This week the buzz in tech was about Moltbot, an open-source AI agent that runs across messaging platforms like WhatsApp and Telegram, installs on multiple devices, and routes tasks through providers such as OpenAI and Google. It automates calendars, form filling, and other workflows via a local execution environment — and requires admin-level access to function fully.
Experts warn that the tool requires access to sensitive user accounts, making it vulnerable to potential breaches. Security researcher Jamieson O’Reilly reported finding hundreds of exposed Moltbot instances that could allow unauthorized access to personal and financial data, largely due to misconfiguration. Researchers at Hudson Rock further warned that user secrets may be stored in plaintext files, increasing the risk of compromise if the host system is infected.
Cisco has labeled Moltbot as an “absolute nightmare” from a security perspective, warning that improper configuration can directly compromise user data.
Why do we care?
The behavior that’s going to cause harm is MSPs shrugging and saying, “Users will do this anyway,” and then trying to clean up the mess later. This isn’t users installing random apps — it’s users delegating authority without consideration. An AI agent with admin rights isn’t shadow IT. It’s an unassigned employee: one that schedules meetings, submits forms, touches financial systems, and moves data across boundaries without judgment or accountability.
The real business consequence isn’t just breach response. It’s margin erosion from unbillable cleanup, client trust loss when “automation mistakes” affect real operations, and liability exposure when regulators ask who approved the system that acted.
This matters now because agents are being sold as personal productivity tools, not operational infrastructure. That framing is wrong and dangerous — because once these tools are normalized, rolling them back becomes a political fight with clients who only see the upside.
The real decision is simple and unavoidable: do AI agents require explicit approval, the same way admin access does? Because once an agent can act, schedule, submit, or move data, it’s no longer a user tool — it’s an operator. And operators without owners are always a liability.
MSPs need to draw the line early. Not because AI is bad, but because authority without governance always lands on the service provider’s balance sheet. If you don’t treat agentic AI as a first-class control-plane risk today, you’ll be explaining tomorrow why a system you didn’t deploy made a decision you’re still responsible for.

