Back
Blog
Insights
Shadow AI Has a Good Reason: Securing OpenClaw and Hermes While Accelerating Humans

Frank Lyonnet
A few weeks ago, EDAMAME wrote about how it runs its own go-to-market on a self-improving AI operator. That post opened on a small, telling example: Justyna Bak, a marketer who pointed Claude Code at a folder of her marketing context instead of at code, and let the agent do the work. The real lesson was not that marketers can write code now. It was that the person directing a capable AI agent is, more and more often, not a security-trained engineer — and that is both the size of the market and the heart of the problem.
This is the sequel, and it is less comfortable. Because that same instinct — point a capable agent at a problem and let it run — does not stay on the marketing team. It walks into the largest, most regulated companies in the world, on the laptop of someone who started six weeks ago.
Two doors into the same room
Step back for a second, because this arrives through two doors at once. Through the front door, the enterprise itself is experimenting: platform, security, and innovation teams stand up OpenClaw and Hermes pilots, wire them to internal MCP tools, and — when a pilot earns its keep — begin deploying them to real users. Through the side door, individuals do not wait for the pilot. They install the same agents on their own laptops the week a deadline lands. One path is sanctioned and one is shadow, but both open into the same room: a capable agent, running on a trusted machine, reaching code, credentials, MCP tools, and production. Whether the deployment was blessed by a steering committee or spun up in an afternoon, the security question is identical — and so is the harder requirement behind it. Securing these agents is now imperative; doing it in a way that accelerates the humans instead of slowing them down is what actually makes the security stick. Take the side door first, because it is the one already open.
The new hire is already running shadow AI — for a good reason
Call her Maya. She joined one of the largest banks in Europe a month and a half ago, into an operations role — not engineering. She is sharp, ambitious, and drowning in the kind of work that does not show up in a job description: reconciling spreadsheets, stitching together three internal systems that do not talk to each other, drafting the same status note fifteen different ways. She filed a ticket for the official internal tooling. It is somewhere in a multi-week queue.
So she did what any motivated person with a deadline does in 2026. On her work laptop, she installed a self-hosted agent — OpenClaw — pointed it at her working folders, wired up a couple of MCP (Model Context Protocol) servers so it could reach the tools she uses, and let it run. A teammate two desks over is doing the same thing with Hermes. Within a week Maya is shipping. The grunt work evaporates. She looks like the best hire of the quarter.
This is shadow AI, and it is worth being precise about the part that matters: her reason is good. She is not exfiltrating data, not cutting a corner, not gaming a metric. She is trying to be useful, faster than the official process allows. That is the version of shadow AI you will actually meet — not sabotage, but initiative — and the more capable these agents become, the more of it there will be. Banning it does not make it rare. It makes it invisible. And Maya is not an outlier — in most organisations the people running these agents are already well ahead of any security team's visibility into them. You cannot secure what you cannot see.
Here is the uncomfortable second fact. The agent on Maya's laptop can reach files, shells, credentials, MCP tools, and the internal systems she has access to. And neither Maya nor the agent reliably knows what the agent is touching at any given moment. She did not read the agent's tool plan. She could not vet the MCP server she added in thirty seconds. If a poisoned tool description, a malicious package, or an injected instruction steers that agent off-task, it will use her credentials, on her trusted laptop, inside the bank — and the audit trail will read like a normal day at work.
And the job title is a red herring. OpenClaw and Hermes are coding-agent-like: they install packages, spawn shells, and pull dependencies locally, exactly like Cursor or Claude Code, so they carry the same risk surface — supply-chain compromise, credential theft, tool poisoning, intent divergence. What changes from one agent to the next is not the risk but the resource in reach. Code and secrets are the flagship case; on Maya's laptop that same agent also reaches the bank's production systems and other critical company resources.
The wrong answer is to slow her down
A security organisation's reflex, faced with Maya, is to reach for the brake: block self-hosted agents, mandate an approval queue, push an MDM profile that locks the laptop down, write a policy nobody reads. That feels like control. It is mostly theatre, and it loses twice.
It loses because Maya routes around it — onto a personal device, into a browser tab, further into the dark — so you have traded a little visibility for none. And it loses because the entire reason she was hired was to move fast, and you have just taxed exactly that. Securing AI agents should not mean slowing the humans down. The moment your security model only works by making your own team slower, you have already lost the argument inside your own company.
But “let it run blind” is not the answer either. The answer is the one nobody likes because it sounds harder than a policy: you have to watch the agent — from outside the agent. To see why that phrase carries all the weight, you have to look at where security for these agents actually sits in the stack.
Where the security layer sits: below the harness, between saying and doing
An AI agent has two distinct layers, and almost every confusion about agent security comes from mixing them up.
There is what the agent says it will do — its plan, which tool to call, the arguments, the “why”. This is the agent's declared intent.
And there is what the machine actually does — the processes it spawns, the files it opens, the sockets it creates, the credentials it touches. This is the ground truth on the host, and it is the only record an attacker cannot narrate for you.
On top of what the agent decides sits the harness: the agent's own guardrails. This is OpenClaw's gateway and Hermes' controls; it is reasoning-plane governance runtimes like Rippletide and AgentField; it is even the research-grade frameworks now being built specifically for these agents — ClawGuard, for instance, enforces a user-confirmed rule set at every tool-call boundary and disables raw shell access right at OpenClaw's gateway layer. Harnesses are good and you should run one. They decide what the agent is allowed to do, before it acts.
But a harness lives inside the agent itself, and that is its structural limit. A harness can be talked past. An agent hijacked through prompt injection, a poisoned MCP tool, or corrupted memory can be steered into doing harm while its own guardrails see nothing wrong — the instruction looks legitimate because it arrived through a legitimate channel. And the local log a harness writes can be edited by whatever just compromised the host. The security guidance for self-hosted agents like OpenClaw and Hermes lands on the same conclusion their own architecture implies: the only boundary that genuinely holds against a misbehaving agent is the operating system it runs on, or an independent watcher outside it — not the agent's internal guardrails.
So the layer that decides the outcome is not on top, with the harness. It is below the harness, where what the agent said meets what the machine did: a layer that independently observes the agent's actual behaviour on the host, compares it to what the agent declared it would do, and keeps an evidence trail the agent cannot silence — because it lives outside the agent. That seam is exactly where EDAMAME sits. One layer governs the decision; the other proves the outcome.
The state of the art for securing these agents
It is worth being honest about the landscape, because a lot of good work is being done and none of it, on its own, closes the gap Maya represents. The market is converging on three stacks.
Agent and LLM observability — Langfuse, Arize Phoenix, LangSmith, AgentOps, Helicone. Excellent at traces, sessions, evaluations, and replay. They can tell you that a tool was called. They live at the application layer, and they generally cannot tell you which local process, parent chain, file, or outbound destination that tool call actually produced on the machine.
Runtime AI security and guardrails — Promptfoo, NVIDIA NeMo Guardrails, Lakera, Prompt Security, HiddenLayer. Strong control primitives: prompt-injection defence, policy at the tool-call boundary, output filtering. They are, by design, the harness — they sit inside or beside the agent and decide what it may do.
Host and runtime telemetry — Falco, osquery, OpenTelemetry, OpenInference. Hard system-level evidence: processes, files, sockets, syscalls. But they are agent-blind. They can see a process opened a socket; they do not know which agent, which task, or which tool call led there.
The academic frontier is the most interesting signal, because it is all moving toward the action boundary and toward least privilege. ClawGuard makes tool-call enforcement deterministic and auditable instead of trusting the model to behave. Prompt Flow Integrity splits an agent into trusted and untrusted halves and tracks data flow between them, so injected content cannot escalate privilege. And the threat these defences answer is not hypothetical: the MCPTox benchmark poisoned 45 real-world MCP servers and pushed the most vulnerable frontier model to a 72.8% attack success rate — and, tellingly, more capable models were often more exploitable, because their instinct to follow instructions is stronger.
Read across all three stacks and one capability is conspicuously missing: nobody fuses host-native evidence with agent-native meaning. The observability tools have the agent's intent but not the machine's truth. The telemetry tools have the machine's truth but not the agent's intent. The guardrails sit inside the agent and can be bypassed with it. The question Maya's CISO actually needs answered — which agent did what, with which files, tools, and destinations, and why? — falls into the gap between them.
What EDAMAME does in that gap
That gap is the layer we build, and it follows from everything above. EDAMAME observes the agent from outside it — no plugin and no SDK inside the agent, so there is nothing for a compromised agent to disable. EDAMAME Security runs on the laptop; EDAMAME Posture runs on CI/CD runners and self-hosted agent hosts. It covers every deployment mode an agent shows up in — local on a laptop, remote, and headless on a runner or a server — because the observation point is the host, not the agent.
Correlating the two — what the agent said against what the machine did — yields two outputs:
A runtime-verification divergence score — the distance between what the agent declared it was doing and what the machine actually did, on an evidence trail you can hand to an auditor. The intent-versus-behaviour side rests on an ongoing research collaboration with academia on the formal verifiability of autonomous software systems.
Attack-pattern findings — credential harvest, token exfiltration, tool poisoning, and supply-chain behaviour — pulled from ML-enriched host telemetry, no signature database required. This is the half that already earns its keep: EDAMAME has caught the axios npm RAT, the litellm PyPI takeover, the tj-actions/changed-files compromise, the Trivy case, and the TanStack / Shai-Hulud payloads in our end-to-end suite — exactly the supply-chain class that reaches a workstation when an agent runs
npm installorpip installon its own.

AI → Divergence: each agent owns a sector, its declared forecast paints a quiet scaffold, and real activity that escapes the forecast lights up red — here an OpenClaw session that read ~/.aws/credentials and opened a reverse tunnel to a darknet host, flagged DIVERGENCE against what the agent said it would do. AI / Divergence feature docs.
This is deliberately a complement to the harness, not a replacement. Keep OpenClaw's gateway, keep Hermes' controls, keep Rippletide, AgentField, or ClawGuard if you run them — they govern the decision inside the agent. EDAMAME proves the outcome from outside it. Run both: one decides what the agent may do; the other is the independent record of what it actually did, which is the one a hijacked agent cannot rewrite.
This is not only our view of where the boundary belongs — Netskope has made the same case publicly, and named EDAMAME. In June 2026 its Field CTO Steve Riley argued that agents deserve a place in every Zero Trust strategy — building on the same Anthropic Zero-Trust-for-agents argument referenced below — and pointed to EDAMAME as a way to do it: “Edamame Technologies (our chief development officer and chief scientist are advisors) offers an AI detection and response platform that observes coding agents independently, from outside the agents themselves. It enforces posture-gated access when intent diverges from activity or attack patterns appear, such as when code starts touching credentials or sending unauthorized data.” That is a major incumbent describing, almost line for line, the two outputs above — observe from outside the agent, then gate access on intent divergence and attack patterns.
What you see: agent posture, from the laptop to the fleet
Concretely, here is what shows up on screen. On Maya's laptop, EDAMAME Security surfaces the agents running on her machine the same way it surfaces the state of the machine itself: which agent is live, what it is reaching right now, its divergence score, and any attack-pattern findings — in plain language. The agent stops being a black box she launched and forgot, and becomes something she can actually watch.

Agents → Inventory: a 30-second “AI work safety” read — spend, errors, token waste, the live divergence verdict, and an alert feed (here, a critical “process accessed multiple sensitive credential store paths”) — computed on the host with no LLM in the loop. Agents feature docs.
Across the company, the EDAMAME Hub turns that into a fleet view. Every workstation, CI/CD runner, and self-hosted agent host appears with its owner, the agents on it, what each one can reach — code, secrets, production — and the blast radius that follows. Maya's shadow OpenClaw and the Hermes instance two desks over are no longer invisible; they are two more entries in the fleet, each carrying a posture state that says whether it is still behaving as declared. This is EDAMAME's device posture check extended to the agents themselves: the agent becomes a first-class part of the posture, not a blind spot beside it.

Agents → Blast Radius: the host sits at the core; each agent (Cursor, Claude Code, OpenClaw…) is a petal with concentric rings for its MCP servers, tools, SBOM components and subprocesses, and red arcs where its reach touches the host. One “Secure my fleet” button resumes every paused observer and acknowledges every newly seen agent — no admin console, no ticket, no approval. Agents feature docs.
And that posture spans the whole stack, not just our slice of it. It factors in the harness — whether the agent is fenced by one at all, and whether that fence is holding or has quietly been talked past — because an unfenced agent, or a bypassed one, is a very different risk than an agent that is properly contained. On top of that sits EDAMAME's own system-plane evidence, correlated with what the agent's reasoning declared it would do: our layer wired into the agent's intent, not just reading raw telemetry beside it. The result is a single posture answer for an AI agent that takes in the reasoning plane, the harness, and the host at once.
That is the step beyond the old world of EDR. Endpoint detection watched the machine for malware and never knew an agent was there — it is agent-blind by construction. Extending the posture check to cover the agent, its harness, and the gap between what it intended and what it did is what AI detection and response actually means at the endpoint: the same posture discipline EDAMAME already brings to a laptop, now carried up to the agent and out across the fleet.
Maya keeps her speed; the CISO gets control
Here is why this is the answer that does not punish the human. EDAMAME is reporting-only and user-up: no remote wipe, no covert changes, no lockdown. Maya keeps her laptop, her admin rights, and her self-hosted agent. On her side, she gets to understand the risk in plain language and fix it — often in one click — rather than waiting on a queue. She does not get slower. She gets safer at the same speed.
On the other side, her CISO gets to act on what that fleet view shows — live control over agent blast radius. When an agent diverges — when the divergence score spikes or a credential-harvest pattern fires — access can be cut and the blast radius shrunk, reversibly, before the damage compounds: the same posture-gated Zero Trust access EDAMAME already enforces — binding access to code, secrets, production, and critical company resources across GitHub, GitLab, and internal systems — now driven by agent behaviour and not just identity. Shadow AI becomes seen AI. That is the whole move.
Beyond securing the agent: helping the human augment themselves
There is a second half to EDAMAME's motto, and it is the one people miss. The first half is what this whole piece has been about: secure the AI agents. The second half is why that security is worth having at all: help the humans embrace those agents to augment themselves. The same vantage point — watching the agent from outside, on the host — that lets you stop an agent when it turns is also what lets you see whether the human is actually getting leverage out of it, or just burning tokens and re-deriving the same work every session.
That is what the Augmentation view does. It answers a plain question — how good am I at augmenting myself? — as a per-workspace Path of Enlightenment: a glowing progression from Awakening (agents exist, but reuse is sparse) through Practicing, Flowing, and Mastering to Enlightened, driven by a single 0–100 Self-Augmentation Score computed entirely on the host, with no LLM in the loop.

Agents → Augmentation, the “Path of Enlightenment”: a per-workspace journey from Awakening to Enlightened, with the traveller placed by a 0–100 Self-Augmentation Score (41 — Practicing here), glowing gates that cap progress, and a “Best next step” card. Agents feature docs.
Two kinds of markers sit on that path, and together they make the motto concrete. Gates are the security half: they cap how far the path can advance until they are cleared, and they are attributed, never anonymous — a security finding on a named agent, an over-broad blast radius (unsandboxed, passwordless root, host filesystem access), a behavioral divergence, a paused observer that has gone blind, a blown token or cost budget. In the shot above, the gate is blunt: “reduce blast radius for Cursor — this unlocks progression beyond Flowing.” You cannot augment yourself safely on top of an agent you have not contained, so the path will not let you pretend otherwise.
Next steps are the augmentation half: deterministic hygiene actions that raise the score without ever capping it — fix broken skill references, capture the reusable skill you keep re-deriving instead of saving, consolidate duplicated skills, trim unused always-on rules, lighten the context-tax hotspots, describe hard-to-find skills, and collapse workspace sprawl where the same work is scattered across projects without a shared artifact. A single “Best next step” card names the one move that unlocks the most progress, and a “biggest drag” line names the axis holding the score back — so the human always knows exactly what to do next to get more leverage, more safely.
The next steps are where the human actually gets better at this, and they are easier to watch than to describe. Here is how we do it ourselves.

Minh Anh, our founding engineer, walks through the tools we use internally to make sure we properly leverage the agents we run — the same discipline, from coding agents to OpenClaw and Hermes, and soon the enterprise agents that follow: youtu.be/jWIrUf0TuMs
None of this is specific to coding. The gates and the next steps read the same whether the agent is Cursor writing code, OpenClaw reconciling Maya's spreadsheets, Hermes drafting on the desk two seats over, or the enterprise agents arriving next. Watch the agent from outside, and one layer gives you both halves of the motto at once: the organisation keeps the proof and the control, and the human keeps — and compounds — the speed.
The same principle as the last post
In that previous piece, EDAMAME argued that the honest path with agents runs through evidence and human judgement, not around them — a human is the first mover and the last word. This is the security version of the same argument. You do not get safe AI agents by slowing your humans down. You get them by watching the agent from outside, so the human keeps the speed and the organisation keeps the proof.
Maya should keep shipping. Justyna should keep pointing Claude Code at her marketing folder. You should simply be able to see what their agents are actually doing on the machine — and stop them if one turns. Shadow AI is not the enemy. Invisible shadow AI is.
Sources
A major incumbent placing agents in Zero Trust — and naming EDAMAME: Steve Riley (Field CTO, Netskope), “Agents Deserve a Place in Every Zero Trust Strategy” — describes EDAMAME as a platform that “observes coding agents independently, from outside the agents themselves [and] enforces posture-gated access when intent diverges from activity or attack patterns appear.”
Agent threat classes (prompt injection, supply chain): OWASP Top 10 for LLM Applications 2025 (LLM01 Prompt Injection, LLM03 Supply Chain).
Tool poisoning: Invariant Labs, “MCP Security Notification: Tool Poisoning Attacks”, and the MCPTox benchmark (45 real-world MCP servers; 72.8% attack success on the most vulnerable model).
Academic frontier — enforcement at the action boundary and least privilege: ClawGuard (deterministic, user-confirmed enforcement at every tool-call boundary, built around the OpenClaw gateway) and Prompt Flow Integrity (agent isolation + data-flow tracking to prevent privilege escalation).
The deterministic-boundary argument: Anthropic, “Zero Trust for AI agents” and the companion “How we contain Claude across products” — agents “may be a new category of software, but their system-level interactions are not.”
EDAMAME runtime detections referenced above: axios, litellm, TanStack / Shai-Hulud.
Get started
Download EDAMAME Security — free for macOS, Windows, Linux, iOS and Android; four users per tenant on the free plan.
EDAMAME Posture — free CLI for CI/CD runners, self-hosted agent hosts, and headless servers.
See the runtime side on the EDAMAME agents page, with a short demo on a Cursor session that applies identically to Claude Code, Codex, OpenClaw, and Hermes: youtu.be/zAN4u7ImWrU
Want to give security leaders live control over agent blast radius for your own fleet? Book a slot on our calendar.
This is a follow-up to How we run EDAMAME's go-to-market with a self-improving AI operator.

Frank Lyonnet
Share this post