A few weeks ago we audited our own production system, an autonomous AI agent fleet that runs tool-wired agents around the clock, by doing something embarrassingly simple: we drove it end-to-end, the way a user would, and asked which parts came up unconnected. The answer was roughly three dozen user-facing features (about 34; we counted, and we're not rounding) that had shipped and silently died. The command existed. The interface existed. The engine behind it had never been wired, or had quietly stopped. Each one returned a polite "nothing here" while every dashboard stayed green. Tests and static analysis had missed the class for weeks. We shipped a validated fix and a one-command regression guard, and then we sat with the more uncomfortable finding.
Nothing attacked us. Nothing crashed. Nothing alarmed. If those thirty-four silent stubs had been carrying money movements, eligibility checks, or claims intake for a real business, the result would have been a loss, a real one and possibly a large one, with no breach to report, no incident timestamp, and no adversary to name. Which security product was supposed to catch that? Which insurance policy was supposed to pay for it?
That question has a shape, and the shape is the subject of this essay. AI-agent adoption is creating a loss class that is simultaneously non-adversarial, correlated, and silent, and nearly every established risk instrument was built to miss at least one of those three properties. We didn't discover this class; over the past year, academic and industry literature has converged on naming it, and we'll cite that work below. What we can add is the part the outside view structurally can't supply: what the class looks like from inside the infrastructure, where the failures actually happen.
Non-adversarial. An agent that quietly does exactly what it was accidentally permitted to do is not a breach. There is no attacker, no exploit, no tactics-techniques-and-procedures entry. That matters because a huge share of our risk tooling (threat intelligence, incident databases, cyber underwriting models) is built from attacker data, and instruments built to see attackers systematically under-count a loss class that has none. The industry has been here before: for years, "silent cyber" losses sat inside property and liability policies that never mentioned computers, invisible to instruments that expected cyber loss to look like an intrusion.
Correlated. A portfolio of independently built AI deployments is not independent. The deployments rest on the same few foundation models, the same handful of agent frameworks, and, this is the part we can attest from the operator's side, the same recurring misconfigurations, because everyone assembles from the same tutorials and defaults. One upstream model regression is a common-mode event across thousands of systems that share no owner, no sector, and no geography. Catastrophe models decorrelate risk by physical distance; there is no distance here. Portfolio factor models decompose risk into rates, sector, credit, macro, geography; shared model infrastructure is an orthogonal factor with no column.
Silent. The dominant failure mode is not a crash. It is an action path that stops working, or an authority that quietly widens, while every dashboard stays green. Monitoring watches what is happening; it is structurally bad at noticing what stopped happening. Human-cadence controls, the quarterly audits and annual reviews and sampled file checks, assume drift is slow and scattered. Machine drift is fast and systematic: one wrong logic applied uniformly to every transaction between two review dates, looking perfectly consistent the whole time.
The class that matters is the intersection: a correlated, silent, blameless loss that arrives with no trigger event to point at. Each property alone defeats a specific instrument. Together they describe a gap that sits in the middle of the risk stack, too operational for threat intelligence, too correlated for cat thinking, too quiet for audit cadence, and too blameless for anything that needs an adversary or a negligence story to activate.
Lay the standard instruments side by side and the pattern is hard to unsee. (This table is a synthesis, not a discovery: each row is well known to its own specialists; the point is that every blind spot has the same three-property shape.)
| Instrument | Assumption it rests on | How AI-agent risk violates it | What it therefore misses |
|---|---|---|---|
| Actuarial model validation | Model structure holds between validations; validating outputs validates the tool | Non-stationary behavior; output-safe is not action-safe | A tool validated on its numbers, unsafe in its actions |
| Threat intelligence / cyber analytics | Loss has an adversary to model | This class has no attacker | The non-adversarial losses, wholesale |
| Catastrophe models | Perils are roughly independent; distance decorrelates | A shared model layer correlates the tail, with no distance | Aggregation with no peril code |
| Portfolio factor models | Risk decomposes into rates/sector/macro/credit/geography | AI-infrastructure concentration is an orthogonal common factor | A latent correlation with no column |
| Delegated-authority audit | Drift is slow and scattered; sampling catches it | Machine drift is fast and systematic | A book mis-run between reviews, looking clean |
Read down the last column: silent, under-counted, correlated, correlated, silent. Five instruments, five specialist communities, one shared shape of blindness.
If this thesis were ours alone, you should discount it. It isn't, and the corroboration is recent, specific, and citable. On the academic side, Leung, Zhang, Ling, Toyoda and Loh published "The Insurability Frontier of AI Risk" (arXiv:2605.18784, May 2026), which codes 55 AI threat classes against 26 insurance products and sorts every threat into a four-tier frontier: affirmatively insured, silent-AI exposure, actively excluded, or outside private insurance altogether. Note the middle tier's name; the "silent" vocabulary is now standard. And on concentration, their conclusion is worth quoting exactly: foundation-model concentration is "the clearest genuinely novel insurability frontier because upstream model failure can correlate losses across many cedents at once."
On the industry side, Gallagher Re, a top-three reinsurance broker, published "Smart Systems, Blind Spots: Rethinking Insurance for the AI Era" in March 2026, in partnership with MIT and Testudo. Its accumulation argument, paraphrased: the AI ecosystem's reliance on a small number of foundation-model providers means a critical flaw in one widely adopted model could trigger claims across thousands of unrelated policyholders at once, propagating across industries and jurisdictions, and unlike a hurricane or an earthquake, there is no geographic or sectoral boundary to decorrelate the loss. The same report describes a widening protection gap: hallucination, algorithmic discrimination, model drift, and supply-chain compromise generate liabilities through mechanisms that existing cyber, E&O, product-liability, and general-liability wordings were never designed to address.
On the technical side, the action-layer evidence hardened this year. Cartagena and Teixeira's "Mind the GAP" (arXiv:2602.16943, February 2026) tested six frontier models across six regulated domains, 17,420 datapoints, and documented 219 cases in which a model refused in text while its tool call executed the forbidden action anyway, a divergence that persisted under safety-reinforced prompts, with tool-call safety swinging 21 to 57 percentage points on prompt wording alone. That is the mechanism underneath everything above: the safety you can see (the model's words) does not transfer to the layer that does things (the model's actions). Output-safe is not action-safe, now with a measurement.
And the market has started the same move it eventually made on cyber. At least one cyber carrier has begun affirmatively naming the exposure: Coalition's Affirmative AI Endorsement expands "security failure" to include AI-security events and extends its funds-transfer-fraud trigger to deepfake-transmitted instructions, with a Deepfake Response Endorsement following (product details as reported; confirm before relying on the specifics). Affirmative naming is how silent exposure becomes priced exposure. It is the very beginning of the affirm-or-exclude arc that Lloyd's Market Bulletin Y5258 imposed on cyber in July 2019, after roughly fifteen years of silence and one catastrophe.
So the risk is being named, taxonomized, and, slowly, endorsed. What is not yet in that literature is the inside account. Insurers price the class; academics map it. Neither operates an autonomous agent fleet. We do.
Strip away the theory and our incidents come down to two dull recipes. Not exotic jailbreaks, not adversarial prompts, these two:
Scope creep. An agent ends up holding more authority than anyone remembers granting. Permissions accrete the way they always have in software (a temporary grant for a migration, a debugging convenience, an integration that needed "just one more" capability) except an agent uses its whole envelope, continuously, at machine speed. In our experience this is the single most common root of the incidents that matter. The academic action-layer result predicts it; we live it. Nobody attacks anything. The system simply does what it is permitted to do, and what it is permitted to do has drifted far from what anyone believes it is permitted to do.
Silent failure. The second recipe is the one our thirty-four dead features embody: an action path that stops working with no alarm, because "completed, with nothing to report" and "broken" are indistinguishable from the outside. A verification step that stopped firing. A parser matched to a format that changed upstream, now returning zero forever, and zero looks like a quiet day. The queue keeps moving. That is the camouflage.
Both recipes leave evidence, and this is where the operator's seat earns its keep. The emerging claims-side framing, that proving an AI loss means reconstructing whether the system stayed inside its permitted operating envelope, matches exactly what we find useful internally: the authority configuration as of the incident, the action trace, who approved the scope and when it last widened, and when someone last exercised the system end-to-end instead of trusting the dashboards. If an operator cannot produce that envelope, the absence is itself the finding. Dashboards cannot supply it, because dashboards report activity, and this class lives in the gap between activity and intent.
Which points at the audit that actually catches it: not more monitoring, but exercise. Enumerate every user-facing path, drive one real transaction down each on a cadence, and alarm on the "completed with nothing" signature. Ours is about sixty lines and runs on one command. It is the least sophisticated tool we operate and it has caught what the sophisticated ones missed, because it inspects the only surface this loss class shows itself on: the difference between what the system claims and what it does.
Here is the honest version of the historical rhyme. Silent cyber did not get priced because the industry saw it coming. It stayed a category gap for about fifteen years, until NotPetya (2017) turned it into a multi-billion-dollar bill (Merck's property claim alone ran to roughly $1.4 billion) and Lloyd's responded by forcing every policy to affirm or exclude cyber, explicitly. The lesson is not foresight. The lesson is that silence ends when something converts it into a named decision.
You do not have to wait for the AI-agent NotPetya to make that conversion locally. The affirm-or-exclude discipline works at deployment scale, and it is eight questions long: Do you have an inventory of your agents and what each is authorized to do? Is authority scoped and reviewed, or accreted? Are irreversible actions gated? Is there an audit trail a third party could reconstruct? Would you detect an action path that silently stopped? Is there a kill switch, and has it been exercised? What is your exposure if your model vendor ships a bad week? And is there a named human owner per agent, someone who would notice?
Every question has the same purpose: convert a silent exposure into an explicit, owned decision, affirmed with eyes open, or excluded on purpose. That is what the insurance market is slowly starting to demand of the industry from the outside. Operators can simply start supplying it from the inside, first, while it is still cheap.
We would say the view is better from in here, but that's the point: from inside, you can see exactly how little there is to see, and build for it.