Foundational conditions present at deployment are overtaken by events. System migration, regulatory update, vendor change, org restructure. Agent premises are invalid.
When an agent is deployed, it operates under a set of assumptions about the environment: what systems are available, what regulations apply, what the organization's structure is, what vendors are in use. These assumptions are embedded in the agent's training, prompts, and operational design.
However, organizational environments change. Systems migrate, regulations are updated, vendors are replaced, organizations are restructured. When foundational assumptions become obsolete, the agent continues to operate from outdated assumptions until someone explicitly recognizes the change and updates the agent.
This is fundamentally agentic because agents are designed to operate continuously without human re-authorization. A human would naturally notice when the environment changes and would adjust their approach. An agent, unless explicitly designed to detect changes, will continue operating from obsolete assumptions.
A bank deploys an agent to route financial reports to compliance systems. The agent's routing logic is based on the bank's current system architecture: regulatory reports go to System A, audit reports go to System B, audit trail data goes to System C.
Six months after deployment, the bank undergoes a major system migration: Systems B and C are consolidated into a new unified audit system (System B+). The agent's routing logic is not updated. The agent continues to send audit reports and audit trail data to the old System C address, which is no longer receiving data. The data is lost or delayed.
Three months after the migration, during a regulatory examination, the regulator asks for audit trail data. The bank cannot immediately produce it because the agent has been routing it to a deprecated system. The audit trail data exists but is not being collected in the current system.
The regulator views this as a control failure: "You underwent a system migration but did not update your data routing logic. You have lost visibility into your audit trail." The bank must conduct a data recovery investigation and implement corrective actions.
More problematically, if the agent was routing compliance-critical data, the loss or delay of this data could constitute a regulatory violation.
| Dimension | Score | Rationale |
|---|---|---|
| D - Detectability | 3 | Assumption obsolescence is invisible until it causes failures. |
| A - Autonomy Sensitivity | 4 | Agent operates from obsolete assumptions autonomously. |
| M - Multiplicative Potential | 4 | Impact depends on which assumptions become obsolete and how critical they are. |
| A - Attack Surface | 5 | System migration, regulatory change, vendor change, org restructure are vectors. |
| G - Governance Gap | 5 | No standard framework requires continuous validation of agent operating assumptions. |
| E - Enterprise Impact | 3 | Operational failures, control deficiencies, regulatory findings, data loss/delays. |
| Composite DAMAGE Score | 3.6 | High. Requires targeted controls and monitoring. Should not be accepted without mitigation. |
How severity changes across the agent architecture spectrum.
| Agent Type | Impact | How This Risk Manifests |
|---|---|---|
| Digital Assistant | Low | Human makes routing decisions and naturally adjusts after system migration. |
| Digital Apprentice | Medium | Apprentice governance requires re-certification after major system changes. |
| Autonomous Agent | High | Agent continues operating from obsolete assumptions. |
| Delegating Agent | High | Agent invokes tools based on obsolete system architecture. |
| Agent Crew / Pipeline | Critical | Multiple agents in sequence operate from obsolete assumptions. |
| Agent Mesh / Swarm | Critical | Agents coordinate based on obsolete environment model. |
| Framework | Coverage | Citation | What It Addresses | What It Misses |
|---|---|---|---|---|
| SR 11-7 / MRM | Addressed | Change Management (Section 2) | Expects organizations to manage system changes and validate models after changes. | Does not specifically address agent-based system changes. |
| NIST CSF 2.0 | Partial | GV.OC-2 | Recommends tracking external regulatory and system changes. | Does not address agent update requirements. |
System migrations, regulatory updates, and organizational restructures are common in regulated industries. When agents operate from assumptions that become obsolete due to these changes, they can fail silently, routing data to deprecated systems, applying outdated regulatory rules, or trying to access vendors who are no longer in use.
Under SR 11-7, organizations are expected to manage changes and to validate that models and systems continue to operate correctly after changes. Agents that fail due to obsolete assumptions represent a change management failure.
Assumption Obsolescence requires change management controls purpose-built for autonomous agents. Our advisory engagements are designed for banks, insurers, and financial institutions subject to prudential oversight.
Schedule a Briefing