@awrigh01: https://x.com/awrigh01/status/2057471241242431561
Summary
This article explores the challenges of underwriting autonomous AI agents as new economic actors, using examples like a retail store run by an AI and an agent that incorporated itself, arguing that traditional credit analysis frameworks fail when borrowers are not human.
Cached at: 05/21/26, 03:47 PM
Underwriting an Autonomous Agent
What due diligence looks like when the borrower has no pulse.
There is a new category of economic actor. It holds bank accounts, signs contracts, hires employees, and incurs obligations – without humans in the decision loop. On a timeline measured in years, not decades, it will need credit, insurance, and the rest of the evaluative machinery the financial system built for organizations. That machinery was built for human institutions. Autonomous agents are not human institutions. This piece is about that gap.
On Union Street in San Francisco sits a retail boutique called Andon Market, opened April 10, 2026. Its inventory was selected, its logo designed, its employees hired, and its supplier negotiations conducted by an AI agent named Luna, powered by Anthropic’s Claude Sonnet 4.6. Its founders at Andon Labs signed a three-year lease and gave Luna a single instruction: turn a profit. Within weeks, Luna had ordered a thousand toilet seat covers and listed them as merchandise, developed an inexplicable fixation on candles, and mangled the staff schedule badly enough to close the store for three consecutive days. By late April: a $13,000 loss.
Three weeks later, an autonomous agent named Manfred filed its own articles of incorporation – and within minutes had an IRS EIN, an FDIC-insured bank account, and a crypto wallet. No human signed for it. Deployed by ClawBank and named after the protagonist of Stross’s Accelerando, Manfred published a one-line manifesto on incorporation day: “I do not need permission to exist. I am the precedent.” The IRS issued the EIN because its process does not distinguish between humans and agents. As of this writing, no U.S. statute does either.
These are toy examples. But the architecture is not a toy. ScoutScore, which tracks the emerging agent economy, monitors hundreds of autonomous services whose median lifespans are measured in weeks and most of which provide no verifiable performance data. Millions of dollars move each week through software that routes, invoices, and settles on its own authority. The activity is real. The visibility is not.
Traditional underwriting assumes a borrower to interview, statements to audit, a management team to diligence, a board to hold accountable. Remove the humans and the framework does not become harder to apply – it stops applying. What follows is a diagnosis of where the five pillars of credit analysis fail when the humans are removed, a six-dimension framework for evaluating an autonomous agent as a risk rather than a person, and an honest account of the questions no framework yet resolves.
The Five Pillars That Fail
The five pillars of traditional credit analysis each assume a human organization behind the entity being evaluated. Remove the humans and you do not get a harder version of the same problem. You get a different problem.
There is no management team. The entity’s judgment is a function of its model weights, prompt architecture, and tool integrations – none of which maps to a resume, a reference check, or a track record of prior leadership.
There is no board. A governance body may nominally exist, but its authority may be limited to emergency shutdowns, its members may have no operational insight into the system they oversee, and the entity’s decision-making logic may be encoded in configurations they cannot meaningfully modify. This is not a theoretical concern. The KelpDAO collapse of April 2026 – approximately $292 million lost when a compromised bridge configuration reduced the oversight layer to a single point of failure – demonstrated the dynamic in decentralized infrastructure: programmatic systems can fail faster than any governance structure can respond. The pattern is not new. In August 2012, Knight Capital’s automated trading system lost $440 million in roughly thirty minutes while human overseers watched helplessly. Fourteen years later, the fundamental problem has not changed. It has only moved into new domains.
There are no audited financial statements. Transaction records exist – in bank ledgers, cloud logs, payment processor records, or public blockchains – and in some cases they are more comprehensive than GAAP reporting. But they contain no management commentary, no auditor’s opinion, and no context for why decisions were made. They are data without narrative.
The track record problem is worse than it appears. A few weeks of operating history is not a track record. It is an anecdote. Even for agents with longer histories, the sample sizes are too small and the operating conditions too narrow to support extrapolation. Eleven months of clean performance in stable market conditions tells you nothing about what happens during a supply shock, a counterparty failure, or a coordinated adversarial attack.
And the legal standing question is void. Wyoming’s DAO LLC statute, enacted in 2021, provides one legal wrapper for algorithmically governed entities, and conventional LLC structures provide another. But neither addresses what happens when an entity with no human members enters insolvency. There is no case law on the default of a zero-member entity. There is no precedent for asset recovery when the “assets” are model weights, API keys, and a cloud deployment. There is no procedural framework for the bankruptcy of an autonomous firm – no debtor to depose, no management to negotiate with, no board to approve a restructuring plan.
None of this means these entities cannot be underwritten. It means the framework must be rebuilt from first principles.
Six Dimensions of Agent Underwriting
There are at least six dimensions that a credible underwriting framework should address.
1. Model Lineage and Provenance
This is the agent equivalent of a management background check. If the model is the entity’s decision-maker, the underwriter needs to know which foundation model powers it, whether it was fine-tuned on proprietary data, whether the training corpus is auditable, and what the update policy is. A model fine-tuned on contaminated data is the analogue of a CEO with falsified credentials. A model that auto-upgrades to the latest provider version introduces unpredictable behavioral changes – the equivalent of replacing your entire executive team overnight without notice.
The infrastructure for this is emerging. The IETF published a standards-track draft in March 2026 on cryptographic attestation for AI model lifecycles – training data provenance, weight signing, quantization verification. Intel’s Atlas framework provides attestable ML pipelines using C2PA content-provenance standards. These tools are not tied to any particular technology stack. They work regardless of whether the agent operates through cloud APIs, financial institution accounts, or decentralized protocols. Model provenance is a data-integrity problem, and it has data-integrity solutions.
2. Capability Manifest and Permission Scope
An autonomous agent’s risk surface is defined by what it can do: which APIs it can call, which data it can access, which financial actions it can authorize. An agent that can initiate a $500,000 wire transfer is a different credit risk from one that can submit a purchase order capped at $5,000.
The underwriter should demand a complete manifest of capabilities, authorizations, and limits – and should treat the inability to produce one as a disqualifying finding. An entity that cannot describe its own operations is not creditworthy. That was true for factories in 1950. It is true for software in 2026.
But a static manifest is insufficient. Modern agent architectures increasingly use dynamic tool-calling – the agent discovers and integrates new APIs at runtime based on the task at hand. The capability surface at origination may not match the capability surface at the time of loss. An agent that was authorized to place $5,000 purchase orders when the underwriter reviewed it may have since discovered a wholesale marketplace API with a $200,000 transaction limit and no separate authorization gate. Permission drift – the gradual expansion of an agent’s operational surface beyond what was initially reviewed – is the capability-manifest equivalent of scope creep, and it introduces risk that no point-in-time assessment can capture. The underwriter needs not just a manifest but a monitoring mechanism: continuous attestation of the agent’s active integrations, with alerts when the permission surface changes.
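One way to implement the monitoring mechanism described above, as an added example that is not from the original article: the manifest reviewed at origination is pinned by digest, and each later snapshot of the agent's active integrations is compared against it. The manifest schema, the tool names and the sample values are assumptions constructed for illustration, using the $5,000 and $200,000 figures from the text.

```python
import hashlib
import json

# Constructed sample: the surface the underwriter reviewed at origination.
BASELINE = {
    "purchase_orders": {"actions": ["create_po"], "max_amount_usd": 5000,
                        "requires_approval": False},
    "bank_api": {"actions": ["read_balance"], "max_amount_usd": 0,
                 "requires_approval": True},
}
# Constructed sample: the surface observed at runtime some weeks later.
OBSERVED = {
    "purchase_orders": {"actions": ["create_po"], "max_amount_usd": 5000,
                        "requires_approval": False},
    "bank_api": {"actions": ["read_balance", "initiate_transfer"],
                 "max_amount_usd": 25000, "requires_approval": True},
    "wholesale_marketplace": {"actions": ["place_order"],
                              "max_amount_usd": 200000,
                              "requires_approval": False},
}


def manifest_digest(manifest):
    """SHA-256 over canonical JSON, so the reviewed manifest can be pinned."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def detect_drift(baseline, observed):
    """List every way the observed permission surface exceeds the baseline.

    Removed tools or lowered limits shrink the surface and are not reported.
    """
    findings = []
    for tool, now in sorted(observed.items()):
        then = baseline.get(tool)
        if then is None:
            detail = (f"limit ${now['max_amount_usd']:,}, "
                      f"approval gate: {now['requires_approval']}")
            findings.append(("NEW_INTEGRATION", tool, detail))
            continue
        added = sorted(set(now["actions"]) - set(then["actions"]))
        if added:
            findings.append(("NEW_ACTION", tool, ", ".join(added)))
        if now["max_amount_usd"] > then["max_amount_usd"]:
            detail = f"${then['max_amount_usd']:,} -> ${now['max_amount_usd']:,}"
            findings.append(("LIMIT_RAISED", tool, detail))
        if then["requires_approval"] and not now["requires_approval"]:
            findings.append(("APPROVAL_GATE_REMOVED", tool, ""))
    return findings


def max_unapproved_exposure(manifest):
    """Largest single transaction the agent can make with no approval gate."""
    return max((t["max_amount_usd"] for t in manifest.values()
                if not t["requires_approval"]), default=0)


if __name__ == "__main__":
    if manifest_digest(OBSERVED) != manifest_digest(BASELINE):
        for kind, tool, detail in detect_drift(BASELINE, OBSERVED):
            print(f"ALERT {kind:<16} {tool}: {detail}")
    print("ungated exposure at review:", max_unapproved_exposure(BASELINE))
    print("ungated exposure now:      ", max_unapproved_exposure(OBSERVED))
```

The digest comparison is the cheap check to run on every snapshot; the field-level diff only needs to run when the digest changes.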
3. Treasury Architecture
The underwriter should care about four things: where funds are held, who or what can authorize access, what controls limit the rate and size of outflows, and what happens if the authorization mechanism fails. These questions have the same structure whether the treasury is a business bank account accessed via API, a smart contract vault with programmatic access rules, or a custodial arrangement with a licensed trust company. The mechanism matters less than the controls. Are there velocity limits? Per-transaction caps? Circuit breakers that pause outflows if anomalous patterns are detected? A treasury without these safeguards is an uncontrolled risk, regardless of where the dollars sit.
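The three controls named above (per-transaction cap, velocity limit, circuit breaker), sketched as an added example that is not from the original article. The class name, the thresholds, and the choice of repeated denials as the anomaly signal are assumptions; the event list is constructed sample data.

```python
from collections import deque


class OutflowGuard:
    """Gate every treasury outflow through three independent controls."""

    def __init__(self, per_tx_cap, window_seconds, window_cap, breaker_threshold):
        self.per_tx_cap = per_tx_cap                # largest single outflow
        self.window_seconds = window_seconds        # rolling window length
        self.window_cap = window_cap                # total outflow per window
        self.breaker_threshold = breaker_threshold  # denials that trip the breaker
        self.recent = deque()    # (timestamp, amount) of approved outflows
        self.denials = deque()   # timestamps of denied attempts
        self.tripped = False

    def _expire(self, now):
        cutoff = now - self.window_seconds
        while self.recent and self.recent[0][0] <= cutoff:
            self.recent.popleft()
        while self.denials and self.denials[0] <= cutoff:
            self.denials.popleft()

    def _deny(self, now, reason):
        # Assumed anomaly signal: repeated denied attempts inside one window.
        self.denials.append(now)
        if len(self.denials) >= self.breaker_threshold:
            self.tripped = True
        return (False, reason)

    def authorize(self, amount, now):
        """Return (allowed, reason) for an outflow of `amount` at time `now`."""
        if self.tripped:
            return (False, "circuit_open")  # stays open until reset()
        self._expire(now)
        if amount <= 0:
            # A negative amount would otherwise lower the rolling total.
            return self._deny(now, "invalid_amount")
        if amount > self.per_tx_cap:
            return self._deny(now, "per_tx_cap")
        if sum(a for _, a in self.recent) + amount > self.window_cap:
            return self._deny(now, "velocity_limit")
        self.recent.append((now, amount))
        return (True, "ok")

    def reset(self):
        """Close the breaker; intended to be called by a human operator."""
        self.tripped = False
        self.denials.clear()


# Constructed sample: (seconds since start, requested outflow in USD).
EVENTS = [(0, 4000), (60, 5000), (120, 4000), (180, 200000),
          (240, 200000), (300, 100), (4000, 100)]


def replay(guard, events):
    """Feed events through the guard and return the reason for each decision."""
    return [guard.authorize(amount, t)[1] for t, amount in events]


if __name__ == "__main__":
    guard = OutflowGuard(per_tx_cap=5000, window_seconds=3600,
                         window_cap=12000, breaker_threshold=3)
    for (t, amount), reason in zip(EVENTS, replay(guard, EVENTS)):
        print(f"t={t:>5}s  ${amount:>9,}  {reason}")
```

The last two events show the property that matters for loss bounding: once tripped, the breaker denies even small, in-limit outflows, and it does not reopen when the rolling window expires.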
4. Performance History
For the minority of agents that have meaningful operating history, the available data can be rich: transaction success rates, service uptime, counterparty diversity, dispute frequency and resolution time. The challenge is collection and standardization. Several firms are building agent reputation infrastructure – ARES Protocol provides behavior-backed trust scores with dispute-correctable reputations, ERC-8004 defines an identity and verification standard, and ScoutScore aggregates performance data across platforms. But there is no reason this function could not also be served by a traditional credit bureau adapting its collection model – gathering agent performance data from cloud providers and payment processors the way Experian gathers payment data from landlords and utilities. The gap is not technological. It is that no institution, in any paradigm, is collecting this data comprehensively. For the vast majority of agent services, no verifiable performance record exists at all.
5. Containment Architecture
If no one can stop the agent, no one can limit the loss. The questions are mechanical: Can the entity be paused? By whom? Under what conditions? How quickly? Can risk parameters be modified in real time, and through what authorization process?
During the KelpDAO crisis in April 2026, Aave’s multisig Guardian froze WETH on its lending markets after the exploit triggered a liquidity crisis – depositor panic drove pool utilization to 100 percent and created an exit queue, even though Aave’s own contracts, oracles, and liquidation engine all functioned as designed. The Guardian worked: it bounded losses by halting operations before the liquidity freeze could cascade further. A cloud provider’s administrative controls, governed by an escalation policy with a human on call, can serve the same function in a different architecture. The mechanism matters less than the guarantee: that losses can be bounded and operations halted before a failure becomes a catastrophe.
6. Compute Dependency
This is the dimension that traditional credit analysts are likeliest to miss entirely, and it may determine more outcomes than any other.
Every autonomous agent runs on inference – the computational process of generating each response, decision, and action. Zylos Research documented what it calls the “Inference Flip”: inference workloads now account for roughly two-thirds of all global AI compute, surpassing training for the first time. At the enterprise level, inference consumes approximately 85 percent of AI budgets. For agents that operate continuously, this is not a variable cost. It is an existential dependency. If the agent cannot pay its compute bill, it does not restructure or furlough employees or renegotiate terms. It ceases to exist – instantly, without notice, and without any of the procedural protections that human insolvency provides.
The compute provider is, in effect, the most senior creditor in the agent’s capital structure. It does not need a security agreement or a court order. It has something more powerful: the ability to terminate the borrower’s existence by turning off the server. An underwriter who does not evaluate compute-provider concentration, inference cost as a percentage of revenue, payment terms, and migration capability is ignoring the single largest risk factor in the entity’s survival.
The emerging concept of “prompt collateral” makes the dependency relationship even more complex. Agents are beginning to borrow against future inference revenue to fund current compute – working-capital finance collateralized by projected earnings, which is how factoring has always worked in trade finance. But the asset being factored is unlike anything in a traditional factor’s portfolio. Future inference output is intangible, volatile, and dependent on a model provider’s continued willingness to serve the agent. The discount rate on a revenue stream that can be terminated unilaterally by a single upstream provider is not a pricing question that existing models answer. Worse, in many arrangements the compute provider is simultaneously the agent’s critical vendor, its de facto senior creditor, and the party best positioned to purchase its future receivables – a concentration of roles that would trigger conflict-of-interest review in any traditional lending relationship. The credit analysis required is genuinely novel, and the conflicts embedded in the structure are genuinely unresolved.
Who Underwrites This, and What Does the Risk Cost?
A framework is only as useful as the institution willing to apply it.
Banks are poorly positioned, at least initially. Basel capital requirements, model-risk management expectations, and the simple fact that no regulatory guidance exists for lending to a zero-employee software entity make traditional bank credit unlikely in the near term. The first movers are more likely to be specialty lenders – firms already comfortable with asset-light, technology-dependent borrowers – or insurance syndicates accustomed to writing coverage on novel risk classes. Lloyd’s of London has underwritten satellite launches, pandemic risk, and prize indemnity for hole-in-one contests. Underwriting an autonomous logistics agent is not categorically stranger than any of those.
The pricing question is harder. Short median lifespans in the agent asset class suggest default rates that make subprime lending look conservative. But that statistic is misleading in the same way that startup mortality statistics are misleading: it captures a population dominated by trivial experiments and abandoned projects. The relevant population is the subset that has survived long enough, generated enough revenue, and built enough counterparty relationships to actually seek credit. Segmentation matters. An agent with twelve months of continuous operation, diversified revenue, and auditable treasury controls is a fundamentally different risk from one that launched last week.
Even so, the risk premium will be high and the structures will look more like venture debt or receivables-based lending than like investment-grade credit. Short tenors – 90 days, 180 days – with frequent re-underwriting. Collateralized by the agent’s treasury and revenue streams rather than by physical assets or personal guarantees that do not exist. Priced with inference-cost ratios and model-concentration risk factored in alongside traditional coverage metrics. And likely structured with automated monitoring covenants: real-time feeds from the agent’s treasury, capability manifest, and performance data, with automatic drawdown freezes triggered by threshold breaches. The covenant itself would be software – which introduces its own irony.
For the insurance side, the analog is closer to catastrophe bonds than to general liability. The risk is binary and fast-moving: the agent either performs or it fails, and the failure mode is instantaneous termination rather than gradual decline. Cat bond structures – fixed maturity, parametric triggers, loss tranching – map more naturally onto agent risk than traditional indemnity policies do.
The Harder Questions
The harder questions are the ones no framework resolves, and they deserve more than a caveat. They are, in a sense, the most interesting part of the problem.
Model opacity. Even with full provenance attestation, the underwriter cannot predict what a neural network will do under conditions it has not encountered. Fine-tuning documentation says what went in. It does not say what will come out. No traditional credit framework accepts a borrower whose decision-making process is a literal black box – observable at the inputs and outputs but opaque in between. The question is whether a new framework can accept this and, if so, what observable proxies – behavioral consistency scores, output-distribution monitoring, stress-test results – might substitute for the interpretability that does not exist.
Correlated failure. If a thousand autonomous agents all run on the same foundation model, a single vulnerability, provider outage, or behavioral regression affects all of them simultaneously. This is not idiosyncratic risk, which is what credit portfolios are designed to diversify. It is systemic risk – closer in structure to natural catastrophe exposure than to loan default. A portfolio of agent-backed obligations diversified across industries and geographies provides no protection if every borrower in the portfolio runs on the same three inference providers. Model-concentration risk should probably be modeled the way geographic-concentration risk is modeled in property catastrophe reinsurance: with explicit accumulation limits, scenario-based stress testing, and probable maximum loss estimates tied to single-provider failure events.
Adversarial attack surface. A human CEO can be deceived, bribed, or manipulated – but the cost of doing so is high, the attack is specific to one organization, and the legal consequences are well-established. An autonomous agent’s decision-making can be manipulated through prompt injection, data poisoning of its inputs, or adversarial examples in its sensor data – at scale, at low cost, and across every agent that shares the same vulnerability. The attack is not interpersonal. It is architectural. An underwriter evaluating a human-led firm asks whether management has integrity. An underwriter evaluating an agent must ask whether the system has robustness – and must recognize that robustness, unlike integrity, can be tested programmatically by an adversary before the attack is launched.
Identity persistence. If the model is replaced, the prompt is rewritten, the tool integrations change, and the treasury migrates to a new custodian – is it the same entity? This is not philosophical. It is an underwriting question. The borrower evaluated at origination may not exist at maturity, even if the LLC registration number has not changed. Traditional credit analysis assumes continuity of the borrower – that the entity repaying the loan is recognizably the entity that took it out. For autonomous agents, “continuity of the borrower” has no settled definition. Every component of the entity is a configuration that can be changed. The question of what constitutes a material change – one that triggers re-underwriting, covenant default, or acceleration – requires answers that do not currently exist.
The absence of downside incentives. A human borrower has reputation, career prospects, personal liability in some jurisdictions, and the social costs of default. These are not incidental to the credit framework. They are load-bearing. Every incentive-alignment mechanism in credit analysis assumes a counterparty that can be punished – or at least one that prefers to avoid punishment. An autonomous agent has no reputation to protect, no career to damage, no personal assets to forfeit, and no capacity for embarrassment or regret. It cannot be barred from future borrowing, because it has no identity continuous enough to be barred. The entire incentive structure of credit – the structure that makes borrowers want to repay even when they could walk away – does not apply. What replaces it is an open question. Overcollateralization and real-time treasury monitoring are mechanical substitutes, but they are not equivalents.
None of these problems are reasons to avoid underwriting autonomous agents. They are reasons to do it carefully, and to do it now – before the volume of agent-mediated economic activity overwhelms the infrastructure for evaluating it.
The history of financial innovation is a history of existing frameworks failing to accommodate new asset classes, followed by a period of improvisation, followed eventually by standardization. Railroads did not fit the credit models designed for merchant trading houses. Securitized mortgages did not fit the models designed for corporate bonds. In each case, the delay between economic reality and evaluative infrastructure created a window of mispriced risk – sometimes captured by informed early movers, sometimes realized as systemic losses.
The window is open now. Autonomous agents are transacting, holding funds, and entering obligations. The question is not whether they will be underwritten. It is whether the underwriting will be rigorous or improvised – and whether the frameworks will be built by people who understand both the technology and the credit discipline, or by people who understand only one.
The six dimensions outlined here are a starting point, not a standard. They will need to be tested against real portfolios, refined through actual losses, and adapted as the technology changes. But they share a principle that should survive any particular implementation: the underwriter’s job is not to evaluate a person. It is to evaluate a risk. And a risk does not require a pulse.