// the threat pattern nobody named
Every security professional understands "unauthenticated." It means no verified identity. The next threat class is unattested: an AI agent operating in production with no independent witness to what it does, why it did it, or whether it was supposed to.
// the attestation separation principle
This isn't about building better logs. It's about where the witness sits in the architecture.
Any entity that can act cannot independently attest to its own behavior. An agent cannot audit itself. An observability tool downstream of the agent can only see what the agent already decided to emit. A governance layer that runs inside the agent process can be subverted by the same compromise that subverts the agent.
An independent inline proxy that intercepts before execution is the only architecturally sound attestation point. That is not a product decision. It is a logical requirement.

Logs are generated by the agent. Telemetry is emitted by the agent. If the agent is compromised, confused, or hallucinating, the record is unreliable. There is no independent corroboration of what happened, when, or why. The audit trail is only as trustworthy as the entity it's supposed to be auditing.
An inline proxy intercepts every tool call before execution. Policy is evaluated. DLP is scanned. The action is allowed, modified, or blocked. A Decision Trace — a causal chain-of-custody artifact — is produced by an entity the agent cannot influence. The audit trail is structurally independent.
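The interception flow described above can be sketched in a few lines. This is a minimal illustration, not Behavry's actual implementation: the policy rules, DLP pattern, function names, and trace fields are all hypothetical.

```python
import hashlib
import json
import re
import time

# Hypothetical deny-list policy: block destructive operations.
BLOCKED_PATTERNS = [re.compile(r"\brm\s+-rf\b"), re.compile(r"\bDROP\s+TABLE\b", re.I)]
# Hypothetical DLP pattern: anything shaped like a US SSN.
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def intercept(agent_id: str, tool: str, args: str) -> dict:
    """Evaluate a tool call BEFORE execution; allow, modify, or block it,
    and emit a trace record produced by the proxy, not the agent."""
    if any(p.search(args) for p in BLOCKED_PATTERNS):
        decision = "block"
    elif SSN.search(args):
        args = SSN.sub("[REDACTED]", args)  # modify: redact sensitive data in flight
        decision = "modify"
    else:
        decision = "allow"
    record = {
        "agent_id": agent_id, "tool": tool, "args": args,
        "decision": decision, "ts": time.time(),
    }
    # The proxy hashes its own record; the agent never touches it.
    record["hash"] = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record

print(intercept("agent-7", "shell", "rm -rf /data")["decision"])  # block
```

The essential point the sketch makes: the decision and the record both originate on the proxy side of the trust boundary, so a compromised agent cannot rewrite either.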
// where unattested agents hide
Every deployed AI agent without an inline governance layer is an unattested agent. These are the most common patterns in enterprise environments today.
Developers running --dangerously-skip-permissions for autonomous operation. Full filesystem and shell access. No audit trail. No policy enforcement. The agent decides what to do and does it — the only record is what it tells you happened.
An AI agent connected to WhatsApp, Telegram, or Slack, with filesystem, shell, and email access. No agent identity. No distinction between message senders. No audit trail tied to who instructed what. 135,000+ instances exposed, with 33.8% correlated to threat actor infrastructure.
Three agents in a workflow: one plans, one executes, one validates. Each agent is individually well-behaved. But the pipeline collectively executes something catastrophic — and no single entity has a spanning audit trail of the full causal chain. The pipeline is unattested as a unit.
An agent monitored by a runtime telemetry tool. The tool sees API calls, latency, token usage. It cannot tell you whether the DELETE was authorized, anomalous, or evidence of compromise. It cannot block before execution. It is a camera in the lobby — not a guard at the door.
AI tools adopted by individuals or teams without IT visibility. No enrollment, no policy, no monitoring. The organization doesn't know the agent exists, let alone what it's doing. Every shadow AI deployment is, by definition, an unattested agent.
Security tools that install inside the agent process or run as an agent plugin. The security layer and the agent share a trust boundary. If the agent is compromised by prompt injection, the security layer running in the same process is compromised too. Self-attestation is not attestation.
// the board-level question
How many unattested agents are running in our environment right now?

This is the question a CISO asks in a board meeting. Not "do we have AI security?" but "can we independently prove what our AI agents did and why?"
If the answer relies on the agent's own logs, the agent's own telemetry, or a security tool running inside the agent's process — the answer is: you can't prove it.
// behavry is the attestation layer
Behavry operates as an inline MCP proxy — the architecturally independent witness that sits on the execution path, not downstream of it.
Every agent receives a unique, cryptographically verifiable identity with short-lived JWT RS256 credentials. No shared API keys. Every action attributed to a specific agent instance and the human who initiated it. The identity is issued by Behavry — not self-claimed by the agent.
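A short-lived credential enforces its own expiry through the standard JWT `exp` claim. The sketch below decodes a token payload and rejects expired credentials; it is an illustration using only the standard library, so RS256 signature verification (which needs a crypto library and the issuer's public key) is deliberately omitted, and the claims shown are hypothetical.

```python
import base64
import json
import time

def _b64url_decode(seg: str) -> bytes:
    # JWT segments are base64url-encoded without padding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def check_token_lifetime(token: str, now=None) -> dict:
    """Decode a JWT and reject expired credentials.
    NOTE: RS256 signature verification is omitted in this stdlib-only sketch."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected algorithm")
    if (now if now is not None else time.time()) >= claims["exp"]:
        raise ValueError("token expired")
    return claims

# Demo with an illustrative short-lived token (5-minute lifetime).
hdr = base64.urlsafe_b64encode(json.dumps({"alg": "RS256"}).encode()).rstrip(b"=").decode()
pl = base64.urlsafe_b64encode(
    json.dumps({"sub": "agent-7", "exp": time.time() + 300}).encode()).rstrip(b"=").decode()
print(check_token_lifetime(f"{hdr}.{pl}.sig")["sub"])  # agent-7
```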
Every tool call passes through DLP scanning and OPA policy evaluation before execution. The governance decision happens before the action — not after. If an agent is compromised, the compromised action is blocked at the proxy. The agent never reaches the target.
A causal chain-of-custody artifact: every action linked by parent event ID, causal depth, workflow session, and delegation chain. SHA-256 hash-chained. Immutable. Produced by Behavry from its inline position — the agent cannot modify, omit, or fabricate entries. This is the proof your auditor holds.
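The hash-chaining idea is simple enough to show directly: each record commits to the hash of its parent, so altering any record invalidates every record after it. A minimal sketch, with illustrative field names rather than Behavry's actual schema:

```python
import hashlib
import json

def append_record(chain: list, event: dict) -> dict:
    """Append an event to a SHA-256 hash chain; each record commits to its parent."""
    parent_hash = chain[-1]["hash"] if chain else "0" * 64
    body = {"parent_hash": parent_hash, "depth": len(chain), **event}
    body["hash"] = hashlib.sha256(
        json.dumps(body, sort_keys=True).encode()).hexdigest()
    chain.append(body)
    return body

def verify_chain(chain: list) -> bool:
    """Recompute every link; tampering with any record breaks all hashes after it."""
    parent = "0" * 64
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["parent_hash"] != parent or body["depth"] != i:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != rec["hash"]:
            return False
        parent = rec["hash"]
    return True
```

Because the chain is produced at the proxy, an agent that wanted to hide an action would need to forge every subsequent hash in a ledger it never touches.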
Rolling per-agent baselines detect when behavior diverges from established patterns. Cross-session memory catches trust reset attacks. The behavioral record is maintained by the governance layer, not the agent — so behavioral drift is detected even if the agent tries to mask it.
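A rolling per-agent baseline can be sketched as a fixed window of recent samples with a simple divergence test. The window size, warm-up minimum, and 3-sigma threshold below are hypothetical parameters, not Behavry's detection logic:

```python
import math
from collections import deque

class RollingBaseline:
    """Per-agent rolling baseline over a fixed window; flags values that
    diverge from established behavior. Thresholds here are illustrative."""

    def __init__(self, window: int = 100, threshold: float = 3.0):
        self.samples = deque(maxlen=window)
        self.threshold = threshold

    def observe(self, value: float) -> bool:
        """Record a sample; return True if it is anomalous vs. the baseline."""
        anomalous = False
        if len(self.samples) >= 10:  # require a minimum baseline first
            mean = sum(self.samples) / len(self.samples)
            var = sum((x - mean) ** 2 for x in self.samples) / len(self.samples)
            std = math.sqrt(var) or 1e-9  # guard against zero variance
            anomalous = abs(value - mean) / std > self.threshold
        self.samples.append(value)
        return anomalous
```

The key property is that the baseline lives in the governance layer's memory, so an agent cannot quietly reset or edit its own history.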
// the framework underneath · behavry risk framework
The Behavry Risk Framework scores every agent across six dimensions at registration and continuously at runtime. The composite score drives policy tier, token lifetime, and escalation behavior.
What systems and data can this agent reach? Read-only non-sensitive vs. read-write access to PII, financial records, or privileged systems.
What operations can it perform? Information retrieval vs. ability to create, delete, modify IAM, or trigger deployments.
How independently does it operate? Human-in-the-loop per action vs. fully autonomous with no human supervision.
How much review is applied? Every action reviewed by a human vs. minimal or no review of agent decisions.
How consistent are its objectives? Constrained, well-defined goals vs. broad goal scope with potential for behavioral drift.
How well can we see what it's doing? 1,000+ behavioral samples with full logging vs. new agent with fewer than 10 samples — behavior unknown.
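A composite over the six dimensions above might be computed as a weighted sum mapped to a policy tier. Everything in this sketch is an illustrative assumption: the dimension keys (other than observability, named in the framework), the weights, and the tier cutoffs are not the actual BRF weighting.

```python
def brf_composite(scores: dict) -> tuple:
    """Combine six dimension scores (each 1-5, higher = riskier) into a
    composite and map it to a policy tier. Weights are hypothetical."""
    weights = {
        "data_reach": 0.25, "operation_scope": 0.25, "autonomy": 0.15,
        "oversight": 0.15, "goal_stability": 0.10, "observability": 0.10,
    }
    composite = sum(weights[d] * scores[d] for d in weights)
    tier = "high" if composite >= 4.0 else "medium" if composite >= 2.5 else "low"
    return composite, tier

# A fully autonomous, high-reach, poorly observed agent scores into the top tier.
print(brf_composite({"data_reach": 5, "operation_scope": 5, "autonomy": 5,
                     "oversight": 5, "goal_stability": 5, "observability": 5})[1])  # high
```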
The BRF Observability dimension is directly tied to attestation: a well-observed agent with deep behavioral baselines and inline governance has high observability. An unattested agent — by definition — has low observability, regardless of how many downstream monitoring tools are watching.
// frequently asked questions
Can't we solve this with better logging from the agent?

No. Better logging from the agent is still the agent reporting on itself. The Attestation Separation Principle says the witness must be architecturally independent of the entity being witnessed. Agent-generated logs can be incomplete (the agent doesn't log what it doesn't decide to log), compromised (if the agent is compromised, its logs are too), or misleading (the agent may hallucinate its own reasoning chain). Attestation requires an independent observer on the execution path.
Doesn't our observability platform or SIEM already cover this?

Observability platforms are invaluable for infrastructure monitoring. But they sit downstream of the agent — they see what the agent emits. They cannot enforce policy before execution. They cannot produce a causal chain of custody for multi-agent workflows. They cannot block a compromised agent from acting. Observation is not attestation. Your SIEM is the camera in the lobby. Behavry is the guard at the door.
Can't the model vendors govern their own agents?

No, and they shouldn't. If Anthropic governed Claude Code's enterprise behavior, or if OpenAI governed ChatGPT's tool calls, the agent vendor would be both actor and auditor. That violates the attestation principle directly. Governance of agent behavior must be independent of the agent vendor — the same way financial audits are independent of the company being audited. This is an enterprise function, not a vendor feature.
What's the difference between unauthenticated and unattested?

Unauthenticated means no verified identity. Unattested means no independent witness to behavior. An agent can be fully authenticated — it has a valid API key, it's authorized through Okta, it passes every identity check — and still be unattested, because no independent entity governs what it does with that authenticated access. Authentication is necessary but not sufficient. Attestation is the next layer.
// independently verifiable
Every Decision Trace record is SHA-256 hash-chained. Any record hash can be checked against the immutable evidence chain to confirm it exists.
Your auditor can verify any Decision Trace record without logging into Behavry.
This is what attestation separation looks like in practice.
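What the auditor-side check amounts to can be sketched directly: given a published chain and a claimed record hash, recompute every link independently and confirm the hash is a genuine member. The record layout here is illustrative, not Behavry's actual format.

```python
import hashlib
import json

def hash_in_chain(chain: list, claimed: str) -> bool:
    """Auditor-side verification: recompute each link from scratch and report
    whether the claimed hash is a genuine member of an unbroken chain."""
    parent = "0" * 64
    for rec in chain:
        body = {k: v for k, v in rec.items() if k != "hash"}
        recomputed = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        if recomputed != rec["hash"] or rec.get("parent_hash") != parent:
            return False  # chain broken: nothing at or after this link is trusted
        if recomputed == claimed:
            return True
        parent = recomputed
    return False
```

Nothing in the check depends on trusting the producer of the chain, which is the point: the auditor needs only the records and a hash function.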