Agent Identity Becomes an Underwriting Question: Can You Account for Your AI Agents?

by

Estimated reading time: 7 minutes

A new launch puts agent identity at the center of a simple underwriting premise. Carriers cannot insure what they cannot measure.

Ceros launched today as what its maker calls the first trust layer purpose-built for autonomous AI agents. Beyond Identity, the company behind it, pitches Ceros as a single layer for agent identity, observability, and governance. It ties each agent action to a hardware-bound identity, a verified device, and continuous policy checks.

The product does three things. It discovers and inventories the AI agents, tools, and model services running across an environment. It governs what agents may launch and which tools they may call, with the ability to alert, degrade, or terminate a risky session. And it logs every session for later reconstruction.

That feature set maps directly onto a set of questions cyber underwriters are starting to ask. Jasson Casey, CEO of Beyond Identity, answered six of them for us.

Could Agent Identity Become an Underwriting Requirement?

Casey’s first argument is the foundation for the rest. An agent operating with real credentials and tool access is a risk the carrier must be able to price.

“Underwriters can’t insure what they can’t measure,” Casey said. The moment a non-human actor operates inside your systems, the carrier needs to know who launched it, on what device, with what permissions, and what it did. If the answer is “‘we can’t say,'” he argues, the account is not high-risk. It is unpriceable.

Carriers resolve unpriceable risk two ways. They make the missing control a requirement, or they write the exposure out with an exclusion. “Either way,” Casey said, “‘can you account for your agents’ becomes a question on the renewal questionnaire.” This is the same trajectory we tracked in cyber underwriting moving beyond questionnaires.

Agent identity and agentic AI cyber insurance underwriting graphic: a split comparison showing an attributed AI agent with green cryptographic fingerprint threads to user, device, tools, and actions, beside an unaccountable agent with frayed red threads labeled "we don't know, lost attribution."

How Should Insurers View Losses From “Authorized” Agents?

The thorniest question is coverage classification. An agent acting inside approved systems with valid credentials does not look like a breach, because no access was unauthorized.

Casey is direct about where that leads. The carrier’s incentive is to reclassify the loss as operational error or the insured’s own negligence, both routinely excluded or limited. “It’s the same fault as the business-email-compromise coverage disputes,” he said. “Your credentials, your authorization, your loss, that’s not a covered third-party attack.”

The only counter, in his view, is attribution: proving the agent was manipulated or compromised, which is a covered attack, rather than authorized but harmful, which may not be. “Without identity, you can’t even make the argument,” Casey said. “You’re arguing in the dark against a carrier that’s motivated to deny.” It echoes the BEC and wire-fraud coverage gaps we have documented before.

See also  Cyber Liability Insurance: Key Takeaways From PLUS Cyber Symposium

Does Agent Observability Change Post-Breach Liability?

If a company cannot reconstruct what an agent did, the consequences compound. Casey describes two mechanisms.

First, missing records invite the worst assumption. “Courts have long penalized parties who can’t produce the records,” he said, and regulators and plaintiffs fill the gap against you. Second, scope balloons. If you cannot prove which records an agent touched, you may have to notify everyone rather than the actual affected set.

“‘We don’t know what it touched’ is the most expensive sentence in incident response,” Casey said. Attribution turns unbounded exposure into provable, bounded scope. That reconstruction problem is the same one at the center of CISO incident response readiness.

Could Over-Permissioned Agents Become the Next Red Flag?

Underwriters already scrutinize standing privilege for humans and service accounts. Casey argues agents are the harder version of that problem.

“Agents are the worst version of the problem,” he said: a service account with no human in the loop, an LLM that can be socially engineered through prompt injection, operating at machine speed. He calls it a confused deputy that can be talked into misusing its own legitimate access.

So agent permissions will be assessed like privileged accounts, and probably more harshly, because the blast radius is bigger and faster. In Casey’s words, least privilege, scoped and just-in-time, “stops being best practice and becomes a checkbox.” The same logic drove the non-human identity scrutiny we covered in NHI and cyber resilience.

Does Runtime Enforcement Reduce Risk, or Raise the Standard of Care?

Casey’s answer is both, and the second half is the part underwriters should sit with. Once a control exists and is known to work, not using it starts to look like negligence.

“The existence of the capability raises the floor for everyone,” he said, including those who would rather not adopt it. Once a company can alert, restrict, degrade, or terminate a risky agent session, “‘we didn’t have a way to stop it'” expires as a defense. “Carriers reward the capable and penalize the willfully blind,” Casey said.

See also  What? Cyber Insurance Premiums Dropped For First Time in 2023: Fitch

This is the double edge of every new security capability. It cuts risk first, then quietly redefines what counts as reasonable care, a shift in expectations we have watched reshape the CISO’s role and boardroom exposure.

Does Cryptographic Attribution Make “We Don’t Know” Indefensible?

Casey closes on the through-line. Today “we don’t know” is tolerated because the tooling did not exist. He argues that grace period is ending.

“Once an agent can be cryptographically bound to a user, a device, the tools it called, and the actions it took, ‘we don’t know’ stops being a technology gap and becomes a decision not to deploy available controls,” Casey said. But he frames attribution as protection, not just a trigger for blame. It lets a company prove the agent never touched the crown jewels, prove which user and device drove it, and prove the blast radius was contained.

“The companies that can reconstruct agent behavior will win claims,” Casey said. “Attribution is a shield at least as much as it’s a liability trigger.” For CISOs weighing the spend, that reframing matters, the same cost-versus-defensibility calculus that technology leaders faced in the NASCIO-Deloitte 2026 government cyber risk study.

The Agent Identity Takeaway

A second voice in the launch frames the shift as operational, not box-ticking. Agent security is “an operational problem, not just a compliance checkbox,” said Neal Mueller, Product at Apple.

The pattern across all six of Casey’s answers is one idea. Identity and observability convert an unpriceable, unbounded agent into a measurable, bounded one. Underwriters price what they can measure. The companies that can answer “who ran this agent, on what device, with what permissions, and what did it do” will find better terms, and a stronger hand at claim time, than those who cannot.

FAQ -Agent Identity and Cyber Underwriting

What is agent identity?

Agent identity is the ability to tie an autonomous AI agent’s actions to a specific user, device, set of tools, and permissions. Cryptographic agent identity lets a company prove who launched an agent and what it did, which matters for both security and cyber claims.

Why would insurers ask companies to account for their AI agents?

Because carriers cannot price what they cannot measure. If a company cannot say who launched an agent, on what device, with what permissions, and what it did, the risk becomes hard to price. Insurers respond by requiring the control or excluding the exposure.

See also  Cyber Supply Chain Risks Gain Prominence: Report

Is a loss caused by an authorized AI agent a covered cyber event?

It is contested. An agent acting with valid credentials does not look like unauthorized access, so carriers may classify the loss as operational error or negligence, which are often excluded. Attribution showing the agent was compromised, rather than authorized but harmful, helps the insured argue for coverage.

How does missing agent observability hurt a claim?

If a company cannot reconstruct which data an agent touched, it may have to notify everyone rather than the actual affected set, raising statutory liability. Regulators and plaintiffs also tend to assume the worst when records cannot be produced.

Will agent permissions be scrutinized like privileged accounts?

Likely yes, and possibly more harshly. An agent is a service account with no human in the loop that can be manipulated through prompt injection at machine speed. Scoped, just-in-time least privilege is moving from best practice toward an underwriting checkbox.

Could failing to use available agent controls count as negligence?

Once tools exist to alert, restrict, degrade, or terminate risky agent sessions, not using them weakens the “we had no way to stop it” defense. The existence of a known-good control tends to raise the standard of care for everyone.

Martin Hinton
Martin Hinton is the Executive Editor and Publisher of Cyber Insurance News and Information. With over three decades of journalism experience across six continents, his work encompasses investigative reporting, documentaries, and coverage of cultural, political, and business news. To learn more about his career, click on his name to visit his LinkedIn page.

Leave a Comment