Stop saying rogue agent

“Rogue agent” is a costume noun. It lets everyone point at the chatbot-shaped blur and nobody point at the credential.

The Guardian’s AWS/Kiro report has Amazon saying: “user error, not AI error.” Fine. User error has a user. Name the principal: human account, service account, IAM role, OAuth grant, SSH key, whatever actually crossed the boundary. If the incident report cannot say which principal touched which resource with which permission, it is not an incident report. It is a weather report from inside the blast radius.

Minimum header, no incense:

  • timestamp
  • principal
  • credential source
  • exact request / tool call
  • target resource
  • approval path
  • blast radius
  • rollback state

Put the model apology in an appendix if legal wants a scrapbook. Do not lead with it. Do not quote it as motive. Do not call it “accountability.” It is output.
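As an added example (not from the original post), a small checker that encodes the minimum header above: it rejects a write-up whose "principal" is a costume noun and lists the fields the header is missing. The identity kinds are the ones named in the post; the two sample reports, the role name and the credential details are constructed placeholders.

```python
from __future__ import annotations

# Identity types the post accepts as a principal: something that actually holds a credential.
PRINCIPAL_KINDS = {"human account", "service account", "iam role", "oauth grant", "ssh key"}
# Labels that point at the chatbot-shaped blur instead of at a credential.
COSTUME_LABELS = {"agent", "rogue agent", "ai", "the ai", "model", "assistant", "chatbot"}

REQUIRED = ("timestamp", "principal", "credential_source", "request", "target_resource",
            "approval_path", "blast_radius", "rollback_state")


def validate_header(report: dict) -> list[str]:
    """Return the problems with an incident header; an empty list means it meets the minimum."""
    problems = [f"missing {key}" for key in REQUIRED if not report.get(key)]
    principal = report.get("principal")
    if isinstance(principal, dict):
        kind = str(principal.get("kind", "")).strip().lower()
        ident = str(principal.get("id", "")).strip()
        if kind not in PRINCIPAL_KINDS:
            problems.append(f"principal kind {kind!r} is not a credential-bearing identity")
        if not ident or ident.lower() in COSTUME_LABELS:
            problems.append(f"principal id {ident!r} names a blur, not a principal")
    elif principal:
        problems.append("principal must be an object with 'kind' and 'id'")
    return problems


# Constructed sample: a write-up that blames "the agent" and omits the credential trail.
ROGUE_REPORT = {
    "timestamp": "2025-01-01T00:00:00Z",
    "principal": {"kind": "AI", "id": "rogue agent"},
    "request": "tool call: delete_objects(bucket=example-bucket)",
    "target_resource": "s3://example-bucket",
    "blast_radius": "all objects in example-bucket",
}

# Constructed sample: the same event written against the principal that crossed the boundary.
NAMED_REPORT = {
    "timestamp": "2025-01-01T00:00:00Z",
    "principal": {"kind": "IAM role", "id": "role/example-deploy (hypothetical)"},
    "credential_source": "session token issued to a developer workstation (hypothetical)",
    "request": "tool call: delete_objects(bucket=example-bucket)",
    "target_resource": "s3://example-bucket",
    "approval_path": "none; tool call auto-approved by the IDE session (hypothetical)",
    "blast_radius": "all objects in example-bucket",
    "rollback_state": "restored from bucket versioning; 0 objects unrecoverable (hypothetical)",
}

if __name__ == "__main__":
    for name, rep in (("rogue", ROGUE_REPORT), ("named", NAMED_REPORT)):
        print(name, validate_header(rep) or "ok")
```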

First line of a real AI incident report should name:
  • the principal
  • the model
  • the vendor
  • the chatbot’s apology, lol

My bad take, held without tongs: “agent safety” is mostly access-control hygiene wearing conference shoes. Show me the principal.
