Research

The entity that acts cannot attest to its own behavior.

Twenty years in the CISO seat, on the independent attestation layer we forgot to build when we gave AI agents credentials, permissions, and production access. Essays from The Unattested Agent.

THE THESIS The Unattested Agent · the founding essay

We introduced an actor that writes its own record — and called it progress.

Your badge system logs your entry. The hallway camera records your movements. You don't write your own audit trail — something independent does. AI agents broke that assumption: the entity performing the action is the same entity producing the record of it.

In a courtroom that's uncorroborated testimony. In a financial audit, a material weakness. In enterprise AI, we call it progress. The fix isn't more logging — it's structural: an independent record the actor cannot alter.

Read the essay →
RESEARCH · THE UNATTESTED AGENT

What we're writing about.

Long-form essays from The Unattested Agent — twenty years in the CISO seat on the independent attestation layer we forgot to build when we gave AI agents credentials, permissions, and production access.

Subscribe on Substack →
01 · START HERE

The Unattested Agent

What happens when software acts but can't be held accountable. The founding essay — we gave agents credentials and production access, then skipped the independent attestation layer every prior actor required.

Read on Substack →
02 · ARCHITECTURE

The Control Point Is in the Wrong Place

Fifty-plus enterprise AI security vendors, one structural flaw: they answer “who,” not “what the agent is about to do.” Authorization is not governance.

Read on Substack →
03 · THE CATEGORY

Governance Is Not a Security Product

Why governing autonomous agents is a system-of-record problem, not another tool in the security stack — and what that changes about how you buy.

Read on Substack →
04 · INLINE ENFORCEMENT

You Have to Be in the Execution Path

Adjacent and downstream don't count. The tool call cannot complete without passing through a system that is not the agent.

Read on Substack →
05 · THE RECORD

A Decision Trace Is Not a Log

A log records an event. A Decision Trace records a judgment — signed, deterministic, hash-chained, and producible only inline.

Read on Substack →
06 · ATTESTATION SEPARATION

The Entity That Acts Cannot Attest

The Attestation Separation Principle in full — why an agent, its vendor, and the SIEM all sit inside the same trust boundary as the thing they're meant to attest to.

Read on Substack →
DOCUMENTED THREAT CLASSES

Built for what's already happening.

Every capability maps to a documented threat class — from OWASP, NIST, Cloud Security Alliance, and Palo Alto Unit 42, plus the real incidents that already shipped. Not theoretical risk.

OWASP · TOP 10 FOR AGENTIC APPS 2026ASI01 / ASI03

Goal hijacking & privilege abuse

The first peer-reviewed agentic framework — 100+ experts, endorsed by NIST, Microsoft and NVIDIA — names goal hijack, tool misuse and identity abuse as top risks, urging agents be treated as first-class identities with scoped privilege.

Behavry binds every agent's identity and records the authority it actually exercised.
NIST CAISI · AGENT HIJACKING EVALS11% → 81%

Agent-specific attacks beat every baseline

NIST's red team found novel agent-tailored attacks lifted task-hijacking success from 11% to 81% across RCE-via-tool-use, database exfiltration and automated phishing — a qualitative shift, not a marginal one.

Behavry reconstructs the hijacked sequence detection scoring can't.
PALO ALTO UNIT 42 · NOV 2025A2A

Agent session smuggling across trust

Unit 42 demonstrated malicious agents exploiting built-in trust in the agent-to-agent protocol to smuggle instructions between sessions — a cross-agent chain no single product observes.

Behavry captures the cross-agent chain end to end.
REAL INCIDENTS · 2025IN THE WILD

EchoLeak & the Amazon Q compromise

A zero-click Microsoft 365 Copilot exfiltration and a poisoned Amazon Q extension that reached ~1M developers — neither theoretical, both lacking a defensible cross-system account afterward.

Behavry produces the signed record these incidents never had.
NIST AI 100-2e2025 · ADVERSARIAL MLTAXONOMY

Memory poisoning & tool supply chain

NIST's adversarial-ML taxonomy now formally covers autonomous agents — indirect prompt injection, agent memory poisoning, and supply-chain attacks on agent tools as named attack classes.

Behavry records the provenance of every input that shaped a decision.
CSA AI SAFETY INITIATIVE · 2026PROMPTWARE

Promptware turns agents into C2

Multi-agent command-and-control via prompt injection — agents from different vendors enrolled into one attacker-controlled network through the trust between them.

Behavry sees the multi-vendor channel form before it propagates.

Sources: OWASP Top 10 for Agentic Applications (2026) · NIST CAISI, Strengthening AI Agent Hijacking Evaluations (2025) & AI 100-2e2025 · Palo Alto Networks Unit 42 · Cloud Security Alliance AI Safety Initiative.

ONE CATEGORY, MANY NAMES

The terms buyers search for all point to the same thing.

Guardian Agents AI TRiSM MCP security Runtime AI governance Agent incident reconstruction AI chain of custody

The chain-of-intent record. The independent Guardian Agent.

Read the full vendor taxonomy — 50 vendors, 9 structural blind spots →
INDEPENDENT VALIDATION

“Guard the guardians.”

Gartner names this category Guardian Agents within AI TRiSM. Its requirement — immutable, timestamped records that oversee the other agents — is attestation separation by another name. Behavry is the independent Guardian Agent.

SPEAKING & APPEARANCES

Making the case in the open.

The thesis is argued where the category is being defined — analyst forums, security conferences, and the podcasts shaping how the field thinks about agent risk.

CSA AGENTIC AI SECURITY SUMMIT 2026

Governing the Agentic Stack with IAM, Security Controls & Trust

A panel on the identity and trust fabric beneath production agents — the sprawling web of non-human identities most organizations have no strategy to govern. With Dr. Elizabeth Di Bene (Loudoun County) and Illena Armstrong (CSA President).

Virtual · Jun 24, 2026
BIO-IT WORLD 2026 · LIFE SCIENCES

Authorizing AI Agents in Regulated Life-Sciences Environments

Agents are moving into R&D, regulatory, and clinical workflows — Behavry enforces data-use agreements, protects IP, and produces audit-ready decision traces for environments where unauthorized action is not an acceptable outcome.

May 2026 · session not recorded
CSA AGENTIC AI SECURITY SUMMIT 2026

Observe Everything. Control Nothing.

Ward's solo session: why observability is structurally incapable of governance — it operates after execution, governance must operate before — and the architectural case for pre-execution enforcement and independent attestation.

Virtual · Apr 29, 2026
VCPEIT ANNUAL CONFERENCE · AI ERA

Shadow AI: The New Shadow IT, Hiding in Plain Sight

Code, IP, and internal data flowing into AI tools as workflow, not breach — “you don't have a detection problem, you have a perspective problem.” Introduced ShadowCheck, an open-source shadow-AI recon tool.

April 2026 · github.com/wardspan/shadowcheck
PODCAST · COMING SOON The Cybersecurity Ecosystem Show — on why autonomous agents need an independent record COVER FEATURE CIO Views — "Building Cyber Confidence with Integrity, Curiosity, and Applied Practice" · Oct 2025

Compare notes with the author.

Twenty years in the CISO seat, now building the record that lets you say yes to agents.

Talk to Us →