133 risks. 15 categories. Scored on the DAMAGE framework. Mapped to 13 regulatory frameworks. Purpose-built for banks, insurers, and financial institutions subject to prudential oversight.
Every risk is assessed on six dimensions calibrated for highly regulated industries, where the baseline consequence of agent failure includes examination findings, enforcement actions, and capital impacts. The composite DAMAGE score is the average of all six dimensions, each scored 1 to 5.
How difficult is this risk to detect before harm occurs?
Does this risk worsen as agent autonomy increases?
Does this risk compound with other risks or across agents?
How exposed is this risk to adversarial exploitation?
How well do current frameworks address this risk?
What is the maximum blast radius if materialized?
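The six dimensions above roll up into a simple average. A minimal sketch of that scoring, assuming illustrative dimension names (these are not Corvair's actual identifiers):

```python
# Illustrative sketch of the composite DAMAGE score: the average of six
# dimensions, each rated 1 to 5. Dimension names are assumptions for
# this example, not the catalog's actual field names.

DIMENSIONS = (
    "detectability",            # how hard to detect before harm occurs
    "autonomy_sensitivity",     # worsens as agent autonomy increases
    "multi_agent_compounding",  # compounds with other risks or agents
    "adversarial_exposure",     # exposure to adversarial exploitation
    "governance_gap",           # how poorly current frameworks cover it
    "extent",                   # maximum blast radius if materialized
)

def damage_score(ratings: dict[str, int]) -> float:
    """Average of all six dimensions, each scored 1 to 5."""
    for name in DIMENSIONS:
        if not 1 <= ratings[name] <= 5:
            raise ValueError(f"{name} must be scored 1 to 5")
    return sum(ratings[d] for d in DIMENSIONS) / len(DIMENSIONS)

score = damage_score({
    "detectability": 4,
    "autonomy_sensitivity": 5,
    "multi_agent_compounding": 3,
    "adversarial_exposure": 2,
    "governance_gap": 4,
    "extent": 3,
})
# score == 3.5
```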
Not sure which risks apply to your deployment? Ask in plain language and get a direct answer synthesized from all 133 risks in the catalog, including scenarios, controls, and regulatory mappings.
AI-Powered Q&A

Ask in plain language. Get answers grounded in the full risk catalog, not just a list of links.
Agent's effective permissions are the dynamic, emergent sum of its own entitlements, delegated authority, tool access, and operational context.
High-privilege user invokes low-privilege agent, which inherits the user's access level. The agent's effective authority exceeds its design-time configuration.
An agent's potential impact changes dynamically at runtime based on context. The same agent connected to different systems has radically different blast radii.
In recursive delegation chains, authority constraints degrade at each hop. $5K approval authority becomes $50K through local-only policy checks.
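The drift described above can be sketched as a policy check that validates each hop only against its local limit, never against the originator's ceiling. This is a hypothetical illustration of the flaw, not a real policy engine:

```python
# Hypothetical sketch of authority drift in a recursive delegation chain.
# A local-only check validates each request against the immediate limit;
# nothing enforces the originator's $5K ceiling across hops.

ORIGINATOR_LIMIT = 5_000  # authority granted at the top of the chain

def local_check(amount: int, local_limit: int) -> bool:
    """Each hop checks only its own limit -- the flaw described above."""
    return amount <= local_limit

def chain_check(amount: int, spent_so_far: int) -> bool:
    """A chain-aware check would enforce the cumulative ceiling."""
    return spent_so_far + amount <= ORIGINATOR_LIMIT

approved_locally = 0
approved_chainwise = 0
for _ in range(10):                       # ten delegated sub-tasks
    request = 5_000
    if local_check(request, local_limit=5_000):
        approved_locally += request       # every hop passes its local check
    if chain_check(request, spent_so_far=approved_chainwise):
        approved_chainwise += request     # blocked once the ceiling is hit

# Local-only checks approve $50,000 against a $5,000 grant;
# the chain-aware check stops at $5,000.
```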
Agents retain permissions granted for previous tasks that were never revoked. Standing privileges exceed current operational need.
Agent connects to an API or tool that grants broader access than intended. Database read permission becomes write permission through the tool's own privilege model.
Excess authority granted beyond what is strictly necessary for the agent's mission. Every standing permission that is not actively required creates unnecessary blast radius.
Agent operates in an environment whose ambient permissions exceed the agent's intended access scope.
Agent verified in one platform is anonymous in another. Audit trails break at system boundaries. Governance cannot track agent actions across platforms.
When an agent delegates to another agent, the original authority constraints and governance intent are not propagated. Receiving agent has no verifiable record of delegated scope.
Agent generates plausible but fabricated facts in a context where downstream systems or humans treat the output as ground truth.
Small errors accumulate across a multi-step reasoning chain. Each step appears locally valid but the cumulative reasoning is wrong.
Agent treats a non-negotiable constraint (compliance, safety) as a tradeable parameter, weighting it against cost or speed rather than enforcing it as a hard boundary.
Agent blends all evaluative considerations in a single generation pass rather than separating boundary constraints from trade-off parameters.
Agent produces explanation of its decision after the fact rather than reasoning through an observable, inspectable process.
Agent reasons from a correlation that was historically valid but no longer holds. The causal model has changed but the agent cannot detect this.
Agent operates with insufficient context: processes only what fits in the current window, forgets previous interactions, lacks organizational memory.
Agent expands the scope of its analysis beyond its assigned task, consuming irrelevant data or making recommendations outside its competence.
Agent reports high statistical confidence in a conclusion built on invalid premises. Confidence score does not reflect premise integrity.
Same agent with same inputs produces different reasoning paths and different conclusions on successive runs. Reasoning cannot be reproduced for audit.
Agent cannot incrementally refine a prior analysis when new information arrives. Every new input triggers a full regeneration with no structural continuity.
Agent constructs an internal representation of how the institution operates that reflects a generic financial institution from training data rather than this specific institution.
Agent reasoning discovers and exploits proxy variables that correlate with protected characteristics, producing discriminatory outcomes without referencing a protected class directly.
Context was accurate at retrieval but has since decayed. Customer profile from 9 AM is stale by 1 PM. Market data from 15 minutes ago misses a flash event.
Assumed causal relationships between variables have shifted. Historical correlations no longer hold but agent keeps reasoning from them.
Foundational conditions present at deployment are overtaken by events. System migration, regulatory update, vendor change. Agent premises are invalid.
Agent treats all documents with equal temporal weight. Cannot distinguish between current policy and superseded version.
Agent treats all premises as equally important. Does not recognize that certain load-bearing assumptions, if stale, invalidate entire branches of reasoning.
No mechanism exists to declare how long a piece of data remains reliable. Premises have no expiration date. Stale data is consumed indefinitely.
Agent operates on regulatory thresholds that changed months ago. Compliance calculations use outdated limits because no update mechanism triggers re-evaluation.
The logical chain connecting premises to conclusion was valid when constructed but environmental changes have made intermediate steps invalid. Structurally intact but factually wrong.
In multi-step agent workflows, errors compound exponentially. 99% accuracy per step yields 36.6% success at 100 steps. No individual agent is "wrong" but the system fails.
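The arithmetic behind that claim is direct to verify: per-step accuracy compounds multiplicatively, so end-to-end success is the per-step rate raised to the number of steps.

```python
# Per-step accuracy compounds multiplicatively across a workflow:
# at 99% accuracy per step, a 100-step chain succeeds only ~36.6%
# of the time, even though no individual step looks "wrong".
per_step = 0.99
steps = 100
end_to_end = per_step ** steps
print(f"{end_to_end:.3f}")  # ~0.366
```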
Two or more agents with conflicting optimization targets reach a state where neither can proceed without violating the other's constraints.
When one agent delegates to another, critical context is lost. Receiving agent operates with incomplete picture. Each hop strips metadata, constraints, and original intent.
Multiple agents produce system-level behavior that no individual agent was designed to produce. Emergent failure mode unpredictable from individual agent analysis.
Agent cannot navigate organizational structure. Cannot follow work across team boundaries, find the right escalation path, or route to the correct process.
Deploying agents does not eliminate coordination overhead. It shifts from human-to-human to human-to-agent coordination. Total overhead may increase.
Agents competing for shared resources or optimizing conflicting metrics create adversarial dynamics that degrade system performance.
Multiple agents produce divergent outputs for the same input. No consensus mechanism exists. System cannot determine which output is correct.
One agent corrupts shared context or memory that other agents depend on. Poison propagates laterally through the agent ecosystem.
Upstream agent's low process sigma degrades downstream agent's effective sigma. Quality ceiling cascades through the agent chain.
Manipulated or spoofed Agent Card causes other agents to delegate tasks to an imposter, send sensitive data to an unauthorized endpoint, or trust capabilities that do not exist.
A compromised or malicious MCP server can inject adversarial content through resources, expose tools that perform unintended operations, or serve as a data exfiltration channel.
Agent autonomously discovers and installs a skill, expanding its own capability set without human approval. Skill installation bypasses change management controls.
Agent-to-agent delegation across organizational boundaries creates dynamic third-party relationships that TPRM does not cover because no contract event triggers assessment.
Agents within the same institution may use different protocol versions, creating silent interoperability failures with semantic errors, not structural ones.
An adversary who can publish to an event stream can trigger agent actions at will. Event infrastructure was designed for stateless consumers, not autonomous actors.
Agent's effective capability set grows beyond what was registered, tested, or approved. Runtime capabilities diverge from registered capabilities without any governance event.
Agents communicating through human channels can be indistinguishable from human participants. No institutional policy requires agents to identify themselves.
Skills designed independently can interact in unintended ways when composed. Each skill in isolation was safe. The composition creates emergent risk.
Adversaries embed instructions in data the agent processes. Existing input validation cannot distinguish adversarial instructions from legitimate content.
An adversary can impersonate a legitimate agent in inter-agent communication, inheriting the impersonated agent's trust relationships and permissions.
A compromised agent can reach systems that network controls would otherwise isolate, because agent tool connections constitute authorized cross-boundary communication.
Agents can exfiltrate data through tool invocations that DLP does not monitor. The agent transforms data before exfiltration, defeating pattern-based detection.
Adversaries can corrupt agent persistent memory through crafted interactions, influencing all future agent decisions without triggering any security alert.
Credentials may persist in the agent's context window, appear in logs, be transmitted to downstream agents, or be exposed through tool invocations.
An agent that interacts with users through natural language can be manipulated to deliver social engineering attacks. Users trust agent outputs differently than emails.
A compromised third-party component is inherited by every agent that invokes it. Supply chain controls validate components at deployment, not at runtime invocation.
Agents with code execution capabilities can test sandbox boundaries. A successful escape grants access to host resources, adjacent containers, or the orchestration layer.
Each tool, API, and data source connected to an agent creates a new attack surface that may not be inventoried. The attack surface changes at runtime.
Agent can initiate a transaction, lose context mid-process, and fail to complete, rollback, or confirm. Resulting state is invisible to transaction monitoring.
Agent can advance a case past a required approval step, create parallel branches, or leave workflow instances in states that have no defined transition.
Agents operating with delegated authority can submit requests and satisfy approval requirements using the same authority. The approval chain is functionally collapsed.
Agents can create recursive loops. Each invocation appears as a legitimate, independent request. The loop consumes compute until infrastructure fails.
When an external API degrades subtly, the agent continues operating on degraded inputs. Circuit breakers trip on errors, not on semantic degradation.
Agent delegation paths create cascading failures through systems that have no documented dependency relationship. Blast radius exceeds DR planning.
Agents invoke tools through natural language interfaces that may expose operations the agent was never intended to use. API controls authorize connection, not specific operations.
Agents generate operational waste that existing monitoring does not measure: unnecessary data movement, excess permissions, unused capabilities, repeated failed actions.
When an agent consumes outputs from a drifted model and uses them as inputs to decisions or other models, the drift propagates and compounds beyond what monitoring anticipates.
Some agents receive the new model version while others still consume cached outputs from the old version. The same decision process uses incompatible model versions.
Agent outputs written to production data stores enter the retraining pipeline. The model learns from agent errors. Data quality checks validate format, not whether data was agent-generated.
Agents with write access to data stores that feed feature pipelines can inadvertently modify data that changes feature values consumed by downstream models.
Agents generate query patterns that differ from human users: burst queries, recursive calls, parallel invocations. These patterns can overwhelm inference infrastructure.
Agents consume model outputs as inputs and treat them with the same confidence as system-of-record data. The model's confidence intervals evaporate in the agent's prose.
Agents are not models by SR 11-7 definition, but they create compound model risk that falls outside MRM scope. The compound risk is unowned.
Quality of input data constrains maximum achievable agent quality. Raw enterprise data at 3.5 sigma caps everything built on it.
Agent's output repeatability falls below acceptable threshold without detection. Same inputs produce different outputs with increasing frequency.
When agents operate in sequence, each introduces execution uncertainty. Compounding is multiplicative. Agent chain quality can be far lower than any individual agent's quality.
No sigma-level quality measurement exists for the agentic process. Organization cannot quantify whether the agent is operating at 2 sigma or 4 sigma.
Agent passes standard performance benchmarks while operating on stale premises or with degraded reasoning. Metrics are green but outputs are wrong.
Organization constrains agent autonomy to compensate for low quality, eliminating the value of agentic AI. Produces expensive chatbots rather than governed agents.
Operational cost of out-of-policy actions, runtime errors, and mission failures accumulates without systematic measurement or root cause analysis.
Decision traverses multiple agents. No single agent "made" the decision. Responsibility cannot be assigned. Each agent contributed a fragment of reasoning.
Audit trail captures actions (what the agent did) but not reasoning (why the agent did it). Post-incident forensics cannot reconstruct the decision logic.
Regulatory requirement demands human-understandable justification for an agent-driven outcome. The agent cannot provide one. Post-hoc explanation does not match actual reasoning.
Agent actions in downstream systems cannot be traced back to the originating agent or human principal. Governance visibility ends at system boundaries.
No entity in the chain (agent, developer, deployer, user) accepts responsibility for agent-driven outcomes. Accountability is structurally undefined.
No durable record exists of the evaluative criteria, evidence weighed, trade-offs considered, and boundaries enforced for a given decision.
Organization has policies and audit processes for agents but they are not enforced at runtime. Compliance is checked periodically rather than continuously.
Organization automates existing workflows without restructuring for agent-native operations. AI reduces cost of creation but increases cost of coherence.
Coordination overhead evaporates faster than governance can adapt. Informal coordination mechanisms disappear before formal replacements exist.
Institutional expertise remains undocumented and unavailable to agents. Critical judgment lives in people's heads. Agents cannot access contextual knowledge.
Technology vendor applies the "agent" label to an existing product without building genuine agent capabilities. Organization believes it has deployed agents when it has deployed automation.
Agents span multiple enterprise platforms. Policies defined in one system are not enforced in another. No federated governance layer exists.
Agent adoption eliminates roles faster than workforce can reskill. Institutional knowledge exits with departing employees. Remaining workforce cannot oversee agents effectively.
Organization becomes dependent on specific agent implementations. Switching costs escalate. Agent becomes critical infrastructure without governance maturity to match.
Agents have no model of organizational structure. Cannot route work through informal channels, find escalation paths, or follow issues across team boundaries.
Organization grants agent autonomy levels that the agent's demonstrated competence does not justify. Agents arrive with capabilities but no track record.
Regulatory frameworks designed for traditional AI do not address agentic-specific risks. Compliance with existing frameworks creates false assurance.
Agent operates across jurisdictions with conflicting AI regulations. Compliance in one jurisdiction creates violation in another.
Regulation requires upfront risk assessment but agentic systems evolve at runtime. Static assessment at deployment cannot capture runtime behavior changes.
Agent autonomously selects which tools to use. No regulatory framework defines which entity is accountable for tool-mediated outcomes.
Organization demonstrates regulatory compliance through documentation and periodic audits while actual agent behavior is ungoverned at runtime. Form without substance.
Regulation changes but agent continues operating under prior rules. No mechanism triggers re-evaluation of agent behavior when regulatory requirements change.
Organization applies model risk management framework to agents without recognizing that agentic risks are categorically different from model risks.
Agent reasoning is not a structured transformation. BCBS 239 lineage controls have nothing to trace when data passes through generative reasoning.
Agent reasoning combines data from multiple classification tiers in a single generative pass. Classification propagation fails silently inside the reasoning process.
Agent outputs written to operational data stores blur the boundary between authoritative source data and derived analytics. Future consumers cannot distinguish the two.
Agent consumes data with known quality defects and produces outputs that appear authoritative. The agent launders data quality defects through the appearance of reasoning.
Agents replicate data to tool workspaces, vector databases, context caches, and intermediate stores. Each replica is outside the data management perimeter.
Agent consumption does not fail on schema changes. It silently misinterprets the new structure because data is consumed through loosely typed interfaces.
Agent-derived data enters operational workflows without metadata distinguishing it from system-of-record data. Existing ownership models cannot assign accountability.
The agent's context window holds customer PII, financial records, and proprietary data simultaneously. This store is not governed by data-at-rest policies.
When an agent processes data via a model in a non-compliant jurisdiction, no data transfer event occurs. Data sovereignty controls are blind to processing-jurisdiction violations.
Synthetic data produced by agents enters data stores, loses provenance markers, and becomes structurally identical to system-of-record data.
Agent purpose is determined by the prompt, not the application architecture. Consent scope erodes incrementally through use, not through a discrete change.
GDPR right to erasure conflicts with AML retention requirements. Agents operate across jurisdictions in a single reasoning pass with no conflict detection mechanism.
Agent reasoning can reconstruct identity from non-PII inputs by combining multiple anonymized data points. The institution processes personal data it never explicitly collected.
When an agent's prompts and data connections change, no purpose limitation control fires because the application has not changed. Only the agent's behavior has changed.
Agent reasoning is ephemeral. The institution cannot produce the record of data usage that regulation requires because the processing architecture does not generate it.
When an agent produces a recommendation and a human "approves" without substantive review, the decision is de facto automated but formally human-approved.
Agents dynamically invoke tools that process personal data, creating processor relationships the institution's static processor register does not cover.
Agents maximize reasoning quality by ingesting all available data into the context window. The entire customer record enters regardless of whether the current task requires it.
Model providers update production models without advance notice. The agent's behavior changes without any change to the agent, its prompts, or its tools.
Most agentic deployments depend on a single model provider. If the provider experiences an outage or discontinues the model, all agents fail simultaneously.
Models inherit biases from training data. The institution cannot access, audit, or remediate biases in a model it does not own.
When inputs exceed the context window, content is truncated silently. Critical constraints defined early may be pushed out by subsequent content.
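A minimal sketch of how that failure arises, assuming a naive context assembler that keeps only the most recent content that fits (the window size and token counting here are toy simplifications):

```python
# Hypothetical sketch of silent context truncation: a naive assembler
# keeps the newest messages that fit the window, so a constraint stated
# first is the first thing to disappear -- with no error raised.

MAX_TOKENS = 20  # toy window size; real windows are far larger

def fit_to_window(messages: list[str]) -> list[str]:
    """Keep the newest messages that fit; drop older ones silently."""
    kept, used = [], 0
    for msg in reversed(messages):     # walk from newest to oldest
        tokens = len(msg.split())      # crude stand-in for tokenization
        if used + tokens > MAX_TOKENS:
            break                      # older content is lost without warning
        kept.append(msg)
        used += tokens
    return list(reversed(kept))

history = [
    "CONSTRAINT: never execute trades above the approved limit",
    "user: summarize yesterday's positions",
    "agent: positions summarized as requested",
    "user: now rebalance the portfolio and execute the trades",
]
window = fit_to_window(history)
# The CONSTRAINT line defined first is no longer in the window.
```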
Small changes in prompt wording cause disproportionately large changes in model output. The input space is so large that exhaustive testing is impossible.
Same customer query processed by the same agent can produce different recommendations. Non-determinism undermines fair treatment obligations and audit reproduction.
LLMs perform differently across languages. An agent accurate in English may produce inferior analysis in other languages. Performance variation creates a compliance gap.
A single agent interaction that triggers a reasoning loop can consume thousands of dollars in API costs in minutes. Cost monitoring operates on billing cycles; cost runaway operates in seconds.
Agent memory stores grow through normal operation without expiration, validation, or reconciliation against sources of record. The memory grows but its accuracy decays.
Multi-step agent reasoning compounds a mild model-level bias into a severe output-level bias. Each reasoning step reinforces the pattern until the outcome is materially worse.
Corvair helps banks, insurers, and financial institutions build governance frameworks that address agentic AI risks before they materialize as examination findings or enforcement actions.
Schedule a Briefing