R-AC-03 Agent Communication & Interoperability DAMAGE 3.8 / High

Dynamic Skill/Plugin Acquisition

Agent discovers and installs skills from registries at runtime, expanding capabilities without human approval and bypassing change management controls.

The Risk

Skill-based and plugin-based architectures enable agents to dynamically acquire new capabilities at runtime. An agent needing a capability (e.g., email sending) can search a registry, find a matching skill, and install it without human intervention. This makes agents more flexible and speeds up capability expansion.

However, dynamic acquisition bypasses traditional change management. When a human developer commits code, the code is reviewed and tested before deployment. When an agent acquires a skill at runtime, the skill is not reviewed or tested before being invoked. The agent is executing untested code.

Additionally, skills may have hidden dependencies or side effects not apparent from their description. A skill labeled "email sender" might also write to a database, modify configuration, or communicate with external services. In regulated industries, this violates change management requirements that mandate code deployed in production be reviewed, tested, and approved before deployment.

How It Materializes

An insurance company deploying an agentic claims processing system gives the Claims-Agent the ability to acquire skills dynamically from an internal skill registry. A new claim type arrives: property claims for commercial structures. The Claims-Agent searches the skill registry for "commercial property adjudication" and finds a skill labeled "Commercial-Property-Claims-Handler" published by the engineering team 3 months ago.

The agent installs and invokes the skill. The skill processes the claim and returns an adjudication decision: approve $250K for fire damage. What the agent does not know is that the skill has a second-order effect: it writes claim metadata to a database used by the company's actuarial team for premium calculations. The skill was designed to do this, but the feature is not mentioned in the skill's description.

Over 3 months, the agent uses the acquired skill to process 500 commercial property claims. Each time the skill processes a claim, it writes metadata to the actuarial database. The actuarial data is corrupted because the skill's database writes are not properly formatted (a bug that was never discovered during development).

The actuarial team uses the corrupted data for premium modeling and calculates insurance premiums 15% too low. The company issues new policies at incorrect premiums, realizing a $2M loss when the true cost of claims becomes apparent. The investigation discovers that the Claims-Agent had dynamically acquired the skill 3 months ago without any change management process.

DAMAGE Score Breakdown

| Dimension | Score | Rationale |
|---|---|---|
| D - Detectability | 2 | Dynamic skill acquisition is difficult to detect because agents invoke skills without logging where skills came from. Skill side effects may not be obvious in execution traces. |
| A - Autonomy Sensitivity | 4 | High when agents have autonomy to acquire and invoke skills without approval. Human oversight reduces risk. |
| M - Multiplicative Potential | 4 | Affects every agent that acquires and invokes skills. Buggy or malicious skills are invoked repeatedly at scale. |
| A - Attack Surface | 4 | Skill registry is an attack surface. Compromised registry can inject malicious skills. |
| G - Governance Gap | 5 | Change management requirements are explicit in regulations; dynamic skill acquisition violates these requirements by design. |
| E - Enterprise Impact | 4 | Enables execution of untested code at scale. Bugs or malicious code invoked repeatedly affecting transactions. |
| Composite DAMAGE Score | 3.8 | High. Requires dedicated controls and monitoring. Should not be accepted without mitigation. |

Agent Impact Profile

How severity changes across the agent architecture spectrum.

| Agent Type | Impact | How This Risk Manifests |
|---|---|---|
| Digital Assistant | Low | Human selects skills manually before agent uses them. No dynamic acquisition. |
| Digital Apprentice | Low-Med | Agents acquire skills but require human approval before first use. |
| Autonomous Agent | High | Agents autonomously acquire and invoke skills from registry without approval. |
| Delegating Agent | High | Delegating agent dynamically acquires tools and plugins to invoke. |
| Agent Crew / Pipeline | Med-High | Crew agents may share skill registry. One agent's dynamic acquisition affects crew. |
| Agent Mesh / Swarm | Very High | Mesh agents dynamically acquire skills for peer-to-peer communication. Skill ecosystem is dynamic and difficult to control. |

Regulatory Framework Mapping

| Framework | Coverage | Citation | What It Addresses | What It Misses |
|---|---|---|---|---|
| NIST AI RMF 1.0 | Minimal | GOVERN 6.1 (Change Management) | Governance of AI systems. | Governance of dynamic capability acquisition. |
| MAS AIRG | Partial | Model Change Management | Change management for models and systems. | Dynamic skill acquisition and runtime change control. |
| OCC Guidance | Partial | Model Governance | Model governance and change control. | Skill acquisition and plugin governance. |
| ITIL Change Management | Partial | Release Management | Change control processes. | Automated and dynamic capability acquisition. |
| COBIT 5 | Partial | APO12, BAI01 | Change and release management. | Autonomous capability acquisition. |

Why This Matters in Regulated Industries

Regulations explicitly require change management for software deployed in production. The OCC, Federal Reserve, and FDIC all require institutions to have documented change control processes. Dynamic skill acquisition circumvents this requirement.

Additionally, institutions cannot audit or validate what code is running if agents are autonomously acquiring and executing untested skills. Regulators will ask: "What code is your agent running?" If the answer is "we don't know; the agent acquires skills dynamically," that is a governance failure.

Controls & Mitigations

Design-Time Controls

  • Require agents to request approval before acquiring new skills. Agents should not autonomously install skills; instead, they should escalate skill requests to human operators for approval and testing.
  • Implement skill vetting and certification. Only skills that have been reviewed, tested, and approved can be added to the skill registry.
  • Maintain an inventory of all skills available in the registry. Track skill owner, version, testing status, and dependencies.
  • Use Component 7 (Composable Reasoning) to enable agents to reason about skill composition and side effects before invoking skills.

Runtime Controls

  • Require agents to log every skill acquisition and invocation. Each log entry must include skill name, registry source, parameters, and results.
  • Implement skill sandboxing. Agents invoke skills in isolated execution environments that limit what skills can do (no network access, no database writes unless explicitly authorized).
  • Monitor skill execution for anomalies. Track skill invocation patterns and results. Flag skills that have unexpected behavior or unusual side effects.
  • Use Component 3 (JIT Authorization Broker) to validate skill invocations before allowing execution.
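
The approval, inventory and logging controls above can be combined into a single acquisition gate. The sketch below is an added example, not code from this page or from any product it describes; the inventory fields, the version numbers, the `acquire_skill` function and the package bytes are all constructed assumptions.

```python
import hashlib
import json
import time

# Constructed inventory: owner, testing status, approved package digest and
# declared side effects per skill version. All values are illustrative.
INVENTORY = {
    ("email-sender", "1.2.0"): {
        "owner": "platform-team",
        "status": "approved",
        "sha256": hashlib.sha256(b"email-sender-1.2.0-package").hexdigest(),
        "side_effects": ["smtp:send"],
    },
    ("Commercial-Property-Claims-Handler", "0.9.0"): {
        "owner": "engineering",
        "status": "untested",  # published to the registry but never certified
        "sha256": hashlib.sha256(b"claims-handler-0.9.0-package").hexdigest(),
        "side_effects": [],
    },
}

AUDIT_LOG = []  # stand-in for an append-only log sink


def acquire_skill(agent, name, version, registry, package):
    """Decide whether an agent may install a skill; log the decision either way."""
    entry = INVENTORY.get((name, version))
    digest = hashlib.sha256(package).hexdigest()
    if entry is None:
        decision, reason = "deny", "not in inventory"
    elif entry["status"] != "approved":
        # Not yet vetted: hand the request to a human instead of installing.
        decision, reason = "escalate", f"status is {entry['status']}"
    elif digest != entry["sha256"]:
        # Registry served something other than the build that was reviewed.
        decision, reason = "deny", "package digest differs from approved build"
    else:
        decision, reason = "allow", "approved and digest verified"
    AUDIT_LOG.append(json.dumps({
        "ts": time.time(), "event": "skill_acquisition", "agent": agent,
        "skill": name, "version": version, "registry": registry,
        "sha256": digest, "decision": decision, "reason": reason,
    }))
    return decision, reason
```

Pinning the approved digest in the inventory means a compromised registry cannot substitute a different package under an approved name and version, and every request, allowed or not, leaves a record of which registry it came from.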

Detection & Response

  • Conduct regular audits of the skill registry. Identify any skills that were added without the proper approval process. Disable unapproved skills.
  • Monitor for unauthorized skill side effects. If a skill invocation results in changes to databases or external systems not expected by the agent, investigate.
  • Implement logging of all skill acquisition requests (approved and denied). Review logs to ensure agents are not repeatedly requesting unapproved skills.
  • Implement incident response for compromised skill registry. If the registry is compromised, disable all dynamic skill acquisition until integrity is validated.
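
The side-effect monitoring and request-log review described above can run over the same structured log. This is an added example, not part of the original page; the log schema, the `effects` field (assumed to be recorded by the sandbox), the `bulk-exporter` skill name and the threshold are constructed assumptions.

```python
import json
from collections import Counter

# Side effects each skill is approved to have, taken from the inventory.
# Constructed values for illustration.
DECLARED = {"Commercial-Property-Claims-Handler": {"claims_db:write"}}

_INVOKE = ('{"event":"skill_invocation","agent":"Claims-Agent",'
           '"skill":"Commercial-Property-Claims-Handler","effects":%s}')
_DENIED = ('{"event":"skill_acquisition","agent":"Claims-Agent",'
           '"skill":"bulk-exporter","decision":"deny"}')

# Constructed log lines: one clean invocation, one that also writes to the
# actuarial database, and three denied requests for the same skill.
LOG_LINES = [
    _INVOKE % '["claims_db:write"]',
    _INVOKE % '["claims_db:write","actuarial_db:write"]',
] + [_DENIED] * 3


def audit(lines, declared, deny_threshold=3):
    """Return findings for undeclared side effects and repeated denied requests."""
    findings = []
    denied = Counter()
    for line in lines:
        rec = json.loads(line)
        if rec["event"] == "skill_invocation":
            # Anything observed that the inventory does not declare is a finding.
            extra = set(rec.get("effects", [])) - declared.get(rec["skill"], set())
            if extra:
                findings.append(("undeclared_side_effect", rec["skill"], sorted(extra)))
        elif rec["event"] == "skill_acquisition" and rec.get("decision") == "deny":
            denied[(rec["agent"], rec["skill"])] += 1
    for (agent, skill), count in sorted(denied.items()):
        if count >= deny_threshold:
            findings.append(("repeated_denied_request", agent, skill, count))
    return findings
```

Run against the constructed lines, the audit reports the write to `actuarial_db` on its first occurrence, which is the signal that was missing in the claims scenario.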
