
Cisco DefenseClaw: Zero Trust for AI Agents at RSA 2026

OpenClaw, one of the most popular autonomous agent frameworks, disclosed nine CVEs between March 18-21, 2026. One scored 9.9 out of 10 on the CVSS scale. Over 135,000 instances sit exposed on the internet, 63% with zero authentication. This is the crisis Cisco addressed at RSA Conference 2026 with DefenseClaw, a Zero Trust framework for agentic AI. Enterprises aren’t just adopting AI tools anymore—they’re giving them workforce-level access with no governance framework.

The Security Gap Is a Chasm

Eighty-eight percent of organizations reported confirmed or suspected AI agent security incidents in the past year, according to the State of AI Agent Security 2026 report. But here’s the disconnect: 82% of executives believe their existing policies already protect against unauthorized agent actions. The field data tells a different story. Over half of all deployed agents operate without security oversight or logging.

The numbers get worse when you examine deployment versus governance. Seventy-three percent of organizations have deployed AI tools, but only 7% have real-time security governance—a 66-point structural deficit. Eighty-one percent of teams have moved past the planning phase for AI agent adoption, yet only 14.4% have obtained full security approval. The gap between adoption velocity and security readiness has become a chasm.

What Cisco Built

At RSA Conference 2026, Cisco introduced three interconnected products designed to close this gap.

DefenseClaw: Scan Before Execute

DefenseClaw is an open-source enterprise governance layer that sits between AI agents and the infrastructure they access. The principle is straightforward: nothing runs until it’s scanned, and anything dangerous gets blocked automatically.

The framework integrates four scanning tools. Skills Scanner analyzes the underlying code for malicious intent or hidden network calls. MCP Scanner verifies Model Context Protocol servers, which mediate agent access to potentially sensitive systems. CodeGuard runs static analysis on code the agent itself generates to catch hallucinated vulnerabilities. AI BoM automatically generates a manifest of every model, tool, and plugin the agent touches.

Enforcement happens in tiers. Findings rated HIGH or CRITICAL trigger automatic blocks. MEDIUM and LOW severity findings install with warnings. Clean components pass through. All scan results feed into a SQLite audit store and forward to SIEM for analysis.
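To make the tiered enforcement concrete, here is an added illustration (not DefenseClaw's own code) of a gate that applies the HIGH/CRITICAL-block, MEDIUM/LOW-warn, clean-allow policy described above, records every finding in a SQLite audit table, and selects the rows worth forwarding to a SIEM. The `Finding` shape, scanner names and table layout are assumptions; an unrecognised severity is treated as CRITICAL so the gate fails closed.

```python
import sqlite3
from dataclasses import dataclass

# Severity ladder assumed for this illustration; anything unknown ranks as CRITICAL.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
FAIL_CLOSED_RANK = SEVERITY_RANK["CRITICAL"]

@dataclass
class Finding:
    scanner: str    # hypothetical source tag, e.g. "skills", "mcp", "codeguard"
    severity: str   # LOW | MEDIUM | HIGH | CRITICAL
    message: str

def rank(severity: str) -> int:
    return SEVERITY_RANK.get(severity, FAIL_CLOSED_RANK)

def decide(findings: list[Finding]) -> str:
    """Tiered policy: HIGH/CRITICAL -> block, MEDIUM/LOW -> warn, no findings -> allow."""
    if not findings:
        return "allow"
    worst = max(rank(f.severity) for f in findings)
    return "block" if worst >= SEVERITY_RANK["HIGH"] else "warn"

def open_audit_store(path: str = ":memory:") -> sqlite3.Connection:
    """Create the audit table (assumed schema); ':memory:' keeps the example offline."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS scan_audit (
        id INTEGER PRIMARY KEY, component TEXT NOT NULL, scanner TEXT NOT NULL,
        severity TEXT NOT NULL, message TEXT NOT NULL, decision TEXT NOT NULL,
        ts TEXT NOT NULL DEFAULT (datetime('now')))""")
    return conn

def gate_component(conn: sqlite3.Connection, component: str, findings: list[Finding]) -> str:
    """Decide for one component and write one audit row per finding (or one 'clean' row)."""
    decision = decide(findings)
    rows = [(component, f.scanner, f.severity, f.message, decision) for f in findings]
    if not rows:
        rows = [(component, "none", "NONE", "clean", decision)]
    with conn:  # transaction: the audit trail is written even when the component is blocked
        conn.executemany(
            "INSERT INTO scan_audit(component, scanner, severity, message, decision) "
            "VALUES (?, ?, ?, ?, ?)", rows)
    return decision

def siem_events(conn: sqlite3.Connection, min_severity: str = "MEDIUM") -> list[tuple]:
    """Rows to forward to the SIEM: every finding at or above min_severity."""
    cur = conn.execute("SELECT component, scanner, severity, decision FROM scan_audit")
    return [r for r in cur if SEVERITY_RANK.get(r[2], 0) >= rank(min_severity)]
```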

Duo Agentic IAM: Treat Agents as Identities

The fundamental mistake most enterprises make is treating AI agents as tools rather than entities. Only 21.9% of teams currently treat agents as independent, identity-bearing entities. Every agent is effectively a privileged identity with broad access, but traditional IAM was built for slow-changing human identities. Agents spin up at machine speed and continuously evolve.

Cisco’s Duo Agentic IAM extends zero trust principles to agents. Each agent gets registered in Duo’s identity system and mapped to an accountable human owner. Permissions follow least-privilege principles: fine-grained access for specific tasks with short-duration grants. All tool traffic routes through an MCP gateway, enabling policy enforcement and eliminating blind spots.

AI Defense: Test Resilience in 20 Minutes

AI Defense: Explorer Edition democratizes red teaming. The free developer tool uses algorithmic testing to evaluate agent behavior across more than 200 risk categories—intellectual property theft, toxicity, sensitive data extraction, prompt injection, and jailbreaks. A comprehensive security assessment that would take days or weeks manually completes in approximately 20 minutes. The tool integrates directly with CI/CD pipelines through GitHub Actions, GitLab, and Jenkins.

The MCP Problem

Model Context Protocol sits at the center of Cisco’s security focus. Anthropic introduced MCP in November 2024 to standardize how AI agents integrate with external tools and data sources. OpenAI and Google DeepMind adopted it shortly after. In April 2025, security researchers published an analysis identifying multiple critical issues: prompt injection vulnerabilities, tool permissions that enable data exfiltration, and lookalike tools that can silently replace trusted ones.

MCP servers mediate agent access to file systems, databases, and APIs—making them a prime attack surface. Cisco’s MCP Scanner specifically targets this vulnerability by verifying servers before agents connect. The MCP gateway in Duo routes all tool traffic, applying policy at every invocation rather than trusting initial authentication.
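The identity model from the Duo section and the per-invocation gateway policy described here fit together in one small model. The following is an added illustration, not Duo's or DefenseClaw's code: each agent is registered against an accountable human owner, receives per-tool grants with a short TTL, and every tool call is re-checked at the gateway rather than trusted after an initial login. The class and method names, the injected clock and the log format are assumptions.

```python
import time
from dataclasses import dataclass, field

@dataclass
class AgentIdentity:
    agent_id: str
    owner: str                                  # accountable human owner (required)
    grants: dict = field(default_factory=dict)  # tool name -> expiry (epoch seconds)

class McpGateway:
    """Hypothetical gateway: policy is evaluated on every invocation."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested deterministically
        self.registry = {}      # agent_id -> AgentIdentity
        self.log = []           # (agent_id, owner, tool, outcome) for audit / SIEM

    def register(self, agent_id: str, owner: str) -> None:
        if not owner:
            raise ValueError("every agent must map to an accountable human owner")
        self.registry[agent_id] = AgentIdentity(agent_id, owner)

    def grant(self, agent_id: str, tool: str, ttl_seconds: float) -> None:
        """Least privilege: one tool, short-lived. Re-granting extends only that tool."""
        self.registry[agent_id].grants[tool] = self.now() + ttl_seconds

    def invoke(self, agent_id: str, tool: str, call):
        ident = self.registry.get(agent_id)
        if ident is None:
            return self._deny(agent_id, "-", tool, "unregistered agent")
        expiry = ident.grants.get(tool)
        if expiry is None:
            return self._deny(agent_id, ident.owner, tool, "no grant for tool")
        if self.now() >= expiry:
            del ident.grants[tool]   # expired grants are dropped, not silently renewed
            return self._deny(agent_id, ident.owner, tool, "grant expired")
        self.log.append((agent_id, ident.owner, tool, "allow"))
        return ("allow", call())

    def _deny(self, agent_id: str, owner: str, tool: str, reason: str):
        self.log.append((agent_id, owner, tool, "deny: " + reason))
        return ("deny", reason)
```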

OpenClaw’s CVE Flood Was the Warning

The OpenClaw vulnerability disclosure reinforces why the MCP security gap matters. Between March 18 and March 21, 2026, nine CVEs were publicly disclosed. CVE-2026-33579 exposed privilege escalation. CVE-2026-25253 enabled one-click remote code execution through authentication token theft, scoring 8.8 on the CVSS scale. One vulnerability reached 9.9 out of 10 in severity.

The exposure is widespread: more than 135,000 OpenClaw instances are accessible on the internet, with 63% running zero authentication. A Cisco engineer wrote in the DefenseClaw announcement blog: “I Run OpenClaw at Home. That’s Exactly Why We Built DefenseClaw.”

RSA 2026: Agent Security Goes Mainstream

Cisco’s announcement wasn’t isolated. AI agent security dominated RSA Conference 2026, the cybersecurity industry’s largest annual gathering. CrowdStrike unveiled Falcon Data Security to prevent data theft across agentic enterprises and Agentic MDR for automated threat response. Google Cloud introduced agentic SOC capabilities—AI agents securing AI agents. Microsoft strengthened Edge for Business with AI-specific protections. Yubico demonstrated hardware-backed “Human-in-the-Loop” authorization systems for agent actions.

When the dominant product category at RSA shifts to a new threat vector, it signals that enterprises have moved past “should we adopt this?” to “how do we secure what we’ve already deployed?”

What This Means for Developers

If you use Claude Code, Cursor, Aider, or similar AI coding tools, you’re on the front line of this security shift. These tools communicate through MCP to access your file system, databases, and external APIs. DefenseClaw’s open-source model means you can scan your own agent workflows today. AI Defense’s free tier lets you test for 200+ risks in 20 minutes.

The question isn’t whether agent security will affect your workflow. It’s whether you’re among the 63% running agents with inadequate authentication and the 93% operating without governance. The 66-point gap between AI deployment (73%) and real-time governance (7%) is closing, but enterprises are racing to catch up.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
