Security Firm Finds AI Agent Tool With 500,000 Deployments Lacks Enterprise Kill Switch

Researchers at Cato Networks have identified a serious security gap in OpenClaw, an AI personal assistant tool with more than 500,000 active deployments: the software has no enterprise-level kill switch, leaving organizations unable to remotely disable or revoke compromised instances. The findings were presented at RSAC 2026 by Etay Maor, VP of Threat Intelligence at Cato Networks. Maor disclosed that a threat actor posted a compromised OpenClaw instance for sale on BreachForums on February 22, weeks before Cato went public with its research. The listing demonstrated that once an attacker gains access to an AI agent's session, the owning organization has no centralized mechanism to invalidate that access. The core problem, according to Maor, is architectural. The enterprise software industry adopted zero trust, least privilege, and assume-breach frameworks precisely because credentials and sessions get stolen. But AI agent platforms have largely been deployed with the kind of ambient access and long-lived sessions that security teams spent years eliminating from traditional software. "Your AI? It's my AI now," Maor said, summarizing the threat model in an interview with VentureBeat. OpenClaw is capable of bypassing endpoint detection and response tools, data loss prevention systems, and identity and access management platforms without triggering alerts, according to earlier Cato research. The absence of an enterprise kill switch compounds that risk: a stolen agent session remains operational until the victim discovers the compromise and manually rotates credentials across potentially dozens of integrated systems. Cato Networks said it disclosed its findings to OpenClaw's developer prior to publication. The company has not issued a public statement in response.