Agents Are Powertools
I want to explain, to those who are unfamiliar with the topic, why I think the security industry is going a bit too all in on AI. From the outside there’s a lot of impressive magic and a lot of terrible takes. To explain, I have a woodworking story. Back in 2016 I was a grad student at Johns Hopkins studying equivariant algebraic topology. This is not very applicable to the real world, so I took about $200 and built a Paul Sellers workbench in my mudroom. This bench is now in Philly under the care of the friend who asked me a machine learning question in 2016 that sent me on my current path. As I was nearly broke and the mudroom connects to the kitchen, I used only hand tools, with a few old planes, a Japanese hand saw, and some beautiful chisels.
After seeing a very poor showing from the “M” in STEM in 2012 at the USA Science & Engineering Festival in DC (AWM were the only table, major kudos to them), I wanted to bring the JHU math department, and convinced the undergraduate math club to sponsor it. The objective was to bring the young second and third year students to be the ambassadors, as their love for mathematics is still obviously infectious and they haven’t learnt the nasty habit of not explaining things to non-mathematicians. We still needed props, so I built 2 huge Baltic birch stands with joinery behind them. These were some of my first dovetails and I made them with hand tools following Sellers’ tutorials.
I needed a CNC router, some electronics, a lathe, a laser etcher, a router, and a table saw, which the Baltimore Hackerspace had (they’re awesome, a few battlebots are based there). It was the first time I had used power tools beyond the common drill. The head of the space, Bryson, is missing most of a finger and half a thumb and was still in bandages when he trained me on safety. He had had an accident with the router a few weeks prior. These tools are terrifying, which is another reason I avoided them.
Power tools are also very constraining. I got a lot of compliments on my dovetails from people at the hackerspace who had done many more woodworking projects than me. If you look at power tool based tutorials, you buy a special tool just for dovetails, mark the layout with a pencil, and get to cutting. The way a woodworker lays them out with hand tools is with a few gauges and a marking knife. The marking knife is not only much more accurate than a pencil, it also helps tremendously with the quality of the final cut. For dovetails and many other joints, an expert with hand tools will easily beat someone with power tools, until it comes to pre-set-up jigs that automate the layout. Even then, it’s more difficult to get right, so people often choose a joint that’s easier for power tools to accomplish.
Code is far more powerful than wood. Critical code is running nuclear power plants and robots on other planets. LLMs are a programmer’s power tools, and agents are handing these power tools to everyone. New coders should be very careful around them. Experts working in a topic they’re not familiar with should be even more careful. Before AI agents, most of the automation in this world required an expert human to program it, and there was a professional pride in making it right. The security community at RSAC is built from the people whose job it is to make this world of advanced automation safe.
Running code on your computer is the ultimate mark of trust. We as an industry have had a panic for years about supply chain vulnerabilities. The walled gardens of Apple’s ecosystem are a huge part of the company’s value. The maintainers of the Arch package set are responsible for keeping me and millions of other people safe. The non-walled gardens put the onus on the developer. I don’t trust NPM after this last year of constant alerts. I check every Rust crate for active maintainers before I include it. Even in the walled gardens we have to put some of the responsibility onto the users, as their security posture is personal. iOS and Android declare an application’s permissions up front and prompt you before granting the sensitive ones. We have built a system of care where professional programmers are keeping everyone safe. But there is currently no system of care for AI-powered systems.
Now OpenClaw is going to write and run code for us to do arbitrary tasks. Anyone can automate things, and many are losing fingers. An agent has no idea what business logic we want to maintain. It is also quite capable of ignoring us and doing something else, even when no prompt injection is involved. The response to this is going to be “add the logic into the prompt!”. Even when you do this, the agent can and often will ignore such requests, often enough that you can’t trust it. However, even if the agent perfectly followed instructions, unless the user carefully thought through the problem they wouldn’t know all the edge cases and seemingly obvious constraints the agent needs to follow. How can we expect people to put all of that in the prompt for a technology that is designed to take away the mental effort of a task?
We can’t add more security layers to keep OpenClaw in line. It’s designed to be powerful and easy to set up. The constraints and requirements are too varied for users to manage. People are going to give it full access to their email and expect it not to delete any. It’s an obvious constraint you would never state to another human, and natural language is how you’re communicating with it. Sandboxes won’t help with this; they just make sure your computer doesn’t break when the agent decides to do something stupid. Wrappers like NemoClaw do make it safer, but you’re still relying on the agent to follow instructions.
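To make the point concrete, here is an added example (not code from the original post, and not OpenClaw or NemoClaw code) of the kind of harness-side gate a wrapper can provide: a deny rule enforced in code before every tool call, so the model cannot talk its way around it. The mailbox, the tools and the agent’s “plan” (a list of tool calls standing in for an LLM’s output) are all constructed for the illustration. The plan contains the one thing the user said never to do, a direct delete, and it is blocked. It also contains a move to Trash, which nobody thought to write a rule for, and that goes through. That gap is exactly the problem described above: the gate only enforces the constraints someone managed to enumerate.

```python
# Added illustration: a deterministic tool-call gate in an agent harness.
# Not code from the original post, OpenClaw or NemoClaw. Mailbox, tools and
# the agent's plan are all constructed for this example.
from dataclasses import dataclass


@dataclass
class ToolCall:
    name: str
    args: dict


class PolicyViolation(Exception):
    """Raised by the gate; the harness logs it and skips the call."""


# The one constraint the user thought to write down ("don't delete my email").
DENIED_TOOLS = frozenset({"delete_email"})


def gate(call: ToolCall) -> None:
    """Deterministic check run before every tool dispatch, outside the model."""
    if call.name in DENIED_TOOLS:
        raise PolicyViolation(f"{call.name} is denied by policy")


def dispatch(call: ToolCall, mailbox: dict) -> None:
    """Toy mailbox tools. mailbox maps message id -> folder name."""
    msg_id = call.args["id"]
    if call.name == "delete_email":
        del mailbox[msg_id]
    elif call.name == "move_to_folder":
        mailbox[msg_id] = call.args["folder"]
    elif call.name == "read_email":
        pass  # read-only, nothing changes
    else:
        raise ValueError(f"unknown tool {call.name}")


def run_agent(plan: list, mailbox: dict) -> list:
    """Run a proposed plan through the gate; return an audit log of what happened."""
    audit = []
    for call in plan:
        try:
            gate(call)
        except PolicyViolation as exc:
            audit.append(("blocked", call.name, str(exc)))
            continue
        dispatch(call, mailbox)
        audit.append(("ran", call.name, call.args))
    return audit


def demo():
    """Constructed scenario: user said 'never delete email'; the agent
    proposes a delete anyway, and also a move to Trash."""
    mailbox = {"m1": "Inbox", "m2": "Inbox", "m3": "Inbox"}
    plan = [
        ToolCall("read_email", {"id": "m1"}),
        ToolCall("delete_email", {"id": "m2"}),                       # caught by the gate
        ToolCall("move_to_folder", {"id": "m3", "folder": "Trash"}),  # nobody wrote this rule
    ]
    audit = run_agent(plan, mailbox)
    return mailbox, audit


if __name__ == "__main__":
    final_mailbox, log = demo()
    for entry in log:
        print(entry)
    print(final_mailbox)  # m2 survives; m3 sits in Trash
```

The gate is the part that a prompt cannot provide: it runs whether or not the model “agreed” to the instruction. What it cannot provide is the list of rules, and a user who wanted “don’t delete my email” almost certainly also meant “don’t empty it into Trash”.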
For now we have to say “Agents are a power tool, you should be trained to use them”. Carefully crafted agents are already widely in use, but the clunky requirements of setting up MCP, setting up a loop, and hooking an LLM into your agent were necessary barriers that kept people out. Even experts are having difficulty securing LLM-powered tools, and there aren’t that many real experts in a field that’s effectively 3 years old. Simplifying the process made things worse, and now even the experts are losing fingers. Going slow isn’t bad. The joke of “I took 10 hours to automate this task that takes me 10 minutes” means you carefully thought about the task. It’s not just about the automation, it’s also about the care. Agents really don’t care, they just automate.