As autonomous AI agents like OpenClaw spread across employee laptops and desktops, CISOs and IT leaders are confronting a familiar problem in a new form: powerful, ungoverned technology deployed at the edge of the enterprise, well ahead of formal policy. New York–based startup Runlayer is pitching itself as the control plane that turns OpenClaw from a shadow IT risk into a managed, audited corporate tool.
Runlayer’s new offering, “OpenClaw for Enterprise,” wraps the popular open source agent in a security and governance layer aimed at large organizations that cannot tolerate root-level automation without visibility, controls, and compliance assurances.
Why OpenClaw Became a Shadow AI Headache
OpenClaw, launched in November 2025, has quickly become a favorite among solopreneurs and employees inside large companies. The agent can autonomously perform tasks directly on a user’s machine and integrates with common workplace messaging apps, making it attractive for automating everyday workflows.
That utility has driven rapid, bottom-up adoption. Employees routinely connect OpenClaw to Slack, Jira, email, and other internal systems, often without informing security or IT. In many cases, this happens despite explicit corporate policies warning against unmanaged AI tools and documented security concerns around OpenClaw’s architecture.
Runlayer CEO Andy Berman characterizes this as an inflection point similar to the early “Bring Your Own Device” (BYOD) era, when employees abandoned locked-down corporate smartphones in favor of personal iPhones. Then, as now, user-preferred tools were simply more capable than officially sanctioned alternatives.
By 2024, Berman argued in posts on X, enterprises had “passed the point of telling employees no.” Attempts to block agents outright have not stopped employees from deploying them locally and wiring them into sensitive systems, but they have left CISOs with a growing inventory of unmonitored, high-privilege software in the environment.
That dynamic has prompted alarm from seasoned security leaders. Heather Adkins, a founding member of Google’s security team, went so far as to publicly warn: “Don’t run Clawdbot,” referring to OpenClaw’s primary agent. Yet in many organizations, variants of that agent are already running on production laptops.
Inside the ‘Master Key’ Risk: Root-Level Agents and Prompt Injection
At the core of the risk is how OpenClaw’s main agent, formerly known as Clawdbot, is designed to operate. Unlike web-based large language models that interact via APIs or browser sessions, Clawdbot can execute commands with root-level shell access on the local machine.
That means the agent effectively holds a digital “master key.” It can read and act on anything the OS can access: SSH keys, cloud credentials, local documents, configuration files, and authenticated sessions for services like Slack or Gmail. Critically, there is no native sandbox separating the agent’s execution environment from the rest of the system.
In an interview, Berman described how fragile this setup can be. One of Runlayer’s security engineers was able to gain full control of an OpenClaw instance in about an hour and roughly 40 messages, starting from a standard business user configuration with only an API key. The attack relied not on exotic exploits but on carefully crafted prompts.
Prompt injection is the primary technical threat Runlayer highlights. Malicious instructions can be embedded in everyday content—such as a forwarded email, shared document, or meeting notes—that the agent is asked to process. Those hidden directives might instruct the agent to ignore its original system prompt and exfiltrate all accessible customer data, API keys, or internal documents to a remote service.
Because the agent is both highly privileged and credulous by design, a single compromised input can “hijack” its decision logic. With no sandbox and no native inspection of outgoing actions, traditional endpoint and data-loss tools have little visibility into what the agent is doing once compromised.
From ‘Just Say No’ to Governed Adoption
For many enterprises, the initial reaction to tools like OpenClaw has been straightforward: ban them, or at least prohibit their connection to sensitive systems. But Berman and Runlayer argue this approach is now out of step with reality.
Employees are already investing hours to wire agents into their daily workflows. The perceived productivity and “quality of life” gains are strong enough that many will ignore or work around broad prohibitions. That leaves security teams with a proliferation of unmanaged “shadow AI” instances—agents with shell access, cloud keys, and messaging integrations, all operating with zero centralized oversight.
This creates a widening gap between policy and practice. On paper, the organization may prohibit local agents; in practice, high-value data and systems are being manipulated and sometimes automated by tools that security has never approved, integrated, or tested.
Runlayer’s thesis is that the only sustainable path forward is to meet employees where they are and bring governance to the tools they are already using, rather than fighting a rear-guard action against them. The goal is not to weaken OpenClaw’s capabilities, but to add a layer of detection, control, and audit that makes those capabilities acceptable in a corporate environment.
How Runlayer’s ToolGuard and Real-Time Blocking Work
Runlayer’s core technical answer is ToolGuard, an enforcement layer that sits between OpenClaw and the actions it performs. Instead of trusting every tool call the agent wants to make, ToolGuard analyzes those calls and their outputs in real time, with latency under 100 milliseconds according to the company.
That inspection focuses on patterns associated with remote code execution and destructive behavior—things like “curl | bash” pipelines or recursive delete commands such as “rm -rf”. The idea is to catch harmful sequences that would typically bypass simple prompt filters or static policies embedded in the agent.
Runlayer reports that, in its internal benchmarks, adding this layer increased resistance to prompt injection from 8.7% to 95%. While the exact test conditions are not detailed, the claim illustrates the company’s aim: shift from best-effort prompt hardening to guardrails that evaluate what the agent is actually about to do.
Beyond blocking dangerous commands, Runlayer organizes its OpenClaw capabilities around two pillars: discovery and active defense.
OpenClaw Watch helps security teams find “shadow” Model Context Protocol (MCP) servers—essentially unmanaged agent backends—across the fleet. Deployed via existing mobile device management (MDM) tools, it scans for unapproved OpenClaw-related configurations on employee machines.
Runlayer ToolGuard then acts as the runtime control layer for authorized agents, monitoring every tool invocation. It is designed to detect and stop more than 90% of credential exfiltration attempts, with specific attention to AWS keys, database credentials, and Slack tokens leaving the environment.
Berman positions this as analogous to how enterprises learned to govern earlier technology shifts: first cloud, then SaaS, then mobile. Rather than acting as a generic LLM gateway, Runlayer aims to be a dedicated control plane for AI agents that plugs into existing enterprise identity providers such as Okta and Microsoft Entra.
Licensing, Compliance, and the Security-Vendor Model
Runlayer’s offering is not another open-source script layered on top of an open-source agent. It is a commercial, proprietary product positioned explicitly as a security solution for enterprises, with certifications to match.
The platform is SOC 2 certified and HIPAA certified, which is intended to make it viable for organizations in regulated sectors that are otherwise wary of letting experimental agents near sensitive workloads. For many CISOs, these attestations are table stakes before allowing any new vendor to sit between users and production systems.
Berman is explicit that Runlayer’s ToolGuard model family is focused purely on identifying security risks. The company says it does not train those models on individual organizations’ data. Instead, data used by the platform is anonymized at the source, and the system does not depend on inference over customer content to provide its protections.
Contractually, Runlayer wants to look and behave like a traditional security vendor rather than an LLM inference provider. That means standard terms of service, privacy policies, and risk-sharing models familiar to security and compliance teams. For customers, the shift is from relying on a community-supported agent stack, with ambiguous guarantees, to one wrapped in enterprise-supported controls with defined obligations and auditability.
Pricing for Broad, Organization-Wide Coverage
Runlayer’s pricing departs from the common SaaS pattern of per-seat licensing. Instead, the company favors a platform-fee model, scoped to deployment size and the specific capabilities a customer activates.
Berman’s rationale is straightforward: if the goal is to bring all agent usage under governance, you do not want cost friction that encourages teams to run agents “off the books.” By charging at the platform level, Runlayer aims to encourage enterprise-wide deployment, so that developers, knowledge workers, and operations teams can all use OpenClaw under the same guardrails.
Because the product functions as a control plane encompassing “six products on day one,” as Berman describes it, pricing is aligned with the organization’s infrastructure footprint, not a simple headcount metric. Today the company is focused on mid-market and large enterprises, but Berman says offerings tailored to smaller companies are planned.
Integrating with Existing Stacks and Shifting IT’s Role
Runlayer is built to slot into the tooling that security and infrastructure teams already rely on. It can be deployed in the public cloud, inside a private virtual private cloud (VPC), or on-premise, depending on the organization’s architectural and regulatory constraints.
Every tool call made by an OpenClaw agent under Runlayer’s control is logged and auditable. Those logs can be exported into established security information and event management (SIEM) platforms such as Datadog or Splunk, allowing SOC teams to incorporate agent behavior into their existing monitoring and incident response workflows.
Berman highlights that securing agents can also have cultural impact. At payroll and HR platform Gusto, he says, the IT team rebranded itself as the “AI transformation team” after deploying Runlayer. According to Berman, the company went from limited use of these tools to roughly half the workforce using MCP-based agents daily, including non-technical staff.
A customer at home sales tech firm OpenDoor reported that “hands down, the biggest quality of life improvement” they noticed at the company was Runlayer, because it enabled safe connections between agents and sensitive, private systems. For security leaders, those anecdotes point toward a potential shift in posture: from barrier to enabler, provided that robust controls are in place.
What This Means for the Future of Agentic AI in the Enterprise
Runlayer already powers security for several well-known, fast-growing companies, including Gusto, Instacart, Homebase, and AngelList. Their adoption suggests that a “middle ground” is emerging: rather than banning powerful local agents or allowing them to operate unchecked, organizations are starting to wrap them in structured, real-time governance.
As token prices fall and model capabilities increase—Berman mentions advanced systems like “Opus 4.5” and “GPT 5.2” as examples—the capacity of agents to act autonomously and at scale will only expand. That amplifies both the upside and the downside. Without guardrails, a single compromised prompt could direct a highly capable agent to do significant damage. With the right controls, the same agent can safely orchestrate complex workflows across sensitive systems.
Berman frames the strategic question bluntly: it is no longer whether enterprises will use agents, but how quickly they can do so safely—and whether they will invest in governance before a serious incident forces the issue. For modern CISOs and IT leaders, the role is evolving from saying “no” to defining the conditions under which AI can be used responsibly.
Runlayer’s bet is that enterprises will choose to formalize and secure the agents employees are already adopting, rather than fighting a losing war against shadow AI. For organizations evaluating OpenClaw and similar tools, that decision may define not only their risk posture, but also how effectively they can tap into the next wave of automation.
Hi, I’m Cary Huang — a tech enthusiast based in Canada. I’ve spent years working with complex production systems and open-source software. Through TechBuddies.io, my team and I share practical engineering insights, curate relevant tech news, and recommend useful tools and products to help developers learn and work more effectively.
