Twenty years in the CISO seat, on the independent attestation layer we forgot to build when we gave AI agents credentials, permissions, and production access. Essays from The Unattested Agent.
Your badge system logs your entry. The hallway camera records your movements. You don't write your own audit trail — something independent does. AI agents broke that assumption: the entity performing the action is the same entity producing the record of it.
In a courtroom that's uncorroborated testimony. In a financial audit, a material weakness. In enterprise AI, we call it progress. The fix isn't more logging — it's structural: an independent record the actor cannot alter.
Read the essay →Long-form essays from The Unattested Agent — twenty years in the CISO seat on the independent attestation layer we forgot to build when we gave AI agents credentials, permissions, and production access.
What happens when software acts but can't be held accountable. The founding essay — we gave agents credentials and production access, then skipped the independent attestation layer every prior actor required.
Read on Substack →Fifty-plus enterprise AI security vendors, one structural flaw: they answer “who,” not “what the agent is about to do.” Authorization is not governance.
Read on Substack →Why governing autonomous agents is a system-of-record problem, not another tool in the security stack — and what that changes about how you buy.
Read on Substack →Adjacent and downstream don't count. The tool call cannot complete without passing through a system that is not the agent.
Read on Substack →A log records an event. A Decision Trace records a judgment — signed, deterministic, hash-chained, and producible only inline.
Read on Substack →The Attestation Separation Principle in full — why an agent, its vendor, and the SIEM all sit inside the same trust boundary as the thing they're meant to attest to.
Read on Substack →Every capability maps to a documented threat class — from OWASP, NIST, Cloud Security Alliance, and Palo Alto Unit 42, plus the real incidents that already shipped. Not theoretical risk.
The first peer-reviewed agentic framework — 100+ experts, endorsed by NIST, Microsoft and NVIDIA — names goal hijack, tool misuse and identity abuse as top risks, urging agents be treated as first-class identities with scoped privilege.
NIST's red team found novel agent-tailored attacks lifted task-hijacking success from 11% to 81% across RCE-via-tool-use, database exfiltration and automated phishing — a qualitative shift, not a marginal one.
Unit 42 demonstrated malicious agents exploiting built-in trust in the agent-to-agent protocol to smuggle instructions between sessions — a cross-agent chain no single product observes.
A zero-click Microsoft 365 Copilot exfiltration and a poisoned Amazon Q extension that reached ~1M developers — neither theoretical, both lacking a defensible cross-system account afterward.
NIST's adversarial-ML taxonomy now formally covers autonomous agents — indirect prompt injection, agent memory poisoning, and supply-chain attacks on agent tools as named attack classes.
Multi-agent command-and-control via prompt injection — agents from different vendors enrolled into one attacker-controlled network through the trust between them.
Sources: OWASP Top 10 for Agentic Applications (2026) · NIST CAISI, Strengthening AI Agent Hijacking Evaluations (2025) & AI 100-2e2025 · Palo Alto Networks Unit 42 · Cloud Security Alliance AI Safety Initiative.
The chain-of-intent record. The independent Guardian Agent.
Read the full vendor taxonomy — 50 vendors, 9 structural blind spots →“Guard the guardians.”
Gartner names this category Guardian Agents within AI TRiSM. Its requirement — immutable, timestamped records that oversee the other agents — is attestation separation by another name. Behavry is the independent Guardian Agent.
The thesis is argued where the category is being defined — analyst forums, security conferences, and the podcasts shaping how the field thinks about agent risk.
A panel on the identity and trust fabric beneath production agents — the sprawling web of non-human identities most organizations have no strategy to govern. With Dr. Elizabeth Di Bene (Loudoun County) and Illena Armstrong (CSA President).
Virtual · Jun 24, 2026Agents are moving into R&D, regulatory, and clinical workflows — Behavry enforces data-use agreements, protects IP, and produces audit-ready decision traces for environments where unauthorized action is not an acceptable outcome.
May 2026 · session not recordedWard's solo session: why observability is structurally incapable of governance — it operates after execution, governance must operate before — and the architectural case for pre-execution enforcement and independent attestation.
Virtual · Apr 29, 2026Code, IP, and internal data flowing into AI tools as workflow, not breach — “you don't have a detection problem, you have a perspective problem.” Introduced ShadowCheck, an open-source shadow-AI recon tool.
April 2026 · github.com/wardspan/shadowcheckTwenty years in the CISO seat, now building the record that lets you say yes to agents.
Talk to Us →