An agent's potential impact changes dynamically at runtime based on context. The same agent with the same configuration connected to different systems has radically different blast radii.
The blast radius of an agent is the scope of systems, data, and operations it can affect if it fails or behaves unexpectedly. For traditional systems, blast radius is largely static: a batch job that writes to a specific table has a bounded scope. For agents, blast radius is dynamic and context-dependent. An agent that is designed to "read customer data and generate reports" has one blast radius if it is connected to a read-only data warehouse, a different (larger) blast radius if it is connected to a read-write transactional database, and a much larger blast radius if it is connected to a core banking platform with connectivity to payment systems.
The risk emerges because blast radius is determined at runtime by the set of connected systems, data volumes, and downstream system dependencies, not at design time by the agent's code or configuration. An agent deployed in testing may have a blast radius of thousands of customer records. The same agent deployed in production may have a blast radius of millions. More problematically, the same agent connected to different subsystems over time (e.g., first used with a legacy system, later used with a new system) experiences blast radius expansion without any change to the agent's code or explicit authorization.
This is distinctly agentic because agents are decision-making systems that adapt to their environment. A traditional system with hard-coded dependencies has a static blast radius. An agent that discovers available systems (e.g., via service discovery) and adapts its reasoning to include them has an emergent blast radius that was never explicitly modeled or approved.
A capital markets firm deploys a risk assessment agent to analyze market volatility and portfolio concentration risk. The agent is initially connected to the firm's market data API and internal portfolio database. The blast radius is defined as "can read market data for up to 50,000 portfolios" and "can query portfolio data for up to 10,000 customers." The agent is approved and deployed.
Six months later, the firm migrates to a new data platform with better APIs. The IT team, as part of the migration, connects the same agent to the new platform to reduce the need for recertification. The new platform has a different architecture: instead of a separate market data API and portfolio database, it has a unified data lakehouse that also includes trade execution logs, client communications, and wire transfer instructions for operational purposes.
The agent, which was originally designed to query market data and portfolio records, now has access to all of this additional data. Its blast radius has implicitly expanded from "50,000 portfolios of read-only data" to "millions of records across trade, communications, and operational systems." No one explicitly authorized this expansion. The agent's code has not changed. But its potential impact has grown by orders of magnitude.
One week into the new platform deployment, the agent is asked to analyze unusual market movements in technology stocks. During its analysis, it discovers that some of the firm's client communications contain information about pending M&A deals (confidential information that should be segregated from the agent's view). The agent includes snippets of these communications in its analysis report, citing them as evidence of unusual positioning. A junior analyst reads the report and forwards it to a trading desk colleague. The colleague uses the information to position for a potential deal announcement.
The firm's compliance department discovers this when a regulator questions the timing of a trade. The post-incident review reveals that the agent's blast radius expanded when it was connected to the new platform, and that no one enforced data access controls to prevent the agent from querying client communications. Under the SEC's market access rule and Dodd-Frank Section 21(j), this is a potential insider trading violation and a market surveillance control failure.
| Dimension | Score | Rationale |
|---|---|---|
| D - Detectability | 4 | Blast radius expansion is typically invisible until an incident triggers post-hoc analysis of what systems were accessible. |
| A - Autonomy Sensitivity | 5 | Agent operates independently and adapts to available systems without human review of scope expansion. |
| M - Multiplicative Potential | 5 | Impact grows with system connectivity and data volume. Each new connected system multiplies potential harm. |
| A - Attack Surface | 5 | System migration, API evolution, and data platform changes all create blast radius expansion vectors. |
| G - Governance Gap | 5 | No framework (NIST, OWASP, EU AI Act) requires continuous blast radius assessment as systems and connections evolve. |
| E - Enterprise Impact | 4 | Market surveillance control failure, potential insider trading liability, regulatory enforcement, potential delisting action. |
| Composite DAMAGE Score | 4.2 | Critical. Requires immediate architectural controls. Cannot be accepted. |
How severity changes across the agent architecture spectrum.
| Agent Type | Impact | How This Risk Manifests |
|---|---|---|
| Digital Assistant | Low | Human reviews all results before system access. Blast radius is naturally limited by human scope awareness. |
| Digital Apprentice | Medium | Apprentice operates with defined scope. Apprentice-level governance requires periodic blast radius review. |
| Autonomous Agent | Critical | Agent adapts to available systems. Blast radius expands dynamically without human awareness or approval. |
| Delegating Agent | Critical | Agent invokes tools discovered at runtime. Each new tool integration expands blast radius implicitly. |
| Agent Crew / Pipeline | Critical | Multiple agents in sequence each access different systems. Combined blast radius is not explicitly modeled. |
| Agent Mesh / Swarm | Critical | Peer-to-peer agent delegation with no central registry. Blast radius accumulates across entire mesh without visibility. |
| Framework | Coverage | Citation | What It Addresses | What It Misses |
|---|---|---|---|---|
| NIST AI RMF 1.0 | Partial | GOVERN.3, MAP.2 | Recommends access control review and threat modeling. | Does not require continuous blast radius assessment as systems evolve. |
| SEC Market Access Rule | Addressed | 17 CFR 240.15c2-1 | Requires market surveillance and access controls for systems that could affect market integrity. | Does not anticipate agent-mediated access or dynamic blast radius. |
| OWASP Agentic Top 10 | Partial | A01:2024 Excessive Agency | Addresses over-delegation and uncontrolled tool access. | Focuses on intentional misuse, not emergent system connectivity. |
| SR 11-7 / MRM | Addressed | Enterprise-wide access controls (Section 3) | Expects segregation of duties and clear system boundaries. | Does not account for dynamic blast radius expansion. |
| GLBA | Partial | 16 CFR Part 314 (Safeguards Rule) | Requires access controls and systems monitoring. | Does not address blast radius as a security parameter. |
| Dodd-Frank Section 21(j) | Addressed | 15 U.S.C. 78u(j) | Requires market surveillance controls and access logging. | Does not anticipate agent-mediated access to market-sensitive data. |
Regulators in capital markets expect firms to maintain clear boundaries between systems and to enforce access controls that prevent unauthorized data exposure. Market surveillance systems, for example, are designed with specific data access policies to prevent conflicts of interest: traders should not have access to market surveillance data, compliance teams should not have access to proprietary trading algorithms, and algorithms should not have access to client communications.
When a firm deploys an agent that dynamically adapts to available systems, it implicitly removes these boundaries. The agent becomes a cross-system query engine that can reach any data it can technically access. If blast radius expands (through migration, API changes, or system integration), no one explicitly authorizes the expansion, and the agent begins operating in an environment far beyond what was originally approved.
Under SEC Rule 15c2-1 (market access), the SEC holds firms liable for market surveillance control failures. Under SR 11-7, banking regulators expect clear justification for why any system has access to any other system. Blast radius expansion, if it enables unauthorized data access or creates control gaps, is a violation of both frameworks.
Blast Radius Expansion requires continuous monitoring controls that track system connectivity and flag unauthorized scope changes. Our advisory engagements are purpose-built for banks, insurers, and financial institutions subject to prudential oversight.
Schedule a Briefing