The Exposure No One Deployed, and No One Can Delegate
There’s a workforce operating your business right now. Nobody hired it.
Third-party AI agents are acting inside your business logic. The risk isn’t that they exist—it’s that nobody can prove how they behaved, and that’s no longer a problem you can delegate.
Every new risk has a moment when it changes hands. It starts out treated as a technical problem, contained inside an operational team, until someone realizes its consequences—loss, liability, capital—aren’t technical. That’s when it migrates to risk. The behavior of third-party automated agents is crossing that line right now.
It’s worth understanding why, because the migration isn’t an organizational preference. It’s structural.
The exposure that came in through the wrong door
Automated agents now reach the surface of any organization that didn’t deploy them, doesn’t control them, and can’t reliably tell them apart from a legitimate user. They aren’t always trying to breach anything: they operate inside business logic, consume the same flows a real customer would, and optimize at a speed no human matches. They distort a capacity, move a price, saturate a process, contaminate a predictive model—all without a single event a classic security system would flag as an attack.
The damage is real, but it doesn’t have the shape of an intrusion. It has the shape of an exposure: diffuse, cumulative, hard to attribute. And exposures, not intrusions, are risk’s trade.
Why security can’t close it, and it isn’t security’s fault
It’s tempting to hand this to the CISO and move on. But there are two limits no security team can overcome—not for lack of capability, but because of where security sits in the problem.
The first: security can decide, in the moment, whether to let an agent through. That live decision—milliseconds, allow or deny—is and will remain security’s job, and rightly so. But that decision leaves no record of what the agent did afterward, of what it was, or of the intent behind it. It resolves the instant, not the exposure.
The second, more uncomfortable for whoever has to answer for the risk: when you have to prove what happened, security’s evidence is the organization’s own logs. The party that may have failed is the same one producing the proof that it didn’t. Judge and jury. For an internal operational decision, that’s enough. To hold a position in front of a regulator, a counterparty, or an insurer, it isn’t—it’s not neutral evidence, and everyone at the table knows it.
This is not a reproach to the CISO. The opposite. The position of trust a good security leader holds never depended on seeing everything or controlling everything—it depended on fighting honestly within real limits. Asking them to also certify, on their word alone, the behavior of agents they never deployed is asking for a superpower the role doesn’t have. Acknowledging that limit doesn’t weaken the CISO; it puts the problem where it belongs. And it removes an unfair burden, because an external neutral record frees the CISO from having to be the proof. Security doesn’t lose in this handoff. It’s relieved of a job it was never able to do alone.
Why it’s risk’s to own, and what it demands
If the live decision is security’s, the other half—the evidence of what the agent did, the attribution of liability, the pricing of the exposure, the traceability before third parties—belongs to risk, audit, and compliance. Not by org chart, but because these are questions of risk governance, not operations. This is the part that gets owned, measured, and reported. It is risk’s, and it is risk’s now.
And here is the requirement that defines everything: an exposure you cannot measure, you cannot manage. To measure the behavior of third-party agents you need evidence that meets three conditions the organization, on its own, cannot satisfy:
Observed from the receiving side, not self-attested by whoever operated the agent—because the agent’s operator cannot be the neutral source of how its own agent behaved.
Neutral with respect to the interested party—neither the insured, nor the operator, nor the team that may have failed can be the one certifying the record.
Verifiable and tamper-evident—so it holds in front of a third party and survives the incident, rather than depending on the good faith of whoever stores it.
None of the three can be produced by the agent’s operator. None can be produced by security from the inside. All three require an observer that isn’t a party to the event.
What’s no longer optional
Frameworks like the EU AI Act and DORA don’t invent this requirement: they formalize it. They force exposure to automated systems to have an identifiable owner, traceable evidence, and actionable accountability. What structure already imposed, regulation turns into an obligation with a penalty. The window in which this could be left “on security’s side” is closing under two forces at once: operational reality and the law.
The risk you can’t delegate
Security decides in the moment. Risk answers for the exposure. But the line doesn’t stop at risk.
Under the EU AI Act’s deployer obligations and DORA’s rules on the management body, accountability for how autonomous systems behave climbs to the CEO and the board—and it can no longer be pushed downward. You cannot delegate what you cannot demonstrate. A director who can’t point to neutral, independent evidence of how third-party agents acted on the organization’s surface is personally exposed to a risk that, on paper, they already own.
That is what changed. The workforce nobody hired is operating inside your business, and the question is no longer whether you can stop it in the moment—security can. The question is whether you can prove what it did when a regulator, a counterparty, or an insurer asks. Without a behavioral record observed from the receiving side, one that none of the interested parties controls, the exposure is detected but never demonstrated. And a risk you cannot demonstrate is one you cannot delegate, cannot price, and cannot defend.
The problem stopped having the shape of something you block, and took the shape of something you measure, attribute, and insure. That is the whole migration in one line—and the reason it now lands on the desk of the person who can no longer hand it down.
BotConduct — behavioral exposure intelligence, from the receiving side.
