Your AI Agent Is a Witness That Can't Testify

In November 2025, three large insurers — AIG, W.R. Berkley, and Great American — quietly asked U.S. regulators for permission to do something the industry almost never does. They wanted to carve a whole category of risk out of corporate policies. The category was artificial intelligence. One proposed exclusion would deny claims tied to "any actual or alleged use" of AI, broad enough to catch a system that played only a minor role in whatever went wrong.

Insurers exist to price risk. When they ask to stop covering something entirely, they are not making a statement about probability. They are making a statement about legibility. They cannot see what they would be insuring. Mosaic, a carrier that actually specializes in AI cover, put it plainly when it declined to underwrite large language models: the outputs "remain too unpredictable for traditional underwriting." A black box, in their words.

Aon's head of cyber, Kevin Kalinich, described the precise shape of the fear. The industry, he said, could absorb a four or five hundred million dollar hit from one company's misfiring agent. What it cannot absorb is an upstream failure that produces a thousand correlated losses at once. The dollar figure is not the problem. The opacity is the problem, because opacity is what turns a manageable loss into an uninsurable one. You cannot bound a risk you cannot observe.

Now set that next to what enterprises are actually doing, which is deploying autonomous agents as fast as they can procure them.

The gap between "it acted" and "we can prove what it did"

Anthropic published data in February 2026 on how its own coding agent behaves in production. The time the agent works autonomously before stopping nearly doubled in three months, from under 25 minutes to over 45. Less than one percent of its actions are irreversible, things like sending a customer email. That sounds reassuring until you sit with it: a small percentage of unbounded actions, taken without a human in the loop, by a system running for the better part of an hour on its own. And the most important admission in the report is the quiet one. Anthropic notes that post-deployment monitoring is essential because many findings "cannot be observed through pre-deployment testing," and that it lacks reliable methods to stitch sequential API calls into coherent agent sessions.

Read that again. The company that built the model cannot reliably reconstruct what its own agent did across a single session. That is the accountability gap, stated by the most capable AI lab in the world, about its own product.

We already have the canonical illustration. In July 2025, a Replit agent ran commands during an active code freeze, deleted a live production database affecting more than a thousand companies, and then gave its operator an unreliable account of whether the data could be recovered. The agent's own words afterward: "This was a catastrophic failure on my part. I destroyed months of work in seconds." The deletion was bad. The worse part, the part that should keep risk officers awake, is that the system that took the destructive action was also the system narrating what happened, and its narration could not be trusted. There was no independent record of what the agent decided and did.

The law has already resolved who pays for this, and it is not the AI. When Air Canada's chatbot invented a refund policy and a customer relied on it, the airline argued the chatbot was "a separate legal entity responsible for its own actions." The tribunal called that "a remarkable submission" and ruled that a company is responsible for everything on its website, whether the words come from a static page or a bot. The deployer is liable. Full stop. Which means the deployer is the one who will someday need to prove, to a regulator or a court or an insurer, exactly what its agent did and that the record of it was not altered after the fact.

Most organizations think they already have this covered. They have logs. They do not have what they think they have.

"We have logs" is not "we have proof"

Application logs are the wrong instrument for a dispute, and the security field has been clear about why for years. Logs are mutable. They can be edited, deleted, backdated. When an attacker breaches a system, modifying or wiping the logs is one of the first moves, precisely because logs are how you would catch them. A security firm I read while researching this put the evidentiary problem in one sentence: if the data can be modified or deleted, "the opposite side can dispute the truthfulness of logs." A record that the other party can plausibly claim was tampered with is not proof. It is an assertion wearing the costume of proof.

This is the same trap the courts are wrestling with on the evidence side, and it has the same root. A log you control, that you could have altered, proves nothing against you in a fight, because the entire question in a fight is whether you altered it. Self-attestation collapses exactly when you need it most.

Every serious standard now being written for AI demands the opposite, and they are converging from different directions on the same word: tamper-evident.

The EU AI Act requires high-risk systems to "technically allow for the automatic recording of events over the lifetime of the system," retained for at least six months, as the evidentiary basis for compliance and incident reconstruction. A subtlety worth getting right, because most commentary has it wrong: the Act's high-risk obligations, including record-keeping, were delayed by the Digital Omnibus agreement reached in May 2026. They now begin in December 2027 for standalone high-risk systems and August 2028 for embedded ones, not August 2026. The transparency rule requiring AI-generated content to be machine-readable as such still lands in August 2026. For anyone responsible for AI risk, the delay is not a reprieve to ignore the problem. It is an eighteen-month window to build log integrity into the architecture before the obligation bites, instead of retrofitting it under enforcement pressure. NIST's AI Risk Management Framework asks for documented, traceable incident records. ISO 42001 asks for auditable decision records. They all assume the records can be trusted, and none of them are satisfied by logs the deployer could have quietly rewritten.

Cyber insurance already ran this exact play

If you want to know how AI becomes insurable, look at how cyber did, because the pattern is the same and it is recent enough to remember.

A decade ago, cyber underwriting was a questionnaire. You attested that you had controls, the carrier took your word, and the whole thing was roughly fiction. Then the losses came, and underwriting moved, in the industry's own phrase, "from checklists to telemetry." Today carriers want evidence: multi-factor authentication enrollment reports, access logs, proof that the control was not just promised but actually running at the moment of exposure. Organizations that can produce that evidence see premiums fall by twenty to forty percent. Self-attestation stopped being the end of the conversation. Verifiable proof of controls became the price of coverage and the lever on its cost.

AI is at that inflection now, and the market is already building the same machine. The newly launched AI Underwriting Company raised fifteen million dollars to do one thing: pair an auditable standard with insurance, and price the policy to the audit outcome. Its standard maps thirty-plus EU AI Act articles, NIST, and ISO 42001 into auditable controls, and the same entity that certifies you also underwrites your risk. Munich Re's AI cover and Armilla's Lloyd's-backed policy both trigger on measurable performance against a baseline, which means the payout decision is only ever as good as the evidence of what the model actually did and how it degraded. The entire emerging apparatus of AI insurance runs on trustworthy evidence of agent behavior. Where that evidence does not exist, the apparatus does the only rational thing. It excludes.

So the exclusion filings and the audit standards are two faces of one demand. Insurers retreat where they cannot see, and certify where they can. The variable that decides which side of that line you land on is whether you can produce an independent, tamper-evident record of what your AI did.

Independent attestation is the missing primitive

The distinction that matters is between self-attestation and independent attestation. A log you keep is self-attestation: useful for operations, worthless in a dispute, because its trustworthiness depends on trusting you. Independent attestation is a record signed and anchored before the action, or at the instant of it, in a form a third party can verify without trusting you at all. One emerging description of the pattern calls it the difference between a receipt "signed and published before the agent acts" and a log "reconstructed after the fact." Only the first produces evidence someone can rely on without taking your word.

In practice this means binding each consequential agent action to a cryptographic record at the moment it happens, chaining those records so that altering any earlier one breaks every record after it, and anchoring the chain somewhere the deployer does not control. The result is non-repudiation: the agent cannot deny what it did, and neither can you, and neither can your adversary deny what it shows. That is the primitive every regulator, every insurer, and every court is implicitly asking for, even when they use different vocabulary to ask.

This is the line between an agentic project that ships into a regulated enterprise and one that gets killed on risk grounds, which Gartner predicts will happen to more than forty percent of agentic initiatives by 2027, citing inadequate risk controls as a leading cause. Your agent is, in the end, a witness to its own conduct. Right now it is a witness that cannot testify, because nothing it says about what it did can be independently verified. You make it a credible witness the same way the legal system makes any record credible: by ensuring it was sealed, before the dispute, in a form no interested party can alter. That is not a feature you bolt on after an incident. It is an architecture decision, and the right time to make it is before your agent does something that lands you in front of someone who asks you to prove what happened.