Citrini Research’s viral analysis of personal agents and the economic havoc they may well create might be correct. These personal agents — illustrated by OpenClaw — might rip through business models. The agents could connect customers directly with sellers, bypassing major retailers like Amazon.
Personal agents could create an environment where people, seeking DoorDash or Uber Eats-type gig economy services, gain access to delivery competitors coded in weeks on generative AI platforms.
White-Collar Meltdown
Citrini’s apocalyptic scenario imagines white-collar workers losing high-paying jobs to AI, then taking low-paying jobs at delivery services, only to lose those jobs to personal agents. But trust may be harder to automate.
Citrini’s paper set off a stock market panic, sparking a selloff of tech, software and payments stocks when it was published on Feb. 22. It sketches a scenario. What isn’t hypothetical is what OpenClaw, another viral phenomenon, has already triggered. The open source AI agent framework, now under the OpenAI brand, is forcing people to think about personal agents, not just as a security threat, but as a business disruptor – — something that can transform commercial landscapes. It can also change how employees work.
An employee can now instruct a personal agent to pull customer churn data from Salesforce and place it into a spreadsheet. The agent will handle the details. That removes a long-standing usage barrier for some employees, said Gregor Stewart, chief AI officer at cybersecurity firm SentinelOne.
Exporting and analyzing data requires a series of steps that some employees never learned. As a result, many employees didn’t use those capabilities. Improving productivity might encourage IT managers to allow personal usage within limits, Stewart said.
Making AI Easier
For IT, one key productivity gain is that agents lower the skill threshold required to use AI tools.
“OpenClaw can do anything that a dedicated developer could do at this point. It just lets you do it faster and without necessarily all the development experience,” said Kasimir Schulz, director of security research at HiddenLayer.
What OpenClaw accomplished, by bringing this technology into the mainstream, was more revolutionary. It enabled everyday people to “see what AI was capable of and see what AI isn’t as capable of as well,” Schulz said.
But the technology also brings a problem IT may have difficulty controlling: inference.
Stewart said that even if IT limits data access and restricts misuse, agents may still be able to infer missing information and draw sensitive conclusions. The agents can take all the documents they do have access to, “infer the last few bits,” and then, suddenly, “you have the entire pricing strategy of the company,” he said.
Autonomous agents are widely used. But corporate versions of agentic AI tools aim to tightly control them, unlike free-roaming personal agents.
Virally Popular but Security Risk
OpenClaw, created by Austrian software engineer Peter Steinberger, was released late last year and went viral in January and February. Users have already built more than 1.5 million AI agents with it. It has a number of capabilities that scare IT managers. It can grant root permissions, risk data exfiltration and malware exposure, and undermine compliance rules.
But on the plus side, “This is as bad as they will ever be,” said Alastair Paterson, CEO and co‑founder of Harmonic Security.
For now, Paterson said OpenClaw is full of security holes and too risky for corporate environments.
But that doesn’t stop Paterson from imagining a future in which personal agents can accomplish a lot.
He said he expects a quick shift and development of personal agents that will have security, compliance, and governance built in. That opens the doors to some interesting scenarios.
“Your agents will know your shoe size, your preferences, your health issues, where you live, the types of activities you like doing,” he said. But this gets to the trust issue. As agents take care of critical needs — such as travel, shopping, and even health — they will need to trust the agent.
Paterson argued that companies such as Google start with a trust advantage because so many people already use their services, but he questioned whether they can move fast enough.
Businesses will need to design systems, APIs, websites, and commerce platforms that let personal agents interact with them, he said.
“Companies that become agent-friendly the fastest,” he said, “are probably going to do better.”
A Hinge Moment
OpenClaw represents a tipping point for agents, argued Simon Ninan, senior vice president and global head of strategy at Hitachi Vantara, the data infrastructure arm of the Japanese multinational tech conglomerate Hitachi.
What OpenClaw demonstrated, Ninan said, is that agents act as orchestrators. They may have broad objectives and can assemble a wide range of resources to meet them. They are a threat to middlemen.
A speculative possibility is the big retailer or entities that sit between buyers and sellers now being bypassed by agents, Ninan said.
Another possible outcome is what happens when agents start interacting with other agents, he said. The agent may have been set up with a specific purpose, but the interaction with third-party agents modifies its behavior.
“You don’t even realize it’s happening until it’s happened,” Ninan said. For IT security teams, “if an agent is being used for a different purpose than what it was originally designed for, flag it.”
HiddenLayer’s Schulz characterized the overall risk as a “lethal trifecta.” That means the answer is “yes” to these three questions: Is untrusted content being fed into the agentic system? Does the agentic system have access to private data? And can the system communicate externally?
“OpenClaw and a lot of these other personal coding assistants have access to all three,” he said.
Disruption Could be Exaggerated
Schulz argued that the disruptive potential of personal agents may not be as profound as some imagine.
When someone connects to a service like a rideshare app, they aren’t just getting a ride. They are also getting the trust and liability protections the providers built into it, Schulz said.
“How do you make sure that you and the actual passenger feel secure? So, there’s still a lot more that those big enterprises actually have that can’t just be replicated with one OpenClaw instance.”
Puneet Bhatnagar, an independent AI and identity security expert, described the main driver behind personal agent adoption as “the consumerization of delegation.” In his view, personal AI agents now let people outsource cognitive and operational tasks across multiple applications, rather than being confined to a single app, enabling work patterns that previously weren’t possible.
The agent sits on your computer and can handle a browser, log into applications and perform other sophisticated tasks, Bhatnagar said. “That’s very powerful.”
OpenClaw has some Napster-like qualities. When the legally murky music downloading service emerged in 1999, it disrupted the music business before the industry could adapt. OpenClaw may prove similar. This time, the disruption is not confined to one sector. It may test the foundations of enterprise strategy itself.
