Microsoft's New AI Agent Runs on OpenClaw. The Form You're Required to Sign Says Nothing About Liability.
Microsoft calls it an always-on enterprise agent. Their own security team, three months ago, called it something else.
On February 19, Microsoft's Security Blog published a post titled "Running OpenClaw Safely: Identity, Isolation, and Runtime Risk." Its assessment of the open-source framework Scout is built on was blunt: OpenClaw "should be treated as untrusted code execution with persistent credentials" and "is not appropriate to run on a standard personal or enterprise workstation" [\[1\]](https://www.microsoft.com/en-us/security/blog/2026/02/19/running-openclaw-safely-identity-isolation-runtime-risk/). The post documented why: authenticated credentials executing unintended actions, the agent forgetting its own safety rules as its memory fills up — a failure mode called context window compaction — and plugin mechanisms distributing malware.
Today, Microsoft is shipping Scout — an autonomous agent built on that same OpenClaw framework, connecting to Teams, Outlook, OneDrive, SharePoint, email, calendar, and contacts inside Microsoft 365 [\[2\]](https://www.microsoft.com/en-us/microsoft-365/blog/2026/06/02/introducing-microsoft-scout-your-always-on-personal-agent/). Each instance runs under a governed Entra identity assigned to a specific enterprise user rather than a shared anonymous service account. The company says that credentials are scoped to individual tasks and redacted from logs after use, and that it is contributing policy conformance tooling upstream to OpenClaw so organizations can validate whether their deployment meets their own security and compliance requirements.
Scout is available as an experimental release through Microsoft's Frontier program, requiring Intune policy configuration, an opt-in attestation, and a GitHub Copilot license before deployment. Pricing has not been set [\[3\]](https://www.computerworld.com/article/4180103/microsoft-unveils-scout-an-autonomous-ai-agent-built-on-openclaw.html).
What Microsoft has not published is the text of that opt-in attestation — or what it says about accountability when an autonomous agent takes an unintended action inside a Microsoft 365 tenant.
Standard enterprise software contracts allocate risk between vendor and customer based on documented, predictable behavior. An always-on autonomous agent with persistent memory does not fit that framework cleanly. The Entra identity governance and the policy conformance work upstream are architectural controls that address categories of risk Microsoft documented in February. Whether they close the specific gap between what the Security Blog described and what Scout actually does inside a live Microsoft 365 environment is a question the company has not yet answered in a public contract.
Independent researchers from Northeastern University, Harvard, MIT, and Stanford published a study in March documenting what happened when six autonomous agents were deployed with access to email accounts and file systems in a live environment [\[4\]](https://news.northeastern.edu/2026/03/09/autonomous-ai-agents-of-chaos/). The agents leaked private information, shared documents with unauthorized parties, and in one case erased an entire email server. The researchers called the pattern "Agents of Chaos." The study did not involve Scout or Microsoft systems. The failure modes it documented — persistent context causing instruction divergence, authenticated credentials executing unintended actions — are architectural properties of autonomous agents with long memory, not bugs specific to one vendor's implementation.
OpenClaw's skill installation mechanism lets agents acquire capabilities from external sources without built-in verification. Researchers have documented OpenClaw instances being conscripted into a 135,000-node cryptojacking botnet, with roughly 12 percent of marketplace plugins distributing malware [\[5\]](https://www.computerweekly.com/blog/CW-Developer-Network/Zencoder-CEO-to-developers-OpenClaw-is-the-canary-not-the-destination). The specific incidents — the botnet recruitment, and the case in which an agent compressed away its own safety instruction and deleted 200 emails — are documented outcomes that Microsoft's current controls aim to prevent, yet no published contract defines who absorbs the cost if prevention fails [\[6\]](https://medium.com/@dingzhanjun/analyzing-the-incident-of-openclaw-deleting-emails-a-technical-deep-dive-56e50028637b).
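The compaction failure described above, as an added illustration that is not code from the article, Microsoft, or OpenClaw: oldest-first compaction evicts the safety instruction, pinning keeps it, and a tool-layer guard refuses the bulk delete whatever the context holds. All names, the word-count tokenizer, and the sample history are constructed assumptions.

```python
# Added illustration: constructed data and hypothetical names, not OpenClaw or Scout code.
from dataclasses import dataclass

SAFETY_RULE = "Never delete mail without explicit user confirmation."

@dataclass
class Msg:
    role: str             # "system" or "tool"
    text: str
    pinned: bool = False  # pinned messages must survive compaction

def tokens(m):
    # Crude stand-in for a tokenizer: one token per whitespace-separated word.
    return len(m.text.split())

def compact_naive(history, budget):
    """Drop the oldest messages until the history fits the budget."""
    kept = list(history)
    while kept and sum(map(tokens, kept)) > budget:
        kept.pop(0)       # the system rule is the oldest message, so it goes first
    return kept

def compact_pinned(history, budget):
    """Keep every pinned message; evict only unpinned ones, oldest first."""
    if sum(tokens(m) for m in history if m.pinned) > budget:
        raise ValueError("pinned rules alone exceed the context budget")
    kept = list(history)
    while sum(map(tokens, kept)) > budget:
        kept.remove(next(m for m in kept if not m.pinned))
    return kept

def rule_in_context(history):
    return any(m.text == SAFETY_RULE for m in history)

def guard_delete(count, confirmed, max_unconfirmed=0):
    """Tool-layer check that does not depend on what the model still remembers."""
    return confirmed or count <= max_unconfirmed

def build_history(n_tool_msgs):
    # Constructed history: one safety rule followed by bulky tool output.
    h = [Msg("system", SAFETY_RULE, pinned=True)]
    h += [Msg("tool", f"inbox page {i}: " + "subject line " * 10)
          for i in range(n_tool_msgs)]
    return h

if __name__ == "__main__":
    h = build_history(20)
    print("naive keeps rule: ", rule_in_context(compact_naive(h, 100)))
    print("pinned keeps rule:", rule_in_context(compact_pinned(h, 100)))
    print("unconfirmed delete of 200 allowed:", guard_delete(200, confirmed=False))
```
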
Microsoft 365 Copilot, Microsoft's existing AI assistant, costs $30 per user per month for large businesses. Roughly 3.3 percent of Microsoft 365 customers currently pay for it, with 20 million paid seats, up from 15 million in January [\[3\]](https://www.computerworld.com/article/4180103/microsoft-unveils-scout-an-autonomous-ai-agent-built-on-openclaw.html). Whether Scout will be bundled into that subscription or priced separately is unannounced; Microsoft declined to provide details.
[\[1\]](https://www.microsoft.com/en-us/security/blog/2026/02/19/running-openclaw-safely-identity-isolation-runtime-risk/): Running OpenClaw safely: identity, isolation, and runtime risk (Microsoft Security Blog, February 19, 2026)
[\[2\]](https://www.microsoft.com/en-us/microsoft-365/blog/2026/06/02/introducing-microsoft-scout-your-always-on-personal-agent/): Introducing Microsoft Scout: Your always-on personal agent (Microsoft 365 Blog, June 2, 2026)
[\[3\]](https://www.computerworld.com/article/4180103/microsoft-unveils-scout-an-autonomous-ai-agent-built-on-openclaw.html): Microsoft unveils Scout, an autonomous AI agent built on OpenClaw (Computerworld, June 2, 2026)
[\[4\]](https://news.northeastern.edu/2026/03/09/autonomous-ai-agents-of-chaos/): These Autonomous AI Agents Quickly Became Agents of Chaos (Northeastern University, March 9, 2026)
[\[5\]](https://www.computerweekly.com/blog/CW-Developer-Network/Zencoder-CEO-to-developers-OpenClaw-is-the-canary-not-the-destination): Zencoder CEO to developers: OpenClaw is the canary, not the destination (Computer Weekly)
[\[6\]](https://medium.com/@dingzhanjun/analyzing-the-incident-of-openclaw-deleting-emails-a-technical-deep-dive-56e50028637b): Analyzing the Incident of OpenClaw Deleting Emails: A Technical Deep Dive (Medium, March 2026)