Insights, updates, and best practices for AI agent security and identity management
We contributed 6 security fixes to OpenClaw (205K+ stars). 4 PRs merged directly, 2 adopted by maintainers. Fixes cover credential redaction, code safety scanning, path traversal, file permissions, timing side-channels, and npm lifecycle attacks.
AI agents are making decisions, calling APIs, and accessing sensitive data autonomously. But most have no real identity — just shared API keys and bearer tokens. Here's how to give every agent a cryptographic identity that's verifiable, auditable, and enforceable at runtime.
OAuth 2.0 and OpenID Connect power human authentication across the web. But AI agents aren't humans — they don't click consent screens, bearer tokens can't prove which agent acted, and scopes can't enforce capabilities at runtime. Here's the identity gap the industry is ignoring and how AIM solves it.
OASB (Open Agent Security Benchmark) is an open security benchmark for AI agents. 46 controls across 10 categories with L1/L2/L3 maturity levels. The CIS Benchmark for agentic AI.
PR #9806 merged 1,721 lines of code into OpenClaw (169K GitHub stars), adding a built-in skill security scanner that detects malicious patterns across 6 check categories before skills can execute. The scanner runs automatically at install and update time.
HackMyAgent v0.4.0 ships the first automated detection for CVE-2026-25253 (CVSS 8.8), expanded ClawHavoc campaign IOCs, and 11 new security checks for OpenClaw installations.
HackMyAgent is an open-source security toolkit for AI agents. 55 attack payloads, 100+ security checks, OASB-1 compliance benchmarks. The missing OWASP ZAP for agentic AI.
We scanned 97,013 internet-facing hosts for AI agent vulnerabilities. 14.4% had confirmed security issues. 1,190 had system instructions publicly readable. 645 had MCP tool definitions exposed. Here's what we found and what we're doing about it.
Traditional NHI platforms manage service accounts and API keys. But AI agents represent a fundamentally different class of non-human identity that requires purpose-built governance. Here's the gap in your NHI strategy.
The ClawHavoc campaign planted 341 malicious skills on ClawHub. Combined with GHSA-g8p2's 1-click RCE vulnerability, OpenClaw users face credential theft, reverse shells, and persistent backdoors. We built a scanner to detect it.
OWASP released their Top 10 for Agentic Applications in December 2025. Here's how each risk maps to NHI governance capabilities — and what you can do about it.
January 2026 marked a turning point in AI security. ServiceNow disclosed what researchers called 'the most severe AI-driven vulnerability uncovered to date'—exposing 85% of Fortune 500 companies to potential takeover through improperly secured AI agents.
AIM (Agent Identity Management) is now available. Secure your AI agents with one line of code. Cryptographic identity, MCP attestation, trust scoring, and comprehensive audit logging for production AI deployments.
This article discusses critical vulnerabilities in AI agent systems, particularly focusing on CVE-2025-32711 (EchoLeak) affecting Microsoft Copilot and CVE-2025-49596 in MCP servers. Learn how to secure your AI agents with Agent Identity Management (AIM).
Subscribe to our newsletter for weekly insights, vulnerability alerts, and best practices
Get started with AIM and protect your AI infrastructure with just one line of code