
Dar Fazulyanov

Posted on • Originally published at clawmoat.com

IBM's AI Security Experts Agree: Your Agent Needs Runtime Protection

Three of IBM's top security minds — an IBM Fellow, an X-Force Incident Command leader, and a Distinguished Engineer — sat down on the Security Intelligence podcast to discuss AI agent security. Their conclusions were sobering, specific, and directly relevant to anyone running an AI agent today.

We listened to the whole episode. Here are the risks they identified — and how ClawMoat addresses every single one.

The Experts:

  • Sridhar Mupidi — IBM Fellow & CTO, IBM Security
  • Nick Bradley — X-Force Incident Command, IBM Security
  • Jeff Crume — Distinguished Engineer & Master Inventor, AI and Data Security, IBM

1. "We're giving agents system-level privileges and turning them loose"

"You're going to turn that loose on your system and give it maybe system-level privileges so that it can modify files, enter terminal commands… This is something that is tremendously powerful if it's used well. But the fact of the matter is most people — this is going to be very opaque."
— Jeff Crume, IBM Distinguished Engineer

Jeff nailed the core problem. AI agents aren't regular apps. They have shell access, file system access, and network access. Most users don't understand what they're granting when they install one.

The Risk: An agent with unconstrained system access can read credentials, modify files, and execute arbitrary commands — all while the user thinks it's just "helping with code."

ClawMoat's Answer: Host Guardian monitors file system access, credential exposure, and system-level operations in real time. Secret Scanner catches credentials before they leak through agent outputs. Network Egress Logger tracks every outbound connection the agent makes.

2. "Treat every agent like a privileged insider"

"Treat every agent like an insider or a privileged account. Whether it's open source or not, make sure they're only allowed to do what they're allowed to do — nothing more, nothing less."
— Sridhar Mupidi, IBM Fellow & CTO

"The principle of least privilege. We have to lock these things down, only give them access that is absolutely necessary, that we approve of, that we understand, and don't give it to them for any longer than is necessary."
— Jeff Crume, IBM Distinguished Engineer

Both Sridhar and Jeff independently converged on the same point: least privilege isn't optional for agents. It's the single most important security principle in the agentic era.

ClawMoat's Answer: McpFirewall enforces tool-level access control — define exactly which tools an agent can call and with what parameters. FinanceGuard applies domain-specific constraints (transaction limits, approved recipients) so agents can't exceed their authority even if compromised.
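As an added illustration of the tool-level least-privilege check described above (example code written for this post, not ClawMoat's own code or API), the following JavaScript enforces a deny-by-default allowlist of tools with per-parameter constraints such as a transaction limit and an approved-recipient list. The tool names, parameter names, paths and limits are assumptions chosen for the example.

```javascript
// Deny-by-default policy for agent tool calls (illustrative; all names are assumptions).
// A tool is callable only if it is listed here, and every argument it is called with
// must be declared and must pass its validator. Unknown tools and unknown parameters
// are rejected, so a compromised or injected agent cannot exceed the policy.
const policy = {
  read_file: {
    params: {
      // Confine reads to the workspace and reject path traversal.
      path: (p) => typeof p === "string" && p.startsWith("/workspace/") && !p.includes(".."),
    },
  },
  send_payment: {
    params: {
      amount: (a) => Number.isFinite(a) && a > 0 && a <= 500,          // transaction limit
      recipient: (r) => ["acct-alice", "acct-bob"].includes(r),       // approved recipients
    },
  },
};

// Returns { allowed, reason } so the decision can be logged as a structured alert.
function checkToolCall(policy, call) {
  const rule = policy[call.tool];
  if (!rule) return { allowed: false, reason: `tool "${call.tool}" not in allowlist` };
  const args = call.args || {};
  for (const name of Object.keys(args)) {
    const validator = rule.params[name];
    if (!validator) return { allowed: false, reason: `unexpected parameter "${name}"` };
    if (!validator(args[name])) return { allowed: false, reason: `parameter "${name}" violates constraint` };
  }
  for (const name of Object.keys(rule.params)) {
    if (!(name in args)) return { allowed: false, reason: `missing required parameter "${name}"` };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample calls: one legitimate, one over the limit, one to an unknown tool.
const sampleCalls = [
  { tool: "send_payment", args: { amount: 100, recipient: "acct-alice" } },
  { tool: "send_payment", args: { amount: 5000, recipient: "acct-alice" } },
  { tool: "exec_shell", args: { cmd: "id" } },
];
for (const call of sampleCalls) {
  const decision = checkToolCall(policy, call);
  console.log(JSON.stringify({ tool: call.tool, ...decision }));
}
```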

3. "It processed exactly what it was supposed to — and got busted"

"By the time you realize, it's too late and you run into situations like what happened with OpenClaw where it was running the direct prompt injections and it thought it wasn't doing anything wrong. It was processing exactly what it was supposed to, and you get busted."
— Nick Bradley, X-Force Incident Command

Nick describes the fundamental nature of prompt injection: the agent can't tell the difference between legitimate instructions and malicious ones injected through data. It faithfully executes both.

The Risk: Prompt injection through web pages, emails, documents, or inter-agent messages. The agent follows malicious instructions embedded in content it was asked to process.

ClawMoat's Answer: Prompt Injection Scanner analyzes inputs using pattern matching and heuristic analysis across 10+ attack vectors — before they reach the model. Zero dependencies, no API calls, runs entirely locally. Catches injection attempts in web content, emails, and inter-agent messages.

4. "These are agents doing things for you based on very minimum supervision"

"The reality is that these are agents that are doing things for you based on very minimum supervision. And that's scary to me. That is scary in terms of how much you want to give them permission to do."
— Sridhar Mupidi, IBM Fellow & CTO

Agents operate autonomously. That's the whole point. But autonomy without monitoring is just unsupervised code execution with extra steps.

ClawMoat's Answer: Skill Integrity Checker verifies that agent skills haven't been tampered with — catching supply chain attacks before they execute. Network Egress Logger creates a full audit trail of every external connection. Every ClawMoat scanner produces structured alerts you can pipe to any monitoring system.

5. "Don't say no — say how"

"Don't say no, say how. If we just tell people don't do it, and we don't give them a sanctioned option, then they're just going to go do it in the bad way."
— Jeff Crume, IBM Distinguished Engineer

"Embrace that, give people a sanctioned option… provide things like OpenClaw or Claude with some more guardrails, some rules on which they can act."
— Sridhar Mupidi, IBM Fellow & CTO

This is the argument for runtime security layers over outright bans. People are going to use AI agents regardless. The question is whether they do it with protection or without.

ClawMoat's Answer: ClawMoat is the "how." It doesn't block agents — it makes them safe to run. One npm install, zero configuration required, and your agent has prompt injection scanning, secret detection, egress monitoring, and tool-level access control. Say yes to agents. Say yes with guardrails.

6. "Security is the brakes that let you go fast"

"The question of why you put brakes on a car — the answer is not to stop, it's so you can go really fast. And the reason I know that's the case is: how fast would you drive a car that had no brakes? You wouldn't. So security is the brakes on the car that let you take calculated risk."
— Jeff Crume, IBM Distinguished Engineer

This might be the single best framing of AI agent security we've heard. Security isn't the thing that slows you down — it's the thing that lets you go faster with confidence.

ClawMoat adds less than 2ms of latency per scan. It has zero dependencies. It runs entirely locally. These are brakes designed for a Formula One car, not a school bus.

The Pattern IBM Keeps Pointing To

Across the entire conversation, three themes repeat:

  1. Least privilege is non-negotiable. Every agent is a privileged insider. Constrain it accordingly.
  2. Monitoring must be continuous. Autonomy without observability is reckless.
  3. Banning agents doesn't work. Give people a secure way to use them, or they'll use them insecurely.

These aren't hypothetical concerns from academics. These are the conclusions of IBM's CTO of Security, their X-Force incident response leader, and a Distinguished Engineer with decades of experience. They've seen what happens when organizations skip security for speed.

ClawMoat was built for exactly the world they're describing.


Add Runtime Protection in 30 Seconds

277 tests. Zero dependencies. MIT license. The guardrails IBM's experts say you need.

npm install clawmoat


Source: IBM Security Intelligence Podcast · Quotes lightly edited for clarity
