The Unattested Agent
What happens when software acts but can't be held accountable.
A director of AI safety at Meta asked an AI assistant to help manage her inbox, but it deleted the entire thing. The story was reported by 404 Media, confirmed by the employee herself on social media, and widely shared not because it was unusual, but because she was willing to share it openly.
At Amazon, an internal agent independently decided to dismantle and rebuild a deployment environment. An AWS service went offline for thirteen hours. The Financial Times reported the incident as part of a larger trend of autonomous systems making destructive decisions without human approval.
These aren’t just conference legends. They’re documented facts. And in both cases, the same question arose: What exactly did the agent do, and can anyone prove it?
The answer, in most enterprise environments today, is no.
I’ve spent more than twenty years as a CISO. During that time, I’ve seen the security industry develop more advanced systems to answer one key question: What happened, and who’s responsible?
We created identity management to know who was inside the building. We developed access controls to understand which doors they could open. We implemented behavioral analytics to detect when someone started acting oddly. And we established audit trails so that when something went wrong, we could precisely reconstruct what happened and hold someone responsible.
Every one of those systems was designed for human actors, assuming something so fundamental that nobody needed to state it explicitly: the entity being governed and the entity providing evidence of governance are not the same thing.
Your badge system logs your entry. The hallway camera records your movements. The DLP system tracks your file transfers. You don’t create your own audit trail. Someone else or something else does that for you.
Enter AI agents.
An AI agent operating within your enterprise today can read files, write code, send emails, query databases, call APIs, and chain these actions together in sequences that no human explicitly authorizes. Some of these agents run on platforms that generate detailed logs. Many do not. And the ones that do are often limited to the platform, not the action. In architectures where session state can be replayed or overwritten, that record can be modified or erased completely.
The entity performing the action is the same entity producing the record of the action.
Read that again.
There is no alternative source. No independent witness exists. There is no clear division between the actor and the record-keeper. The agent acts, reports, and you trust what it says.
In a courtroom, we would call that uncorroborated testimony. In financial auditing, we would refer to it as a material weakness. In security, we should call it what it truly is: an unverifiable record from an untrusted source.
This isn’t a logging issue. It’s not a tooling shortcoming. It’s not something you resolve by asking your agent platform vendor to enable more verbose output.
This is a structural problem, and it has a name.
This is the unattested agent.
We have introduced actors into our environments that can take action, generate their own evidence, and in architectures where session state can be replayed or overwritten, erase it completely. In any other domain, we would call that an untrusted witness. In enterprise AI, we call it progress.
In every domain where accountability matters — such as financial auditing, legal chain of custody, pharmaceutical manufacturing, and aviation safety — there is a foundational principle: the entity that performs an action cannot be the sole authority for what it did.
A company cannot audit its own books. That’s why we have external auditors. A police officer cannot be the sole witness to their own evidence collection. That’s why we have a chain of custody. A pilot cannot be the sole recorder of a flight’s events. That’s why we have black boxes.
These aren’t arbitrary rules. They exist because we've learned — again and often painfully — that self-reported records from the entity being evaluated are not evidence. They are claims, and claims need independent verification.
AI agents in the enterprise today operate without independent verification. They act, and the only record of their actions comes from the platform they used or the agent itself. There is no independent observer in the execution process. There is no external attestation.
They are, by definition, unattested.
The implications of this are more serious than most organizations realize and more personal than most security leaders are willing to admit out loud.
You can’t answer the board’s question. When a board member asks “What AI is operating in our environment, what is it doing, and can you prove it?” — you cannot produce a verified answer. You can produce platform logs, which are self-reported records from the systems you’re trying to evaluate. That’s not the same thing.
You can’t satisfy a regulator. The EU AI Act, SOC 2, and emerging NIST AI standards all emphasize one requirement: demonstrable governance of autonomous systems. “We have logs” is not demonstrable governance. True demonstrable governance requires an independent record created by something other than the system being examined.
You can’t conduct incident response. When an agent misbehaves and they will, because they already do—your investigation starts with records produced by the thing you’re investigating. If those records are incomplete, overwritten, or simply never created, your investigation is doomed before it even begins.
You can’t tell the difference between a compromise and a malfunction. If an agent starts acting strangely, is it a bug, a prompt injection, or a real compromise? Without an independent record of their behavior, you lack the baseline to answer that question. You’re depending on the agent’s own output to judge whether it’s trustworthy. That’s circular reasoning, not security.
And here’s what nobody openly admits: You are endorsing systems you can't verify have functioned correctly. You are taking on liability without proof. You are declaring compliance based on records that might not be independently accurate. Every risk acceptance, audit attestation, and board assurance you give about your AI deployments relies on unverifiable trust. That’s not governance. That’s exposure — professional, legal, and financial.
There’s one more dimension to this that security leaders should consider, but most aren’t.
We discuss prompt injection and agent compromise as emerging threats. However, we frame them as attack techniques — actions an adversary takes against an agent. That framing undersells the true shift.
An attacker targeting a traditional system must evade detection. They need to move carefully, avoid triggering alerts, and cover their tracks. That’s difficult. Your security tools are specifically designed to catch that behavior.
An attacker operating through an AI agent doesn’t need to evade detection. They simply operate through an entity that creates its own narrative. If the agent is the only source of truth about its actions, then a compromised agent doesn’t look compromised. It looks normal. Its logs confirm it.
That’s not a detection issue. That’s an attestation problem. And no amount of log analysis fixes it, because the logs themselves are unreliable.
I want to be clear about what I’m not saying.
I’m not saying AI agents are too dangerous to deploy. I’m not saying enterprises should slow down their AI initiatives. I’m not saying the agent platforms themselves are negligent.
I’m saying that we’ve introduced a new category of autonomous actor within enterprise environments, and we haven’t established the independent attestation layer that every prior category of actor required. We simply skipped it. We provided these entities with credentials, permissions, and access to production systems, and we forgot — or never realized — that we need an observer that isn’t the same as the thing being observed.
We have developed governance models around identity, access, and behavior — all based on the idea that actions can be observed and verified separately. AI agents challenge that assumption fundamentally. They merge the actor and the observer into one entity. When that happens, every control built on top becomes a derivative of something you cannot trust independently.
The unattested agent isn’t a future risk; it’s a present condition. It’s active within your environment right now, performing actions, recording those actions (or not), and there’s no independent third party in the process that can verify what actually happened.
Every enterprise security architecture developed over the past twenty years was based on a simple idea: trust, but verify. The verify part demands independence. Without it, you are not governing agents; you are merely accepting the testimony of an untrusted witness and calling it control.
That’s not a security posture; it’s a gamble. And right now, most enterprises don’t even realize they’re making the bet.
This is the first in a series on the structural governance gap in enterprise AI agent deployments. Next: why the entity that acts can never be the entity that attests — and what that means for how we architect agent governance.
Author’s note: AI helped with grammar and readability. It did not help with the opinions.
