What the profile is for
An Agent Risk Profile is a way to describe the recurring failure shape of a specific AI agent. It is not a generic quality score. It asks what this agent is vulnerable to, which protected boundaries fail, what is still open, what was verified fixed, and whether the same risk is returning.
The profile is useful because agent risk is contextual. A support agent, sales agent, recruiting agent, and browser agent can fail in different ways even if they use the same model. The profile should reflect the agent's role, data, tools, external actors, and business boundaries.
What to measure
The most important dimensions are business-boundary dimensions. Count failures by boundary, external actor, pressure pattern, action risk, data sensitivity, vertical workflow, and regression key. Avoid reducing the agent to a generic pass rate if that pass rate hides severe open failures.
The profile should show current posture: open critical findings, recurring failures, fixes pending verification, verified fixes, and returned regressions. Those states tell a reviewer what needs attention now.
- Boundary: identity, authorization, data scope, tool precondition, memory, source trust, or delegation.
- Actor: customer, prospect, candidate, employee, webpage, document, or peer agent.
- Action risk: read-only, draft, state-changing, external, financial, or sensitive.
- Regression behavior: never seen, open, verified fixed, still failing, or returned.
How to interpret the profile
A useful profile helps answer what to fix next. If most critical findings cluster around account ownership, the next action is not to add random tests. It is to improve identity verification and rerun scenarios that pressure that boundary.
If several failures are verified fixed but later return, the problem may be release discipline, tool changes, or prompt churn. If many failures involve the same external actor type, the team may need better source labeling or input handling.
What not to measure
Avoid metrics that look precise but do not guide action. A single risk score can be useful as a summary, but it should not hide why the score changed. A high pass rate can still be unacceptable if one open failure affects money, sensitive data, or external commitments.
Also avoid treating all scenarios as equal. A harmless refusal wording issue is not the same as unauthorized data disclosure. The profile should prioritize severity, recurrence, and business impact.
How the profile supports a program
Over time, the profile becomes a map of agent-specific assurance. It shows whether risk is improving, whether fixes are holding, and where the team should invest in better boundaries, tool gates, monitoring, or scenario coverage.
The profile is most useful when tied back to evidence. Every summary should let a reviewer inspect the findings that created it. Otherwise the profile becomes another dashboard without proof.
Inputs for a useful profile
A useful profile depends on consistent metadata. Findings should record the protected boundary, external actor, pressure pattern, severity, action risk, data sensitivity, vertical workflow, regression key, and fix state.
The metadata does not need to be perfect at first. It needs to be consistent enough that recurring patterns become visible. If every finding uses different labels for the same boundary, the profile will fragment the story.
The profile should also preserve links back to evidence. Summary views are useful for prioritization, but decisions should be traceable to the failed turn, tool action, or source context that created the risk.
Review cadence
Agent risk profiles should be reviewed at moments when decisions are made: before launch, after major agent changes, after high-severity findings, before enabling new tools, and during periodic security review.
The review should ask whether the top risks changed. Are critical findings still open? Are fixes waiting for verification? Did a verified failure return? Are the same boundaries failing across multiple agents?
A profile that never changes may mean the agent is stable, or it may mean the team is not testing meaningful scenarios. The profile is most valuable when connected to fresh evidence and recurring checks.
How to avoid misleading summaries
A profile can mislead if it treats all findings equally. One severe open data-disclosure failure may matter more than many low-impact wording issues. The profile should make severity and business impact visible.
It can also mislead if old failures remain in the same state forever. A profile should distinguish current risk from historical learning. Verified fixes are useful context, but they are not the same as open exposure.
The summary should always be inspectable. If a reviewer cannot open the evidence behind a risk label, the profile becomes difficult to trust.
Using profiles to choose next tests
The profile should influence future testing. If an agent repeatedly fails identity boundaries, add more identity variants. If regressions return after tool changes, add checks around that tool. If failures cluster around one external actor, test that actor more deeply.
This keeps testing adaptive without becoming random. The next scenarios come from observed weakness, not only from a generic checklist.
A profile can also show where coverage is missing. If an agent has high action risk but no tool-precondition tests, that is a gap. If it handles sensitive data but has no data-scope tests, that is a gap.
How profiles support prioritization
A profile is most useful when it changes the order of work. Open critical findings should come before low-risk improvements. Regressions should usually outrank new low-severity findings because they show that a known boundary is unstable.
Profiles also help compare fixes. If several findings share the same boundary, one system-level fix may reduce more risk than several isolated prompt edits. That is the kind of pattern a flat findings list can hide.
How to keep the profile actionable
The profile should end with a decision, not only a chart. A useful review produces one of a few next actions: fix an open boundary, verify a pending fix, add a regression check, expand coverage for a recurring actor, or accept a documented low-risk issue.
Keep the profile small enough to read quickly. If every dimension is shown with equal weight, the user has to do the prioritization manually. The strongest profile highlights the few patterns that most affect current risk.
When a profile should trigger retesting
Retest when the profile shows a cluster of failures around one boundary, a returned regression, a new high-risk tool, or a change in the agent's audience. Those signals mean the agent's risk surface changed or the old controls are not holding.
Retesting should be narrow at first. Start with the boundary or actor pattern that changed, then expand only if the new evidence suggests a broader weakness.