On June 11, security researchers showed how to subvert OpenClaw, one of the most widely used AI agents. Instructions hidden in something as ordinary as a shared contact or a pinned location could make the agent run an attacker’s code and hand over its secrets. One flaw has been patched. The other could not be, because it was inherent in how the agent works.
This incident is a vivid illustration of the central problem that is going to slow AI adoption: Businesses can’t just bolt AI systems onto existing processes. They’re going to have to redesign how work is done.
An AI agent’s potential can only be tapped if it can work freely inside a system. Take away that freedom, and what’s left is a chatbot. At the same time, no agent can be trusted. Openness is both an enabler and a threat.
This dilemma is not new. In the 14th century, the city-state of Ragusa, near present-day Dubrovnik on the Dalmatian coast, grew rich from trade. Its openness drew ships from across the Mediterranean — and let the plague in. Ragusa could not close its port without risking economic devastation and could not leave it open without inviting a human catastrophe. So it did something new: In 1377, it ordered ships and travelers from plague-stricken places to wait in isolation, at first for 30 days, before they could enter. The wait was later stretched to 40, quaranta in Italian. It’s where we get the term quarantine.
Yet the striking thing isn’t what Ragusa did, it’s what it didn’t do. The city didn’t just post a few guards or tell the harbormaster to be more careful. It redesigned the entire way it handled trade and created an entirely new institution to manage it by having visitors wait on deserted islands off the coast until it was safe.
The analogy with agentic AI is hard to ignore. To fulfill its promise, it needs permission to read a firm’s files, query its databases, and act on what it finds. In other words, it needs an open port. But the machinery used to govern access was built for a different kind of actor. “The way we secure companies today was built for the internet of the 1990s,” explains Christian Wentz, the CEO of the cybersecurity firm Gradient. “You prove who you are once, that trust sits on your laptop for months, and if something goes wrong it takes hours to revoke — while an attacker is inside in minutes. Agents turn that gap into a crisis, because even an honest agent is dynamic and imperfect and acts in fractions of a second.”
This means that a company using agents can’t secure its systems simply by hardening what it already has, because hardening assumes that what is inside those systems is a vetted person rather than an agent that will follow whatever instructions it receives. The security architecture itself must be redesigned.
In some ways the AI security problem is worse than Ragusa’s, because AI makes offense easier even as agents tempt systems to lower their defenses. The UK’s National Cyber Security Centre has said that AI will almost certainly keep making intrusions more effective and efficient. It’s not a theoretical concern. Between late December and February, according to the threat-intelligence firm Gambit Security, a single operator used AI to breach nine Mexican government agencies and take more than 150 gigabytes of data, on the order of 195 million records. The attacker leaned on old weaknesses, unpatched systems and reused passwords. The AI compressed months of work into weeks.
This isn’t really about security. That’s just where the catastrophes are most likely to happen. An agent is only worth using if it’s woven into how the work gets done — and that means changing how the work gets done. Anything less would be as pointless as Ragusa thinking it could protect itself with a night watchman at the dock.
Gartner, the business and technology consulting firm, expects that by the end of this year, 40% of enterprise applications will ship with task-specific agents built in, up from less than 5% in 2025. Organizations will have barely begun the rebuilding process by then. That means that the rate-limiting step on the impact of AI is going to be organizational, not technological. Until companies have invested in, and even invented, the capabilities and new organizational practices — like cybersecurity — that AI will need to work, it’s unlikely we will see the huge bursts of productivity improvement that AI seems to offer.
The companies that harvest the gains from AI won’t be the ones that lean forward the most on technology. They’ll be the ones that do the expensive and unglamorous work of transformation. The companies that just try to graft agents onto their current mode of operation will be as vulnerable to attack as Ragusa was to the plague. They might even do well for a little while. But the plague always comes.
Bloomberg News provided this article. For more articles like this please visit bloomberg.com.
Read more articles by Gautam Mukunda