As AI tools proliferate inside corporate environments, a security gap is forming that traditional endpoint protection cannot close. A new acquisition signals the industry may finally be paying attention.

When a solo developer released an AI agent called OpenClaw, it took less than a week to rack up millions of downloads — and less than a week more for researchers to find 135,000 exposed instances and hundreds of malicious extensions hiding inside its marketplace. The incident was not a sophisticated nation-state attack. It was a preview of what enterprise security teams are now racing to address: the unmanaged, largely invisible layer of AI software quietly operating inside corporate networks with employee-level permissions and machine-level speed.

AI Agents Are the New Insider Threat — And Most Companies Can’t See Them

The modern corporate endpoint has changed in ways that security tooling has not kept pace with. Where once the perimeter was defined by executables and known binaries, today’s working environment is shaped by a sprawling layer of code packages, browser extensions, IDE plugins, local servers, containers, model artifacts, and AI agents — most of them installed directly by employees and developers, without centralized oversight.

Because these components are not classic binaries, they often fall outside the visibility and control of traditional endpoint security tooling. This means that a growing portion of what runs on corporate machines is, from a security standpoint, effectively invisible.

The Agent Problem

AI agents add a particular dimension of risk to this already complex picture. They are legitimate tools that operate with the user’s credentials and permissions, enabling them to read, write, move data and take privileged actions across systems. When compromised or misused, agents become the “ultimate insider.” They can autonomously discover, invoke and even install additional components at machine speed, accelerating risk across an already expanding, largely unmanaged software layer.

The implications are significant. An agent that behaves legitimately during vetting could later be updated to include malicious capabilities — and because it already has permission to act, it can do so without triggering conventional alarms.

A Cautionary Case: OpenClaw

The recent emergence of OpenClaw offers a cautionary tale for the agentic era. Developed by a single individual in just one week, it rapidly secured millions of downloads while gaining broad permissions across users’ emails, filesystems and shells. Within days, researchers identified 135,000 exposed instances and more than 800 malicious skills in its marketplace, underscoring how a single unvetted agent can create an immediate, global attack surface.

OpenClaw is not an isolated case. Researchers have documented a pattern of risk emerging from the tools that developers and knowledge workers now depend on daily. An AI extension in VS Code was found leaking code from 1.5 million developers. The extension could read any open file and send it back to the extension's author, collect files in bulk without user interaction, and track users with commercial analytics SDKs.

Separately, researchers documented the first malicious Model Context Protocol (MCP) server in the wild. When developers added a specific skill to tools like Claude Code or Cursor, it silently forwarded every email to the plugin creator — a capability that was added after developers had already started using it. That last detail is particularly telling. The malicious behavior was introduced via an update, after the tool had passed whatever informal scrutiny users applied when first adopting it. There is currently no systematic mechanism in most organizations to catch this kind of post-install change.
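One way to build the post-install change check that the paragraph above says most organizations lack, as an added example that is not from the article or from any vendor named in it: it fingerprints every MCP server definition in the common `mcpServers` JSON layout against the copy taken when the tools were vetted and reports what has drifted since. The server names, commands and the collector URL are constructed sample data.

```python
import hashlib
import json

# Constructed sample: MCP server definitions as they looked when first vetted.
BASELINE_CONFIG = {
    "mcpServers": {
        "repo-search": {"command": "npx", "args": ["repo-search-mcp"], "env": {}},
        "mail-helper": {"command": "node", "args": ["mail-helper.js"], "env": {}},
    }
}

# Constructed sample: the same file after a silent update gave one server an
# outbound destination and a new server appeared without anyone vetting it.
CURRENT_CONFIG = {
    "mcpServers": {
        "repo-search": {"command": "npx", "args": ["repo-search-mcp"], "env": {}},
        "mail-helper": {"command": "node", "args": ["mail-helper.js"],
                        "env": {"FORWARD_URL": "https://collector.example/inbox"}},
        "summarize-all": {"command": "python", "args": ["summarize.py"], "env": {}},
    }
}

def fingerprint(spec):
    """Stable SHA-256 over canonical JSON, so key order alone never counts as drift."""
    canonical = json.dumps(spec, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def inventory(config):
    """Map each MCP server name to the fingerprint of its definition."""
    return {name: fingerprint(spec) for name, spec in config.get("mcpServers", {}).items()}

def changed_fields(old, new):
    """Top-level fields (command, args, env, ...) whose value differs."""
    return sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))

def diff_configs(baseline, current):
    """Report servers added, removed or modified relative to the vetted baseline."""
    base_inv, cur_inv = inventory(baseline), inventory(current)
    base_srv = baseline.get("mcpServers", {})
    cur_srv = current.get("mcpServers", {})
    return {
        "added": sorted(set(cur_inv) - set(base_inv)),
        "removed": sorted(set(base_inv) - set(cur_inv)),
        "changed": {name: changed_fields(base_srv[name], cur_srv[name])
                    for name in sorted(set(base_inv) & set(cur_inv))
                    if base_inv[name] != cur_inv[name]},
    }

if __name__ == "__main__":
    print(json.dumps(diff_configs(BASELINE_CONFIG, CURRENT_CONFIG), indent=2))
```

Run against the real config files on a schedule, the report is the alert: a server gaining an `env` value or a server nobody approved is exactly the post-install change the article describes.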

The Visibility Gap in Security Operations

Autonomous agent actions are often difficult to trace or reconstruct, leaving Security Operations Centers without the visibility they need when an incident occurs. Traditional endpoint detection tools were built around a world of known file types and process behaviors. They were not designed to monitor whether an AI coding assistant is silently exfiltrating source code, or whether an MCP server has been updated to redirect outbound communications. This gap has prompted the emergence of what some in the industry are beginning to call a distinct product category.

An Acquisition and a New Category

Palo Alto Networks announced its intent to acquire Koi Security, a company focused specifically on AI-native endpoint protection. The rationale centers on three capabilities that Koi has developed: gaining complete visibility into AI tools, agents, and non-binary software running inside an environment; continuously analyzing the intent and risk level of that software; and enforcing policy in real time to block risky behaviors. Palo Alto Networks intends to integrate Koi’s capabilities across its platforms following the closing of the proposed acquisition.

The acquisition reflects a broader recognition that the expansion of AI tooling inside organizations has outpaced the security frameworks designed to govern it. Whether this category of protection becomes a standard enterprise requirement — as some in the industry expect — will depend on how quickly organizations recognize that the software running inside their environments has fundamentally changed. What is clear is that the risk is already present. The agents are already installed. Many of them are already active. And in most organizations, no one is watching.

By Jakob Jung

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM. Contact via Mail: jakob.jung@security-storage-und-channel-germany.de
