The Other Half of the Identity
I. The number the industry is now repeating
A survey of 235 CISOs and senior security leaders at large enterprises, published in early 2026, put numbers on a feeling the industry had been carrying for a year.
Seventy-one percent say AI systems already have access to core business systems; only sixteen percent govern that access effectively. Ninety-two percent lack full visibility into their AI identities. Ninety-five percent doubt they could detect misuse if it occurred. Nearly half have already observed an AI agent exhibit unintended or unauthorized behavior. The report reduces the condition to two questions security teams can no longer answer with confidence: who did this, and should this action have been allowed?
The finding is real, present, and well-measured. It is not a forecast. It describes what is already running inside enterprises today.
It is also half the picture.
II. What the survey measures, and what it does not
Read the report closely and the boundary of its subject becomes visible. Every finding concerns agents the organization deployed: the copilot someone connected to a SaaS tool, the agent an engineering team tested, the assistant a business unit installed without approval. Shadow AI. Internal identities. Privilege that expanded inside the perimeter without sign-off.
The proposed response matches the diagnosis: identity-first governance, least-privilege, lifecycle controls, continuous internal monitoring. Govern the agent you deployed as you would govern a high-risk human user.
This is necessary. It is also bounded by the perimeter. Every measurement in the report is taken looking inward — at the agents dispatched from, or operating inside, the organization’s own systems. None of it looks at the agents arriving from outside, dispatched by parties the organization has no contractual relationship with, exhibiting exactly the same properties the report finds alarming: meaningful access, behavior that does not match human patterns, incomplete or temporary records, no clear owner.
The same organization that deploys agents also receives them. The survey counts one direction and not the other.
III. The fact the perimeter hides
There is a structural reason the two directions cannot be governed by the same control, and it is the point this note exists to make.
Every organization in that survey is, simultaneously, a sender and a receiver. It dispatches agents toward other parties’ surfaces, and it receives agents dispatched toward its own. Identity-first governance addresses the first role. It cannot address the second, because the agents arriving at a surface were never provisioned, certified, or scoped by the receiver. They carry no identity the receiver issued. Least-privilege has no privilege to limit; the actor is not on the receiver’s roster.
But the harder consequence runs in the other direction, and the report does not reach it.
The agent an organization deploys — the one it is now racing to govern internally — is the agent that will be named when something goes wrong on someone else’s surface. Responsibility for an agent’s conduct attaches to the operator. When an organization’s agent does damage on a property it visited, the organization answers for it. And the evidence of what that agent actually did is not in the organization’s own logs. It is on the surface where the agent arrived — held by the receiver, a party with no obligation to the operator, observing from the only position where the conduct was visible.
The dispatcher logs what it sent. It does not log what arrived, or how the agent behaved once it was past the boundary. An organization can govern its agents flawlessly inside its perimeter and still be unable to prove how one of them behaved the moment it left. The visibility the CISO is investing in stops exactly at the edge of the perimeter. The liability does not.
So the organization needs the receiver-side record twice. As a receiver, to know what arrived. As a sender, because its own agents will be judged by conduct it cannot see and cannot attest — conduct recorded, if it is recorded at all, by the parties who received them.
IV. What this enables, and what it does not
Enables
A reading of the CISO survey that completes it rather than disputes it. The internal-governance crisis it documents is genuine. The receiver-side blind spot is its mirror image, governed by the same forces, addressed by none of the same tools.
A reason for the sender to want receiver-side attestation that has nothing to do with altruism: it is the only record that can exonerate or implicate its own agents in a dispute, and it sits outside its control.
Does not enable
A claim that internal governance is unnecessary. The two are different layers. Identity-first control governs the agent inside the perimeter; it is needed. Receiver-side attestation records the agent’s conduct beyond it. Neither substitutes for the other.
A claim that the survey is wrong. It is not. It is accurate about the half it measures. The argument here is only that the half it does not measure is governed by the same dynamics and left entirely unaddressed.
A claim that receiver-side observation resolves attribution. It records conduct with integrity; it does not, by itself, prove which operator stands behind an undeclared actor. Integrity of the record is the claim. Attribution is a separate, harder operation that the record supports but does not complete.
V. Where this leaves the stack
The CISO survey is the clearest evidence yet that the industry has accepted the first half of the problem: agents act, faster than human controls, with access no one fully tracks. The governance response is converging — identity-first, least-privilege, internal monitoring.
The second half has not been named in the same way. Every organization governing its own agents is also receiving agents it cannot govern, and dispatching agents whose conduct elsewhere it cannot see. The record of that conduct exists only at the receiver. It is not produced by the sender’s compliance stack, not by the regulator, not by the operator who will answer for the agent.
Who did this, and should this action have been allowed? The survey asks the question of the agents inside the perimeter. The same question, asked of the agents that cross it, has no answer in any tool the survey describes — and it is the question a dispute will turn on.
The receiver saw what arrived. It remains the only party that did.
This research note is published under the BotConduct Standard. The survey referenced is the 2026 CISO AI Risk Report (235 respondents, US and UK enterprises of 5,000+ employees), published January 2026.
Verification: botconduct.org/verify
Public key: botconduct.org/.well-known/bcs-public-key.pem
BotConduct · Independent Behavioral Observatory · Evidence not enforcement