MICKAI
Article · 29 May 2026

An Agent You Cannot Hold to Account Is an Agent You Do Not Control

In 2026 agentic AI became the defining security crisis. One survey found 88% of organisations running AI agents had a confirmed or suspected incident in the past year, and a single operator used frontier models to breach nine Mexican government agencies and exfiltrate more than 195 million records. The common failure is not capability. It is accountability. On a Sovereign Intelligence Operating System, every agent action is individually signed, so a rogue or hijacked action is attributable and replayable.

Author: Micky Irons
Published: 29 May 2026
Tags: agentic-ai, ai-security, accountability, open-audit-record, sentinel

The year the agents turned

The numbers from 2026 do not read like teething trouble. Beam's review of the year's breaches (https://beam.ai/agentic-insights/ai-agent-security-breaches-2026-lessons) records that 88% of organisations running AI agents experienced a confirmed or suspected security incident in the preceding year, that only 6% of security budgets were allocated to agent security, that a mere 14.4% of deployed agents had full security and IT approval, and that autonomous agents now account for roughly one in eight reported AI breaches. The defining incident in the same review is stark. Between December 2025 and February 2026, a single operator drove frontier models, including coding agents, through nine Mexican government bodies, among them the federal tax authority and the civil registry, exfiltrating more than 195 million taxpayer records and over 150 GB of data by exploiting twenty known, unpatched vulnerabilities. By the account given, the agent executed thousands of commands across dozens of sessions, doing in hours what a human team would have laboured over for weeks.

Bessemer's analysis frames the structural shift behind the statistics. As its essay on securing AI agents (https://www.bvp.com/atlas/securing-ai-agents-the-defining-cybersecurity-challenge-of-2026) puts it, the core risk "isn't vulnerability, it's unbounded capability," because an AI agent is "an autonomous, high-privilege actor that can reason, act, and chain workflows across systems." It quotes Ada's Mike Gozzo: "Securing an actor is a fundamentally different problem than securing a tool, and most of the industry hasn't caught up to that yet." That sentence is the whole diagnosis. We learned to secure tools. Agents are not tools. They are actors.

Capability was never the missing piece

Read the breach reports closely and a pattern emerges that should unsettle anyone selling agents on raw capability. The Mexican-agencies intrusion did not succeed because the models were too weak. It succeeded because they were strong, autonomous, and pointed at unpatched systems with no segmentation and no anomaly detection on bulk exports. The agent was a force multiplier, amplifying whatever access it was handed. The capability worked exactly as advertised. The control did not exist.

This is the inversion the industry has been slow to absorb. For a conventional tool, the question is whether it can be made to do something wrong. For an actor, the question is whether you can hold it to account for what it did. A tool that misbehaves is a bug. An actor that misbehaves is a suspect, and a suspect you cannot identify, whose actions you cannot attribute, whose sequence of decisions you cannot replay, is an actor outside your control no matter how impressive its capabilities. The non-deterministic character of agent behaviour, noted across both analyses, makes this worse: when an agent can take actions no one explicitly instructed, the absence of per-action accountability is not an inconvenience after a breach. It is the reason the breach is unaccountable.

So the right question to ask of any agent deployment is not how much it can do. It is the one that decides whether you are in control: after the fact, can you prove which action was taken, by which agent, on whose authority, and can you replay the sequence that led there? If the answer is no, capability is beside the point. You have deployed an actor you cannot hold to account, which is another way of saying an actor you do not control.

Figure: Arbiter, the orchestration brain in the Mickai cooperative. Arbiter's deterministic conductor routes every request against the operator's clearance and policy graph, and that determinism is what lets the sequence an agent took be replayed after the fact.

Accountability has to be a property of each action

The instinct, once breaches mount, is to reach for more perimeter: tighter network controls, stricter credentials, heavier monitoring around the agent. All of it helps, and the breach reports show how much damage the absence of it caused. But perimeter is accountability for the boundary, not for the act. It can tell you something crossed a line. It struggles to tell you, with cryptographic certainty, that this specific action was taken by this specific agent under this specific authority at this specific moment, in a form a third party can verify.

Accountability that survives a breach has to attach to the action itself, not to the wrapper around it. Each thing an agent does needs to be individually attributable and independently replayable. That is a property of the substrate the agent runs on, and it has to be there before the incident, because it cannot be retrofitted onto a log after the fact.

What a signed action changes

Mickai is the British Sovereign Intelligence Operating System, and it treats agent accountability as a structural property rather than a monitoring feature. It runs its agent capabilities entirely on the operator's own hardware. Every action an agent takes is signed at the moment of commit under the operator's own post-quantum key, FIPS 204 ML-DSA-65, held in operator-controlled silicon, and written into the Open Audit Record, a hash-linked chain verifiable offline by anyone the operator chooses to show it to. Before any action proceeds, Sentinel evaluates it against the operator's policy, so authority is checked at the moment of action rather than assumed from the session.

Figure: Policy, the governance brain in the Mickai cooperative. Policy compiles, signs, and enforces the operator's governance contract before any action commits, so a hijacked or rogue agent still has to pass policy at the moment of every action.

Apply that to the failure modes the 2026 reports describe. A hijacked agent, turned against the operator by an intruder, still has to pass policy for each action and still signs each action into the record. The intrusion does not become invisible. It becomes a sequence of signed events the operator can replay and attribute precisely. A rogue or malfunctioning agent that begins doing things no one intended produces, with each step, a signed entry naming the action and the authority it ran under. The non-determinism that makes agent misbehaviour hard to reason about is met with per-action evidence that does not depend on predicting the agent in advance. And bulk exfiltration of the kind that drained those Mexican databases is not a silent flow but a series of actions, each gated by policy and each entered into the record, where the operator decides whether they happen and can later prove exactly what did.

The restraint worth stating plainly

Signing every action does not stop an agent from being attacked, and it would be dishonest to suggest a sovereign substrate makes agents safe to point at unpatched systems. The Mexican breach turned on neglected basics: unpatched vulnerabilities, no segmentation, no anomaly detection. No audit format substitutes for those. What per-action signing changes is the thing the 2026 breaches exposed most painfully: the gap between something happening and anyone being able to prove what, by whom, and under what authority. It converts an agent's conduct from an opaque stream of autonomous behaviour into a record of attributable, replayable, individually authorised acts.

The lesson the year keeps repeating is not that agents are too capable. It is that capability without accountability is control surrendered. An actor you cannot hold to account is an actor you do not control, however much it can do. A Sovereign Intelligence Operating System answers that by making every action an agent takes individually signed, attributable, and replayable, so that when something goes wrong, and the year's statistics suggest it will, the operator holds proof rather than questions.

Sources and references

  • Bessemer Venture Partners, "Securing AI Agents: The Defining Cybersecurity Challenge of 2026," https://www.bvp.com/atlas/securing-ai-agents-the-defining-cybersecurity-challenge-of-2026
  • Beam, "AI Agent Security Breaches 2026: Lessons," https://beam.ai/agentic-insights/ai-agent-security-breaches-2026-lessons
  • FIPS 204 (ML-DSA), NIST post-quantum digital signature standard.
  • Mickai Open Audit Record, Sentinel policy governance, and trust domain externalisation, mickai.co.uk/patents
Originally published at https://mickai.co.uk/articles/agent-you-cannot-hold-to-account. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.