I've spent the better part of three decades building go-to-market organizations and partnership ecosystems. The pattern I trust most isn't a forecast model or a market-sizing chart. It's the shape of a technology's adoption curve against the shape of the controls being built around it. When the first line is steep and the second line is flat, something is accumulating that eventually has to be paid back.
That's where I think we are with autonomous AI agents right now. Not with any single product — OpenClaw is the one everyone is talking about, but it's already being joined by Claude Code Channels, OpenFang, IronClaw, Hermes, and others. The category is moving faster than the category's control plane, and the specific thing that's accumulating is cryptographic risk. Not the kind you hear about in breach headlines. The quieter kind that sits underneath every credential, every token, every API call an agent makes on someone's behalf.
What the adoption curve actually looks like
It's worth anchoring on the numbers, because the speed is the whole story. OpenClaw hit 60,000 GitHub stars in its first 72 hours on the platform. It surpassed React's ten-year star count in under six months. By April 2026 it had reportedly crossed 3.2 million monthly active users and over 500,000 running instances worldwide. NVIDIA launched an enterprise security stack on top of it. OpenAI acquired the founder. The five largest Chinese technology companies integrated it into internal workflows inside a single quarter.
Gartner now projects that 40% of large enterprises will deploy autonomous AI agents by the end of 2026. That forecast felt aggressive when I first read it. I no longer think it is. What I think is that most organizations adopting these tools are doing so faster than they are updating their assumptions about what an agent actually does to their security posture.
Every agent is a key holder
Here's the part that I think is under-appreciated. A traditional SaaS application has one credential surface: the user logs in, the application calls APIs on the user's behalf within a scoped permission model, and the credential lifecycle is managed by the vendor. The attack surface is concentrated, and it's designed to be defended.
An autonomous agent is architecturally different. It is, by design, a credential holder. It stores API keys for the LLM provider. It holds OAuth tokens for email, calendar, file storage, and messaging platforms. It maintains active sessions into CRMs, ticketing systems, and internal tools via MCP servers. It writes files locally. It initiates outbound connections continuously, not just when a human asks. And it does all of this from whatever machine it happens to be running on — which, for the developer-led early adopters driving this curve, is often a personal laptop or a hastily configured VPS.
Multiply one agent's credential surface by 40% of enterprises. That's not an incremental change in the threat model. It's a different threat model.
The most widely cited OpenClaw security incident so far, the ClawHavoc supply-chain attack, compromised thousands of installations through malicious community-contributed skills. Industry analysts flagged the category as unacceptable for enterprise use. Adoption did not slow. That's not a criticism of the users — it's a description of what always happens when capability outpaces controls. People don't stop using something valuable because it's risky. They use it anyway and hope the controls show up in time.
Why this is a cryptographic problem, not just a security one
The reason I keep coming back to the word cryptographic — rather than just security or governance — is that the specific thing being put under stress is the trust fabric that sits beneath all of it. TLS. OAuth token signing. API key storage. Session encryption. The machinery that lets one service believe another service is who it claims to be.
That machinery was designed for a world where authenticated sessions are scarce, initiated by humans, and short-lived. Agent traffic violates all three assumptions. Sessions are abundant, initiated autonomously, and long-running. Every credential an agent holds is a key that could be exfiltrated. Every autonomous API call is a signature that could be forged. Every stored token is a record that could be harvested today and decrypted later.
That last point is the one I think about most. There's a well-established threat model in cryptographic circles called harvest-now-decrypt-later — adversaries collecting encrypted traffic today against the assumption that future computational capability will render that traffic readable. It's typically discussed in the context of nation-state adversaries and long-horizon secrets. The agent explosion changes the economics of that threat materially, because it dramatically increases the volume and value of the traffic being harvested. Agent-mediated traffic carries credentials, financial data, intellectual property, customer records, and internal communications — all flowing autonomously, at machine scale, often over infrastructure that was never hardened for this traffic profile.
When I say cryptographic debt, that's the ledger I'm pointing at. It's the gap between the cryptographic assumptions baked into today's infrastructure and the assumptions that will be required to defend an agent-mediated enterprise. That gap is being widened by every new deployment.
We've seen this movie before
The historical pattern is remarkably consistent. Cloud computing arrived in 2006. The controls — IAM maturity, well-understood shared-responsibility models, credible compliance frameworks — took until roughly 2010 before enterprises could deploy cloud infrastructure with reasonable confidence. The iPhone shipped in 2007. Mobile device management and enterprise mobility standards didn't stabilize until around 2012. In both cases, the capability arrived first, a major incident or class of incidents forced the industry's attention, and the control plane was built out of necessity over the following three to five years.
Agents are following the same shape. The capability landed in 2025 and 2026. We've already had the first supply-chain incident. The control plane is visibly under construction — NVIDIA's NemoClaw is one early attempt, the emergence of security-first forks like OpenFang is another, and I'd expect identity providers, cloud security vendors, and the hyperscalers to ship agent-specific governance products over the next twelve to eighteen months.
What's different this time, and what I think is under-priced in most enterprise conversations I've had about this, is that the underlying cryptographic infrastructure is itself undergoing a once-in-a-generation transition. NIST finalized its post-quantum cryptography standards in 2024. Federal procurement is already moving toward PQC-compliant systems. The commercial rollout is beginning. Those two timelines — agent proliferation and PQC migration — were planned as separate, sequential industry priorities. They are now colliding.
What I'm watching
A few signals I think are worth tracking over the next two to three quarters.
The first is whether agent governance products emerge as a distinct category or get absorbed into existing identity and secrets-management platforms. My instinct is the former. Agent credentials have a different lifecycle, a different permission model, and a different audit requirement than human credentials do, and treating them as an extension of existing IAM tooling will miss the actual risk surface. But I'd love to be proven wrong.
The second is whether a major enterprise breach is traced specifically to agent credential exfiltration within the next twelve months. I don't want this to happen, but pattern-matching against prior platform shifts, I'd assign it a high probability. The shape of the first such breach will likely determine how fast the control plane gets built.
The third is whether the organizations deploying agents most aggressively — which, right now, skews toward developer-led teams inside otherwise security-mature enterprises — start demanding cryptographic controls that are forward-compatible with post-quantum standards. If the answer is yes, I'd take it as a signal that the market is internalizing the convergence I described above. If the answer is no, the debt continues to accumulate.
None of this is a prediction that autonomous agents are a bad idea. I think they're one of the most genuinely transformative capabilities I've seen land in enterprise software in a long time, and I expect to spend a meaningful portion of the next several years helping companies deploy them thoughtfully. But the adoption curve is outpacing the controls curve, and the specific place where the gap is widest is the cryptographic layer. That's the ledger I'd be watching.