The most expensive losses on any desk are never the trades you flagged as risky — they’re the positions you didn’t know you were holding.
Why Endogenous Agent Risk Matters Now
Every security organization is built around an implicit model of where the danger comes from: outside. Firewalls face out. EDR hunts the intruder. The threat-intel team tracks adversaries. That model has been roughly correct for thirty years. With agentic AI, it is about to be roughly wrong.
Gartner’s Market Guide for Guardian Agents puts a number on it: through 2028, at least 80% of unauthorized AI agent transactions will be caused by internal policy violations — information oversharing, unacceptable use, misguided agent behavior — not by malicious attacks. Read that as a trader would. The dominant term in your loss distribution just moved from the tail (rare, external, adversarial) to the body (frequent, internal, accidental). You are no longer primarily hedging against an attacker. You are hedging against your own authorized agents doing authorized-looking things in unauthorized ways.
| Metric | Figure | Source |
|---|---|---|
| Unauthorized agent transactions from internal violations (through 2028) | ≥ 80% | Gartner, Market Guide for Guardian Agents |
| Enterprises where ungoverned agent activity is invisible to security tooling | 88% | Ospiri research |
| Typical detection-to-containment lag for misuse vs. intrusion | 12–18 months | Ospiri research |
The frequency × severity math is unforgiving. External breaches are low-frequency, high-severity — the classic tail event you buy insurance and EDR against. Internal agent violations are high-frequency, variable-severity, and — critically — they often clear no alarm at all, because every action was taken by a credentialed agent inside an approved application.
Exogenous vs. Endogenous Risk: A Repricing
Markets distinguish between exogenous shocks (an external event hits the book) and endogenous risk (the system generates its own instability through its own positions). Agent governance forces the same distinction onto security.
| Dimension | Exogenous (the old model) | Endogenous (the agent era) |
|---|---|---|
| Origin | External attacker | Authorized internal agent |
| Trigger | Breach, phishing, exploit | Oversharing, misuse, drift |
| Visibility | Often alarms fire | Frequently silent — looks legitimate |
| Frequency | Low | High |
| Primary control today | EDR, SIEM, perimeter | Largely absent |
| Insurance coverage | Usually covered | Often excluded as misuse |
The last row is where CFOs should lean in. Cyber policies are written to cover attacks. An agent that overshares a customer NPI file to a third-party SaaS connector because a user phrased a prompt loosely is not an attack — it is a misuse event. A material fraction of these incidents land as uninsured, direct P&L hits rather than claims. You are self-insuring the 80% and buying coverage for the 20%.
Anatomy of an Endogenous Incident
These don’t look like breaches. They look like Tuesday. The recurring pattern across active deployments:
- The credential is legitimate. A Microsoft 365 Copilot or Salesforce Einstein agent inherits the user’s full OAuth scope. Nothing it touches is technically out of bounds.
- The intent is benign. A user asks for a summary, a draft, a reconciliation. No one is trying to exfiltrate anything.
- The action overshoots. The agent pulls a broader file set than the task required, or writes output to a directory — or an external connector — that the policy never contemplated.
- The trail is clean. Every step is logged as an authorized action by an authorized identity. UEBA sees a known user. The SIEM sees approved API calls. Nothing trips.
- Discovery is accidental. The violation surfaces in an audit, a customer complaint, or a regulator’s question — long after containment was possible.
There is no malware to find, no C2 beacon, no anomalous login from Belarus. The control stack built for exogenous threats is structurally blind to this, because every individual transaction is, in isolation, permitted.
The Endogenous Agent Risk Score
If 80% of your exposure is internal, you should measure it the way a risk desk measures position risk — continuously, and as a function of what could go wrong, not just what did. A workable frame:
Endogenous Risk = (Permission Scope × Reversibility) + (Action Frequency × Behavioral Drift)
| Factor | What it measures | High-risk signal |
|---|---|---|
| Permission Scope | Breadth of OAuth / filesystem / kernel access | Full user scope inherited by default |
| Reversibility | Can the action be undone? | Writes to external connectors, deletes, sends |
| Action Frequency | How often the agent acts unattended | High-volume autonomous operation |
| Behavioral Drift | Deviation from baseline (new dirs, new syscalls, new destinations) | Agent touching surfaces it never touched before |
The product matters more than any single term. A read-only agent with narrow scope acting often is low risk. A broadly scoped agent that can write externally and is starting to drift is the position you cut first. This is the same logic as marking a book to market: you don’t wait for the loss to print before you size the exposure.
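One way to score and rank an inventory with the frame above, as an added example that is not the page author's code. It assumes every factor is normalized to 0-1 with higher meaning riskier (so the Reversibility term is scored as irreversibility) and that drift is the share of observed surfaces absent from the agent's baseline; the agent names, values and surface labels are constructed.

```python
import math
from dataclasses import dataclass, field

@dataclass
class Agent:
    name: str
    permission_scope: float  # 0..1; 1.0 = full user scope inherited by default
    irreversibility: float   # 0..1; 1.0 = external writes, deletes, sends
    action_frequency: float  # 0..1; 1.0 = high-volume unattended operation
    baseline: set = field(default_factory=set)  # surfaces seen in the baseline window
    observed: set = field(default_factory=set)  # surfaces seen in the current window

def behavioral_drift(agent):
    """Share of currently observed surfaces the agent never touched in its baseline."""
    if not agent.observed:
        return 0.0  # idle agent: nothing to drift
    return len(agent.observed - agent.baseline) / len(agent.observed)

def endogenous_risk(agent):
    """(Permission Scope x Reversibility) + (Action Frequency x Behavioral Drift)."""
    return (agent.permission_scope * agent.irreversibility
            + agent.action_frequency * behavioral_drift(agent))

def rank(agents):
    return sorted(agents, key=endogenous_risk, reverse=True)

def top_decile(agents):
    """Highest-scoring 10% of the inventory, at least one agent."""
    return rank(agents)[:max(1, math.ceil(len(agents) / 10))]

# Constructed inventory; names, scores and surfaces are illustrative only.
INVENTORY = [
    Agent("hr-summarizer", 0.2, 0.0, 0.9, {"fs:/hr/policies"}, {"fs:/hr/policies"}),
    Agent("recon-bot", 0.5, 0.3, 0.4, {"fs:/ledger", "api:erp"}, {"fs:/ledger", "api:erp"}),
    Agent("crm-copilot", 1.0, 0.9, 0.6, {"api:crm/accounts", "api:crm/contacts"},
          {"api:crm/accounts", "connector:ext-saas", "fs:/finance/exports"}),
]

if __name__ == "__main__":
    for a in rank(INVENTORY):
        print(f"{a.name:15s} drift={behavioral_drift(a):.2f} risk={endogenous_risk(a):.2f}")
```

The frequently acting read-only agent scores zero, while the fully scoped agent that has started writing to a new external connector lands alone in the top decile.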
What the Architecture Actually Requires
The reason the existing stack misses the 80% is a control-point problem, not an effort problem. Detection tools observe; they don’t intervene at the moment of action. By the time a passive monitor or LLM gateway has reasoned about a prompt, the agent’s plan has already resolved into kernel-level operations — file reads, writes, network calls — that no longer carry the prompt’s intent with them.
| Control point | Sees | Can stop an internal violation? |
|---|---|---|
| Prompt guardrails (Lakera, Protect AI) | The prompt | No — intent is gone by execution |
| API / DSPM monitoring | Metadata, after the fact | No — observability, not mitigation |
| EDR (CrowdStrike, SentinelOne, Defender) | Process behavior | Partially — wrong granularity for agent scope |
| Kernel-scope enforcement (agent firewall) | The action itself | Yes — block or copy-on-write at execution |
This is why agent governance for the endogenous era has to sit where the action actually happens — at kernel scope, alongside EDR, not above it. The distinction that matters operationally is block-on-deny vs. copy-on-write: the former halts the agent and gets ripped out by engineering within two quarters; the latter lets the agent proceed against a controlled copy, preserving productivity while neutralizing the irreversible action. Endogenous risk is a policy-gap problem, and policy gaps close at the enforcement layer, not the dashboard. (For the threat model adjacent to this — the agents you didn’t sanction at all — see agent security.)
What CISOs Should Do This Quarter
| Step | Action | Output | Effort |
|---|---|---|---|
| 1 | Inventory agents across the fleet — sanctioned and shadow | Baseline count + scope map | Low (days) |
| 2 | Score each agent on the endogenous frame above | Ranked exposure list | Low |
| 3 | Move top-decile agents to copy-on-write at kernel scope | Irreversible actions neutralized | Medium |
| 4 | Re-read your cyber policy for the misuse exclusion | Known uninsured P&L exposure | Low |
Notice what is not on this list: a 12-month identity-and-classification program. Those matter, but they don’t address an 80%-of-exposure problem this quarter. Enforcement and observability ship in weeks; identity matures in parallel.
The Bottom Line
If four out of five of your agent incidents will come from inside the building, a security program that faces outward is mispriced. The endogenous shift doesn’t make external defense wrong — it makes it insufficient, the same way owning puts doesn’t help when the risk is in a position you forgot you held. Measure agent exposure as frequency × severity across permission scope, reversibility, and drift. Enforce at the kernel, where the action resolves, not at the gateway, where only the prompt lives. And price the misuse exclusion in your cyber policy honestly, because the 80% is very likely uninsured.
If your team is sizing this for the next budget cycle, request a working session. We will walk through your environment, build your first endogenous agent-risk inventory, and scope a kernel-scope enforcement deployment. Ninety minutes.