Cambridge University Warns AI Agent Safety Disclosures Are 'Dangerously Behind' -- Security and Transparency Framework Efforts Accelerate

Akihiro Suzuki

Key Takeaways

  1. A joint Cambridge-MIT study reveals that only 4 of 30 major commercial AI agents publicly disclose agent-specific safety evaluations
  2. NIST, Vouched, and SentinelOne are simultaneously launching trust framework initiatives across government and private sectors
  3. E-commerce businesses must urgently prepare for growing AI agent traffic by implementing KYA authentication and audit systems

AI Agent Safety Disclosures Are "Dangerously Behind"

Scramble is on to counter agentic AI gold rush with security, transparency | Biometric Update

How safe are the networks of AI agents transforming commerce, work, and identity and authentication systems?

On February 25, 2026, Biometric Update reported on industry developments surrounding the security and transparency of agentic commerce. The catalyst was the latest findings from the AI Agent Index, published by a research team at Cambridge University. Conducted jointly with MIT, Stanford University, and Hebrew University, the study systematically analyzed the safety disclosure status of 30 major commercial AI agents.

The findings are striking. Of the 30 products evaluated, only 4 have published agent-specific safety evaluation documents. Twenty-five products do not disclose internal safety test results, and 23 provide no third-party verification data whatsoever. Researcher Leon Staufer noted that while many developers emphasize the safety of the underlying large language models (LLMs), they disclose almost nothing about the safety of the agents built on top of them.

Industry Context

Agentic AI refers to AI systems that autonomously execute tasks based on human instructions. Their scope of application is expanding rapidly -- from product search and purchasing on e-commerce sites to business process automation. According to the AI Agent Index, 24 of the 30 products surveyed were released or significantly updated between 2024 and 2025. The number of AI agent-related papers on Google Scholar in 2025 alone exceeded the cumulative total of all prior years.

The problem is that safety assurance has not kept pace with this rapid proliferation. The study found that among the 13 "frontier-level" products with the highest autonomy, only 4 disclosed agent-specific safety evaluations. Browser agents (AI that autonomously operates the web) had 64% of safety-related items undisclosed, making them the least transparent category. Furthermore, nearly all agents depend on just three foundation models -- GPT, Claude, and Gemini -- highlighting structural risk across the entire ecosystem.

Government and Industry Simultaneously Launch Trust Framework Initiatives

Government agencies and private companies are moving in parallel to close this transparency gap.

NIST launches the "AI Agent Standards Initiative." The National Institute of Standards and Technology's Center for AI Standards Innovation (CAISI) formally launched the AI Agent Standards Initiative in February 2026. It is built on three pillars: supporting industry-led standards development, promoting open-source protocol development, and researching agent authentication and identity infrastructure. The deadline for the Request for Information (RFI) on AI agent security is March 9, reflecting urgency in gathering industry input.

Vouched unveils "Agent Checkpoint," the core product of its KYA suite. Seattle-based identity verification company Vouched announced Agent Checkpoint on February 24, 2026 -- a verification platform designed for agentic commerce. Features include OAuth authentication, granular permission delegation, explicit consent for legally binding transactions, instant access revocation, and complete audit trails. According to CEO Peter Horadan, between 0.5% and 16% of inbound traffic across its customer base already comes from AI agents. The KYA (Know Your Agent) suite also includes "MCP-I," an agent identity standard leveraging Anthropic's open-source protocol, and "Know That AI," a public registry of trusted AI agents.

SentinelOne overhauls security for non-human identities. Cybersecurity firm SentinelOne announced a new Singularity Identity platform on February 25, 2026, designed to protect the identities of both humans and AI agents. CTO Jeff Reed explained that while human IDs require continuous identity verification, non-human IDs (AI agents) need behavior-based intent verification. The goal is to transform authentication from a static gate into a "dynamic behavioral assurance engine."

Impact and Implications for E-Commerce Businesses

Building trust frameworks for agentic AI is a direct operational concern for e-commerce businesses.

Make AI agent traffic visible. According to Vouched's findings, AI agents account for up to 16% of traffic on some sites. Understanding how much AI agent traffic your site receives is the first step toward taking action. Currently, most sites cannot distinguish between AI agent and human access, leaving them unable to even recognize the risk of unauthorized use.
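As an added illustration of the first step described above (not code from the article or from any vendor it mentions), the following script measures the share of declared AI agent traffic in a web server access log. The log lines are constructed for the example, the agent user-agent strings in them are illustrative, and the token list is an assumption that an operator would maintain from the vendors' published crawler documentation.

```python
import re
from collections import Counter

# Constructed sample access-log lines in combined log format; not real traffic.
# The agent user-agent strings are illustrative, not copied from any vendor.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Feb/2026:10:01:02 +0000] "GET /products/123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0 Safari/537.36"
203.0.113.11 - - [25/Feb/2026:10:01:05 +0000] "GET /products/123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; ClaudeBot/1.0; +http://example.invalid/bot)"
203.0.113.12 - - [25/Feb/2026:10:01:09 +0000] "POST /cart HTTP/1.1" 200 310 "https://shop.example/products/123" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3) Safari/605.1.15"
203.0.113.13 - - [25/Feb/2026:10:01:12 +0000] "GET /products/456 HTTP/1.1" 200 4880 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko); compatible; GPTBot/1.1"
203.0.113.14 - - [25/Feb/2026:10:01:15 +0000] "GET /products/789 HTTP/1.1" 200 4990 "-" "-"
203.0.113.15 - - [25/Feb/2026:10:01:20 +0000] "GET /checkout HTTP/1.1" 200 2200 "https://shop.example/cart" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) Safari/604.1"
"""

# Combined log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed list of self-declared AI agent user-agent tokens; keep it current from vendor docs.
AGENT_TOKENS = ("GPTBot", "ChatGPT-User", "ClaudeBot", "PerplexityBot")


def matched_agent_token(ua):
    """Return the first agent token found in the user-agent string, or None."""
    lowered = ua.lower()
    for token in AGENT_TOKENS:
        if token.lower() in lowered:
            return token
    return None


def classify_user_agent(ua):
    """Classify a user-agent as 'agent', 'human' or 'unknown' (empty or '-')."""
    if ua in ("", "-"):
        return "unknown"
    return "agent" if matched_agent_token(ua) else "human"


def agent_traffic_report(log_text):
    """Parse the log and report how much of the traffic is declared AI agent traffic."""
    counts = Counter()
    agents = Counter()
    parsed = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than miscount them
        parsed += 1
        ua = m.group("ua")
        category = classify_user_agent(ua)
        counts[category] += 1
        if category == "agent":
            agents[matched_agent_token(ua)] += 1
    share = round(100.0 * counts["agent"] / parsed, 1) if parsed else 0.0
    return {
        "total": parsed,
        "counts": dict(counts),
        "agents": dict(agents),
        "agent_share_pct": share,
    }


if __name__ == "__main__":
    report = agent_traffic_report(SAMPLE_LOG)
    print(f"{report['total']} requests, {report['agent_share_pct']}% declared agent traffic")
    print("by category:", report["counts"])
    print("by agent:", report["agents"])
```

This only counts agents that declare themselves in the user-agent header, so the figure is a lower bound: an agent driving a real browser is indistinguishable from a human here, and the "unknown" bucket (no user-agent at all) deserves separate review. That limitation is exactly why the article's next point, authenticated agent identity, matters.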

Consider KYA (Know Your Agent) readiness. Solutions like Vouched's Agent Checkpoint and SentinelOne's non-human identity management provide the foundation for AI agents to safely complete transactions. As AI agent-driven purchases increase, agent identity verification and permission management will become essential requirements for fraud prevention.
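To make the KYA controls listed above concrete (delegated permissions, explicit consent for binding transactions, instant revocation and an audit trail), here is an added toy policy-enforcement point. It is not Vouched's or SentinelOne's code and does not model their APIs; the scope names, the spend limit, the single-use consent rule and the one-hour delegation lifetime are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Set, Tuple

# Assumed policy: actions that create a legal obligation need explicit, single-use
# consent from the human principal for each individual transaction.
BINDING_ACTIONS = {"order:place"}


@dataclass
class Delegation:
    agent_id: str
    principal_id: str
    scopes: frozenset       # hypothetical scope names, e.g. "catalog:read"
    spend_limit: float      # maximum amount per action (assumed single-currency shop)
    expires_at: datetime
    revoked: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


class AgentGateway:
    """Toy KYA policy point: checks delegation, scope, limit, consent and revocation,
    and appends every decision to an audit trail."""

    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._clock = clock                       # injectable for deterministic tests
        self._delegations: Dict[str, Delegation] = {}
        self._consents: Set[Tuple[str, str]] = set()   # (agent_id, consent_id) granted by principal
        self.audit_log: List[dict] = []

    def delegate(self, principal_id, agent_id, scopes, spend_limit, ttl=timedelta(hours=1)):
        d = Delegation(agent_id, principal_id, frozenset(scopes), spend_limit, self._clock() + ttl)
        self._delegations[agent_id] = d
        self._record(agent_id, "delegate", True, f"scopes={sorted(d.scopes)} limit={spend_limit}")
        return d

    def grant_consent(self, agent_id, consent_id):
        """The principal approves one specific binding transaction ahead of time."""
        self._consents.add((agent_id, consent_id))
        self._record(agent_id, "consent", True, consent_id)

    def revoke(self, agent_id):
        """Instant revocation: every later request from this agent is denied."""
        d = self._delegations.get(agent_id)
        if d:
            d.revoked = True
        self._record(agent_id, "revoke", True, "delegation revoked")

    def authorize(self, agent_id, action, amount=0.0, consent_id=None) -> Decision:
        d = self._delegations.get(agent_id)
        if d is None:
            return self._record(agent_id, action, False, "unknown agent")
        if d.revoked:
            return self._record(agent_id, action, False, "delegation revoked")
        if self._clock() >= d.expires_at:
            return self._record(agent_id, action, False, "delegation expired")
        if action not in d.scopes:
            return self._record(agent_id, action, False, f"scope {action} not granted")
        if amount > d.spend_limit:
            return self._record(agent_id, action, False, f"amount {amount} exceeds limit {d.spend_limit}")
        if action in BINDING_ACTIONS:
            key = (agent_id, consent_id)
            if consent_id is None or key not in self._consents:
                return self._record(agent_id, action, False, "explicit consent required")
            self._consents.discard(key)           # consent is single-use, so it cannot be replayed
        return self._record(agent_id, action, True, "ok")

    def _record(self, agent_id, action, allowed, reason) -> Decision:
        self.audit_log.append({"at": self._clock().isoformat(), "agent": agent_id,
                               "action": action, "allowed": allowed, "reason": reason})
        return Decision(allowed, reason)


def demo():
    """Walk one delegated agent through the policy with a fixed clock; returns the outcomes."""
    now = [datetime(2026, 2, 25, 12, 0, tzinfo=timezone.utc)]
    gw = AgentGateway(clock=lambda: now[0])
    gw.delegate("user-42", "agent-a", {"catalog:read", "cart:write", "order:place"}, spend_limit=100.0)
    results = {"read": gw.authorize("agent-a", "catalog:read").allowed}
    results["order_no_consent"] = gw.authorize("agent-a", "order:place", amount=40.0).allowed
    gw.grant_consent("agent-a", "consent-1")
    results["order_with_consent"] = gw.authorize("agent-a", "order:place", 40.0, "consent-1").allowed
    results["order_replayed_consent"] = gw.authorize("agent-a", "order:place", 40.0, "consent-1").allowed
    results["over_limit"] = gw.authorize("agent-a", "cart:write", amount=500.0).allowed
    now[0] += timedelta(hours=2)                  # past the one-hour delegation lifetime
    results["expired"] = gw.authorize("agent-a", "catalog:read").allowed
    gw.revoke("agent-a")
    results["after_revoke"] = gw.authorize("agent-a", "catalog:read").allowed
    results["audit_entries"] = len(gw.audit_log)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points carry over to any real deployment: the revocation check runs before every other check so that a revoked agent is cut off immediately regardless of what it still holds, and consent is bound to one transaction and consumed on use, so an agent cannot stretch a single approval across several orders.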

Monitor the NIST Standards Initiative. NIST's AI Agent Standards Initiative has the potential to shape future industry standards. Research findings on agent authentication and identity infrastructure, in particular, will serve as guidelines for e-commerce businesses developing governance policies. Submitting comments to the RFI (deadline March 9) and participating in listening sessions are worth considering.

Use safety disclosure as a selection criterion for AI agents. As the AI Agent Index study demonstrates, many developers keep safety evaluations private. When adopting AI agents for your operations, treating the availability of published safety documentation as one of your selection criteria is a prudent approach.

Conclusion

The gap between the pace of agentic AI adoption and the state of safety assurance has reached a point that can no longer be ignored. The lack of transparency revealed by the Cambridge-MIT study is a problem that undermines the trust foundation of the entire industry. At the same time, trust framework efforts have accelerated dramatically in February 2026 -- with NIST launching standards development, Vouched releasing its KYA suite, and SentinelOne unveiling its non-human identity management platform.

The key development for e-commerce businesses to watch is how agent authentication industry standards will be established. Just as KYC (Know Your Customer) became standard in the financial industry, KYA (Know Your Agent) will soon become a mandatory requirement for e-commerce. Starting now to understand the reality of AI agent access to your site and building authentication and audit capabilities incrementally will determine competitiveness in the agentic commerce era.
