When an AI Agent Causes the Loss: Shadow AI and the Underwriting Questions It Raises


An AI agent can now write code, call tools, move files, and run commands. In most setups, it does all of that with the permissions of the person who launched it. So when an agent causes damage, the first underwriting question is deceptively hard. Who acted?

Remy Guercio, Product Lead for Aperture at Tailscale, does not reach for a tidy answer. “It should typically be treated as an action delegated by the user,” Guercio said. “The agent didn’t magically get access. It inherited or was granted access from a person, workload, token, or system.”

That framing matters because the loss could land in several coverage buckets at once. Guercio is candid that the category depends on the facts. If the agent had explicit permission, calling it unauthorized access is wrong. If the user launched it without grasping the blast radius, it looks like user error. And if the system over-provisioned the agent, it looks like a control failure. “I do think insurers will eventually need clearer language for agent-driven loss,” he said, “because agents blur the line between user action, software behavior, and security failure.”

That uncertainty is the live debate across the market. Carriers have begun adding AI exclusions and pushing ambiguous AI losses toward errors and omissions policies, a boundary fight we have tracked in our coverage of agentic AI and cyber insurance and the BakerHostetler 2026 data security report. Guercio’s answers map the same fault line from the inside.

Shadow AI and agentic AI cyber insurance underwriting graphic: a central user-agent node branching to file, terminal, and cloud icons, with a red link reaching a sandboxed key, illustrating agent blast radius and the question of who acted in an AI-driven loss.

The peg for all this is a product launch. Tailscale today expanded Aperture, its AI access and control platform, with a browser-based chat interface, universal data connectors for both MCP and APIs, and sandbox support now in private alpha. The pitch is a stable control layer for an AI stack that will not stop changing.

Shadow AI Is Shadow IT With Worse Visibility

Before agents, there is the simpler problem of tools nobody approved. Employees use personal AI accounts for work, and most companies cannot see that usage.

Guercio’s framing is blunt. “They should treat shadow AI like shadow IT, but with worse default visibility,” he said. The wrong question is whether employees use AI, because they do. The right questions are which tools, what data goes in, which identities are attached, and whether the sanctioned path is easier than the unofficial one. “If the sanctioned option is painful, employees will route around it,” he said.

The scale, as the launch frames it, is large. Tailscale cites research that 64.5% of activity on personal and free AI accounts is work-related, and points to figures reported by Axios that companies run roughly 67 generative AI tools on average, 90% of them without proper licensing or approval. Treat these as vendor-cited numbers rather than settled fact, since the release names no primary source. The direction, though, matches what we found in our coverage of retail and hospitality CISO AI risk.


What Visibility Looks Like to an Underwriter

If shadow AI is the exposure, the underwriting response is evidence of control. Guercio lists what a company should be able to show.

“An inventory of approved AI tools. Logs that tie usage back to user or workload identity. Policies for what data can be sent to which tools,” he said. He adds controls that limit access to sensitive data, a way to detect or block unmanaged AI traffic, and one item he stresses above the rest: “proof that employees have a usable approved option.”

That last point is the one most security programs miss. A policy banning personal tools means little if the approved alternative is slower. The control that works is the one people actually use.
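As an added illustration, not code from Tailscale or Aperture: a small Python audit that applies Guercio's checklist to a proxy log. It assumes a squid-style access log format, an inventory of approved AI hosts, and a naming convention where service accounts carry an svc- prefix; the log lines and the corp.example hosts are constructed for the example, and the provider domains are illustrative. Traffic to a sanctioned host from the identity class expected to use it is approved; traffic to a provider from a personal account, or a direct provider call by a human user (a sign of a provider key sitting on a laptop), is unmanaged; AI traffic with no identity attached is the case the logs cannot answer at all.

```python
"""Find unmanaged AI traffic in a proxy log and tie it to identity.

Added example, not Tailscale/Aperture code. Assumes a squid-style access
log ("ts user src method target status bytes_out") and a hypothetical
naming rule that service accounts start with "svc-". Log lines and the
corp.example hosts are constructed; provider domains are illustrative.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical approved-tool inventory: sanctioned AI host -> identity class
# expected to use it. Humans go through the gateway; only workloads (which
# hold a gateway-managed key) may call the provider API directly.
APPROVED_AI_HOSTS = {
    "ai-gateway.corp.example": "user",
    "api.openai.com": "workload",
}

# Hostnames that indicate AI usage (illustrative, not an exhaustive list).
AI_HOST_PATTERNS = [re.compile(p) for p in (
    r"(^|\.)openai\.com$", r"(^|\.)chatgpt\.com$",
    r"(^|\.)anthropic\.com$", r"(^|\.)claude\.ai$",
    r"(^|\.)gemini\.google\.com$",
)]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>\S+) "
    r"(?P<target>\S+) (?P<status>\d{3}) (?P<bytes_out>\d+)$"
)

# Constructed sample: one personal-account session, one sanctioned session,
# one human calling the provider directly, one session with no identity.
SAMPLE_LOG = """\
2026-03-04T10:12:01Z alice 10.1.2.3 CONNECT chatgpt.com:443 200 418233
2026-03-04T10:12:05Z alice 10.1.2.3 CONNECT ai-gateway.corp.example:443 200 2210
2026-03-04T10:13:44Z bob 10.1.2.9 CONNECT api.openai.com:443 200 9922
2026-03-04T10:15:02Z - 10.1.2.9 CONNECT claude.ai:443 200 77120
2026-03-04T10:16:30Z carol 10.1.2.7 CONNECT github.com:443 200 1200
2026-03-04T10:17:11Z svc-build 10.1.5.2 CONNECT api.openai.com:443 200 55000
"""


def host_of(target):
    """Host from a CONNECT target ("host:443") or a full URL."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def identity_kind(user):
    return "workload" if user.startswith("svc-") else "user"


def classify(rec):
    """'approved', 'unmanaged', 'unattributed', or None for non-AI traffic."""
    host = host_of(rec["target"])
    if host not in APPROVED_AI_HOSTS and not any(p.search(host) for p in AI_HOST_PATTERNS):
        return None
    if rec["user"] == "-":
        return "unattributed"      # AI traffic nobody can be tied to
    if APPROVED_AI_HOSTS.get(host) == identity_kind(rec["user"]):
        return "approved"
    return "unmanaged"             # personal account, or a provider key on a laptop


def audit(log_text):
    """Group AI traffic by verdict and total bytes sent outside the sanctioned path."""
    findings = {"approved": [], "unmanaged": [], "unattributed": []}
    unsanctioned_bytes = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # malformed line: a gap in the evidence, not an error
        rec = m.groupdict()
        verdict = classify(rec)
        if verdict is None:
            continue
        sent = int(rec["bytes_out"])
        findings[verdict].append((rec["user"], host_of(rec["target"]), sent))
        if verdict != "approved":
            unsanctioned_bytes[rec["user"]] += sent
    return findings, dict(unsanctioned_bytes)


if __name__ == "__main__":
    found, per_user = audit(SAMPLE_LOG)
    for verdict, rows in found.items():
        for user, host, sent in rows:
            print(f"{verdict:12} {user:10} {host:28} {sent:>8} bytes")
    print("bytes outside sanctioned path:", per_user)
```

The byte count per user is the number an underwriter will ask about next, because it is the closest the proxy log gets to "what data went in". Note that the unattributed session is the one this check cannot resolve: a proxy that does not authenticate users produces AI traffic that no inventory can explain.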

The Agent’s Blast Radius

The risk sharpens when an agent runs directly on a laptop or in production. Guercio is precise about why location matters.

“An agent running directly on a laptop may inherit local files, browser sessions, SSH keys, source code, and network access,” he said. “An agent running directly in production may be worse.” The distinction underwriters should probe is the type of access: read versus write, internal versus external, approval-based versus autonomous write access to important systems.

This is the same exposure we examined in our coverage of non-human identities and cyber resilience, and of LLM agents and inadvertent data disclosure. An agent holding the user's full credential store is a much larger claim than one boxed into a defined task.

Sandboxing as a Baseline Control

That blast-radius logic leads to a control that insurers may soon expect by default. Guercio frames sandboxing as the clean fix.

“A sandbox is a clean way to reduce blast radius,” he said. “It gives the agent somewhere to do useful work without handing it the user’s whole laptop, credential store, and network access by default.” Aperture’s sandbox support, launching in private alpha, is built around exactly this idea: agents work in a controlled environment instead of on the user’s machine.

If an agent can read files, write code, call tools, or touch production, Guercio expects insurers to reasonably ask where that work happens. The answer “directly on the employee’s laptop” will not age well.
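To make the read/write, internal/external and approval/autonomous distinctions concrete, here is an added Python example of the gate a sandboxed agent runner could enforce on each tool call. It is not Aperture's code; the sandbox root, the hostnames and the production label are assumptions. The file check resolves symlinks and `..` before comparing against the sandbox root, which is what stops an agent from reaching the SSH keys or credential store Guercio lists, even through a link it created inside its own working tree.

```python
"""Least-privilege gate for an agent's tool calls.

Added example, not Aperture's sandbox implementation. It models the
distinctions underwriters are told to probe: read vs write, internal vs
external, approval-based vs autonomous writes to important systems.
The sandbox root, hostnames and the production label are hypothetical.
"""
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Decision:
    action: str    # "allow", "deny", or "approve" (a human must sign off)
    reason: str


@dataclass(frozen=True)
class AgentPolicy:
    sandbox_root: Path            # the only filesystem tree the agent may touch
    internal_hosts: frozenset     # hosts treated as internal
    production_hosts: frozenset   # hosts where autonomous writes are never allowed
    allow_external_writes: bool = False

    def check_file(self, op, raw_path):
        """op is 'read' or 'write'; raw_path is whatever the agent asked for."""
        root = self.sandbox_root.resolve()
        # resolve() collapses ".." and follows symlinks, so a link the agent
        # planted inside its tree pointing at ~/.ssh still lands outside root.
        target = Path(raw_path).resolve()
        if target != root and root not in target.parents:
            return Decision("deny", f"{op} of {raw_path!s} escapes the sandbox root")
        return Decision("allow", f"{op} inside sandbox")

    def check_network(self, op, host, approved=False):
        """op is 'read' (fetch) or 'write' (mutating call) against host."""
        if host in self.production_hosts and op == "write":
            if approved:
                return Decision("allow", f"approved write to production host {host}")
            return Decision("approve", f"autonomous write to production host {host}")
        external = host not in self.internal_hosts and host not in self.production_hosts
        if op == "write" and external and not self.allow_external_writes:
            return Decision("deny", f"autonomous write to external host {host}")
        kind = "external" if external else "internal"
        return Decision("allow", f"{op} against {kind} host {host}")


def demo():
    """Run constructed requests through the gate; returns the action per case."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "agent-work"
        root.mkdir()
        outside = Path(tmp) / "dot-ssh"          # stands in for the user's ~/.ssh
        outside.mkdir()
        (root / "keys").symlink_to(outside)      # an escape hatch the agent created
        policy = AgentPolicy(
            sandbox_root=root,
            internal_hosts=frozenset({"git.corp.example", "wiki.corp.example"}),
            production_hosts=frozenset({"db-prod.corp.example"}),
        )
        cases = {
            "read_in_sandbox": policy.check_file("read", root / "src" / "main.py"),
            "write_traversal": policy.check_file("write", root / ".." / ".." / "etc" / "passwd"),
            "read_via_symlink": policy.check_file("read", root / "keys" / "id_ed25519"),
            "read_internal": policy.check_network("read", "wiki.corp.example"),
            "write_external": policy.check_network("write", "paste.example"),
            "write_prod": policy.check_network("write", "db-prod.corp.example"),
            "write_prod_approved": policy.check_network("write", "db-prod.corp.example", approved=True),
        }
        return {name: d.action for name, d in cases.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:20} -> {action}")
```

The three outcomes map onto the three underwriting buckets: "deny" is the control working, "approve" is the approval-based write Guercio contrasts with autonomous access, and "allow" is the delegated action that, if it causes a loss, is still the user's delegated action. Every decision carries a reason so the same gate can emit the log line a later investigation needs.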

One Control Layer: Risk Reduced or Risk Concentrated?

Routing all AI access through a single gateway is the heart of Aperture’s pitch, so the obvious challenge is concentration risk. Guercio does not dodge it.

“A control layer reduces risk because it gives you one place to enforce policy, manage credentials, preserve identity, and collect logs,” he said. “The tradeoff is that the control layer becomes important, so you have to treat it like important infrastructure. It needs strong authentication, least privilege, good logging, and reliability.”


That is a fair concession. A gateway that fails or is breached becomes a single point of compromise. The underwriting view should weigh the visibility a control layer provides against the dependency it creates.

Auditing the Gateway Itself

If a company does route AI through one layer, that layer has to be auditable. Guercio sets a clear bar for what its logs should capture.

“Logs should show which model was used, what tool was called, what data was accessed, and which identity initiated the action,” he said. Every request should tie to a real user or workload identity, provider keys should not be scattered across laptops and scripts, and access should be least privilege. Those logs should flow into the tools security teams already run, not a separate console nobody checks.

“We Didn’t Know” Is a Weak Defense

The governance gap becomes a liability question after a breach. Guercio is measured but firm about where the line is moving.

“Once a risk is widely understood, ‘we didn’t know employees were using it’ becomes a weaker answer,” he said. He is careful not to call every AI incident negligence. But for a company with no inventory, no approved path, no access controls, and no logs, it “will be hard to argue that AI usage was being managed.”

The standard of care is shifting in real time, the same pattern we documented in the 2026 identity security report. What counted as reasonable last year does not automatically count this year.

When You Cannot Reconstruct What Happened

The final question is the one that decides claims. After an incident, investigators must rebuild events. Missing logs make it slow, costly, and uncertain.

“If you cannot tell which identity used which model, what data moved, or what actions an agent took, then the investigation gets slower, more expensive, and less certain,” Guercio said. That uncertainty cuts two ways. It can affect claims handling because insurers need facts to assess cause and scope. It can also widen legal exposure, because the company may not be able to show what data was touched or whether its controls worked.
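Guercio's bar for gateway logs, and the reconstruction problem just described, can be tested against the logs themselves. The Python below is an added example, not Aperture's schema: it assumes JSON-lines records with identity, model, tool and data_ref fields plus a byte count, and the records are constructed, two of them deliberately incomplete. It reports which records cannot be tied to an identity or a data reference, rebuilds one identity's timeline, lists what each identity read and where it sent data, and pairs a read with a same-sized external POST inside a short window, the simplest version of the "what data moved" question.

```python
"""Reconstruct what an agent did from AI-gateway audit records.

Added example, not Aperture's log schema. Assumes JSON-lines records with
ts, identity, model, tool and data_ref fields (plus a byte count); the
records below are constructed, including two that are deliberately
incomplete. Model names are placeholders.
"""
import json
from collections import defaultdict
from datetime import datetime

REQUIRED = ("ts", "identity", "model", "tool", "data_ref")

SAMPLE_JSONL = """\
{"ts":"2026-03-04T14:00:01Z","identity":"user:alice","model":"model-a","tool":"files.read","data_ref":"s3://finance/q1.xlsx","bytes":88210}
{"ts":"2026-03-04T14:00:03Z","identity":"user:alice","model":"model-a","tool":"http.post","data_ref":"https://external.example/upload","bytes":88210}
{"ts":"2026-03-04T14:00:04Z","identity":"user:alice","model":"model-a","tool":"shell.exec","data_ref":"rm -rf build/","bytes":0}
{"ts":"2026-03-04T14:02:10Z","identity":"workload:ci-bot","model":"model-b","tool":"files.read","data_ref":"git://repo/src","bytes":1200}
{"ts":"2026-03-04T14:03:00Z","model":"model-a","tool":"files.read","data_ref":"s3://hr/salaries.csv","bytes":4000}
{"ts":"2026-03-04T14:03:30Z","identity":"user:bob","model":"model-a","tool":"files.write","bytes":300}
"""


def _ts(s):
    # fromisoformat only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse(jsonl):
    """One dict per line, tagged with its line number for the gap report."""
    records = []
    for n, line in enumerate(jsonl.splitlines(), 1):
        if line.strip():
            rec = json.loads(line)
            rec["_line"] = n
            records.append(rec)
    return records


def gaps(records):
    """Line -> missing required fields: the records an investigation cannot use."""
    return {r["_line"]: [f for f in REQUIRED if f not in r]
            for r in records if any(f not in r for f in REQUIRED)}


def timeline(records, identity):
    """Ordered (ts, model, tool, data_ref) for one identity: what the agent did."""
    return [(r["ts"], r["model"], r["tool"], r.get("data_ref"))
            for r in records if r.get("identity") == identity]


def data_movement(records):
    """Per identity, what the agent read and where it sent data."""
    moved = defaultdict(lambda: {"read": [], "egress": []})
    for r in records:
        ident = r.get("identity", "<unknown>")
        if r.get("tool") == "files.read":
            moved[ident]["read"].append(r.get("data_ref"))
        elif r.get("tool") == "http.post":
            moved[ident]["egress"].append(r.get("data_ref"))
    return dict(moved)


def flag_exfil(records, window_s=60):
    """A read followed by an outbound POST of the same size by the same
    identity inside the window. Crude, but it is the first question asked."""
    by_ident = defaultdict(list)
    for r in records:
        if "identity" in r:
            by_ident[r["identity"]].append(r)
    hits = []
    for ident, recs in by_ident.items():
        for i, r in enumerate(recs):
            if r.get("tool") != "files.read":
                continue
            for later in recs[i + 1:]:
                if (later.get("tool") == "http.post"
                        and later.get("bytes") == r.get("bytes")
                        and (_ts(later["ts"]) - _ts(r["ts"])).total_seconds() <= window_s):
                    hits.append((ident, r.get("data_ref"), later.get("data_ref")))
    return hits


if __name__ == "__main__":
    recs = parse(SAMPLE_JSONL)
    print("incomplete records:", gaps(recs))
    print("alice timeline:", timeline(recs, "user:alice"))
    print("data movement:", data_movement(recs))
    print("possible exfil:", flag_exfil(recs))
```

The two incomplete records are the point. The read of the HR file with no identity attached cannot be charged to anyone, and the write with no data reference cannot say what was changed; both are exactly the "less certain" investigation Guercio describes, and a gateway that enforced the required fields at ingest would never have produced them.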

Avery Pennarun, Tailscale’s co-founder and CEO, frames the underlying bet as one about permanence, not any single tool. “The AI stack is not going to settle down any time soon,” Pennarun said. The market agrees on the instability, at least: one CIO survey cited in the launch found 81% of enterprises now run three or more model families, up from 68% less than a year earlier.

For underwriters, the through-line across all ten of Guercio’s answers is identity and logs. Who acted, what they touched, and whether anyone can prove it. Agents have not changed that question. They have only made it harder to answer.


FAQ – AI Cyber Insurance and Agent Liability

What is shadow AI?

Shadow AI is the use of unapproved AI tools for work, often through personal or free accounts. Like shadow IT, it sits outside company visibility, but with worse default insight into what data is being shared and which identities are attached.

If an AI agent causes damage using a user’s permissions, whose fault is it?

It is typically treated as an action delegated by the user, since the agent inherited its access. Depending on the facts it may look like unauthorized access, user error, or a control failure. Insurers will likely develop clearer language for agent-driven loss.

How should companies prove they control AI use?

With an inventory of approved tools, logs tying usage to user or workload identity, data-handling policies, access controls, a way to detect unmanaged AI traffic, and proof that employees have a usable approved option.

Could agent sandboxing become a baseline cyber insurance control?

Likely. A sandbox reduces an agent’s blast radius by giving it a controlled place to work instead of the user’s full laptop, credential store, and network. If an agent can run commands or touch production, insurers will ask where that work happens.

Does routing AI through one control layer reduce or concentrate risk?

Both. A single layer centralizes policy, credentials, identity, and logs, which reduces risk. But the layer itself becomes critical infrastructure that needs strong authentication, least privilege, logging, and reliability.

Can poor AI logging affect a cyber claim?

Yes. If a company cannot show which identity used which model, what data moved, or what an agent did, the investigation slows and costs rise. That can affect claims handling and widen post-incident legal exposure.
