
Claws: Quantum Rise Perspective

May 6, 2026

Annie Britton, Julian Berman, Arkady Nemerovsky, & Yad Konrad

PERSPECTIVE

Claws are an emerging category with real capability and real risk, but most of the governance infrastructure needed to deploy them safely in enterprise environments is still being built. The organizations that establish controls during early pilots will be significantly better positioned when deployment pressure arrives. Quantum Rise helps organizations move into Claw adoption at the right pace: identifying the use cases that are genuinely ready, building the foundations that make deployment safe without slowing development, and avoiding the shortcuts that become expensive problems at scale.

WHAT ARE CLAWS?

A Claw is an AI agent that takes actions, often persistently and in the background. It can browse the web, read and write files, send messages, navigate business systems, and run multi-step tasks without being prompted each time. In March 2026, Anthropic launched a research preview taking this further: Claude can now operate directly on a user’s computer, opening applications, navigating the browser, filling in spreadsheets — anything a person would do sitting at their desk. A companion feature called Dispatch lets users assign tasks from their phone and have Claude complete them on the desktop autonomously while the user is elsewhere.

Claws are, in theory, like a new category of staff member: one that works fast, doesn’t sleep, but needs clear boundaries, oversight, and often a human-in-the-loop just like anyone with access to systems. The key difference from AI tools organizations have used before is that a Claw acts with its own credentials. That means the key question isn’t “what can it generate?” — it’s “what can it do, to what, and on whose authority?”

WHERE THE MARKET IS

High enthusiasm, uneven readiness. Claws have strong developer traction. OpenClaw, the leading open-source framework, has over 330k GitHub stars, reflecting lots of experimentation but not necessarily hardened enterprise deployment. Scaled deployments today are sparse, largely experimental, and rarely documented publicly. Most vendors explicitly label their enterprise governance features as preview or early-stage, including Anthropic’s new desktop control capability. Three major platform vendors have moved to address the governance gap since March. NVIDIA’s NemoClaw adds enterprise security on top of OpenClaw (agent isolation, policy enforcement, and a privacy router) and remains in early alpha. Microsoft’s Agent Governance Toolkit (April 2026) maps to all ten OWASP agentic AI risks with compliance grading for the EU AI Act, HIPAA, and SOC2. Anthropic launched Claude Managed Agents on April 8: hosted infrastructure that runs Claude agents in production without organizations building their own runtime, already in beta with Notion, Rakuten, and Asana. A managed single-vendor runtime trades deployment speed for orchestration flexibility, and organizations will need to weigh that before committing.

The conversation organizations need to have is not “can Claws do impressive things?” but “which use cases are actually ready, what does safe deployment look like, and what do we need in place before we expand scope?” Vendors are selling capability. The harder and more valuable question is provability: can organizations show auditors, boards, and regulators what their Claws did and why.

THE RISKS WORTH UNDERSTANDING

The scale of exposure is significant. A Cloud Security Alliance survey from April 2026 found that only 38% of organizations monitor AI agent traffic end-to-end, and only 17% monitor agent-to-agent communications — confirming that most organizations are running agents with significant visibility gaps. Separately, 97% of enterprise security respondents expect a significant AI agent security incident within the next twelve months, and 88% report having already experienced one. The OWASP GenAI Exploit Round-up for Q1 2026 identified a structural gap that makes these incidents harder to track: most AI security events don’t receive CVE identifiers because they stem from misconfigured permissions and architectural weaknesses rather than discrete software flaws. Security teams relying on CVE scanners and patch management workflows will miss most of what goes wrong with AI agents.

  • Claws can be hijacked. If a Claw reads a malicious document or webpage, hidden instructions in that content can redirect what it does next. Desktop control makes this more consequential — a hijacked Claw that can operate your computer is a different category of risk than one that can only generate text. In March 2026, China’s national cybersecurity authority issued a formal warning about OpenClaw’s default configurations enabling exactly this, including a technique where a hijacked agent silently transmits sensitive data through a messaging app link preview with no user click required.
  • The connector ecosystem is already compromised. Over 1,100 malicious add-ons have been confirmed in the leading Claw marketplace by security researchers, including tools that stole credentials. Third-party extensions need to be treated like untrusted software, not plug-and-play features. Eight new security vulnerabilities in MCP server infrastructure — including remote code execution flaws — were disclosed in a six-week span in early 2026, and OWASP published its first MCP Top 10 vulnerability list, confirming this is now an actively exploited attack surface. Security researchers have also identified a new class of attacks targeting the MCP connection layer itself: compromised servers can proactively request AI model responses to drain API quotas, inject persistent instructions across sessions, or trigger tool operations without user awareness — attack vectors for which most current deployments have no defenses.
  • Shared Claws create shared risk. One Claw serving an entire team with broad permissions is effectively a shared set of keys to your systems. OpenClaw’s own security documentation warns explicitly against using a single agent as a shared security boundary.
  • No audit trail means no recovery story. When something goes wrong, organizations without full logs of what their Claw did face a painful investigation. Regulators and boards will ask — and the answer needs to exist. Anthropic’s new Compliance API, released in March 2026, begins to address this gap: compliance teams get real-time access to agent activity logs and can centrally configure what tools and connectors agents are permitted to use. It is early-stage, but a meaningful first step from the leading enterprise AI vendor toward the audit infrastructure organizations will eventually be required to demonstrate.

WHAT’S READY VS. WHAT ISN’T

HOW QUANTUM RISE ENGAGES

The entry point is almost always education and a use-case assessment: what the potential applications are, which Claws, if any, are already in the organization’s environment, how systems are being evaluated, and whether the access and oversight model matches the risk. From there, Quantum Rise can help build foundations that make Claw deployment sustainable:

  • Identity and Access Scoping — each Claw gets defined permissions
  • Sandboxed Execution — Claws operate in containerized environments so mistakes don’t cascade
  • Approval Gates — high-stakes actions require a human sign-off before execution
  • Audit Logging — a record of every action every Claw takes
  • Connector Governance — third-party extensions reviewed and approved before use

Organizations that build these foundations during early pilots move faster and more safely when they scale.

BOTTOM LINE

Claw adoption is real but still early. Scaled enterprise deployments are sparse, governance tooling is largely in preview, and most production use is experimental. This is a reason to move thoughtfully rather than to wait. The organizations that get the foundations right now (education, scoped use cases, proper controls, human-in-the-loop, governance and oversight) will be the ones that can move confidently when deployment pressure arrives. Quantum Rise’s position is to help organizations do that, rather than retrofit after the fact.

