Let's start with the uncomfortable truth: AI agents can cause harm. An agent with access to your systems can send incorrect information to clients, misclassify sensitive documents, leak confidential data, or make decisions that violate regulations. Anyone who tells you their AI agents are risk-free is either lying or hasn't thought carefully about the problem.
The goal is not to eliminate risk — that would require eliminating the AI agents entirely. The goal is to manage risk to a level that is lower than the risk of your current manual processes while maintaining the operational benefits.
The permission model: principle of least privilege
Every AI agent should have the minimum permissions required to do its job. No more.
System access
A documentation agent needs read access to email and read/write access to the DMS. It does not need access to the CRM, the accounting system, or the HR platform.
For each agent, maintain an explicit permission manifest:
| System | Access Level | Justification |
|---|---|---|
| Email (IMAP) | Read | Receives incoming documents |
| DMS (iManage) | Read/Write | Validates against matter files, stores processed docs |
| OCR Engine | Read | Processes document images |
| CRM | No access | Not required for documentation processing |
Data access
Within each system, agents should see only the data relevant to their role. A healthcare scheduling agent needs access to appointment calendars and patient contact information. It does not need access to clinical notes, diagnoses, or treatment plans.
Healthcare agents must comply with HIPAA minimum necessary standards. Legal agents must respect matter-based access controls and privilege designations.
Action permissions
- Read: Can view data but not modify it
- Draft: Can create outputs but they're staged for human review
- Execute: Can take action autonomously
- Escalate: Can route work to humans or other agents
New agents start at "Draft" level for high-risk actions and graduate to "Execute" after a supervised period.
Audit trails: every action recorded
Every agent action produces an audit record including timestamp, agent identity, input data, processing logic, output, confidence score, escalation events, and system interactions.
Audit trails serve compliance (regulators can trace actions), debugging (root-cause analysis), and continuous improvement (pattern identification).
What can go wrong: a realistic threat model
Hallucination
AI agents can generate plausible-sounding but incorrect information.
Mitigation: Every agent output with factual claims is validated against source data. Confidence scores below threshold trigger automatic escalation.
Data leakage
An agent could inadvertently include Client A's information in a communication to Client B.
Mitigation: Client-scoped data isolation. Cross-client data access is architecturally blocked, not just instructionally prohibited.
Prompt injection
Malicious content in incoming data could attempt to manipulate agent behavior.
Mitigation: Agent instructions are architecturally separated from user-provided data. This is enforced at the OpenClaw platform level.
Scope creep
Successful agents tend to accumulate additional responsibilities over time.
Mitigation: Formal scope review for any agent capability expansion. Every new capability goes through the same boundary-definition and supervised-deployment process.
Human over-trust
The team stops reviewing agent outputs because the agent has been accurate for weeks.
Mitigation: Mandatory audit cadence that does not decrease below a minimum floor. Random sampling of autonomous outputs for human review.
Industry-specific security considerations
Healthcare (HIPAA)
- All patient data processed in HIPAA-compliant infrastructure
- Business Associate Agreements in place with all platform providers
- PHI is never stored in agent logs — only de-identified reference IDs
Legal (privilege and confidentiality)
- Matter-based access controls prevent cross-matter data leakage
- Privileged documents flagged by David are never included in agent training data
- Contract analysis outputs are always attorney-reviewed
Financial services and accounting
- SOC 2 Type II compliance for the AI workforce platform
- Anomaly detection agents operate in read-only mode
- Multi-party approval for any agent action that affects financial data
The security assessment process
Before any deployment, we conduct a security assessment covering data classification, threat modeling, permission design, audit requirements, and incident response.
If you're evaluating whether an AI workforce can meet your organization's security requirements, start with a workforce discovery session. The security assessment is included.