Skip to content

AI Agents Are the Newest Unscannable Asset. Boards Need a Dollar Figure.

Sam Keogh
Sam Keogh

9 MIN READ

THE AI AGENT RISK GAP · ADOPTION vs QUANTIFIED VISIBILITY Enterprises are shipping autonomous agents faster than they can price the risk. 2023 to mid‑2026 Enterprise AI agents deployed vs. share with a quantified risk owner 100% 75% 50% 25% 0% 2023 2024 2025 Q2 2026 Now THE GAP Enterprises deploying autonomous or semi‑autonomous AI agents Those with a documented, quantified risk owner for that agent DARKTRACE 2026 92% of security professionals worried about AI agents CyQuantiFi ESTIMATE <5% have a dollar figure on that concern The gap won't close by itself. CyQuantiFi · Put a dollar figure on every cyber risk — even the ones you can't scan.

The gap between adoption and visibility just got wider

Ninety-two percent of security professionals said in Darktrace's 2026 State of AI Cybersecurity report that they are worried about the impact of AI agents on their organisation. That number is not a mystery. Autonomous agents are being deployed by finance, marketing, engineering, HR and customer support — often outside the security team's line of sight — and they take actions in the real world, not just make suggestions.

The worry is real. The visibility is not.

Almost no board in Australia today can answer the follow-up question that comes next: and what does that risk cost us if it goes wrong, in dollars, this year? Cyber Security Alliance's 2026 industry survey shows CROs and directors are being pushed to quantify cyber risk in financial terms — for DORA, for NIS2, for APRA CPS 234, for the SOCI CIRMP attestation. AI agents are entering enterprise stacks at exactly the moment boards are being told to price cyber risk in the same language they price everything else.

If your risk register has a row for "AI agents" today, it almost certainly reads "emerging risk — monitoring." That will not survive the next twelve months.

The uncomfortable truth: AI agents are the newest member of an old and familiar family — the unscannable asset. And every existing CRQ tool on the market was built on the assumption that it can scan the thing it is pricing.


What "unscannable" really means — and why AI agents fit

Cyber risk quantification (CRQ) is not new. FAIR — Factor Analysis of Information Risk — has been the reference methodology for more than a decade. Boards ask "how bad, in dollars, over the next year?" and CRQ answers with Annual Loss Expectancy (ALE) plus confidence intervals.

The problem is not the maths. The problem is the inputs.

Every mainstream CRQ platform derives its inputs from scans: vulnerability scanners, EDR telemetry, cloud posture tools, SIEM feeds. Point the scanner at the asset, watch it emit a signal, translate the signal into a probability, feed the probability into Monte Carlo, get a distribution.

That entire pipeline breaks the moment the asset can't be scanned. And there is a large, well-known family of assets that can't.

THE UNSCANNABLE ASSET FAMILY · NOW WITH A NEW MEMBER Every existing CRQ tool assumes it can scan the asset. AI agents break that assumption. OT / SCADA Active scan crashes the plant. Grids · water · plants KNOWN SINCE 1990s Air‑gapped No network path. No agent option. Defence · Intel · CI KNOWN SINCE 1980s C:\> Legacy / EOL Won't run modern tooling. Health · gov · utilities KNOWN SINCE 2000s Third‑party No admin access. No install rights. Supply chain · SaaS KNOWN SINCE 2010s AI Agents Non‑deterministic. Acts on its own. Every industry, 2026‑ NEW · KNOWN SINCE 2024 The scanner can't reach any of these. The pattern is not new — the fifth member is.

CyQuantiFi has been shipping the two-mode approach — telemetry for the scannable, expert consensus for the unscannable — since 2024. The pattern is familiar. What is new is that AI agents have quietly joined this list, and they are already in your building.

An autonomous or semi-autonomous agent is unscannable for a different reason from the others, but the practical result is identical:

  • Its behaviour is non-deterministic — the same prompt does not always produce the same output.
  • Its attack surface is composite — the model, the tool bindings, the systems it can write to, the humans it displaces.
  • Its risk propagates through actions it takes, not through packets on a wire.
  • No CVE will ever fully describe it.

You cannot point a vulnerability scanner at Claude, or GPT-5, or an internal agent your engineering team wired up in April. You will get back nothing that resembles cyber risk. And yet the agent may hold write access to your CRM, your ledger, your customer-support inbox, your internal Slack, or your production database.

Every existing CRQ tool assumes it can scan. AI agents break that assumption in the same way OT and Defence assets broke it — just faster, and across every industry at once.


The compliance wall is arriving quicker than the market thinks

Regulators are catching up faster than the vendors are.

ISO/IEC 42001

The world's first international management-system standard specifically for AI — now certifiable. Expect it to follow ISO 27001's path from "nice to have" to "required by RFP" through 2026–2027. That is not a five-year runway. That is the current fiscal-year procurement conversation.

APRA

Guidance published on AI risk in regulated financial entities. Direction of travel is clear: quantified, board-attested AI risk oversight will not be optional for banks, insurers or superannuation trustees.

NIST AI RMF

Revised early 2026 — explicitly requires AI risk to be tracked in the same governance rhythm as cyber risk. Same dashboards, same board reports, same dollar figures.

EU AI Act

Negotiated before the current wave of agentic systems. Legal counsel across APAC now advises boards to assume regulators will retroactively expect quantified risk artefacts for autonomous agents.

Boards are about to be asked, in writing, whether they are comfortable with the AI agent risk in their organisation. "We are actively monitoring it" is not an answer. Neither is "our GRC platform tracks it as amber." Both fail the same test: they do not translate into a defendable dollar figure.


What CRQ has to do differently for AI agents

Quantifying AI agent risk is not a new problem. It is the unscannable asset problem, applied to a new category. The methodology CyQuantiFi built for OT, SCADA and Defence assets works here for the same reason it works there: you do not need to instrument the asset to price it. You need calibrated expert input, structured scenario modelling, and Monte Carlo — anchored to real business impact.

The steps are the same. The vocabulary shifts.

Step Traditional asset AI agent equivalent
Inventory CMDB, EDR, cloud tags Who owns which agent? Which model, which tools, which systems can it write to?
Scenario modelling Attack graph, MITRE ATT&CK Prompt injection, data exfiltration, wrong action taken, model drift, tool-chain compromise
Probability CVE / EPSS / scan output Expert elicitation from the operators, calibrated over time
Impact Business impact analysis Same. The dollar consequence of the wrong action does not change because the actor was silicon.
Aggregation Monte Carlo → ALE Same. Distribution, not a single number. Confidence intervals, not a colour.

The two hard bits — inventory and probability — are exactly where AI agents cause the most quiet damage. If IT does not know the agent exists, IT cannot price it. If nobody has been asked to give a calibrated probability for a prompt-injection attack succeeding against the ledger-writing agent Finance stood up last month, the risk sits at zero on the register.

Silent zeros are the most expensive numbers in a cyber risk portfolio.


Five steps to quantify an AI agent your organisation already deployed

You do not need a full CRQ platform to start. You do need discipline.

FIVE STEPS · FROM AI AGENT DEPLOYMENT TO A DOLLAR FIGURE You cannot scan the agent. You can still price the risk it carries. 1 INVENTORY the agents you have Model, tools available, systems it can write to, humans it displaces. If IT doesn't own it, Finance or Marketing does. 2 SCENARIO what could go wrong Prompt injection. Data exfiltration. Wrong action taken. Model drift. Draw the attack graph including the agent as a node. 3 ELICIT expert probability Get calibrated estimates from the people closest to the agent. The scanner can't see it, but the operator can. 4 SIMULATE Monte Carlo, FAIR Run the numbers many times. Get a distribution, not a single guess. P50, P95, tail. Not a colour on a heatmap. 5 $ ALE to the board $ Annual Loss Expectancy Defendable to the regulator.
1

Inventory the agents

Not just the ones IT deployed. Ask Finance, Marketing, HR, Customer Support and Engineering. In our experience, the first honest inventory is 3–5× larger than the last one anybody drew.

2

Draw the scenario

For each agent, name the two or three worst outcomes if it were compromised or if it acted incorrectly. Wrong money paid. Wrong customer contacted. Wrong data disclosed. Wrong record updated. Attach a dollar range to each outcome using the same business-impact analysis you use for a ransomware scenario.

3

Elicit probabilities from the operator, not the scanner

The person closest to the agent — usually the engineer who wired it up, or the operations manager who uses it every day — has better calibration than any external tool. Ask them for a range, not a point. Track their accuracy over time.

4

Run the maths, honestly

Monte Carlo over the ranges. Present the P50, the P95, and the tail. Do not present a single number and do not present a colour.

5

Show the board the same view you show for scannable assets

Same ALE. Same confidence intervals. Same currency. The whole point of quantification is that it produces one language for every risk on the register — and the board should not be asked to switch languages when the conversation turns to AI.

If your risk platform cannot do these five steps for AI agents today, it is not an AI problem. It is a tooling problem.


The bottom line

The 92% number from Darktrace is not the story. The story is that ninety-two out of a hundred security leaders are worried, and fewer than a handful of boards can defend a dollar figure that represents that worry.

That gap is not going to close by itself. It will close either because (a) organisations do the work now, or (b) regulators, insurers and shareholders do the work for them — retrospectively, punitively, and expensively.

AI agents are the newest unscannable asset. The tooling for pricing them is the same tooling that already exists for OT, Defence, legacy and third-party assets. What is required is not new mathematics. What is required is the discipline to inventory the agents you already deployed, name the scenarios that keep the operators awake, and translate the answers into dollars.

Boards will not accept another year of "emerging risk — monitoring." The next attestation cycle is real. The dollar figure is either yours to author, or someone else's to impose.

We would rather it was yours.

SK
Sam Keogh
Founder & CEO, CyQuantiFi. 9 years at the Australian Department of Defence building risk quantification frameworks for classified systems. Founders Institute Sydney 2026.

Related reading

Share this post