LangChain Splits AI Agents Into Two Security Classes With Fleet Update

LangChain has formalized two distinct authorization models for AI agents in its LangSmith Fleet platform, addressing what’s become a thorny problem as enterprises deploy autonomous systems that need to access sensitive company data.

The framework, detailed in a March 23 blog post, splits agents into “Assistants” that inherit end-user permissions and “Claws” that operate with fixed organizational credentials—a distinction that emerged partly from how OpenClaw changed developer expectations around agent identity.

Why This Matters for Enterprise Adoption

The authorization question sounds technical but has real consequences. When an AI agent pulls data from Slack or searches your company’s Notion workspace, whose permissions should it use? The wrong answer creates either security holes or useless agents.

Consider an onboarding bot with access to HR systems. If it uses Alice’s credentials when Alice asks questions, that’s appropriate. But if Bob can query the same bot and accidentally access Alice’s private salary information, you’ve got a compliance nightmare.

LangChain’s solution:

Assistants authenticate through per-user OAuth. The agent inherits whatever access the invoking user already has—nothing more. Each user’s interactions remain siloed in their own Agent Inbox.

Claws use a shared service account. Everyone interacting with the agent gets the same fixed permissions, regardless of who they are. This works for team-wide automations where individual identity doesn’t matter.

The OpenClaw Factor

The two-model approach reflects how agent usage patterns have evolved. Traditional thinking assumed agents always act “on-behalf-of” a specific user. Then OpenClaw popularized a different model—agents that creators expose to others through channels like email or social media.

When someone creates an agent and shares it publicly, using the creator’s personal credentials becomes problematic. The agent could access private documents the creator never intended to expose. This pushed developers toward creating dedicated service accounts for their agents, effectively inventing the Claw pattern organically.

Channel Limitations

There’s a practical constraint: Assistants currently work only in channels where LangSmith can map external user IDs (like Slack) to LangSmith accounts. Claws face fewer restrictions but require more careful human-in-the-loop guardrails since they’re effectively opening fixed credentials to variable inputs.

LangChain provided concrete examples from their own deployments. Their onboarding agent runs as an Assistant—it needs to respect individual Notion permissions. Their email agent operates as a Claw with human approval gates for sending messages, since it manages one person’s calendar regardless of who’s emailing.

What’s Next

The company flagged user-specific memory as an upcoming feature. Current memory permissions are binary—you either can edit an agent’s memory or you can’t. Future versions will prevent Assistants from leaking information learned from one user’s session into another’s.

For enterprises evaluating agent platforms, the authorization model matters as much as the underlying AI capabilities. LangSmith Fleet launched March 19 with these identity controls baked in from the start.

Image source: Shutterstock