So, let’s talk about what’s actually happening right now with agentic AI.
Everyone’s excited - and they should be. OpenClaw, LangChain, AutoGPT, CrewAI - these tools are genuinely incredible. They’re writing code, browsing the web, querying databases, and orchestrating workflows autonomously. The promise of agents that actually do things instead of just talking about things is real, and it’s here today.
But look at how we’re actually deploying them.
We’re handing agents raw database credentials. We’re pointing them at files on disk. We’re giving them API keys and saying “go figure it out.” And sure, it works - the agent reads your data, does something useful, and you feel like you’re living in the future. The problem is that you’ve just given an incredibly naive piece of software the keys to the kingdom, and you have zero visibility into what it’s actually doing with them.
This isn’t theoretical hand-wringing. Millions of API keys are already being leaked through agent interactions. And the question isn’t whether your agents will access sensitive data - it’s whether you’re watching when they do, and whether they’re actually getting the information they need in a form that’s useful.
The Naive Agent Problem
Here’s what makes this so challenging: agents don’t know what they don’t know.
You point an agent at a directory full of personnel files because you want it to build a birthday calendar. Reasonable ask. But those same files contain social security numbers, home addresses, and salary information. The agent doesn’t distinguish between “birthday” and “SSN” - it just ingests everything, burns tokens processing all of it, and now that sensitive data is sitting in a context window somewhere, possibly getting logged, possibly getting leaked.
And that’s the simple case. In a real enterprise environment, you’ve got agents pulling from Postgres databases that require credentials, pinging internal APIs, reading from file systems with mixed permission levels - and all of it running under whatever user account happened to be convenient at deployment time.
The security nightmare is obvious. But the operational nightmare might be worse: you genuinely cannot tell what your agent did, what data it touched, or what it sent where. There’s no audit trail, no governance, and no way to restrict access after the fact because the agent was never going through a layer you control.
Put an Infrastructure Layer in the Middle
This is why we built Expanso. Instead of letting the agent talk directly to raw data through whatever interfaces it can find, you put Expanso in the middle as a secure infrastructure layer. The agent talks to Expanso, and Expanso governs the connection - what data gets accessed, how it gets transformed, and what actually makes it back to the agent.
Think of it like this: you wouldn’t give a new hire on their first day the root password to your production database and say “just grab what you need.” You’d set up appropriate access controls, give them a read-only view of the tables they actually need, and log what they query. Agents deserve the same treatment, because they’re at least as naive as that new hire and considerably faster at making mistakes.
From Birthday Calendars to Mission Reports
Let me walk you through how this actually works, starting simple and then scaling up.
The birthday calendar. You’ve got a directory of personnel files - agent rosters with names, birthdays, addresses, social security numbers, the works. Your agent needs to build a birthday calendar. Without Expanso, you’d have to give the agent read access to that entire directory, and it would happily ingest every field in every file, SSNs and all.
With Expanso, you build a simple pipeline - a birthday extractor. It runs under its own isolated user account on the machine. It’s the only thing with credentials to read that directory. It reads the files, extracts just the birthday fields, strips everything else, and outputs a clean JSON file that the agent can pick up. The agent never sees the raw data. It never has credentials. It gets exactly what it needs in the form it needs, and nothing more.
And by that I mean nothing more. The pipeline filters, transforms, and outputs to a local directory that the agent knows how to read from. The agent doesn’t even know what the underlying data architecture looks like - it just knows “call this endpoint, get birthdays.”
The multi-source intel aggregator. Now scale that up. You’ve got a Postgres database requiring passwords, a local API requiring credentials, and file system data with mixed permissions. You need a report that pulls from all three, but you want the agent to have access to exactly none of those credentials.
So you build a pipeline in Expanso that reads from all three sources using locally stored credentials. It queries the database for mission codes, status, and classification. It pings the API for agent status. It reads from the file roster. It filters out anything classified, joins the results, and produces a single clean report. The agent calls one Expanso endpoint, gets a formatted result, and builds you a beautiful mission report - without ever touching a password, a credential, or a piece of data it shouldn’t see.
Three Things You Get (and a Bonus)
Secure data access. Credentials live in environment variables on the machine, resolved at runtime by the pipeline. The agent never sees them. Your API keys, database passwords, and file permissions stay exactly where they belong.
Complete visibility. Every pipeline execution is logged. You can see what ran, when it ran, what data flowed through it, and what the output looked like. If something goes wrong, you have an actual audit trail instead of trying to reconstruct what an autonomous agent decided to do at 3 AM.
Framework agnostic. This works with OpenClaw, LangChain, AutoGPT, CrewAI - anything that can call an API or read from a local endpoint. You’re not locked into a particular agent framework, and you’re not rewriting your security model every time you try a new one.
And the bonus that people don’t expect: your agents actually perform better. When you stop flooding an agent’s context window with raw, unfiltered data - complete with irrelevant fields, redundant information, and sensitive data it has to work around - it gets sharper. You’re giving it exactly the information it needs in a clean, structured form, and you’re not burning tokens on noise. Better security and better performance isn’t a tradeoff. It’s the same design decision.
Getting Started
We’ve built an entire integration with OpenClaw that you can get running in three commands. 172 ready-to-use pipelines covering everything from email triage to Stripe reporting to DevOps monitoring. 200+ connectors for databases, APIs, queues, warehouses, and everything in between. And every one of them follows the same principle: your credentials never leave your machine, and the AI only sees the workflow, not your secrets.
Check out Expanso and OpenClaw to get started, browse the skills catalog, and see the enterprise recipes we’ve built for PII removal, GDPR compliance, legacy migration, and so on.
And if you’re looking at this from an enterprise perspective - SSO, audit logging, VPC deployment, the works - let’s talk. This is exactly the kind of infrastructure decision that gets more expensive the longer you wait, because every day your agents are running without governance is another day of accumulated risk you can’t see.
The agentic AI revolution is real, and it’s moving fast. The question isn’t whether to adopt it - it’s whether you’re going to do it in a way that you can actually trust. And that starts with putting the right infrastructure between your agents and your data.