to grant agents access to calendars or emails because of security concerns. This framework addresses that by ensuring the agent structurally cannot act without permission.
Enterprises stand to benefit specifically in use cases involving "high-stakes" actions. As illustrated in the OneCLI dashboard, a user can set a policy where an agent can read emails freely but must trigger a manual approval dialog to "delete" or "send" one. Because NanoClaw runs as a single Node.js process with isolated containers, it allows enterprise security teams to verify that the gateway is the only path for outbound traffic. This architecture transforms the AI from an unmonitored operator into a supervised junior staffer, providing the productivity of autonomous agents without forgoing executive control.
Ultimately, NanoClaw is a recommendation for organizations that want the productivity of autonomous agents without the "black box" risk of traditional LLM wrappers. It turns the AI from a potentially rogue operator into a highly capable junior staffer who always asks for permission before hitting the "send" or "buy" button.
As AI-native setups become the standard, this partnership establishes the blueprint for how trust will be managed in the age of the autonomous workforce.
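The placeholder-key and approval flow described in the "security by isolation" section above, as an added example that is not OneCLI's or NanoClaw's code: the agent presents only a placeholder credential, the gateway classifies the action against a per-service policy, pauses for a human on sensitive actions, and substitutes the real secret only on the outbound copy. The policy format, placeholder syntax, vault and the approver/sender callbacks are assumptions.

```python
"""Placeholder-credential approval gateway.

Added example, not OneCLI's or NanoClaw's code. It models the flow the
article describes: the sandboxed agent only ever holds a placeholder key,
every outbound request crosses a gateway, a per-service policy separates
read-only actions from ones that need a human, and the real secret is
injected only after approval. Policy format, placeholder syntax, the vault
and the approver/sender callbacks are all assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PLACEHOLDER = "placeholder:"          # prefix of the fake key the agent sees


@dataclass
class Request:
    service: str                      # e.g. "gmail"
    action: str                       # e.g. "messages.list", "messages.send"
    headers: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, str] = field(default_factory=dict)


@dataclass
class Policy:
    """Action prefixes; approval rules are checked before allow rules."""
    allow: Tuple[str, ...] = ()
    require_approval: Tuple[str, ...] = ()

    def classify(self, action: str) -> str:
        if any(action.startswith(p) for p in self.require_approval):
            return "approval"
        if any(action.startswith(p) for p in self.allow):
            return "allow"
        return "deny"                 # default deny: unknown actions never leave


class Gateway:
    def __init__(self, vault: Dict[str, str], policies: Dict[str, Policy],
                 approver: Callable[[Request], bool],
                 send: Callable[[Request], dict]) -> None:
        self.vault = vault            # real secrets live only here, outside the sandbox
        self.policies = policies
        self.approver = approver      # e.g. an approval card in Slack or WhatsApp
        self.send = send              # performs the real outbound call
        self.audit: List[dict] = []

    def forward(self, req: Request) -> dict:
        """Intercept an agent request; return the gateway decision and response."""
        auth = req.headers.get("Authorization", "")
        if not auth.startswith("Bearer " + PLACEHOLDER):
            # Anything but a placeholder means a real secret reached the sandbox.
            return self._finish(req, "deny", "non-placeholder credential presented")
        decision = self.policies.get(req.service, Policy()).classify(req.action)
        if decision == "deny":
            return self._finish(req, "deny", "no policy rule for action")
        if decision == "approval" and not self.approver(req):
            return self._finish(req, "deny", "rejected by human approver")
        # Build a new request so the agent-visible object never holds the secret.
        outbound = Request(
            req.service, req.action,
            {**req.headers, "Authorization": f"Bearer {self.vault[req.service]}"},
            dict(req.body),
        )
        return self._finish(req, "allow", "forwarded", self.send(outbound))

    def _finish(self, req: Request, decision: str, reason: str,
                response: Optional[dict] = None) -> dict:
        self.audit.append({"service": req.service, "action": req.action,
                           "decision": decision, "reason": reason})
        return {"decision": decision, "reason": reason, "response": response}
```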
- AI agent credentials live in the same box as untrusted code. Two new architectures show where the blast radius actually stops.
Four separate RSAC 2026 keynotes arrived at the same conclusion without coordinating. Microsoft's Vasu Jakkal told attendees that zero trust must extend to AI. Cisco's Jeetu Patel called for a shift from access control to action control, saying in an exclusive interview with VentureBeat that agents behave "more like teenagers, supremely intelligent, but with no fear of consequence." CrowdStrike's George Kurtz identified AI governance as the biggest gap in enterprise technology. Splunk's John Morgan called for an agentic trust and governance model. Four companies. Four stages. One problem.
Matt Caulfield, VP of Product for Identity and Duo at Cisco, put it bluntly in an exclusive VentureBeat interview at RSAC. "While the concept of zero trust is good, we need to take it a step further," Caulfield said. "It's not just about authenticating once and then letting the agent run wild. It's about continuously verifying and scrutinizing every single action the agent's trying to take, because at any moment, that agent can go rogue."
Seventy-nine percent of organizations already use AI agents, according to PwC's 2025 AI Agent Survey. Only 14.4% reported full security approval for their entire agent fleet, per the Gravitee State of AI Agent Security 2026 report of 919 organizations in February 2026. A CSA survey presented at RSAC found that only 26% have AI governance policies. CSA's Agentic Trust Framework describes the resulting gap between deployment velocity and security readiness as a governance emergency.
Cybersecurity leaders and industry executives at RSAC agreed on the problem. Then two companies shipped architectures that answer the question differently. The gap between their designs reveals where the real risk sits.
The monolithic agent problem that security teams are inheriting
The default enterprise agent pattern is a monolithic container. The model reasons, calls tools, executes generated code, and holds credentials in one process. Every component trusts every other component. OAuth tokens, API keys, and git credentials sit in the same environment where the agent runs code it wrote seconds ago. A prompt injection gives the attacker everything. Tokens are exfiltrable. Sessions are spawnable. The blast radius is not the agent. It is the entire container and every connected service.
The CSA and Aembit survey of 228 IT and security professionals quantifies how common this remains: 43% use shared service accounts for agents, 52% rely on workload identities rather than agent-specific credentials, and 68% cannot distinguish agent activity from human activity in their logs. No single function claimed ownership of AI agent access. Security said it was a developer's responsibility. Developers said it was a security responsibility. Nobody owned it.
CrowdStrike CTO Elia Zaitsev, in an exclusive VentureBeat interview, said the pattern should look familiar. "A lot of what securing agents look like would be very similar to what it looks like to secure highly privileged users. They have identities, they have access to underlying systems, they reason, they take action," Zaitsev said. "There's rarely going to be one single solution that is the silver bullet. It's a defense in depth strategy."
CrowdStrike CEO George Kurtz highlighted ClawHavoc (a supply chain campaign targeting the OpenClaw agentic framework) at RSAC during his keynote. Koi Security named the campaign on February 1, 2026. Antiy CERT confirmed 1,184 malicious skills tied to 12 publisher accounts, according to multiple independent analyses of the campaign. Snyk's ToxicSkills research found that 36.8% of the 3,984 ClawHub skills scanned contain security flaws at any severity level, with 13.4% rated critical.
Average breakout time has dropped to 29 minutes. Fastest observed: 27 seconds. (CrowdStrike 2026 Global Threat Report)
Anthropic separates the brain from the hands
Anthropic's Managed Agents, launched April 8 in public beta, split every agent into three components that do not trust each other: a brain (Claude and the harness routing its decisions), hands (disposable Linux containers where code executes), and a session (an append-only event log outside both). Separating instructions from execution is one of the oldest patterns in software. Microservices, serverless functions, and message queues.
Credentials never enter the sandbox. Anthropic stores OAuth tokens in an external vault. When the agent needs to call an MCP tool, it sends a session-bound token to a dedicated proxy. The proxy fetches real credentials from the vault, makes the external call, and returns the result. The agent never sees the actual token. Git tokens get wired into the local remote at sandbox initialization. Push and pull work without the agent touching the credential. For security directors, this means a compromised sandbox yields nothing an attacker can reuse.
The security gain arrived as a side effect of a performance fix. Anthropic decoupled the brain from the hands so inference could start before the container booted. Median time to first token dropped roughly 60%. The zero-trust design is also the fastest design. That kills the enterprise objection that security adds latency.
Session durability is the third structural gain. A container crash in the monolithic pattern means total state loss. In Managed Agents, the session log persists outside both brain and hands. If the harness crashes, a new one boots, reads the event log, and resumes. No state lost turns into a productivity gain over time.
Managed Agents include built-in session tracing through the Claude Console. Pricing: $0.08 per session-hour of active runtime, idle time excluded, plus standard API token costs. Security directors can now model agent compromise cost per session-hour against the cost of the architectural controls.
Nvidia locks the sandbox down and monitors everything inside it
Nvidia's NemoClaw, released March 16 in early preview, takes the opposite approach. It does not separate the agent from its execution environment. It wraps the entire agent inside four stacked security layers and watches every move. Anthropic and Nvidia are the only two vendors to have shipped zero-trust agent architectures publicly as of this writing; others are in development.
NemoClaw stacks five enforcement layers between the agent and the host. Sandboxed execution uses Landlock, seccomp, and network namespace isolation at the kernel level. Default-deny outbound networking forces every external connection through explicit operator approval via YAML-based policy. Access runs with minimal privileges. A privacy router directs sensitive queries to locally-running Nemotron models, cutting token cost and data leakage to zero. The layer that matters most to security teams is intent verification: OpenShell's policy engine intercepts every agent action before it touches the host.
The trade-off for organizations evaluating NemoClaw is straightforward. Stronger runtime visibility costs more operator staffing. The agent does not know it is inside NemoClaw. In-policy actions return normally. Out-of-policy actions get a configurable denial.
Observability is the strongest layer. A real-time Terminal User Interface logs every action, every network request, every blocked connection. The audit trail is complete. The problem is cost: operator load scales linearly with agent activity. Every new endpoint requires manual approval. Observation quality is high. Autonomy is low. That ratio gets expensive fast in production environments running dozens of agents.
Durability is the gap nobody's talking about. Agent state persists as files inside the sandbox. If the sandbox fails, the state goes with it. No external session recovery mechanism exists. Long-running agent tasks carry a durability risk that security teams need to price into deployment planning before they hit production.
The credential proximity gap
Both architectures are a real step up from the monolithic default. Where they diverge is the question that matters most to security teams: how close do credentials sit to the execution environment?
Anthropic removes credentials from the blast radius entirely. If an attacker compromises the sandbox through prompt injection, they get a disposable container with no tokens and no persistent state. Exfiltrating credentials requires a two-hop attack: influence the brain's reasoning, then convince it to act through a container that holds nothing worth stealing. Single-hop exfiltration is structurally eliminated.
NemoClaw constrains the blast radius and monitors every action inside it. Four security layers limit lateral movement. Default-deny networking blocks unauthorized connections. But the agent and generated code share the same sandbox. Nvidia's privacy router keeps inference credentials on the host, outside the sandbox. But messaging and integration tokens (Telegram, Slack, Discord) are injected into the sandbox as runtime environment variables. Inference API keys are proxied through the privacy router and not passed into the sandbox directly. The exposure varies by credential type. Credentials are policy-gated, not structurally removed.
That distinction matters most for indirect prompt injection, where an adversary embeds instructions in content the agent queries as part of legitimate work. A poisoned web page. A manipulated API response. The intent verification layer evaluates what the agent proposes to do, not the content of data returned by external tools. Injected instructions enter the reasoning chain as trusted context. With proximity to execution.
In the Anthropic architecture, indirect injection can influence reasoning but cannot reach the credential vault. In the NemoClaw architecture, injected context sits next to both reasoning and execution inside the shared sandbox. That is the widest gap between the two designs.
NCC Group's David Brauchler, Technical Director and Head of AI/ML Security, advocates for gated agent architectures built on trust segmentation principles where AI systems inherit the trust level of the data they process. Untrusted input, restricted capabilities. Both Anthropic and Nvidia move in this direction. Neither fully arrives.
The zero-trust architecture audit for AI agents
The audit grid covers three vendor patterns across six security dimensions, five actions per row. It distills to five priorities:
- Audit every deployed agent for the monolithic pattern. Flag any agent holding OAuth tokens in its execution environment. The CSA data shows 43% use shared service accounts. Those are the first targets.
- Require credential isolation in agent deployment RFPs. Specify whether the vendor removes credentials structurally or gates them through policy. Both reduce risk. They reduce it by different amounts with different failure modes.
- Test session recovery before production. Kill a sandbox mid-task. Verify state survives. If it does not, long-horizon work carries a data-loss risk that compounds with task duration.
- Staff for the observability model. Anthropic's console tracing integrates with existing observability workflows. NemoClaw's TUI requires an operator-in-the-loop. The staffing math is different.
- Track indirect prompt injection roadmaps. Neither architecture fully resolves this vector. Anthropic limits the blast radius of a successful injection. NemoClaw catches malicious proposed actions but not malicious returned data. Require vendor roadmap commitments on this specific gap.
Zero trust for AI agents stopped being a research topic the moment two architectures shipped.
The monolithic default is a liability. The 65-point gap between deployment velocity and security approval is where the next class of breaches will start.
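The session-durability point above (an append-only event log outside both brain and hands, so a replacement harness resumes where the crashed one stopped) and the audit step "kill a sandbox mid-task, verify state survives", as an added example that is not Anthropic's code; it also runs the same crash against the monolithic pattern, where state dies with the container. Event names, the task steps and the crash simulation are assumptions.

```python
"""Append-only session log that survives a harness or sandbox crash.

Added example, not Anthropic's code. It models the brain/hands/session split
the article describes (state lives in an event log outside both) and the
audit step "kill a sandbox mid-task, verify state survives", alongside the
monolithic pattern where state dies with the container. Event names, the
task steps and the crash simulation are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class SessionLog:
    """Append-only event store; lives outside the harness and the sandbox."""
    events: List[dict] = field(default_factory=list)

    def append(self, kind: str, **data) -> None:
        self.events.append({"seq": len(self.events), "kind": kind, **data})

    def completed_steps(self) -> Set[str]:
        return {e["step"] for e in self.events if e["kind"] == "step_done"}


class HarnessCrash(Exception):
    """Simulated failure of the reasoning harness / execution container."""


class Harness:
    """One 'brain' instance driving disposable 'hands'.

    With durable=True it reads its state back from the session log at boot.
    With durable=False it behaves like the monolithic pattern: state lived in
    the crashed process, so a replacement harness starts from nothing.
    """

    def __init__(self, log: SessionLog, steps: List[str],
                 durable: bool = True, crash_after: Optional[int] = None) -> None:
        self.log, self.steps, self.crash_after = log, steps, crash_after
        self.done: Set[str] = log.completed_steps() if durable else set()
        if durable and log.events and log.events[-1]["kind"] != "session_end":
            log.append("harness_resumed", already_done=len(self.done))

    def run(self) -> List[str]:
        """Execute outstanding steps; return the ones this harness ran."""
        executed: List[str] = []
        for step in self.steps:
            if step in self.done:
                continue                      # never redo work the log already records
            if self.crash_after is not None and len(executed) == self.crash_after:
                raise HarnessCrash(step)      # container dies mid-task
            self.log.append("step_started", step=step)
            # ... the disposable sandbox would execute the step here ...
            self.log.append("step_done", step=step)
            self.done.add(step)
            executed.append(step)
        self.log.append("session_end", total=len(self.done))
        return executed


def run_with_recovery(steps: List[str], crash_after: int,
                      durable: bool = True) -> Tuple[SessionLog, List[str]]:
    """Run a task, crash the first harness mid-way, then boot a replacement."""
    log = SessionLog()
    try:
        Harness(log, steps, durable, crash_after).run()
    except HarnessCrash:
        pass                                  # first harness is gone
    second = Harness(log, steps, durable).run()
    return log, second


def duplicated_work(log: SessionLog) -> int:
    """Number of step executions the log shows were repeated after the crash."""
    done = [e["step"] for e in log.events if e["kind"] == "step_done"]
    return len(done) - len(set(done))
```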
- Microsoft takes Agent 365 out of preview as shadow AI becomes an enterprise threat

Microsoft last week took Agent 365, its management platform for AI agents, out of preview and into general availability — a move that signals the software giant believes the governance challenge around autonomous AI is no longer theoretical but operational and urgent. The product, first announced at Microsoft's Ignite conference in November, positions itself as a unified control plane that lets enterprise IT and security teams observe, govern, and secure AI agents wherever they run: inside Microsoft's own ecosystem, on third-party cloud platforms like AWS Bedrock and Google Cloud, on employee endpoints, and increasingly across a sprawling ecosystem of SaaS agents built by partner software companies.

But the most striking element of the launch isn't the general availability milestone itself. It's Microsoft's aggressive push into discovering and managing local AI agents — the coding assistants, personal productivity tools, and autonomous workflows that employees are installing on their own devices, often without IT's knowledge or blessing. Microsoft calls this phenomenon "shadow AI," and it is an entirely new category of enterprise security risk that most organizations are only beginning to grapple with.

"Most enterprises are trying to figure out how to harness the potential of autonomous agents," David Weston, Corporate Vice President of AI Security at Microsoft, told VentureBeat in an exclusive interview. "They're trying to find a balance between what we call YOLO — just let anything run — and 'oh no,' where nothing works at all."

Why Microsoft says rogue AI agents are already a security crisis inside the enterprise

The timing of Agent 365's general availability reflects an uncomfortable reality: AI agents have already outpaced the governance infrastructure designed to manage them.
Enterprises that spent years building controls for cloud applications and SaaS software now face a fundamentally different kind of sprawl — one where autonomous software can invoke tools, access sensitive data, chain together with other agents, and take actions on behalf of users or entirely on their own.

Weston described three specific categories of security incidents that Microsoft is already observing across its enterprise customer base. The first, and most common, involves developers rushing to connect agents to backend systems and inadvertently exposing sensitive infrastructure. "A canonical thing we're seeing a lot across the board is these MCP servers that are then being connected to a sensitive back end system and then exposed unauthenticated to the internet," Weston said. "That can lead to PII or data leaks."

The second category involves what security researchers call cross-prompt injection — attackers embedding malicious instructions in data sources like software tickets, websites, or wikis that an agent is likely to ingest. "We are seeing attackers use untrusted data sources to put in what we call cross-prompt injection prompts, which will basically direct your agent to do whatever the attacker wants," Weston explained. While he noted this attack vector remains less common, "when we do see it, it's higher impact."

The third and perhaps most pervasive issue is more mundane but no less dangerous: agents connected to data sources and DLP systems that simply aren't designed to understand agentic access patterns. "Data sources and DLP systems that are not agent-aware are exposing high-sensitive data down to maybe a vendor," Weston said, adding that such incidents carry "a lot of costs and a lot of risk."

Inside Agent 365, the $15-per-user control plane for governing AI agents at scale

At its core, Agent 365 functions as a centralized registry and policy engine for AI agents.
It provides IT administrators with a single view of every agent operating within their environment — whether that agent was built with Microsoft Copilot Studio, deployed on AWS Bedrock, running as a SaaS integration from a partner like Zendesk or SAP, or installed locally on a developer's Windows machine.

The platform supports three distinct categories of agents, each with a different availability status at launch. Agents working on behalf of users through delegated access — such as an inbox organizer operating with a user's permissions — are now generally available within the control plane. Agents operating behind the scenes with their own access credentials, like an autonomous system triaging support tickets, are also generally available. A third category, agents participating in team workflows with their own access, enters public preview today.

Agent 365 is available as part of the new Microsoft 365 E7 suite or as a standalone product priced at $15 per user per month. Each license covers an individual who manages, sponsors, or uses agents to work on their behalf. The pricing model is designed to scale predictably: organizations pay per person who interacts with the agent ecosystem, not per agent — a structure that acknowledges the reality that agent counts are a moving target in most enterprises.

How Microsoft hunts for unauthorized AI tools hiding on employee laptops

Perhaps the most significant new capability in today's launch is Agent 365's ability to discover and manage local AI agents — the tools that developers and knowledge workers are installing directly on their Windows devices, often without any oversight from IT. Starting today, organizations enrolled in Microsoft's Frontier program can use Agent 365, powered by Microsoft Defender and Intune, to detect OpenClaw agents running on managed Windows devices. Administrators can view which devices are running OpenClaw, and they can apply Intune policies to block common execution methods.
A new "Shadow AI" page in the Microsoft 365 admin center serves as the central dashboard for this discovery process.

The choice to begin with OpenClaw was deliberate. "Our criteria is simply customer demand," Weston told VentureBeat. "We're hearing across the board that enterprises understand OpenClaw represents a new type of software. They want to be on the frontier, they want to leverage all the benefits, but they also want the deterministic control that lets them establish a clear boundary in their enterprise."

Microsoft plans to expand local agent discovery to 18 different agent types by June 2026, including GitHub Copilot CLI and Claude Code. The company is leveraging its existing endpoint telemetry to identify applications calling inference endpoints, then surfacing that information to IT and security teams. "Using our visibility on the endpoint, we can see the variety of apps that are basically calling inference endpoints," Weston explained. "And then we can give a collection of that to the IT and security folks, and they can decide whether that's appropriate or something that's putting them at risk."

Microsoft Defender maps the 'blast radius' when an AI agent goes wrong

Starting in June, Microsoft Defender will provide what the company calls "asset context mapping" for each discovered agent. This feature builds a relationship graph showing which devices an agent runs on, which MCP servers it connects to, which identities are associated with it, and which cloud resources those identities can reach. The goal is to let security teams assess the potential blast radius if an agent is compromised or misbehaves. Weston explained the technical underpinning: "Blast radius is computed by taking an asset inventory and converting each asset into a node in a graph. The edges represent how different assets or data sources are connected."
The system overlays contextual detail onto each node — for instance, flagging that a particular device runs an untrusted AI agent and is simultaneously connected to a critical business database or a machine with thousands of user accounts. "It's highly accurate because it's computed from an asset graph that's typically cloud-based, or built from endpoint data if you've got something like NDE deployed," Weston said. "We're computing it based on what you already have — which is essentially ground truth."

This kind of exposure mapping is precisely what CISOs are asking for, Weston added. "One of the first things you want to know when assessing agent risk is: what is this connected to? Is it connected to something I care about, or is it something moderate?"

The platform doesn't stop at visibility. Agent 365 introduces policy-based controls that let administrators set guardrails for what agents can and cannot do. If a managed agent exhibits malicious behavior patterns — such as attempting to access or exfiltrate sensitive data — Microsoft Defender can block the agent at runtime and generate alerts with rich incident context for investigation. Weston emphasized that Defender's existing classification capabilities translate directly to the agentic world. "Injecting code into the process that manages logins, whether you're OpenClaw or browser, that's always going to be a strong signal," he said. Context mapping, policy-based controls, and runtime blocking will enter public preview through Intune and Defender in June 2026.

Agent 365 reaches into AWS and Google Cloud to govern agents across rival platforms

In a notable competitive move, Microsoft is extending Agent 365's governance reach to rival cloud platforms. A new public preview of Agent 365 registry sync enables IT teams to connect with AWS Bedrock and Google Cloud (specifically, Google Gemini Enterprise Agent Platform, formerly Google Vertex AI).
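The asset-graph computation Weston describes above, and the "first targets" audit from the zero-trust priorities earlier on this page (agents holding OAuth tokens in their execution environment or using a shared service account), as one added example that is not Microsoft's or anyone else's product code. The inventory, node names and attribute keys are constructed for illustration; a real deployment would populate them from endpoint and cloud inventory.

```python
from collections import deque

# Constructed sample inventory (not real telemetry): every asset is a node.
# Attributes are assumed names chosen for this example.
NODES = {
    "agent-inbox":    {"kind": "agent", "oauth_in_sandbox": True},
    "agent-triage":   {"kind": "agent", "oauth_in_sandbox": False},
    "agent-wiki-bot": {"kind": "agent", "oauth_in_sandbox": True},
    "laptop-dev-01":  {"kind": "device"},
    "mcp-tickets":    {"kind": "mcp_server"},
    "svc-shared":     {"kind": "identity", "shared": True},   # shared service account
    "wi-triage":      {"kind": "identity", "shared": False},  # per-agent identity
    "crm-db":         {"kind": "resource", "critical": True},
    "hr-share":       {"kind": "resource", "critical": True},
    "public-wiki":    {"kind": "resource", "critical": False},
}
# Directed "runs on / connects to / uses / can reach" edges between assets.
EDGES = [
    ("agent-inbox", "laptop-dev-01"), ("agent-inbox", "svc-shared"),
    ("agent-wiki-bot", "laptop-dev-01"), ("agent-wiki-bot", "svc-shared"),
    ("agent-triage", "mcp-tickets"), ("agent-triage", "wi-triage"),
    ("svc-shared", "crm-db"), ("svc-shared", "hr-share"),
    ("wi-triage", "public-wiki"), ("mcp-tickets", "public-wiki"),
]

def build_adjacency(edges):
    adj = {name: [] for name in NODES}
    for src, dst in edges:
        adj[src].append(dst)
    return adj

def blast_radius(agent):
    """All assets reachable from the agent node by breadth-first search."""
    adj = build_adjacency(EDGES)
    seen, queue = {agent}, deque([agent])
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(agent)
    return seen

def critical_exposure(agent):
    """Critical resources the agent could touch if compromised or misbehaving."""
    return sorted(n for n in blast_radius(agent) if NODES[n].get("critical"))

def first_targets():
    """Agents matching the monolithic pattern (OAuth token inside the execution
    environment, or a shared service account in reach), worst exposure first."""
    flagged = []
    for name, attrs in NODES.items():
        if attrs["kind"] != "agent":
            continue
        shared = any(NODES[n].get("shared") for n in blast_radius(name))
        if attrs.get("oauth_in_sandbox") or shared:
            flagged.append((name, len(critical_exposure(name)), shared))
    return sorted(flagged, key=lambda t: -t[1])
```

Run on the sample inventory, the two agents sharing `svc-shared` both reach the CRM database and the HR share, while the ticket-triage agent with its own identity reaches nothing critical and is not flagged.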
Through these connections, administrators can automatically discover and inventory agents running on those platforms and perform basic lifecycle governance actions such as starting, stopping, or deleting agents.

"If we're going to be a single control plane, we have to meet customers where they are, and many of them are multi-cloud," Weston told VentureBeat. He acknowledged that the depth of available controls varies somewhat by cloud provider. "Once you know it's there, what kind of guardrails or blocking can you provide? And that's going to be slightly different depending on what the cloud provider works with." But he added that the platforms offer "pretty comparable capabilities" in most scenarios and expressed optimism that cross-cloud consistency will improve over time.

Also generally available today: Agent 365 extends Microsoft Entra network controls to cover agent traffic from Microsoft Copilot Studio agents and local agents like OpenClaw. These controls let security teams inspect agent network activity, identify unsanctioned AI usage, restrict connections to approved web destinations, filter risky file transfers, and help block malicious prompt-based attacks at the network layer before they result in harmful actions. The combination of cloud registry sync and network-layer enforcement gives Microsoft an unusually broad governance surface — one that spans cloud, endpoint, and network in a way few competitors currently match.

Windows 365 for Agents gives enterprises a sandbox for high-risk AI workloads

For organizations that want the productivity benefits of autonomous agents but aren't comfortable running them directly on employee endpoints, Microsoft is also launching Windows 365 for Agents in public preview, currently limited to the United States. The offering creates a new class of Cloud PCs purpose-built for agentic workloads, managed through Intune, and governed by the same identity and security controls applied to human employees.
Weston framed the capability as a segmentation play. "From a security principle standpoint, the more segmentation you can achieve, the better," he said. "If you don't want this on your endpoint, but you still want the capability, you can choose to have it sandboxed, isolated. We've seen large companies like Nvidia talk about doing this. We're creating this pattern for everyone."

How critical that isolation is, Weston added, depends on context. "If you're working in a military installation, it goes without saying, you probably want to segment away that information. If you're working in a company that's primarily creative and you have a little higher risk tolerance, you may not want to do that." The public preview requires an Agent 365 license, an Intune license, and an active Azure subscription.

Microsoft builds a broad partner network to manage the agentic AI ecosystem

Microsoft is positioning Agent 365 not as a walled garden but as an open management layer. The company announced that ecosystem partner agents from Genspark, Zensai, Egnyte, Zendesk, and agents built on platforms including Kasisto, Kore.ai, and n8n are now fully enabled for management through Agent 365 — with no integration work required from IT teams. Additional software development company launch partners include Adobe, SAP, Manus, Nvidia, and Celonis.

For partner-built SaaS agents, onboarding begins with identity. "We have the ability for you to simply give it an identity and or use our SDK depending on the level of capability you need," Weston explained. "Just starting with the identity, we're able to basically see, especially for Entra users, what capabilities the application needs and what constraints should be put on that." Deeper SDK integration provides richer observability data, but identity alone gives the platform substantial governance leverage.
On the services side, Microsoft has enlisted firms including Accenture, KPMG, Capgemini, Protiviti, Slalom, and nearly two dozen others as Agent 365 Launch Partners. These firms have collaborated with Microsoft engineering to build offerings around inventory assessment, least-privilege enforcement, compliance, multi-platform threat analysis, and ongoing lifecycle management.

Microsoft's bigger bet: agents are the new apps, and they need the same enterprise controls

Microsoft's bet with Agent 365 arrives at a moment when the enterprise software industry is racing to define what the "agentic era" actually looks like in production. Competitors including Google, Amazon, and Salesforce are all developing their own agent orchestration and governance tools, but Microsoft's approach — leveraging its deeply entrenched position in endpoint management (Intune), threat detection (Defender), identity (Entra), and productivity (Microsoft 365) — gives it an unusual cross-surface advantage.

For enterprises considering Agent 365, Weston outlined a phased adoption model. "First things first, they'll get visibility and an inventory — you can't really secure what you don't know about," he said. "The next thing they're able to do is assign identities and start to manage the access those agents have, which is a huge first step in managing the risk." The deeper capabilities — isolation through Windows 365 for Agents, runtime blocking, blast radius mapping — come next. "Crawl is inventory. Walk is getting identity and access. Run is getting isolation, better control, deeper visibility," Weston summarized. "I think that's something that's reasonable in a 90-day period."

Whether enterprises actually move that fast will depend on the maturity of their existing security infrastructure and the pace at which shadow AI proliferates within their walls.
A live "Ask Microsoft Anything" session on Agent 365 is scheduled for May 12, giving IT and security professionals a chance to press the engineering team on specifics. But the most telling detail from the interview may have been the most offhand. "I have 18 agents running behind my team chat right now," Weston said. If even Microsoft's own security chief has a small army of autonomous agents operating in his daily workflow, the question for every other enterprise is no longer whether to govern the agentic workforce — it's whether they can do it before the workforce governs itself.