OpenClaw, Rogue Agents, and Application Hygiene
ID: 782184a2-9126-54d1-8f46-7233dbbb96d8
STIX ID: report--782184a2-9126-54d1-8f46-7233dbbb96d8
Feed Name: Huntress Blog
This report analyzes how OpenClaw and similar AI assistants frequently appear as cloud applications or service principals with excessive permissions (e.g., Directory.ReadWrite.All, Application.ReadWrite.All, Sites.FullControl.All), creating an identity-based attack surface that can enable account takeover, consent bypass, and tenant-wide data access. It provides hunting steps using Huntress Rogue Applications and SIEM, detection queries, observed findings across customers, and practical mitigation guidance for policy, permissions hygiene, and remediation.
