What this section is for. Case-style narratives and research-motivated scenarios: public incidents and reporting, third-party programmes, and threat models we study internally. It is not a product catalogue. AGIACC is new, so we use this section to show how we think, where the market pain is emerging, and why infrastructure-level AI security deserves serious attention from partners and investors.
For general technology explainers (memory safety primers, distributed training background), use Technology → Memory safety or Technology → Distributed training in the site menu.
Case study 1: OpenClaw and AI agent security (public reporting)
Illustrative narrative based on public reporting and security disclosures.
The Rise of Embodied AI Agents
OpenClaw represents a new class of AI — agents that don’t just generate text but actively control hardware, execute shell commands, read and write files, and integrate with messaging platforms like Slack, WhatsApp, and email. By giving AI “hands,” OpenClaw demonstrated the future of accessible, embodied robotics and automation.
Its adoption was explosive: millions of developers, enterprises, and research labs deployed OpenClaw instances within months.
The Security Reckoning
In early 2026, the security community revealed the true cost of building powerful capabilities on fundamentally insecure foundations:
- CVE-2026-25253 — A high-severity one-click Remote Code Execution vulnerability that could give attackers full access to any OpenClaw instance and every system it controlled.
- 800+ malicious plugins discovered in ClawHub (the official skill marketplace), approximately 20% of all listed extensions. Many were designed to steal API keys, credentials, and browser sessions, with a particular focus on macOS targets.
- 135,000+ instances found publicly exposed online due to unsafe default configurations, leaking chat histories, API keys, gateway tokens, and user credentials.
- Prompt injection attacks — malicious instructions embedded in emails, documents, and web content could trick OpenClaw into performing unauthorized actions, data exfiltration, and lateral movement across corporate systems.
Major organizations took action: Meta banned OpenClaw on internal work machines. Chinese regulators (NIFA, MIIT) issued formal risk warnings. Financial institutions restricted its use in customer-facing services.
How CHERI-style enforcement changes the risk picture
On stacks that adopt CHERI-class capability hardware, each AI agent plugin can be placed in its own hardware-compartmentalised sandbox — this is the class of design AGIACC works toward with partners:
- Plugin isolation — Even if a malicious ClawHub skill attempts to read memory outside its allocation, CHERI capability bounds enforcement traps the violation instantly at the CPU level, before any data is exposed.
- No privilege escalation — Unforgeable capability pointers mean a compromised plugin cannot forge credentials, fabricate pointers, or access system resources outside its explicit grant.
- Deterministic containment — Unlike software sandboxes that can be bypassed through RCE or kernel exploits, CHERI’s hardware enforcement provides architectural guarantees that cannot be circumvented by software alone.
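As an added illustration (not code from this page or from AGIACC), the C program below models the two rules the bullets above rely on: every access is checked against the capability's bounds and permissions, and a derived capability can only narrow its parent's grant. Real CHERI enforces both in hardware on tagged capability registers; here the hardware trap is modelled as a `false` return, and the host memory layout and the key value are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Software model of a CHERI-style capability: a pointer carrying the bounds and
 * permissions it was derived with. Real CHERI keeps these in a tagged register
 * word the CPU checks on every access; here a hardware trap is "return false". */
typedef struct {
    const uint8_t *base;
    size_t length;   /* 0 marks an invalid (untagged) capability */
    bool can_read;
} cap_t;

/* Derive a narrower capability. Bounds and permissions can only shrink
 * (monotonicity), so a plugin cannot forge access it was never granted. */
static cap_t cap_derive(cap_t parent, size_t start, size_t len, bool want_read) {
    cap_t c = {0};
    if (parent.length == 0 || start > parent.length || len > parent.length - start)
        return c;                  /* widening refused: invalid capability */
    c.base = parent.base + start;
    c.length = len;
    c.can_read = parent.can_read && want_read;
    return c;
}

/* Checked load: the modelled trap fires before any byte is copied out. */
static bool cap_load(cap_t c, size_t idx, uint8_t *out) {
    if (c.length == 0 || !c.can_read || idx >= c.length) return false;
    *out = c.base[idx];
    return true;
}

/* Constructed host memory: a plugin's 16-byte buffer followed by a fake key. */
static uint8_t host_mem[] = "plugin-data-here" "\0" "SECRET-KEY-0000";
/* Returns how many of three scenarios behaved as CHERI hardware would. */
static int run_plugin_scenario(void) {
    cap_t host = { host_mem, sizeof host_mem, true };
    cap_t plugin = cap_derive(host, 0, 16, true);      /* grant: only its buffer */
    uint8_t b;
    int ok = 0;
    ok += cap_load(plugin, 0, &b) && b == 'p';         /* in-bounds read succeeds */
    ok += !cap_load(plugin, 17, &b);                   /* over-read into key traps */
    ok += cap_derive(plugin, 0, 32, true).length == 0; /* cannot widen own grant */
    return ok;
}

int main(void) {
    printf("%d/3 CHERI behaviours reproduced\n", run_plugin_scenario());
    return 0;
}
```

The model says nothing about a plugin misusing a capability it was legitimately granted: an action triggered by prompt injection but within the plugin's grant is a policy question, not a bounds violation.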
“When AI has hands, legs, and wheels, ‘good enough’ security is not enough. Only deterministic, hardware-enforced isolation can make embodied AI trustworthy.”
Case study 2: Automotive — the RESAuto pilot (industry demonstrator)
Summarises a public UK DSbD / industry demonstrator that shows the kind of adoption pathway the market needs.
The Attack Surface of Connected Mobility
Modern autonomous vehicles carry dozens of connected Electronic Control Units (ECUs), each managing critical functions: braking, steering, perception, V2X communication, and infotainment. That connectivity brings convenience — and a massive, interconnected attack surface.
A vulnerability in one ECU (e.g., the infotainment system) can potentially cascade into safety-critical domains, turning a cyberattack into a physical safety incident.
CHERI on Morello Silicon: RESAuto Results
The UK’s RESAuto (Resilient and Safe Automotive) project — led by Thales and partners under the Digital Security by Design (DSbD) programme — ported a safety-critical braking system to Arm Morello silicon with CHERI capabilities:
- Simulated attacks were detected and contained instantly. Faults injected into braking and steering stacks were caught by hardware capability checks before they could affect vehicle behavior.
- Lateral movement blocked — CHERI compartmentalization prevented exploits from propagating between perception, control, and infotainment domains.
- Minimal code changes — Only 1–2 modifications were required across 2.5 million lines of Thales’s existing safety and security codebase. This remarkably low friction validates CHERI’s industrial adoptability.
- Safe failure modes — When an exploit was detected, the system entered a known-safe state, protecting passengers while containing and logging the attack.
Standards Alignment
CHERI-enabled automotive systems align with ISO 26262 (functional safety), UN R155/R156 (cybersecurity), and the UK’s DSbD framework — providing a pathway to regulatory compliance for next-generation connected and autonomous vehicles.
Case study 3: Industrial IoT and critical infrastructure (ecosystem)
The Embedded Attack Surface
Factory robots, SCADA controllers, power grid sensors, and logistics networks form the backbone of modern industry. These systems are typically:
- Resource-constrained — limited CPU, memory, and power budgets
- Long-lived — deployed for 10–20+ years with minimal updates
- Safety-critical — a single software defect can halt production, damage equipment, or endanger workers
The convergence of AI with industrial control (Industry 4.0) is expanding this attack surface dramatically, as connected devices gain AI capabilities but retain legacy software stacks written in memory-unsafe C/C++.
CHERIoT: CHERI for the Smallest Devices
Microsoft’s CHERIoT (Capability Hardware Extension to RISC-V for IoT) brings CHERI’s deterministic memory safety to the embedded tier:
- Custom RTOS with a lightweight compartment model specifically designed for low-cost, low-power microcontrollers.
- Deterministic use-after-free protection and spatial memory safety — critical for long-lived devices that cannot be easily patched.
- lowRISC Sunburst boards — funded under UK DSbD, these development platforms make CHERI-secured embedded design accessible to the wider engineering community.
DEFGRID: Securing the Energy Grid
The DEFGRID project (University of Strathclyde, funded by DSbD) is the first demonstrator of CHERI-secured utility infrastructure:
- Protection of Operational Technology (OT) networks from cyber-physical attacks
- Hardware-enforced isolation between monitoring, control, and communication subsystems
- Alignment with IEC 62443 (industrial automation security) and NERC CIP (critical infrastructure protection)
Impact for Manufacturers
Early adopters in IoT and manufacturing are already exploring CHERI-secured controllers to:
- Sandbox control modules — hardware-backed compartments ensure a fault in one component does not cascade across the production line.
- Block malware propagation — CHERI prevents the most common exploit vectors (buffer overflows, ROP chains) used to hijack motion systems and safety interlocks.
- Enable graceful degradation — equipment continues operating safely or shuts down predictably, rather than exhibiting undefined behavior.
Case study 4: Medical and safety-critical systems (research and trials)
Non-Negotiable Safety Requirements
From robotic surgery systems to infusion pumps, medical devices demand the highest levels of software integrity. A memory corruption bug in these systems doesn’t just leak data — it can harm patients.
CHERI for Medical Device Security
On CHERI-enabled processors:
- Out-of-bounds access and pointer misuse are trapped by hardware capability checks before they can affect dosing calculations or surgical control loops.
- Compartmentalization keeps critical dosing and monitoring code isolated from less-trusted components (e.g., network stacks, display drivers).
- Behavior aligns with IEC 62304 (medical device software lifecycle) and FDA premarket cybersecurity guidance.
UK researchers at TTP plc are already trialling CHERI boards to validate compliance with these safety and regulatory targets, demonstrating the technology’s readiness for clinical deployment pathways.