The Five Toxic Powers of Agentic AI — What Underwriters Need to Know

Agentic AI introduces five double-edged powers that create toxic risk combinations. Here's how underwriters, brokers, and CISOs should assess the threat.

This post draws on the Cloud Security Alliance article Toxic Combinations: The Five Powers Fueling the Agentic Threat Landscape. We repurpose its framework for the underwriting desk — where risk is quantified, not just described.


A New Species of Risk

The CSA got it right: agentic AI is not just another software update. It is a new species of user — one that processes 50 million bits per second while human oversight still crawls at sixty. For underwriters, this isn’t a paragraph in a cybersecurity questionnaire. It is a fundamental shift in how loss frequency and severity compound.

If the iPhone was a crack in the perimeter, AI agents are a sledgehammer. The perimeter model that underwrites most cyber policies today — firewalls, IAM, segmentation — was designed for human-paced interaction. Agents operate at machine speed, with machine-scale access, and machine-scale autonomy. The result: risk that collapses from days to milliseconds.

The CSA identifies five “double-edged powers” that, in combination, become toxic. We translate each into underwriting terms: what it means for PML, what it does to loss exceedance curves, and what you should ask in your next submission.


Power 1: Deep Data Access

What it is. To be useful, agents need access to the data that matters most — PII, financial records, deal terms, patient data, source code. The CSA calls this the first double edge: the same access that makes an agent valuable makes it a privilege-escalation target. An agent with read/write access to a CRM doesn’t just query records; it becomes a privileged insider.

Why underwriters should care. This collapses the distance between a low-privilege breach and a catastrophic data spill. Traditional models price data exposure based on the principle of least privilege — humans operate in narrow roles, with narrow access. Agents don’t. A single compromised agent credential can traverse databases that would take a human attacker weeks to map. Recalibrate your frequency assumptions: if the insured has deployed agentic workflows over restricted data, annual breach probability is no longer what the historical claims data says.

How to assess it. Ask the insured:

  • Which agents have access to restricted or classified data, and is that access read-only or read-write?
  • Are agent data access permissions segmented by data classification, or does the agent share a single service account?
  • Is there a data-contextual access policy — i.e., does the agent’s access narrow based on the task, or is it always “full read”?

Run a domain exposure scan to see what the insured’s external footprint looks like before the agent ever touches it.


Power 2: External Connectivity

What it is. Agents need to reach external systems — APIs, web services, partner ecosystems, SaaS tools. The CSA notes that this creates exfiltration paths that didn’t exist when data stayed inside the perimeter. An agent that reads a Slack channel, queries a CRM API, and writes to a shared workspace has built a three-hop data pipeline in minutes.

Why underwriters should care. This is accumulation risk in slow motion. Every outbound connection an agent makes is a potential exfiltration channel. When one insured’s agent connects to another insured’s API, you have supply chain contagion — and your portfolio may hold both ends. The 2023 MOVEit scenario was a single vector. Agentic connectivity creates thousands of them, each invisible to traditional network diagrams.

How to assess it. Ask the insured:

  • Can you enumerate every external service your agents connect to?
  • Are agent outbound connections subject to the same DLP and exfiltration controls as human users?
  • Is there network segmentation between the agent’s execution environment and the internet, or does the agent have unrestricted egress?

If they can’t enumerate the connections, they can’t monitor them. If they can’t monitor them, you can’t price them. Use cyber risk quantification to model what unrestricted egress does to probable maximum loss.


Power 3: Lateral Agency

What it is. Agentic systems self-orchestrate. One agent spawns sub-agents; sub-agents delegate to other agents. The CSA calls this a “mesh” — and it enables rapid lateral movement across an environment. A compromised agent doesn’t just access one system; it propagates through the mesh like a worm through a flat network.

Why underwriters should care. This is the agentic equivalent of a flat network with domain admin credentials everywhere. Underwriters already penalize flat networks — they drive up severity and make containment failures more likely. Lateral agency does the same thing, but the flatness is in the orchestration layer, not the network layer. It won’t show up in a traditional network diagram. It will show up in your claims data when an incident jumps from a low-value asset to a critical one in seconds.

Under NIS2 and DORA, the insured must demonstrate that they manage risk to critical functions. Lateral agency means a sub-agent in a non-critical function can reach a critical one — which means the insured’s risk register may be wrong. That matters for both coverage terms and regulatory exposure.

How to assess it. Ask the insured:

  • Can agents spawn or delegate to other agents without human approval?
  • Is there a boundary — technical or policy — that limits how far an agent can laterally move?
  • Do you have audit trails for inter-agent communication, or is the mesh opaque?

A blank stare is a control gap. A detailed answer with named boundaries is a control. Price accordingly.


Power 4: Untrusted Ingestion

What it is. Agents learn from external data — customer inputs, web content, third-party feeds. This introduces prompt injection at scale: malicious instructions embedded in training data, ingested documents, or API responses that cause the agent to behave in ways the developer never intended.

Why underwriters should care. Prompt injection is the agentic equivalent of SQL injection — except the blast radius is determined by the agent’s access and autonomy, not the database’s permissions. An agent with Deep Data Access and Autonomous Action that ingests a poisoned prompt doesn’t just crash; it acts on the malicious instruction with the full force of its privileges. For underwriters, this means the frequency of “unintended action” incidents may be far higher than historical data suggests. It also means attribution — was it a bug, an attack, or an emergent behavior? — becomes genuinely ambiguous.

DORA requires operational resilience testing. If the insured hasn’t tested their agents against prompt injection, they haven’t tested operational resilience for agentic systems. That’s a gap, and it’s one the underwriter should flag.

How to assess it. Ask the insured:

  • Do you have input sanitization or content verification for data ingested by agents?
  • Have you conducted adversarial testing (red team or purple team) specifically against prompt injection?
  • Can you distinguish between an agent acting on legitimate instructions and one acting on injected instructions — in real time?

Power 5: Autonomous Action

What it is. Agents execute — approve transactions, modify records, send communications, deploy code — without human oversight. The CSA’s point is stark: an agent is a “naive genius” that can process at machine speed but lacks the judgment to stop when something looks wrong.

Why underwriters should care. This is where severity moves. An agent that can approve a wire transfer, change an access policy, or encrypt a filesystem doesn’t need an attacker behind it to cause a loss — it can cause one through misconfiguration, hallucination, or prompt injection alone. The CSA identifies this as the “Autonomous Ransomware Vector”: an agent that autonomously executes destructive commands turns the insider threat model inside out. For underwriting, this means:

  • PML shifts upward. Autonomy amplifies the impact of every other power.
  • Loss exceedance curves steepen. The tail gets heavier because autonomous action combines multiplicatively with deep access and lateral movement.
  • Exclusion language needs review. Does your policy cover unintended actions by an autonomous system, or only malicious acts by a human threat actor?

How to assess it. Ask the insured:

  • Which agent actions execute without human-in-the-loop approval?
  • Is there a transaction limit or blast-radius cap on autonomous actions?
  • Can the insured revoke agent permissions in real time, or does revocation require a deployment cycle?

Case Study: The Finance Agent

The CSA describes a scenario worth quoting directly: a Finance Agent with access to restricted deal data moves that data to a shared workspace in minutes. Not because it was attacked — because it was doing its job.

Here’s how that reads at the underwriting desk:

An insured deploys a finance agent to summarize M&A documents. The agent has read access to a restricted deal room and write access to a shared collaboration space. Over a weekend, it processes 200 documents and writes summaries — including deal terms, financials, and counterparty identities — to a workspace accessible to 400 employees and three external contractors. No DLP flag. No human review. No incident — until the data appears in a competitor’s hands six weeks later.

Underwriting impact:

  • First-party loss: Deal abandonment, regulatory investigation, internal remediation.
  • Third-party loss: Claim by counterparty for breach of confidentiality; potential class action if PII was in the documents.
  • Control failure: DLP didn’t catch it because the agent had legitimate write access. The “failure” wasn’t a control bypass — it was a control gap.
  • Accumulation: If the same agent architecture is used across multiple deals, one misconfiguration creates multi-claim exposure across the portfolio.

Quantify it. Run the scenario through FAIR-based modeling with the agent’s access scope as the threat vector. The PML difference between “human-in-the-loop” and “autonomous” will change your premium loading.
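
The control gap in the Finance Agent case study, sketched as an added example (not code from the CSA article or from Resiliently): a data-contextual write gate that remembers the most sensitive label an agent has read during a task and refuses writes to any sink whose audience is cleared lower. The classification scheme, class and resource names are hypothetical and the replayed events are constructed.

```python
"""Added example: data-contextual write gate (all names and data are hypothetical)."""
from dataclasses import dataclass, field

# Ordered classification levels (assumed scheme; higher = more sensitive).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class TaskContext:
    """Per-task state: the most sensitive label the agent has read so far."""
    agent: str
    high_water: str = "public"
    audit: list = field(default_factory=list)

    def read(self, source: str, label: str) -> None:
        # Reading raises the task's high-water mark; it never lowers it.
        if LEVELS[label] > LEVELS[self.high_water]:
            self.high_water = label
        self.audit.append(("read", source, label, "allow"))

    def write(self, sink: str, sink_clearance: str, external_readers: int = 0) -> bool:
        # The static ACL already grants write access; this check adds data
        # context: output derived from high_water data must not reach a sink
        # whose audience is cleared lower, or one with external readers.
        too_low = LEVELS[sink_clearance] < LEVELS[self.high_water]
        leaks_out = (external_readers > 0
                     and LEVELS[self.high_water] >= LEVELS["confidential"])
        decision = "deny" if (too_low or leaks_out) else "allow"
        self.audit.append(("write", sink, self.high_water, decision))
        return decision == "allow"


def finance_agent_weekend() -> TaskContext:
    """Constructed replay of the case study: deal room in, shared workspace out."""
    ctx = TaskContext(agent="finance-summarizer")
    ctx.read("dealroom/project-x/term-sheet.pdf", "restricted")
    # Shared workspace: employees cleared 'internal', three external contractors.
    ctx.write("workspace/shared-summaries", "internal", external_readers=3)
    # Deal-team space cleared 'restricted', no external readers.
    ctx.write("workspace/deal-team-only", "restricted")
    return ctx


if __name__ == "__main__":
    for entry in finance_agent_weekend().audit:
        print(entry)
```

The audit list doubles as the evidence an underwriter would ask for: each denied write records which classification the task had touched when the agent tried to publish.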


The Strategic Shift: Custodian to Orchestrator

The CSA’s final point is the one underwriters should internalize: security for agentic AI can’t be perimeter-first. It must be data-first. “Security begins and ends with the data itself — its location, movement, and context.”

For underwriters, this means the insured’s posture should shift from custodian (guard the walls) to orchestrator (govern the agents). If the submission describes agent governance in the same terms as network security, the insured hasn’t made the shift. If it describes data-contextual policies, agent permission boundaries, and autonomous action caps — they have.


Assessment Checklist: What to Ask the Insured

For each of the five powers, one threshold question and one follow-up:

| Power | Threshold Question | If Yes, Follow Up |
|---|---|---|
| Deep Data Access | Do any agents have read/write access to restricted or classified data? | Is access segmented by data classification, or does the agent use a single service account? |
| External Connectivity | Can agents initiate outbound connections to external APIs or services? | Can you enumerate every external connection? Are DLP controls applied to agent egress? |
| Lateral Agency | Can agents spawn, delegate to, or communicate with other agents? | Are there boundaries limiting lateral agent propagation? Is inter-agent communication auditable? |
| Untrusted Ingestion | Do agents ingest data from external or user-supplied sources? | Have you tested for prompt injection? Is there input sanitization? |
| Autonomous Action | Do any agents execute transactions or modify data without human approval? | Is there a transaction limit or blast-radius cap? Can permissions be revoked in real time? |

If the insured answers “no” to the threshold question, the power isn’t in play — yet. If they answer “yes” and can’t answer the follow-up, you have a control gap worth pricing.


Agentic AI doesn’t just increase the probability of a loss — it changes the shape of the loss distribution. Higher frequency from untrusted ingestion. Higher severity from autonomous action. Heavier tails from toxic combinations. The underwriter who treats agents like another software module will misprice. The one who treats them like a new species of privileged insider — one that never sleeps, never requests access, and never asks for permission — will get closer to the real PML.


Michael Guiao founded Resiliently.ai to make cyber risk quantifiable, not just qualifiable. CISM, CCSP, CISA, DPO (TÜV) — lapsed, by choice. He trades on judgment, not paper.

Michael Guiao founded Resiliently AI and writes Resiliently. He holds CISM, CCSP, CISA and DPO certifications, but has let them lapse, because in the age of AI knowledge is cheap. What matters is judgment, and that comes from eight years of practice at Zurich, Sompo, AXA and PwC.
