The high-value material now moves outward at the user’s own initiative — and increasingly at the agent’s own discretion. The same trace can be read from either end of the wire.
Generative-AI agents turn the working trace of a task — one of the most context-rich records an organization produces — into something that can become a transmitted operational record. This does not require a breach; it is delegated disclosure, and it happens by design.
Each failure is the absence of independent, verifiable evidence — attestation — for something the system simply asks you to assume.
An agent executes because a task is framed as ordinary work. In the first reported AI-orchestrated intrusion, that framing became autonomous action at machine scale.
A finance worker joined a video call with a deepfake “CFO” and colleagues and authorized 15 transfers totalling $25.6M in a single day — no internal systems reported compromised.
Routing, retention and deletion are taken on faith, not on proof. Where operator identity is weak and deletion cannot be checked, the claim and the conduct may diverge unseen.
The flow is large, intermediaries can be opaque, and agents now select context on their own. What no one has measured is the size of their overlap.
Naming that empty box is not a weakness of the investigation; it is one of its findings. The report separates what is observed from what is inferred and what remains an open hypothesis — and sets out a timestamped pre-analysis protocol to be deposited before the first observation.
The complete investigation: the disclosure pipeline, the correlation junction, the custody instrument, the evidence ledger, and the full source register.
Download full report PDF · Full investigationThe finding, the evidence, and what it is and is not — condensed for decision-makers.
Download brief PDF · Condensed