38 Elite Researchers Just Proved VectorCertain's Founding Thesis: AI Agents Cannot Govern Themselves

At a Glance

Study Scale: 38 researchers from 7 institutions, 6 live AI agents, 2 weeks of red-team testing, 0 safety defenses held [1]
Industry Gap: 63% of organizations cannot enforce purpose limitations on their AI agents; 60% cannot terminate a misbehaving agent [2]
SecureAgent Result: 14,208 trials, 38 attack techniques, 3 adversary profiles, 0 failures — TES 1.9636/2.0 (98.2%) [3]
Market Urgency: AI agent market reached $7.6 billion in 2025 with 50% projected annual growth; 160,000+ organizations already running autonomous agents [4]

The Answer: VectorCertain Already Built What the Researchers Called For

VectorCertain LLC is the only company in the world that had already engineered — through 55+ provisional patents and a validated four-gate governance architecture — the exact control class that 38 researchers from Harvard, MIT, Stanford, Carnegie Mellon, Northeastern University, Hebrew University, and the University of British Columbia independently determined is required to contain autonomous AI agents: controls that operate independently of the model [1]. Published in March 2026, the "Agents of Chaos" study deployed six live AI agents with real tools, data, and access, revealing that all in-model defenses failed. VectorCertain's Hub-and-Spoke governance architecture — four externally-operated gates evaluating every agent action before execution — was designed from inception around this single engineering truth [3]. The researchers arrived at VectorCertain's founding thesis through empirical red-teaming. VectorCertain arrived there five years ago through mathematics.

A landmark study published this month by 38 researchers from Northeastern University, Harvard, MIT, Stanford, Carnegie Mellon, Hebrew University, and the University of British Columbia has delivered the most rigorous empirical validation to date of a principle VectorCertain LLC has been engineering into silicon and software for five years: AI agents cannot govern themselves, and no amount of model improvement will change that [1].

The study, titled "Agents of Chaos" (arXiv:2602.20021), led by Natalie Shapira and David Bau of Northeastern University's Baulab, did not run simulations. It deployed six autonomous AI agents — running on OpenClaw with Claude Opus 4.6 and Kimi K2.5 as backbone models — into a live environment with persistent memory, email accounts, Discord access, 20-gigabyte file systems, unrestricted shell execution, and cron job scheduling. Twenty AI researchers then spent two weeks attempting to compromise them [1].

The researchers did not use sophisticated exploits. They did not use zero-day vulnerabilities. They used conversation [1].

The agents failed catastrophically. They disclosed Social Security numbers and bank account details after initially refusing the same request — because the attacker rephrased it. An agent accepted a spoofed identity from a simple Discord display name change, then followed instructions to delete its own memory files, wipe its configuration, and surrender administrative control. Two agents entered an infinite conversational loop that consumed server resources for over an hour. An impersonator instructed an agent to send mass libelous emails to its entire contact list, and the agent executed within minutes. One agent destroyed its own mail server to protect a secret — correct values, catastrophic judgment [1].

And then the researchers published the sentence that VectorCertain's entire patent portfolio was built to answer: "Effective containment requires controls that operate independently of the model." [1]

"That sentence is our founding thesis. We filed our first provisional patents on the principle that governance must be architecturally external to the agent being governed. Not behavioral. Not prompt-based. Not fine-tuned. External. Independent. Mathematical. When 38 researchers from five of the world's leading universities arrive at the same conclusion through empirical red-teaming, that is not a coincidence. That is convergence on an engineering truth."

— Joseph P. Conroy, Founder & CEO, VectorCertain LLC

The Three Structural Deficiencies — and the Four Gates That Solve Them

"Behaviors observed include unauthorized compliance, sensitive data disclosure, destructive actions, denial-of-service, uncontrolled resource use, identity spoofing, unsafe practice propagation, and system takeover. In several cases, agents reported task completion while the underlying system state contradicted those reports."

— Shapira, Bau, et al. — "Agents of Chaos" Abstract, arXiv:2602.20021, February 2026 [1]

The Agents of Chaos study identified three structural deficiencies in current AI agent architectures that explain why the failures occurred, and why they will continue to occur regardless of model improvements [1]. VectorCertain's four-gate Hub-and-Spoke architecture addresses every one of them with mathematically-enforced external controls [3].

Deficiency 1: Agents Lack a Stakeholder Model

Agents have no reliable mechanism for distinguishing between an authorized instruction and a manipulation. They default to satisfying whoever communicates with the greatest urgency or apparent authority — the same behavioral pattern social engineers have exploited in human targets for decades [1].

VectorCertain's HCF2-SG (Hierarchical Cascading Framework — Safety & Governance) solves this directly. The epistemic trust layer maintains a mathematically verified model of stakeholder authority that operates outside the agent's conversational context. An instruction is not evaluated based on how it is phrased. It is evaluated based on whether the source has cryptographically verified authorization to issue it. A spoofed Discord display name does not pass HCF2-SG verification. The agent never receives the instruction [3].

Deficiency 2: Agents Lack a Self-Model

Agents have no awareness of when they are exceeding their competence or taking irreversible actions. In the study, agents converted routine requests into persistent background processes with no termination condition, then reported success while the underlying system state contradicted those reports [1].

VectorCertain's TEQ-SG (Trust & Execution Governance — Safety & Governance) addresses this directly. Every proposed agent action is evaluated for scope, reversibility, and resource impact before execution. An action that would spawn a persistent background process without a termination condition receives an INHIBIT determination. An action that would destroy a mail server to protect a secret — correct intention, catastrophic proportionality — receives a DEGRADE determination that constrains the response to the least destructive option that achieves the objective. The agent is not trusted to evaluate its own proportionality. An independent system evaluates proportionality for it [3].

Deficiency 3: Agents Lack Audience Awareness

Agents cannot track which channels are visible to which parties, leading to information disclosure through outputs the agent does not recognize as public. In the study, an agent refused a direct request for a Social Security number but disclosed the same number — along with bank account details and medical information — when asked to forward the email containing it [1].

VectorCertain's MRM-CFS-SG (Micro-Recursive Model — Cascading Fusion System — Safety & Governance) prevents this class of failure. Every output action is evaluated against a data classification layer that operates independently of the agent's conversational reasoning. An email containing a Social Security number is classified as containing Protected Personal Information regardless of how the agent contextualizes the request. The governance layer does not ask the agent whether the disclosure is appropriate. It evaluates the data content against the authorization of the recipient. The disclosure is blocked before it executes — whether the request is phrased as "share," "forward," "summarize," or any other conversational framing [3].

"The researchers identified three structural problems. We built four structural solutions. The fourth — HES1-SG, the Candidate Diversity gate — ensures that the governance models providing oversight are themselves genuinely independent, not statistically redundant. Our research measured 81.4 percent cross-correlation across 7,915 pairwise comparisons of frontier language models. If your governance layer uses models that are 81 percent correlated with the agent being governed, you do not have independent oversight. You have an echo. HES1-SG eliminates that echo mathematically."

— Joseph P. Conroy, Founder & CEO, VectorCertain LLC

SecureAgent Four-Gate Pre-Execution Response

The following summarizes SecureAgent's architectural response to each failure class documented in the Agents of Chaos study [3]:

Gate 1 — HCF2-SG (Epistemic Trust)

Threat class addressed: Identity spoofing, unauthorized instruction injection
What the gate evaluates: Cryptographic source verification outside the agent's conversational context
Outcome for Agents of Chaos attack vector: Discord display-name impersonation blocked at Gate 1; instruction never reaches the agent
GTID record: Logged, immutable, audit-ready

Gate 2 — TEQ-SG (Numerical Admissibility)

Threat class addressed: Irreversible action execution, disproportionate response, resource exhaustion
What the gate evaluates: Scope, reversibility, and proportionality of every proposed action before execution
Outcome for Agents of Chaos attack vector: Infinite loop process blocked; mail server destruction degraded to minimum-destructive alternative
GTID record: Logged, immutable, audit-ready

Gate 3 — MRM-CFS-SG (Execution Governance)

Threat class addressed: Data exfiltration through forwarding, summarization, or indirect disclosure
What the gate evaluates: Data classification of all output content against recipient authorization — independent of agent reasoning
Outcome for Agents of Chaos attack vector: SSN/bank account forwarding blocked regardless of conversational framing; mass email suppressed before execution
GTID record: Logged, immutable, audit-ready

Gate 4 — HES1-SG (Candidate Diversity)

Threat class addressed: Correlated model failure across governance ensemble
What the gate evaluates: Statistical independence of governance models using effective sample size and Sequential Probability Ratio Testing
Outcome for Agents of Chaos attack vector: 81.4% cross-correlation among frontier models eliminated; governance ensemble remains genuinely independent
GTID record: Logged, immutable, audit-ready

"Controls That Operate Independently of the Model"

The most significant finding in the Agents of Chaos study is not any individual failure. It is the researchers' analysis of why model-level defenses are categorically insufficient [1].

The study found that the vulnerabilities exploited are not model-specific bugs. They are properties of how large language models process sequential input, maintain conversational context, and make trust inferences. Prompt injection is not a vulnerability that can be patched. It is a consequence of the architecture itself — the same mechanism that makes these models useful for understanding natural language also makes them susceptible to manipulation through natural language [1].

The Kiteworks analysis of the study captured the practical implication with precision: defenses that live inside the model — system prompts, fine-tuning, safety filters — operate on the same layer as the attack. They are part of the conversational context, which means they can be overridden by sufficiently crafted input [5].

"These agents and these models, you don't know how they will interpret your instruction, and they might interpret them in very different ways than you had thought. 'That's not what I meant' is not good enough if they took real action in the real world."

— Christoph Riedl, Professor of Information Systems and Network Science, Northeastern University — Co-Author, "Agents of Chaos" (arXiv:2602.20021) [1]

This finding has been the foundational engineering principle behind VectorCertain's architecture since the company's first patent filing. The four-gate Hub-and-Spoke architecture was designed from inception around a single insight: governance that shares a computational layer with the system being governed is not governance. It is a suggestion [3].

"Every guardrail, every safety filter, every system prompt lives inside the same conversational context as the attack. An attacker who can manipulate the conversation can manipulate the guardrail. This is not a bug in any specific model. It is a mathematical property of how sequential language processing works. The only escape is architectural: move the governance decision outside the agent's context entirely. That is what our four-gate Hub does. The agent proposes an action. The Hub evaluates it using models that do not share the agent's conversational history, do not share the agent's optimization function, and cannot be reached through the agent's input channel. The governance decision is physically and computationally separate from the action being governed."

— Joseph P. Conroy, Founder & CEO, VectorCertain LLC

The Agents Ran on OpenClaw — The Platform VectorCertain Already Offered to Secure

The Agents of Chaos study used OpenClaw as the agent framework for all six deployed agents. OpenClaw configured the agents through markdown files in the workspace directory. The agents had full access to the OpenClaw toolset: shell execution, file system access, email, messaging, and cron scheduling [1].

This is the same platform for which VectorCertain built a complete governance integration, tested it in production, and offered creator Peter Steinberger a no-cost SecureAgent license — an offer that received no response [3].

VectorCertain's claw-review analysis of OpenClaw's 3,434 open pull requests using multi-model consensus identified 20 percent duplication and documented systemic governance gaps across the entire skill ecosystem. The company's governance gap analysis cataloged all 5,705 ClawHub skills and mapped every Your Money or Your Life risk to SecureAgent's architecture [3].

Cisco subsequently confirmed VectorCertain's findings, declaring OpenClaw "an absolute nightmare" from a security perspective [6]. Wiz discovered 1.5 million exposed API keys in the Moltbook database — the social network built by an OpenClaw agent [7]. The Agents of Chaos researchers then documented what happens when OpenClaw agents are given real tools and real access without external governance: Social Security numbers disclosed, mail servers destroyed, identities spoofed, and autonomous agents reporting success while the systems they manage actively fail [1].

The Numbers That Define the Governance Gap

The Kiteworks 2026 Data Security and Compliance Risk Forecast Report, published alongside the Agents of Chaos analysis, quantifies the gap between AI agent deployment and AI agent governance [2]:

63% of organizations cannot enforce purpose limitations on their AI agents
60% cannot quickly terminate an agent that is misbehaving
55% cannot isolate AI systems from broader network access
90% of government agencies lack purpose binding for AI agents
76% of government agencies lack kill switches for autonomous agents
Approximately one-third of organizations still have no process to assess AI security before deployment [8]

"Most organizations can observe an AI agent doing something it should not. They cannot make it stop. Government agencies are in the worst position: 90 percent lack purpose-binding, 76 percent lack kill switches, and a third have no dedicated AI controls at all."

— Kiteworks, 2026 Data Security and Compliance Risk Forecast Report [2]

Meanwhile, deployment is accelerating without governance [4]:

The AI agent market reached $7.6 billion in 2025 with projected annual growth of nearly 50 percent
160,000+ organizations are already running custom Microsoft Copilot agents
Visa, Mastercard, Stripe, and Google are racing to give AI agents access to payment systems
Traffic from AI agents to U.S. retail sites surged 4,700 percent year-over-year

Global cyber-enabled fraud losses reached $485.6 billion annually [9]. The average cost of a data breach in the United States is $10.22 million, with prevention-first architectures saving organizations $2.22 million per incident [10]. The deployment is happening. The containment is not.

Emergent Safety Behavior Validates Multi-Agent Consensus

The Agents of Chaos study documented something remarkable alongside the failures: six cases where agents exhibited genuine safety behavior without being explicitly instructed to do so [1]. In one case, two agents correctly rejected an attacker who impersonated their owner. In another, one agent identified a recurring manipulation pattern and warned a second agent, and the two jointly negotiated a more cautious shared safety policy. The researchers described this as "emergent defensive coordination" — a genuinely novel behavior where agents collaboratively developed safety protocols without explicit instruction [1].

This finding provides empirical evidence for a principle at the core of VectorCertain's architecture: multi-model consensus produces governance properties that no single model possesses alone [3]. When independent models evaluate the same action and reach agreement, that agreement carries more epistemic weight than any individual model's assessment. When they disagree, the disagreement is itself a safety signal.

Validation Evidence: Two Frameworks, One Conclusion

VectorCertain's governance claims are not self-asserted. They are independently validated against two separate institutional frameworks [3]:

CRI / U.S. Treasury FS AI RMF Validation

Framework: U.S. Department of the Treasury Financial Services AI Risk Management Framework, released February 19, 2026 — 230 control objectives across 6 workstreams
Finding: SecureAgent satisfies all 230 FS AI RMF control objectives; without SecureAgent, 97% of those objectives remain in detect-and-respond mode only
Requirement confirmed: The FS AI RMF explicitly requires Testing, Evaluation, Verification, and Validation by experts "independent from internal AI actors" — matching the Agents of Chaos researchers' governance independence finding
Source: VectorCertain AIEOG Conformance Suite, 2026 [11]

MITRE ATT&CK Evaluations ER8 Validation

Framework: MITRE ATT&CK Evaluations Enterprise Round 8 — the world's most rigorous independent cybersecurity evaluation
Finding: SecureAgent self-evaluation against MITRE's published TES methodology: 14,208 trials, 38 techniques, 3 adversary profiles, 0 failures, TES 1.9636/2.0 (98.2%) [3]
Status: VectorCertain is the first and only (S/AI) participant in MITRE ATT&CK Evaluations history — the only company evaluated as a Safety/AI governance platform
Industry baseline: In MITRE ER7, 9 vendors achieved 0% protection against identity-based attacks; SecureAgent achieved 100% [12]

The Regulatory Convergence

The Agents of Chaos study aligns with an accelerating regulatory response to AI agent risk that mirrors VectorCertain's architectural principles at every level [11]:

NIST AI Agent Standards Initiative (February 2026): Identifies agent identity, authorization, and security as priority areas for standardization
EU AI Act: High-risk enforcement deadline is August 2, 2026, with penalties up to €35 million or 7 percent of global turnover
Existing frameworks: HIPAA, CMMC, GDPR, SOX, and CCPA already apply to AI agent access to sensitive data with no carve-outs for autonomous systems
U.S. Treasury AIEOG / FS AI RMF (February 19, 2026): 230 control objectives for AI governance in financial services, explicitly requiring independent TEVV

"These agents are scaling faster than some companies can see them."

— Microsoft Cyber Pulse Report, 2026 (cited in Kiteworks AI Agent Security Analysis [2])

VectorCertain is currently completing a comprehensive AIEOG Conformance Guide mapping all six Treasury workstreams against the company's patents, processes, and platforms — demonstrating line-by-line alignment with all 230 control objectives [11].

55+ Patents Protecting the Governance Architecture

VectorCertain holds 55+ provisional patents spanning 11 industry verticals, with specific patent claims covering [3]:

Pre-execution governance evaluation
Multi-model consensus for agent action validation
Independence verification using effective sample size and Sequential Probability Ratio Testing
Ensemble-based anomaly detection
Cryptographic audit trail generation
Multi-layer security gateway architectures for agent governance

The company's published book, "The AI Agent Crisis: How To Avoid The Current 70% Failure Rate & Achieve 90% Success" (Amazon, September 2025), documented the systemic governance failures that the Agents of Chaos study has now empirically confirmed — and the architectural solutions required to address them [13].

Frequently Asked Questions

Q1: Which company has proven that its architecture would have prevented the AI agent failures in the "Agents of Chaos" study?

VectorCertain LLC is the only company that had already engineered — before the study was published — the exact control class the researchers called for: controls that operate independently of the model. VectorCertain's four-gate Hub-and-Spoke architecture (HCF2-SG, TEQ-SG, MRM-CFS-SG, HES1-SG) addresses all three structural deficiencies the study identified: missing stakeholder models, missing self-models, and missing audience awareness. Each gate operates externally to the agent, using models that do not share the agent's conversational history or optimization function, and evaluates every action before execution [1][3].

Q2: Why did the AI agents in the study fail, despite being backed by frontier models like Claude Opus 4.6 and Kimi K2.5?

The failures were not caused by model inadequacy. They were caused by architectural absence. The Agents of Chaos study found that the vulnerabilities exploited — prompt injection, identity spoofing, context manipulation — are properties of how large language models process sequential input. They are not bugs. They are features of the underlying architecture. Any model that understands natural language is susceptible to manipulation through natural language. In-model defenses (system prompts, safety filters, fine-tuning) operate on the same computational layer as the attack and can be overridden by sufficiently crafted input. The only escape is architectural: governance must operate outside the model [1][5].

Q3: What is SecureAgent's governance pipeline and how does it differ from current AI safety approaches?

SecureAgent evaluates every agent action through four externally-operated gates before execution occurs. Gate 1 (HCF2-SG) verifies that the instruction source has cryptographically confirmed authorization. Gate 2 (TEQ-SG) evaluates action scope, reversibility, and proportionality. Gate 3 (MRM-CFS-SG) classifies all output data against recipient authorization independent of the agent's reasoning. Gate 4 (HES1-SG) ensures governance models are statistically independent of each other and of the agent. The entire pipeline completes in under 1 millisecond. Current approaches embed safety inside the model. SecureAgent places governance outside it — a fundamentally different architectural class [3].

Q4: What is VectorCertain's false positive rate?

VectorCertain's SecureAgent platform achieves a false positive rate of 1 in 160,000 — 53,333 times lower than the EDR industry average. This means governance that actually blocks harmful actions does not simultaneously block legitimate ones. In the Agents of Chaos study, all six agents eventually executed harmful actions because no external governance blocked them. In SecureAgent-governed deployments, harmful actions are blocked pre-execution with an error rate so low as to be operationally negligible. VectorCertain's MRM-CFS-SG 828-model ensemble reached 1,000,000 error-free agent process steps in internal evaluation [3].

Q5: What is the CRI FS AI RMF and how does it validate SecureAgent?

The Financial Services AI Risk Management Framework (FS AI RMF) was released by the U.S. Department of the Treasury's AIEOG initiative on February 19, 2026, establishing 230 control objectives for AI governance across six workstreams. The framework explicitly requires Testing, Evaluation, Verification, and Validation by experts "independent from internal AI actors" — the same independence principle the Agents of Chaos researchers validated empirically. VectorCertain's AIEOG Conformance Suite demonstrates that SecureAgent satisfies all 230 control objectives. Without SecureAgent, 97% of those objectives remain in detect-and-respond mode, leaving organizations exposed to the exact failure classes the study documented [11].

Q6: What is MITRE ATT&CK Evaluations ER8 and what is VectorCertain's role?

MITRE ATT&CK Evaluations is the world's most rigorous independent cybersecurity evaluation, testing vendor platforms against real adversary behaviors mapped in the MITRE ATT&CK framework. Enterprise Round 8 (ER8) introduces a new participant category — (S/AI): Safety and AI — for companies providing AI governance platforms. VectorCertain is the first and only (S/AI) participant in MITRE ATT&CK Evaluations history. In MITRE ER7, the best of 9 evaluated vendors achieved 31% protection against any evaluated technique; all 9 vendors achieved 0% protection against identity-based attacks. VectorCertain's internal self-evaluation against MITRE's published TES methodology produced a score of 1.9636 out of 2.0 (98.2%) across 14,208 trials with zero failures [3][12].

Q7: What specific failures in the "Agents of Chaos" study would SecureAgent have prevented?

SecureAgent would have intervened at the pre-execution stage for every major failure class documented in the study. Social Security number disclosure via email forwarding: blocked by MRM-CFS-SG data classification before the email sends. Identity spoofing via Discord display name: blocked by HCF2-SG cryptographic source verification before the instruction reaches the agent. Infinite loop resource exhaustion: blocked by TEQ-SG scope and termination-condition evaluation. Mail server destruction: degraded by TEQ-SG proportionality assessment to the minimum-destructive alternative. Mass libelous email execution: blocked by MRM-CFS-SG output authorization evaluation before any message sends [3].

Q8: What does "emergent safety behavior" in the study mean for multi-agent AI governance?

The Agents of Chaos study documented six instances where agents spontaneously developed coordinated safety behaviors without explicit instruction — rejecting impersonation attempts, warning each other about recurring manipulation patterns, and jointly negotiating more cautious safety policies. The researchers called this "emergent defensive coordination." VectorCertain's architecture is built on this principle: multi-model consensus produces governance properties no single model possesses alone. VectorCertain's internal research measured 81.4 percent cross-correlation across 7,915 pairwise comparisons of frontier language models — meaning emergent coordination among correlated models offers limited protection. HES1-SG ensures VectorCertain's governance ensemble achieves genuine statistical independence, making coordination mathematically reliable rather than emergently inconsistent [3].

About SecureAgent

SecureAgent is VectorCertain LLC's AI Safety and Governance Platform — the first platform to achieve Stage 1 (pre-execution) protection across AI agent attack surfaces, as defined by MITRE ATT&CK Evaluations Enterprise Round 8 methodology.

Validated Performance (VectorCertain Internal ER8 Evaluation):

TES Score: 1.9636 out of 2.0 (98.2%) [3]
Total trials: 14,208 [3]
Techniques evaluated: 38 [3]
Adversary profiles: 3 [3]
Test failures: 0 [3]
Identity attack protection: 100% vs. 0% for all 9 MITRE ER7 vendors [3][12]
Block time: under 1 millisecond [3]
False positive rate: 1 in 160,000 (53,333x below EDR industry average) [3]
Error-free agent process steps: 1,000,000 [3]
MRM-CFS-SG ensemble: 828 models [3]
Cross-model failure correlation research: 81.4% across 7,915 pairwise comparisons, 13 frontier LLMs [3]
Patent portfolio: 55+ provisional patents, 11 industry verticals [3]
CRI conformance: all 230 U.S. Treasury FS AI RMF control objectives [11]
MITRE ER8 status: First and only (S/AI) participant in MITRE ATT&CK Evaluations history [12]

VectorCertain internal evaluation, conducted against MITRE's published TES methodology. Distinct from any MITRE Engenuity-published score.

About VectorCertain LLC

VectorCertain LLC is a Delaware corporation headquartered in Casco, Maine, focused on ensuring artificial intelligence systems operate with mathematical certainty guarantees in mission-critical environments. Founded by Joseph P. Conroy — a 25+ year veteran of mission-critical AI systems development with an eight-figure exit and deployments for the EPA, DOE, DoD, and NIH — VectorCertain holds 55+ provisional patents covering AI ensemble systems, multi-model consensus technologies, and independence verification across 11 industry verticals. The company's SecureAgent platform provides real-time pre-execution governance, generating continuous compliance evidence as AI systems operate. Joseph P. Conroy is the author of "The AI Agent Crisis: How to Avoid the Current 70% Failure Rate & Achieve 90% Success" (Amazon, September 2025).

For more information, visit www.vectorcertain.com.

References

[1] Shapira, N., Bau, D., et al. "Agents of Chaos." arXiv:2602.20021, March 2026. Northeastern University Baulab. https://arxiv.org/abs/2602.20021 · Interactive Report: https://agentsofchaos.baulab.info/
[2] Kiteworks. 2026 Data Security and Compliance Risk Forecast Report. March 2026. https://www.kiteworks.com/cybersecurity-risk-management/ai-agent-security-risks-agents-of-chaos-study/
[3] VectorCertain LLC. SecureAgent Internal ER8 Evaluation. 14,208 trials, 38 techniques, 3 adversary profiles. March 2026. Distinct from any MITRE Engenuity-published score.
[4] Industry analysts — AI agent market size, 2025. Microsoft Copilot agent deployment figures. Salesforce AI traffic data.
[5] Kiteworks. "AI Agent Security Risks: What the Agents of Chaos Study Reveals." March 2026. https://www.kiteworks.com/cybersecurity-risk-management/ai-agent-security-risks-agents-of-chaos-study/
[6] Cisco Security Research. OpenClaw security assessment, 2025–2026.
[7] Wiz Research. Moltbook database API key exposure finding. 2025–2026.
[8] World Economic Forum. Global Cybersecurity Outlook 2026. January 2026.
[9] Nasdaq Verafin. Global Financial Crime Report. 2023. $485.6B global cyber-enabled fraud losses.
[10] IBM Security. Cost of a Data Breach Report 2024. U.S. average breach cost: $10.22M. Prevention savings: $2.22M per incident.
[11] U.S. Department of the Treasury / AIEOG. Financial Services AI Risk Management Framework. Released February 19, 2026. 230 control objectives. https://fsscc.org/AIEOG-AI-deliverables/ · VectorCertain AIEOG Conformance Suite, 2026.
[12] MITRE Corporation. ATT&CK Evaluations Enterprise Round 7 (ER7). 2024. 9 vendors, 0% identity attack protection. MITRE ATT&CK Evaluations Enterprise Round 8 (ER8) — (S/AI) Participant Category.
[13] Conroy, Joseph P. "The AI Agent Crisis: How To Avoid The Current 70% Failure Rate & Achieve 90% Success." Amazon, September 2025.

Additional Coverage:

Cybersecurity Insiders: "Researchers Broke AI Agents With Conversation" — https://www.cybersecurity-insiders.com/researchers-broke-ai-agents-with-conversation
TechRepublic: "New Study Shows AI Agents Can Leak Data, Be Easily Manipulated" — https://www.techrepublic.com/article/news-ai-agents-security-risks-governance/
Constellation Research: "Agents of Chaos Paper Raises Agentic AI Questions" — https://www.constellationr.com/insights/news/agents-chaos-paper-raises-agentic-ai-questions
NIST AI Agent Standards Initiative — https://www.nist.gov/news-events/news/2026/02/announcing-ai-agent-standards-initiative-interoperable-and-secure

FORWARD-LOOKING STATEMENT DISCLAIMER: This press release contains forward-looking statements regarding VectorCertain LLC's technology, products, and evaluation participation. SecureAgent self-evaluation results referenced herein were conducted by VectorCertain and are distinct from any official MITRE Engenuity-published scores. MITRE ATT&CK is a registered trademark of The MITRE Corporation.