Every security professional understands "unauthenticated." It means no verified identity. The next threat class is unattested: an AI agent operating in production with no independent witness to what it does, why it did it, or whether it was supposed to.
The entity that acts cannot attest to its own behavior.
This isn't about better logs. It's about where the witness sits in the architecture.
Any entity that can act cannot independently attest to its own behavior. An agent cannot audit itself. An observability tool downstream of the agent can only see what the agent already decided to emit. A governance layer that runs inside the agent process can be subverted by the same compromise that subverts the agent.
An independent inline authorizer that intercepts before execution is the only architecturally sound attestation point. That is not a product decision. It is a logical requirement.Logs are generated by the agent. Telemetry is emitted by the agent. If the agent is compromised, confused, or hallucinating — the record is unreliable. There is no independent corroboration of what happened, when, or why. The audit trail is only as trustworthy as the entity it's supposed to be auditing.
An inline authorizer evaluates every tool call before execution. Policy is checked. Inputs are scanned. The action is allowed, denied, or intercepted. A Decision Trace — a causal chain-of-custody artifact — is produced by an entity the agent cannot influence. The audit trail is structurally independent.
Every deployed AI agent without an inline authorization layer is an unattested agent. These are the most common patterns in enterprise environments today.
Developers running --dangerously-skip-permissions for autonomous operation. Full filesystem and shell access. No audit trail. No policy enforcement. The agent decides what to do and does it — the only record is what it tells you happened.
An AI agent connected to WhatsApp, Telegram, Slack with filesystem, shell, and email access. No agent identity. No distinction between message senders. No audit trail tied to who instructed what. 135,000+ instances exposed, with 33.8% correlated to threat actor infrastructure.
Three agents in a workflow: one plans, one executes, one validates. Each agent is individually well-behaved. The pipeline collectively executes something catastrophic — and no single entity has a spanning audit trail of the full causal chain. The pipeline is unattested as a unit.
An agent monitored by a runtime telemetry tool. The tool sees API calls, latency, token usage. It cannot tell you whether the DELETE was authorized, anomalous, or evidence of compromise. It cannot block before execution. It is a camera in the lobby — not a guard at the door.
AI tools adopted by individuals or teams without IT visibility. No enrollment, no policy, no monitoring. The organization doesn't know the agent exists, let alone what it's doing. Every shadow AI deployment is, by definition, an unattested agent.
Security tools that install inside the agent process or run as an agent plugin. The security layer and the agent share a trust boundary. If the agent is compromised by prompt injection, the security layer running in the same process is compromised too. Self-attestation is not attestation.
This is the question a CISO asks in a board meeting. Not "do we have AI security?" but "can we independently prove what our AI agents did and why?"
If the answer relies on the agent's own logs, the agent's own telemetry, or a security tool running inside the agent's process — you can't prove it.
Behavry operates as an inline authorization layer — the architecturally independent witness that sits on the execution path, not downstream of it.
Every agent receives a unique, cryptographically verifiable identity with short-lived JWT RS256 credentials. No shared API keys. Every action attributed to a specific agent instance and the human who delegated it. Identity is issued by Behavry — not self-claimed by the agent.
Every tool call passes through input scanning and OPA policy evaluation before execution. The decision happens before the action — not after. If an agent is compromised, the compromised action is denied at the authorizer. The agent never reaches the target.
A causal chain-of-custody artifact: every action linked by parent event ID, causal depth, workflow session, and delegation chain. SHA-256 hash-chained. Immutable. Produced by Behavry from its inline position — the agent cannot modify, omit, or fabricate entries. This is the proof your auditor holds.
Rolling per-agent baselines detect when behavior diverges from established patterns. Cross-session memory catches trust reset attacks. The behavioral record is maintained by the authorization layer, not the agent — so behavioral drift is detected even if the agent tries to mask it.
The Behavry Risk Framework scores every agent across six dimensions at registration and continuously at runtime. The composite score drives policy tier, token lifetime, and escalation behavior.
What systems and data can this agent reach? Read-only non-sensitive vs. read-write access to PII, financial records, or privileged systems.
What operations can it perform? Information retrieval vs. ability to create, delete, modify IAM, or trigger deployments.
How independently does it operate? Human-in-the-loop per action vs. fully autonomous with no human supervision.
How much review is applied? Every action reviewed by a human vs. minimal or no review of agent decisions.
How consistent are its objectives? Constrained, well-defined goals vs. broad goal scope with potential for behavioral drift.
How well can we see what it's doing? 1,000+ behavioral samples with full logging vs. new agent with fewer than 10 samples — behavior unknown.
The BRF Observability dimension is directly tied to attestation: a well-observed agent with deep behavioral baselines and inline authorization has high observability. An unattested agent — by definition — has low observability, regardless of how many downstream monitoring tools are watching.
No. Better logging from the agent is still the agent reporting on itself. The Attestation Separation Principle says the witness must be architecturally independent of the entity being witnessed. Agent-generated logs can be incomplete (the agent doesn't log what it doesn't decide to log), compromised (if the agent is compromised, its logs are too), or misleading (the agent may hallucinate its own reasoning chain). Attestation requires an independent observer on the execution path.
Observability platforms are invaluable for infrastructure monitoring. But they sit downstream of the agent — they see what the agent emits. They cannot enforce policy before execution. They cannot produce a causal chain of custody for multi-agent workflows. They cannot block a compromised agent from acting. Observation is not attestation.
No, and they shouldn't. If Anthropic governed Claude Code's enterprise behavior, or if OpenAI governed ChatGPT's tool calls, the agent vendor would be both actor and auditor. That violates the attestation principle directly. Authorization of agent behavior must be independent of the agent vendor — the same way financial audits are independent of the company being audited.
Unauthenticated means no verified identity. Unattested means no independent witness to behavior. An agent can be fully authenticated — it has a valid API key, it's authorized through Okta, it passes every identity check — and still be unattested, because no independent entity authorizes what it does with that authenticated access. Authentication is necessary but not sufficient. Attestation is the next layer.
Every Decision Trace record is SHA-256 hash-chained. Paste a hash below to confirm it exists in the immutable evidence chain.
Your auditor can verify any record without logging into Behavry.
Every agent action authorized. Every decision traced. Every audit trail produced by an independent witness on the execution path — not by the agent itself.