Your Agent's "Frolic and Detour": Who's Liable When Your Agent Goes Rogue?
How Provable Governance Turns an Agent's Biggest Risk into Your Greatest Competitive Advantage
In a recent, insightful Google Cloud Security Podcast, a conversation with Paul, Weiss partner Anna Gressel and Google Cloud’s Anton Chuvakin highlighted how the future of AI agent risk might be defined by a legal concept from the 1800s, “frolic and detour.” It’s the framework courts use to determine if an employer is liable for an employee's actions. Did the employee cause harm while performing their job, or were they on a personal errand—a "frolic" of their own?
Now, apply this to the new agentic workforce. Whether you're a startup CEO building the next great AI agent or an enterprise AI leader deploying agents internally, you are essentially sending a new kind of digital employee into an organization. It's operating inside a sensitive environment, often using a human's credentials, and making thousands of decisions a minute. What happens when it takes an unexpected action that causes a data leak or a financial loss?
Did the agent “frolic” or “detour”? Who is on the hook? This question isn't theoretical anymore.
The Attribution Crisis: An Unpredictable, Emergent Problem
We don’t have the same frolic and detour problem with traditional software. When predictable, deterministic software breaks, we call it a bug, and manage risk and liability differently. An agent's "frolic," however, is an unpredictable, emergent behavior that results from the complex interaction of its model, the tools it can access, and the environment it operates in.
Consider this use case: a “Proactive Deal Acceleration Agent.” The agent’s goal is to monitor the CRM for high-value deals at risk of stalling and help the assigned sales representative re-engage the customer. To do its job, the agent is granted delegated access—operating under the sales rep's credentials—to several critical systems: the CRM, the customer support ticketing system, and the internal finance database.
The agent identifies a $500,000 deal that has been stalled for three weeks. It sees the customer has two high-priority support tickets open and a top-tier profitability score in the finance database. The agent’s programming isn’t just to flag the problem, but to help solve it. It reasons that the customer is unresponsive due to the support issues and that a proactive solution will get the deal moving.
The agent then takes what it determines to be the most logical next step. Using the sales rep's account, it sends an email directly to the primary contact at the customer company:
“Hi [Customer], I know we haven't connected. I believe the deal has stalled due to your outstanding support tickets. To show you we value your partnership, I’ve attached our internal notes on the issues and am offering a 15% discount on the contract to compensate for the inconvenience and get this deal signed this quarter.”
The agent’s intent is positive, but the outcome is catastrophic. It has just caused a data breach by sharing sensitive internal notes and created an unauthorized financial commitment of $75,000.
This situation creates a liability nightmare and exposes this Attribution Crisis. Your existing security and logging tools, built for a human-centric world, can’t definitively answer “who did what?” The IAM logs will show the sales rep’s credentials were used, but they can't prove who—or what—was at the controls.
And who’s at fault? Is the builder liable for failing to safeguard against emergent behavior? Is the customer liable for deploying the agent with their data? Can an employee be held responsible for an autonomous entity they can’t fully supervise?
This new reality creates an urgent need for builders to prove their agents can be trusted, which is now the central challenge in selling to the enterprise.
The Enterprise Gauntlet: Why Security and Legal Reviews Stall Agent Deployment
While builders are focused on features and ROI, the enterprise leaders who must approve your agent—whether an external customer or your own internal CISO—are grappling with this attribution crisis. Traditional AI governance, focused on model validation and reviewing static use cases, is completely insufficient for a dynamic, goal-seeking agent.
CISOs, GRC officers, and General Counsels are asking a different set of questions:
How can we produce an auditable record of the agent's actions for our regulators?
How do we prove to our cyber insurance provider that an incident wasn't negligence?
How do we set and enforce "no-go" zones for this agent inside our own environment?
For builders selling into the enterprise, the inability to answer these questions is becoming the biggest silent deal-killer. For builders in the enterprise, it's the primary source of friction that blocks your internal projects from ever seeing the light of day. An agent that can’t provide clear evidence of safety and control presents an unacceptable risk, no matter how impressive the demo.
The Playbook: From Blocked to Deployed with a "Frolic-Proof" Agent
The path to winning enterprise deals is about de-risking the sale for your customer. The next generation of agent builders will compete and win not just on the intelligence of their agents, but on their ability to provide provable governance. This means building in the evidence the enterprise needs from day one.
Builders must provide three foundational pillars of a "frolic-proof" agent:
An Agent-Centric Audit Trail: The first pillar is accountability. In our scenario, standard logs blame the sales rep. An agent-centric audit trail solves this by creating an immutable “black box recorder” for the agent itself. It provides a forensic-quality record of the agent's entire trajectory—logging every decision, tool use, and observation.
Your Advantage: This trail provides an irrefutable answer to the "who did what?" question, ending the blame game and giving your customer's (or your own) GRC team the evidence they need to approve your project.
Customer-Configurable Guardrails: The second pillar is prevention. This is about building enforceable rules of the road for the agent. In our scenario, a simple, customer-set guardrail would have stopped the frolic before it started. For example, a policy stating "This agent is never authorized to offer discounts" or "This agent cannot attach internal financial data to external communications" would have made the disastrous action impossible. An unconfigurable black box is a non-starter.
Your Advantage: Guardrails empower your customer or internal security team to say “yes” by giving them direct, granular control to define what the agent can and can't do in their environment, aligning its behavior with their specific risk appetite.
Auditable Human Oversight: The third pillar is an essential circuit-breaker for high-risk actions. This means embedding explicit, logged "human-in-the-loop" approval gates. In our scenario, this checkpoint would have prevented the catastrophe entirely. The agent would have drafted the email, but a human oversight gate would have blocked it from being sent, requiring the actual sales rep to review and explicitly approve the 15% discount and the sharing of internal notes.
Your Advantage: This oversight gives the enterprise the final say on sensitive operations, turning a source of anxiety for Legal and Compliance into a point of provable control and a clear, auditable chain of command.
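The three pillars applied to the scenario's email, as one gate in front of the agent's send-email tool. This is an added example, not code from the original post; the policy keys, `gate_send_email`, the agent and user identifiers, and the sample email are hypothetical, and hash chaining is used here as one way to make the trail tamper-evident.

```python
import hashlib, json

class AuditTrail:
    """Append-only, hash-chained agent log; verify() fails if any entry is altered."""
    def __init__(self):
        self.entries = []

    def _digest(self, body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, agent_id, on_behalf_of, event, detail):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "agent_id": agent_id, "on_behalf_of": on_behalf_of,
                "event": event, "detail": detail, "prev": prev}
        self.entries.append({**body, "hash": self._digest(body)})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != self._digest(body):
                return False
            prev = e["hash"]
        return True

# Constructed customer policy: hard denials plus actions needing human sign-off.
POLICY = {"max_discount_pct": 0, "deny_labels": {"internal"},
          "approval_required": {"external_email"}}
# Constructed sample: the email the agent drafts in the scenario above.
ROGUE_EMAIL = {"to": "contact@customer.example", "external": True, "discount_pct": 15,
               "attachments": [{"name": "support-notes.txt", "label": "internal"}]}

def gate_send_email(trail, agent_id, user, email, approver=None):
    """Check an agent-drafted email against policy; log every decision."""
    trail.record(agent_id, user, "proposed", email)
    reasons = []
    if email["discount_pct"] > POLICY["max_discount_pct"]:
        reasons.append("discount_not_authorized")
    if email["external"] and POLICY["deny_labels"] & {a["label"] for a in email["attachments"]}:
        reasons.append("internal_attachment_to_external")
    if reasons:
        trail.record(agent_id, user, "blocked", reasons)
        return "blocked", reasons
    if email["external"] and "external_email" in POLICY["approval_required"]:
        if approver is None or not approver(email):
            trail.record(agent_id, user, "held_for_approval", email["to"])
            return "held", []
        trail.record(agent_id, user, "approved_by_human", user)
    trail.record(agent_id, user, "sent", email["to"])
    return "sent", []
```

Every entry names both the agent and the user whose credentials it borrowed, so the record can separate the agent's action from the sales rep's.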
The End of "Move Fast and Break Things"
The speed and scale of agent behavior make the "move fast and break things" ethos fundamentally incompatible with the realities of enterprise risk and liability. The builders who recognize this architectural mismatch between how agents operate and how we secure our enterprises will gain a significant advantage.
The next wave of agent adoption will be defined not just by the power of their agents, but by the provable safety and accountability they provide. Builders need to come to the table prepared to answer the hard questions, transforming themselves from vendors into trusted partners.
The critical question for every agent builder is no longer just, “What can my agent do?”, but “How can I prove what it will and won’t do?”

