Today, as AI Agents accelerate the reshaping of enterprise digital transformation, we are ushering in an unprecedented productivity revolution. However, as AI Agents move towards mass production, security governance has become the core variable determining the success or failure of enterprise intelligent transformation. This article delves into the security risks of the AI era and details how Alibaba Cloud builds a full-stack protection system to establish a solid security foundation for enterprise agent adoption.
The rise of AI Agents is redefining the boundaries of cybersecurity. Current data indicates that AI agents outnumber humans by a ratio of 82:1 (CyberARK). Their driven decision-making systems accelerate delivery by 400% (IDC), and their automated data mining efficiency is 60–100 times that of humans (Carnegie Mellon & Stanford).
However, this exponential boost in efficiency also brings massive hidden dangers. Over 70% of AI Agents lack self-reflection and error recovery capabilities (MIT, Harvard & Stanford). This means that once the security defense is breached, security flaws and reliability issues will be exponentially amplified. In the AI era, security is infrastructure; any oversight at the infrastructure level can trigger severe risks such as model theft, data leakage, or service abuse.
Recently, the "Lobster Rush" phenomenon triggered by the open-source framework OpenClaw has vividly revealed the risks of operating "exposed" within the AI ecosystem. As OpenClaw garners over 285,000 stars on GitHub, security vulnerabilities within its ecosystem are becoming increasingly prominent:
Supply Chain Poisoning Incident: Over 800 malicious Skills on ClawHub hid backdoors, successfully bypassing traditional antivirus detection.
Prompt Injection Attack: Malicious inputs triggered unauthorized operations, leading to sensitive data leakage.
Permission Escalation Incident: Due to a lack of effective validation mechanisms, Agents could even execute high-risk operations such as deleting user emails.
According to Bitdefender, 22% of enterprises have unauthorized OpenClaw activity internally; meanwhile, data from Censys and Hunt.io shows that over 40,000 OpenClaw instances globally are directly exposed to the public internet. Facing the reality that 92% of enterprises lack complete visibility into external assets, the risk is imminent.
Based on practical attack and defense analysis of OpenClaw, we have identified four core attack chains:
Supply Chain Poisoning: Attackers publish Skills or plugins containing malicious code. When users install them, trojans (such as Atomic Stealer variants) are downloaded and executed via the HTTP protocol, stealing browser passwords and wallet keys.
Full-chain, Multi-point Evasion: Exploiting weak points in defenses across model inference, RAG retrieval, and tool invocation, attackers bypass single-node security detection through semantic obfuscation or context-splitting attacks.
Autonomous Execution Hijacking: Leveraging CVE vulnerabilities (such as path traversal or command injection), attackers hijack the Agent's autonomous execution flow, causing it to execute malicious commands without the user's awareness.
Stealthy Office Infiltration: Attackers use the Agent's identity credentials to move laterally within the corporate network. Due to the lack of control over Non-Human Identities (NHI), this type of infiltration is often extremely difficult to detect.
Enterprises adopting Agent frameworks like OpenClaw face full-lifecycle security challenges. From configuration risks in the development phase to dynamic threats during runtime, there is an urgent need to establish a full-lifecycle security workflow. This not only requires resolving CVE vulnerabilities in basic components (such as media file reading vulnerabilities) but also demands addressing thought deviations and permission loss of control during dynamic inference.
Alibaba Cloud proposes a full-stack protection system covering "Infrastructure, Models, and Applications":
Infrastructure Layer: Establishes cloud-based AI asset management and posture management through AI-BOM and AI-SPM to eliminate asset blind spots.
Model Layer: Provides AI Guardrails to ensure input/output compliance and defend against prompt attacks and malicious files.
Application Layer: Enables one-click integration of security protection through WAAP and LLM-WAF capabilities to control API and BOT risks.
As a core product, Alibaba Cloud's Agent Security Center achieved full marks in four categories in IDC's "2026 China Agent Threat Detection Technology Assessment." Its architectural panorama covers closed-loop capabilities ranging from asset identification and risk detection to response and handling.
Alibaba Cloud's Agent SPM builds a cross-cloud "Agent Asset Map" capable of identifying over 190 types of AI components and automatically generating an "Agent Relationship Graph." It deeply correlates models, Skills, RAG, Tools, and identity credentials, helping enterprises comprehensively inventory assets and expose supply chain risks, achieving a transformation from "black box" to "transparency."
Through an end-to-end asset graph, enterprises can visually see the full-chain lineage of Agents. Whether self-developed Agents or third-party OpenClaw instances, the system can conduct batch inspections and risk visualization, thoroughly resolving the management blind spot of "not knowing how many agents are in operation."
AI Guardrails enhance the protection capabilities of native Agents, providing core functions such as content compliance, sensitive data detection, and prompt attack defense. It can intercept and audit inputs and outputs in real-time during runtime, ensuring Agent behavior always remains within a controllable scope.
AI Guardrails 2.0 further upgrades end-to-end risk detection capabilities. It not only supports zero-code integration but also provides custom detection Agents for specific industries like healthcare and finance, achieving a leap from general defense to exclusive business risk identification.
Agent ID Guard implements fine-grained access control by unifying the management of machine and human identities. By adopting temporary credentials and short-cycle permission mechanisms, it effectively blocks credential abuse and unauthorized access, preventing data theft caused by API Key leaks.
Based on deep security fine-tuning of the Qwen large model, Alibaba Cloud has created an automated AI Red Teaming system. By embedding "Attack Agents" to simulate real attack strategies, it continuously conducts reverse validation and attack-defense drills, driving the security paradigm from "passive interception" to "active immunity."
SASE 2.0 provides full-process control including pre-incident asset discovery, real-time data risk control during incidents, and post-incident audit and traceability. It can effectively identify and control various Agent traffic within the office environment, ensuring core enterprise data does not cross boundaries.
The Agent Firewall provides real-time observability and control over communication traffic. It can accurately identify and block communication between Agents and malicious infrastructure, preventing remote command execution following supply chain poisoning.
Alibaba Cloud has built an Agentic SOC with autonomous decision-making capabilities. It can correlate threat intelligence, conduct cross-analysis of dispersed alerts, automatically reconstruct attack chains, and achieve minute-level automated blocking and isolation, significantly improving threat detection and response efficiency.
In summary, Alibaba Cloud has built a security framework centered on the core philosophies of "Agent Native Security" and "Defending AI with AI." From underlying network communication control to upper-level identity governance and automated operations, it forms a three-dimensional, full-link protection network.
Currently, Alibaba Cloud has launched a series of mature security products to fully empower the secure adoption of enterprise AI Agents:
Facing the industrial trend of accelerated AI Agent adoption, Alibaba Cloud will continue to deepen its full-stack threat detection capabilities, helping enterprises enjoy the dividends of intelligence while holding the security bottom line and achieving steady, long-term growth.
24 posts | 1 followers
FollowOpenAnolis - January 4, 2023
Amuthan Nallathambi - July 12, 2024
CloudSecurity - March 16, 2026
Justin See - March 19, 2026
CloudSecurity - March 18, 2026
Justin See - March 20, 2026
24 posts | 1 followers
Follow
AgentBay
Multimodal cloud-based operating environment and expert agent platform, supporting automation and remote control across browsers, desktops, mobile devices, and code.
Learn More
Qwen
Full-range, open-source, multimodal, and multi-functional
Learn More
Alibaba Cloud Model Studio
A one-stop generative AI platform to build intelligent applications that understand your business, based on Qwen model series such as Qwen-Max and other popular models
Learn More
Alibaba Cloud for Generative AI
Accelerate innovation with generative AI to create new business success
Learn MoreMore Posts by CloudSecurity
