Vol I 27 — June 2026

Is Receiver-Side Conduct a New Instrument?

When, Not If — II. If failure is structural rather than incidental, the consequential question is what independent record exists of what the agent actually did.


1. The open question

The NIST proof settled one question and opened another. Vassilev et al. established that no finite set of guardrails is universally robust against adaptive adversaries — the wall will be breached, the only question is when. The industry has largely absorbed the first half of that finding: monitor continuously, assume failure, build resilience. It has not yet confronted the second half.

If failure is structural rather than incidental, then the consequential question is no longer how do we prevent the agent from misbehaving — it is what independent record exists of what the agent actually did. And that question splits the field. One view holds that this is something existing frameworks — vendor mapping, model inventory, governance assessment — can already absorb, provided the boundary is named clearly. The other holds that receiver-side conduct evidence is a genuinely new instrument: one that no existing framework captures, and that regulation and underwriting will need to recognize on its own terms.

This note takes a position on that question. It argues that the second view is correct — that conduct, observed from the receiving side, is not a feature of existing risk instruments but a missing one — and it sets out why.


2. Why existing frameworks don't absorb it

The objection to a new instrument is reasonable: insurers already inventory their AI exposure. They map vendors, they catalogue models, they assess governance maturity. Why is conduct not simply another field in that inventory?

Because all three of those instruments describe what is installed or declared — never what was done. Vendor mapping tells you which providers a firm depends on. Model inventory tells you which models are in production. Governance assessment tells you what controls the firm says it has in place. Each is a snapshot of declared posture, taken before anything happens.

None of them records the agent's actual conduct on the surface where it acted. A model can be inventoried, governed, and vendor-mapped, and still behave — on a given system, on a given day — in a way none of those records would predict or capture. The gap is not in the thoroughness of the inventory. It is in the kind of thing being inventoried. You cannot inventory your way to a record of behaviour, because behaviour is not a property of the system at rest; it is something the system produces in contact with a surface.

This is the same distinction the insurance market has already learned once, in a different form: a firm's stated security controls and its actual breach history are not the same instrument, and underwriters price them differently. Declared posture and observed conduct diverge — and where they diverge is exactly where the loss lives.


3. Correlated exposure lives in shared conduct, not shared infrastructure

There is a second reason conduct cannot be inventoried away, and it matters most to anyone pricing a portfolio rather than a single risk.

A book of business can look diversified at the infrastructure layer and remain concentrated at the conduct layer. One insured runs Vendor A, another runs Vendor B, a third runs an internal model, a fourth embeds a third-party platform inside a workflow. By every inventory measure, the exposure is spread. But if those systems converge on the same decision behaviour — the same escalation shortcuts, the same triage patterns, the same risk classifications — the underlying exposure is still correlated. The diversification is nominal; the conduct is shared.

This is the accumulation problem that vendor mapping cannot see. Mapping answers whose technology is in the stack. It does not answer whether consequential decisions across the portfolio are being shaped the same way. Two insureds with entirely different vendors can fail in the same direction, on the same day, for the same reason — not because they share a supplier, but because they share a behaviour.

And shared behaviour is only observable where behaviour itself is observable: from the receiving side, across surfaces, in comparable terms. A single insured's own logs cannot reveal a portfolio-level correlation — by definition, no operator can see what is shared across operators. Only an independent record of observed conduct, captured the same way across many surfaces, makes the correlation visible at all. Infrastructure concentration can be mapped from the outside. Conduct concentration cannot — it has to be observed.


4. Why the receiving side is structurally necessary

The first two arguments are empirical: existing instruments happen not to capture conduct, and correlated exposure happens to hide in shared behaviour. A skeptic could still ask whether better internal tooling would close the gap. It would not — and the reason is structural, not a matter of engineering effort.

Start from the NIST result. Vassilev et al. established that no finite set of guardrails is universally robust against an adaptive adversary: for any defense the operator builds into the system, there exists conduct that defeats it. The practical consequence is usually read as "assume breach." But it carries a second, sharper implication. If the operator's own controls are provably incomplete, then the operator's own record of what those controls saw is also incomplete — and incomplete in precisely the directions the operator could not anticipate. A system cannot be the sole authoritative witness to behaviour its own defenses were built to miss.

This is the structural point. The operator deploying an agent cannot be a neutral witness to that agent's conduct, for the same reason no party can be a neutral witness in its own matter. The logs are produced by the system under examination, configured by the party with an interest in the outcome, and retained at that party's discretion. In an ordinary operational review that is acceptable. In a dispute — a subrogation claim, a coverage contest, a regulatory inquiry — it is not neutral evidence. It is an interested party's account of its own conduct.

The gap, then, is not a policy gap or a tooling gap. It is an evidence gap. What is missing is a record that does not originate with the actor whose conduct is in question: an account taken from the receiving side, where the conduct lands, sealed at the time of observation rather than reconstructed afterward from whatever logs survived. Such a record is independent in the only sense that matters for pricing or for proof — it does not depend on the cooperation, the configuration, or the candor of the party being observed.

That independence is not an added feature. It is the property that makes the record admissible as evidence at all. And it is available from one position only.
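Two of the properties argued for above are concrete enough to show in code: a record that is sealed on the receiving side at the time of observation and cannot later be reconstructed or edited without detection (section 4), and a record kept in comparable terms across many surfaces so that shared conduct becomes visible where infrastructure mapping sees only diversity (section 3). The following is an added illustration, not BotConduct's method (which the note says is undisclosed) and not code from the original page. It assumes a receiving-side observer that holds its own seal key (here a constructed placeholder), seals each observation with HMAC-SHA256 chained to the previous seal, and labels conduct with free-form strings; the surface names, agent names and conduct labels are constructed sample data.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder. The seal key is held by the receiving-side observer,
# never by the operator of the agent being observed, so the operator cannot
# re-seal an altered account of its own conduct.
OBSERVER_KEY = b"observer-seal-key-placeholder"
GENESIS = "0" * 64


def canonical(record: dict) -> bytes:
    """Stable byte encoding so an identical record always seals identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class ConductLedger:
    """Append-only, hash-chained record of agent conduct as seen by one receiving surface."""

    def __init__(self, surface: str, key: bytes = OBSERVER_KEY) -> None:
        self.surface = surface
        self._key = key
        self.entries: list = []

    def observe(self, agent: str, conduct: str, outcome: str,
                observed_at: Optional[float] = None) -> dict:
        """Seal one observation at the moment it is taken, linked to the previous seal."""
        prev = self.entries[-1]["seal"] if self.entries else GENESIS
        body = {
            "surface": self.surface,
            "agent": agent,
            "conduct": conduct,          # comparable label, same vocabulary on every surface
            "outcome": outcome,
            "observed_at": observed_at if observed_at is not None else time.time(),
            "prev": prev,
        }
        seal = hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()
        entry = dict(body, seal=seal)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every seal and chain link.

        Returns (True, -1) if the record is intact, else (False, index) naming the
        first entry whose content was altered, whose predecessor was removed, or
        which was inserted after the fact.
        """
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "seal"}
            if body["prev"] != prev:
                return False, i
            expected = hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["seal"]):
                return False, i
            prev = entry["seal"]
        return True, -1


def shared_conduct(ledgers) -> dict:
    """Map each conduct label to the number of distinct surfaces that observed it.

    A label seen on more than one surface is candidate correlated exposure even
    when the surfaces run different vendors, which is what inventory cannot show.
    """
    seen = {}
    for ledger in ledgers:
        for entry in ledger.entries:
            seen.setdefault(entry["conduct"], set()).add(entry["surface"])
    return {label: len(surfaces) for label, surfaces in seen.items()}


def build_sample_ledgers():
    """Constructed sample: three surfaces, three different agents, one shared behaviour."""
    a = ConductLedger("surface-A")
    a.observe("vendor-a-agent", "escalation_shortcut", "approved", observed_at=1.0)
    a.observe("vendor-a-agent", "triage_downgrade", "approved", observed_at=2.0)
    b = ConductLedger("surface-B")
    b.observe("vendor-b-agent", "escalation_shortcut", "approved", observed_at=1.5)
    c = ConductLedger("surface-C")
    c.observe("internal-model", "escalation_shortcut", "blocked", observed_at=1.7)
    return [a, b, c]


def tampered_verification():
    """Alter one sealed entry after the fact and report what verification says."""
    ledger = build_sample_ledgers()[0]
    ledger.entries[0]["outcome"] = "blocked"   # operator-side edit of the record
    return ledger.verify()


if __name__ == "__main__":
    ledgers = build_sample_ledgers()
    print("all intact:", all(l.verify()[0] for l in ledgers))
    print("surfaces per conduct label:", shared_conduct(ledgers))
    print("after tampering:", tampered_verification())
```

Three things fall out of running it. Every ledger verifies while untouched; `shared_conduct` reports `escalation_shortcut` on three surfaces with three different agents behind them, which is the concentration that vendor mapping would score as fully diversified; and editing a single field after sealing makes `verify` fail at that entry, because the seal was computed with a key the operator does not hold. Deleting an entry breaks the chain at its successor, and an entry appended later cannot be placed earlier in the chain without re-sealing everything after it.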


5. The answer, and what follows from it

So: a new instrument, or something existing frameworks already absorb? The argument above settles it. Receiver-side conduct evidence is not a refinement of vendor mapping, model inventory, or governance assessment. It is a different instrument, because it captures a different object — observed conduct rather than declared posture — and because it possesses a property none of the others can: independence from the party being observed. That property is structural, not incremental. No amount of better internal tooling produces it, for the same reason no party produces neutral evidence about itself. It is recognized, or it is absent.

The practical implications differ by role, and naming them is the point:

For the underwriter and the actuary, conduct evidence is the missing input. Agentic exposure cannot be priced from an inventory of what an insured installed; it can only be priced from a record of how agents behaved. Until that record exists in comparable terms across the book, agentic risk is not mispriced — it is unpriced, carried silently in policies that were never written to see it.

For the risk officer and the board, it is the difference between asserting that agentic exposure is governed and being able to show what was governed. A standard of care that cannot point to an independent record is an assertion, not a defense.

For the security function, it changes nothing about the work of defense — and gives that work a record to stand behind. The NIST result means no internal control set is complete; some conduct will get through, not through negligence but by structure. When it does, the security function needs to be able to show that the gap was structural, not a failure of diligence. An independent record of what the agent actually did — one that does not originate with the systems the security team itself operates — is what separates "this exposure was inherent and acknowledged" from "this was missed." It does not help the operator produce evidence about itself; it gives the operator something it cannot produce about itself, and needs most precisely when something has gone wrong.

The NIST proof told the industry the wall will be breached. The question it left open was whether anyone independent was watching when it happened. Naming receiver-side conduct as a distinct instrument is how that question gets an answer — not after the fact, reconstructed from the logs that survived, but as a record that already exists, in stable terms, before anyone knew to look.


References: Vassilev et al. (NIST) on the incompleteness of finite guardrail sets; BotConduct Conduct Taxonomy v1.0 (DOI 10.5281/zenodo.20709421); NIST AI RMF and EU AI Act as descriptive references. Method (classification logic, signals, thresholds) is not disclosed; independent audit available under NDA.



BotConduct — independent behavioral observatory. Evidence, not enforcement.