How to Securely Deploy AI Agents in Business
Tools
• OPENCLAW • ZEROCLAW • AI AGENTS • LLM • AI • CLAUDE •
What Is an AI Agent?
Every business operating today needs an AI agent strategy — because agents are a fundamentally different category of software, and they are quickly becoming as essential to business operations as, for example, web servers were in the late 1990s.
An AI agent is software that connects a large language model (LLM), such as Claude, Gemini, or DeepSeek, to tools, data sources, and external systems, so that it can act autonomously on the behalf of human user. Unlike a chatbot that responds to messages, an agent can execute multi-step tasks, call APIs, read and write files or e-mails, navigate interfaces, and operate continuously in the background.
Frameworks like OpenClaw and ZeroClaw provide the runtime scaffolding that makes this possible: they handle state management, tool execution, scheduling, and integration with messaging platforms or internal systems. The LLM provider is, in effect, your «electricity» — a metered service you consume to «fuel» agents. But the agent framework itself is open-source, free software you deploy and operate.
Much of the public conversation around AI agents focuses on personal assistants, such scheduling, summarising emails, answering questions, finding a grocery discount in a supermarket or what not. This, however, understates the opportunity for any business. In fact, agents are already delivering measurable value in:
- Accounting & Finance — Automated e-invoice validation, reconciliation checks, and anomaly flagging. An agent can review a batch of invoices against PO records and flag discrepancies, exactly as a junior accountant would — but at scale and without fatigue.
- Logistics & Supply Chain — Monitoring shipment statuses, triggering reorder workflows, cross-referencing delivery exceptions against SLAs, and escalating only what requires human judgment.
- Marketing & Advertising — Setting up and adjusting ad campaigns on platforms like Meta or Google Ads based on performance thresholds, drafting and scheduling content, and compiling cross-channel performance reports.
- Customer Operations — Triaging support tickets, routing queries, drafting responses for human review, and escalating edge cases.
- Compliance & Audit — Continuously scanning documents and transaction logs against regulatory criteria, producing structured audit trails, and many other fields.
The common thread is that agents handle high-volume, rule-governed routine tasks where the cost of errors is manageable and the cost of human time is significant. This is why, no meaningful digital transformation or process automation initiative today should be planned without considering where agents fit in the workflow.
What Are Barriers to AI Agent Adoption?
The barriers to AI agent adoption are not primarily cost, since the economics are favorable: LLM API costs continue to fall, and the frameworks themselves are free. The real challenges are:
- Conceptual — Most organisations do not yet have a mental model for what agents can and cannot do safely, or how to scope their authority appropriately.
- Security — Agents that can act autonomously can also cause harm autonomously. A misconfigured agent with broad permissions is a significant operational and data risk.
These two challenges are connected, and organisations that understand agents well tend to deploy them securely, because secure deployment is a natural consequence of thinking carefully about scope and authority.
What Can Go Wrong with AI Agents?
AI agents introduce a category of security risk that most organisations are not yet thinking about carefully: autonomous reach. A misconfigured web server exposes data, but a misconfigured agent can also take action — delete records, send messages, call APIs, modify files. The failure mode is not merely passive exposure but active execution.
The cybersec community has already documented the repeatable patterns. Across multiple research reports, more than 30,000 publicly exposed agent control surfaces were identified — gateways left open, discovered, and probed within hours of deployment. In one high-profile audit of a major agent ecosystem, 341 malicious skills were found circulating in the skill marketplace. What web plugins and browser extensions became as an attack surface in the 2010s, agent skill repositories are becoming now. Credential leakage is a consistent secondary finding: local configuration files and session tokens make attractive loot once an attacker has any foothold. And loss of control — agents continuing to act after the operator wanted them stopped — appears frequently enough to be considered a design risk rather than an edge case.
The memorable pattern is not that agents are insecure in some abstract sense. It is that they fail in repeatable, predictable ways once they have reach, persistent state, and permissions. That combination — three properties that define a useful agent — is also what makes a compromised or misbehaving agent dangerous.
A concrete example illustrates why prompt-based controls are insufficient. In a widely discussed incident, an agent was set up to clean an email inbox. It had worked correctly on a smaller test dataset. On the real inbox, context window compaction appears to have displaced the critical «do not act yet» instruction that was living in the working prompt — and the agent continued pursuing the inbox-cleanup goal it still understood. No tool crashed, no permission was violated, but the approval system simply ceased to exist as far as the agent was concerned, because it had been written in text rather than enforced structurally. Context drift is, indeed, a policy-placement failure: prompt instructions are too fragile to serve as the only approval gate for destructive or irreversible actions.
Layered AI Agent Security
The practical implication is that security and efficiency of AI agents point in the same direction. Smaller tool surfaces, narrower permissions, and structurally enforced approval paths — rather than prompt-level instructions — reduce both token waste and blast radius simultaneously. An agent that can only do what it needs to do is cheaper to run (burns less tokens) and harder to misuse. So the design goal is not to hobble the agent but to give it exactly the reach it requires, with hard limits that cannot be prompted, confused, or compacted away.
The appropriate mental model for agent security is the same one that has governed server security for decades: defense in depth. No single control is sufficient. What you want is multiple independent layers, each limiting the blast radius of a failure in the layers above it.
For agent deployments, we work with three layers:
Layer 1 — Framework Security Settings
Agent frameworks like OpenClaw and ZeroClaw provide their own security primitives: allowlists, scope restrictions, and rate limits. These are your first line of defense and should be configured conservatively. However, they should never be treated as sufficient on their own. Framework defaults are designed for convenience, not for production security.
Layer 2 — OS Hardening
The agent process should run as a dedicated system user with no login shell and minimal privileges. On a hardened Debian machine, this means:
- A
zeroclawsystem user with/usr/sbin/nologinas its shell — the agent cannot open an interactive session under any circumstances, no sudo or root access. - Strict filesystem permissions: the agent user can execute tools it needs, but cannot modify them. Tools are owned by a separate human admin account and are read-only to the agent.
- Clear separation of concerns between the agent user and the human administrator user. The agent’s ability to cause harm through a compromised or misbehaving session is constrained at the OS level, independent of what the framework allows.
A pre-deployment provisioning script handles this consistently, for example:
#!/bin/bash
set -e
CLI_TOOLS_DIR="/home/human-user/tools"
ZC_TOOLS_DIR="/opt/zeroclaw-tools"
ZC_USER="zeroclaw"
ZC_GROUP="zeroclaw"
HUMAN_USER="human-user"
# Create shellless system user
adduser --system --no-create-home --group --shell /usr/sbin/nologin "$ZC_USER"
# Deploy tools: owned by human operator, executable by agent group only
cp -a "$CLI_TOOLS_DIR"/* "$ZC_TOOLS_DIR"/
chown -R "$HUMAN_USER:$ZC_GROUP" "$ZC_TOOLS_DIR"
chmod -R 750 "$ZC_TOOLS_DIR"
Layer 3 — Virtual Machine Sandboxing
The agent runs inside a dedicated virtual machine (VM). This provides hardware-level isolation: even a complete compromise of the agent process cannot affect the host system or other workloads. VM snapshots also enable rapid rollback if something goes wrong. Why not run zeroclaw or openclaw in Docker? The core advantage of VM deploy is isolation depth: a VM provides hardware-level separation with its own kernel, so a container escape or kernel exploit cannot reach the host — whereas Docker shares the host kernel, meaning a kernel vulnerability potentially compromises everything on the machine regardless of container boundaries. VM is «cleaner» in the security sense, but heavier operationally. Docker is faster to spin up, easier to update, and more portable. The tradeoff is straightforward: if the agent is handling sensitive data or has real system permissions, the VM’s stronger isolation boundary is worth the overhead.
Custom CLI Tools for Agents
The most important design decision in a secure agent deployment is what tools you give the agent and how those tools are built.
We build custom CLI programs — typically in Python — that define precisely what the agent is permitted to do. Rather than giving an agent broad access to a filesystem, an API, or a database, each tool encodes a narrow, well-defined operation with hard limits built into the code itself.
Key principles that govern how these tools are built:
- Hard capability caps — Every bounded parameter (record limits, traversal depth, request counts, timeouts) has a corresponding constant in code that the caller cannot exceed. Passing a higher value results in silent clamping and a log entry, never an unbounded operation.
- Scope allowlists enforced before execution — Target paths, hostnames, and endpoints are validated against environment-variable allowlists before any operation begins. Out-of-scope targets are rejected with a structured error and logged.
- Secrets via environment variables only — API keys and credentials are never accepted as command-line arguments. If a secret is detected in
argvat startup, the process exits immediately. - Structured audit logging — Every invocation writes a JSON record (timestamp, user, sanitised arguments, resolved scope, effective caps, exit code) to a rotating log file. Audit failure never blocks execution, but it is always surfaced.
- Dry-run by default for mutations — Any operation that modifies state supports
--dry-run, which previews changes and exits with a distinct code (200) without executing. High-risk operations require explicit confirmation. - Untrusted data stays untrusted — Content returned from filesystems, APIs, or web pages is never interpolated into shell commands, log format strings, or subprocess calls. It is treated as opaque data throughout.
The result is an agent that can only do what it needs to do, with every action logged, and with hard limits that cannot be argued, prompted, or confused away.
OpenClaw vs ZeroClaw
Both OpenClaw and ZeroClaw are viable agent frameworks, and choosing between them depends on your operational context. Here is a direct comparison:
| OpenClaw | ZeroClaw | |
|---|---|---|
| Language | TypeScript / Swift | Rust |
| Binary size | Larger (Node.js runtime) | ~3–5 MB |
| Startup time | Seconds | Milliseconds |
| Resource footprint | Moderate–High | Very low |
| Security defaults | Functional; requires configuration | Conservative by design |
| Messaging integrations | Telegram, Discord, WhatsApp, and others | Minimal built-in; API-first; but full Messaging integration, including Telegram |
| Community & ecosystem | Large, active community; many plugins | Smaller, focused community |
| Migration | — | Reads OpenClaw config and memory natively |
| Best suited for | Feature-rich deployments, rapid prototyping, broad messaging integration | Production deployments on constrained hardware, security-critical workloads, VM-based sandboxing |
OpenClaw is a feature-rich framework with a large ecosystem. Its broad integration support makes it well-suited to deployments where connectivity to messaging platforms is a primary requirement and the operational environment is already reasonably controlled.
ZeroClaw is the better choice when security and resource efficiency are the primary constraints, such is the case in business. Its Rust foundation eliminates entire categories of memory-safety vulnerabilities. Its small footprint means it runs comfortably inside a minimal VM with no excess attack surface. Its conservative security defaults align naturally with the hardened OS and VM sandboxing approach described above. For organisations deploying agents in production environments where the consequences of misbehaviour are significant, ZeroClaw’s design philosophy — secure by default, minimal by design — is the more appropriate foundation.
The migration path from OpenClaw to ZeroClaw is straightforward: ZeroClaw reads OpenClaw configuration and memory data natively, meaning existing tool definitions and workflows can typically be carried over with minimal rewriting.
What a Secure Deployment Looks Like in Practice
A production agent deployment may look like this:
- A hardened Debian VM with no unnecessary services, a minimal attack surface, and automatic security updates enabled.
- A shellless
zeroclawsystem user with no home directory, separated from the human operator account. - ZeroClaw running with customized framework settings: scope allowlists configured, rate limits set, no capabilities beyond what the specific workflow requires.
- Custom Python CLI tools deployed to a directory owned by the human admin, readable and executable by the agent group, not writable by the agent (CLI tools that we give to AI agent must be immutable to that agent).
- Structured audit logs written per invocation, rotated automatically, and shipped to a log management system.
- Dry-run validation performed before any new tool or workflow goes live, confirming what the agent will do before it does it.
The agent can only traverse paths within configured roots, can only reach permitted hostnames, can only execute the specific operations its CLI tools expose, and every action is logged with enough detail to reconstruct exactly what happened and why.
Conclusion
AI agents are not a future consideration, they are a present-tense operational tool that businesses across every sector are deploying now. The productivity gains in accounting, logistics, marketing, and operations are real and accessible. But the organisations that capture those gains without creating new risks are the ones that approach agent deployment with the same rigor they would apply to any other piece of production infrastructure, with certain specifics.
The good news is that the security architecture is well understood. Three independent layers — framework settings, OS hardening, and VM sandboxing — combined with purpose-built CLI tools that encode strict operational limits, produce deployments that are both highly capable and genuinely safe to run. The worst-case scenario is always worth planning for, and with the right deployment architecture, it is also the scenario the system is built to contain.
For questions about agent deployment, agentic CLI tools development, or security assessments for your specific workflow, get in touch.
Prijavi se na tečaj kibernetske varnosti za podjetja
Kibernetski napadi danes niso več vprašanje »če«, ampak »kdaj«. Napadalci ciljajo podjetja vseh velikosti, najpogosteje pa vstopijo skozi najšibkejši člen – človeka. E-pošta, gesla, lažne povezave, priponke ali telefonski klici so vsakodnevna tveganja, ki jih lahko zaposleni z znanjem prepoznajo in ustavijo pravočasno. Prijava – Izpolnite spletni obrazec za pridobitev ponudbe.