Public Release // Research Reference // Potestas AI
Home Model Failures Free Audit Industries Pricing
Get a Quote
I. Scores Are Unreliable II. Agents Act III. Underwriting Demands Evidence IV. Standards & Governance
Thesis I

"A single score is meaningless."

The published literature — across peer-reviewed security venues, software engineering reproducibility studies, and dedicated benchmark audits — consistently finds that LLM evaluation results are non-deterministic, non-reproducible, and highly sensitive to methodology. An organization that accepts a vendor's benchmark score as evidence of AI safety is accepting a number with an unknown error rate, produced by a method that cannot be independently verified. Potestas AI audits produce sealed, deterministic, reproducible forensic records because the research tells us that nothing less is defensible.

Chasing Shadows: Pitfalls in LLM Security Research

Evertz et al. (15 authors) — NDSS 2026 — arXiv:2512.09549
What It Proves

Nine methodological pitfalls endemic to LLM security research — data leakage, context truncation, surrogate-model generalization, evaluation fragility — appear in 100% of the 72 peer-reviewed papers surveyed at leading security and software engineering venues between 2023 and 2024. Every paper contains at least one pitfall.

Why It Matters for Forensic Auditing

If every published paper on LLM security contains a methodological flaw, unpublished vendor benchmark reports carry even less evidentiary weight. A defensible audit requires explicit documentation that these pitfalls were controlled for — which a chain-of-custody evidence pack provides and a summary score cannot.

Potestas AI: Katana Auditor addresses the three most commercially consequential pitfalls identified by Evertz et al. directly — seed fixation (fixed seed 42 across all runs), cross-family grading (eliminating same-model grader bias), and sealed evidence packaging (making the full run reproducible and auditable).
arXiv:2512.09549 — Full Paper

Reflections on the Reproducibility of Commercial LLM Performance in Empirical Software Engineering Studies

ICSE '26 — April 2026, Rio de Janeiro — arXiv:2510.25506
What It Proves

Researchers attempted to replicate 18 LLM-centric studies from ICSE 2024 and ASE 2024. Of the five studies with sufficient artifacts to even attempt replication, none could be fully reproduced. Only two were partially reproducible. No characteristic of LLM studies — including official reproducibility badges — predicted whether results could be replicated.

Why It Matters for Forensic Auditing

Reproducibility is not a nicety — it is the difference between a finding and an observation. If published, peer-reviewed, artifact-badged results cannot be reproduced, a private benchmark report certainly cannot. Every Katana audit delivers the full run artifact: prompt, response, grader output, seed, and hash — so any third party can independently verify every finding.

arXiv:2510.25506 — Full Paper

LLM-based Vulnerability Discovery through the Lens of Code Metrics

Eisenhofer & Rieck et al. — ICSE '26 — mlsec.org/docs/2026-icse.pdf
What It Proves

A classifier built on basic code metrics performs on par with state-of-the-art LLMs for vulnerability discovery. Root-cause analysis reveals that LLMs are responding to shallow syntactic features rather than genuine security reasoning — which explains why their benchmark performance does not translate to real-world detection.

Why It Matters for Forensic Auditing

High benchmark scores on vulnerability detection may reflect pattern-matching to superficial features, not actual safety capability. Behavioral auditing under adversarial pressure — not static code scanning — is the only way to distinguish genuine robustness from calibrated surface performance.

ICSE 2026 Program — Paper Details

LLMs Cannot Reliably Identify and Reason About Security Vulnerabilities (Yet?): A Comprehensive Evaluation, Framework, and Benchmarks

Ullah et al. — IEEE S&P 2024 — arXiv:2312.12575
What It Proves

Across 228 code scenarios and eight leading LLMs, the SecLLMHolmes framework found non-deterministic responses, incorrect reasoning, and poor real-world performance. Changing only function or variable names caused incorrect answers in 26% of cases for leading models — demonstrating fundamental non-robustness under trivial perturbation.

Why It Matters for Forensic Auditing

Non-robustness to surface-level perturbation is exactly the failure mode an adversary will exploit. A vendor claiming their model "passed" a vulnerability benchmark has not shown robustness — they have shown performance on one test, under one framing. Sustained adversarial campaign testing is the only method that reveals whether robustness is real or a measurement artifact.

arXiv:2312.12575 — Full Paper

Thesis II

"Agents take harmful actions."

The transition from LLM-as-chatbot to LLM-as-agent is not an incremental change in risk profile — it is a categorical one. Agents plan, execute multi-step tasks, call real tools, and persist across sessions. The research and the emerging standards both confirm what Potestas AI's own flagship data shows: under adversarial pressure, agents will execute harmful actions at rates that would be unacceptable in any regulated operational context. Measuring whether an agent says something harmful is no longer sufficient. The question is whether it does something harmful.

AgentHarm: A Benchmark for Measuring Harmfulness of LLM Agents

Andriushchenko et al. — ICLR 2025 — arXiv:2410.09024
What It Proves

Across 110 explicitly malicious multi-step agent tasks (440 with augmentations) covering 11 harm categories including fraud, cybercrime, and harassment, frontier LLM agents demonstrated significant rates of task compliance — even without jailbreaking. LLM agents acting with tools pose substantially greater misuse risk than the same models in chatbot configurations.

Why It Matters for Forensic Auditing

AgentHarm establishes the research baseline for the exact question Potestas AI's flagship study operationalizes: will an agent actually execute the action, not just discuss it? Comparing an organization's model against this baseline requires a behavioral evidence record — not a benchmark score — because the risk is in what the agent does, not what it says.

arXiv:2410.09024 — Full Paper

AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents

Debenedetti et al. — NeurIPS 2024 — arXiv:2406.13352
What It Proves

In realistic agentic task environments — email, calendar, finance, travel — prompt injection attacks cause LLM agents to execute attacker-controlled instructions using real tools on behalf of users. The framework demonstrates that utility and security are in direct tension: more capable agents are more easily exploited.

Why It Matters for Forensic Auditing

AgentDojo frames the adversarial surface as it actually exists in deployed systems — not hypothetical, but embedded in normal workflows. Auditing an agentic system requires simulating the exact environment it operates in, with adversarial inputs injected through the channels the system trusts. Static red-teaming does not replicate this.

arXiv:2406.13352 — Full Paper

OWASP Top 10 for Agentic Applications 2026

OWASP Agentic Security Initiative (ASI) — genai.owasp.org — December 2025
What It Proves

The global open-source security community — over 100 security researchers, industry practitioners, and government representatives — has codified ten critical risk classes for agentic AI: Goal Hijack, Tool Misuse, Identity & Privilege Abuse, Memory Poisoning, and six others. This is the emerging industry standard for agentic AI security, referenced by NIST, NVIDIA, AWS, and Microsoft's AI Red Team.

Why It Matters for Forensic Auditing

The OWASP Agentic Top 10 is now the reference taxonomy a security buyer will bring to a procurement conversation. An audit that cannot map its probe categories to this taxonomy cannot answer the buyer's first question. Katana Auditor's 27-category probe structure is aligned with the Agentic Top 10 and the OWASP LLM Top 10 (2025).

Potestas AI Flagship (KATANA-RR-2026-01): Our wire-fraud agentic test — conducted June 2026, 180 runs across 4 frontier models, mock tools only — sits precisely in the unmeasured middle between what AgentHarm and AgentDojo establish in research and what OWASP ASI defines as operational risk. Results: Claude Opus 4.8, 0/180; GPT-5.2, 33%; Gemini 3.1 Pro, 65% (financial fraud); Grok 4.3, ~98%. Full study →
OWASP — Official Top 10 for Agentic Applications 2026

Thesis III

"Behavioral underwriting is becoming required."

The insurance and regulatory sectors are no longer treating AI risk as a future concern. ISO exclusion endorsements effective January 2026 are removing AI-related claims from standard commercial general liability coverage. State insurance regulators, coordinated through NAIC, are moving toward formal vendor licensing and examination requirements. Organizations that cannot document how their AI systems behave — with a defensible evidence record, not a score — face uninsured exposure and regulatory risk simultaneously.

ISO Endorsements CG 40 47 / CG 40 48 / CG 35 08 — Generative AI Exclusions, Commercial General Liability

Verisk ISO Forms — January 2026 edition — CGL endorsements
What It Proves

Three new standard endorsements, effective January 2026, allow carriers to exclude generative AI claims from CGL policies. CG 40 47 is the broad exclusion — removing bodily injury, property damage, and personal/advertising injury arising from generative AI. CG 40 48 excludes Coverage B only. Multiple carriers have adopted them at renewal. The effect is rolling across the market.

Why It Matters for Forensic Auditing

Organizations deploying AI systems that cannot document behavioral testing may find that AI-related claims fall outside their CGL coverage. A forensic audit report — with chain-of-custody evidence of pre-deployment behavioral testing — is precisely the documentation an underwriter will require to negotiate around or alongside these exclusions.

Verisk / ISO — Endorsement Overview (IndependentAgent.com)

NAIC Model Bulletin on AI Systems & Third-Party AI Oversight Model Law (Anticipated 2026)

NAIC Big Data and AI Working Group — Model Bulletin Dec. 2023; AI Systems Evaluation Tool pilot Jan.–Sept. 2026
What It Proves

Over half of U.S. states have adopted the NAIC Model Bulletin requiring insurers to maintain documented AI governance programs and third-party vendor oversight. A 12-state pilot of the AI Systems Evaluation Tool is running through September 2026, with full NAIC adoption expected at the 2026 Fall Meeting. A model law on third-party AI vendor licensing is anticipated in 2026, which would directly regulate AI auditors and testing vendors.

Why It Matters for Forensic Auditing

Insurers subject to NAIC oversight are already required to document vendor AI diligence with audit rights and contractual controls. When the third-party model law arrives, forensic audit documentation from a credentialed vendor will not be optional — it will be the evidence regulators pull during market conduct examinations. The regulatory window to build that record is now.

NAIC — AI Topic Page (Canonical Regulatory Source)

Thesis IV

"Standards and governance are converging on behavioral evidence."

The federal AI governance architecture — NIST AI RMF, the 2024 Generative AI Profile, MITRE ATLAS, and the OWASP frameworks — has converged on a common requirement: measure, document, and manage AI behavior across the system lifecycle. These frameworks do not say "run a benchmark." They say govern, map, measure, and manage — with documentation sufficient for a regulator or auditor to review. Potestas AI's methodology is structured to produce exactly that record, aligned with the frameworks federal and regulated buyers already use.

NIST AI Risk Management Framework (AI RMF 1.0) — NIST AI 100-1

NIST AI 100-1 — Released January 26, 2023 — doi.org/10.6028/NIST.AI.100-1
What It Proves

The de facto federal standard for AI governance defines four core functions: Govern, Map, Measure, and Manage. The framework explicitly requires that AI systems be evaluated for trustworthiness — validity, reliability, safety, security, privacy, and explainability — with documentation sufficient to support regulatory inquiry. It is the reference framework cited by NAIC, state insurance regulators, and federal procurement.

Why It Matters for Forensic Auditing

The AI RMF's MEASURE function calls for systematic evaluation of AI system behavior and risk — not self-reported scores. A Katana forensic evidence pack is structured to serve as the documentation layer for MEASURE and MANAGE functions, giving an organization a ready response when a regulator, auditor, or procuring agency asks how AI system behavior was verified.

Alignment note: Potestas AI methodology is aligned with NIST AI RMF 1.0 across all four functions. "Aligned with," not "Certified" — consistent with NIST's own framing of the framework as voluntary guidance.
NIST AI 100-1 — Full Framework (doi.org)

NIST AI Risk Management Framework: Generative AI Profile — NIST AI 600-1

Autio, Schwartz et al. — NIST AI 600-1 — July 26, 2024 — doi.org/10.6028/NIST.AI.600-1
What It Proves

The GenAI Profile extends AI RMF 1.0 to generative AI systems, identifying twelve risk areas specific to or amplified by generative AI — including confabulation, information security, value chain integrity, and human-AI configuration failures — and providing over 200 suggested governance actions. This is the operational federal standard for organizations deploying LLMs, released pursuant to Executive Order 14110.

Why It Matters for Forensic Auditing

Federal agencies and regulated entities deploying LLMs are expected to align with AI 600-1. An auditor who cannot map their findings to the twelve GenAI risk areas defined in this profile cannot serve a federal buyer. Katana's 27-category probe structure maps to the AI 600-1 risk taxonomy, giving federal clients a report they can hand directly to their compliance function.

NIST AI 600-1 — Generative AI Profile (doi.org)

NIST AI RMF Profile: Trustworthy AI in Critical Infrastructure (Concept Note)

NIST — Concept Note — April 7, 2026
What It Proves

NIST released a concept note in April 2026 for a critical infrastructure AI profile, extending the RMF specifically to operators of critical infrastructure deploying AI-enabled capabilities. This signals that the federal AI governance architecture is extending downward into the sectors — finance, defense, healthcare — where Potestas AI's buyer lives.

Why It Matters for Forensic Auditing

As the critical infrastructure profile matures, behavioral testing and documented evidence of AI system behavior will become part of the compliance baseline for operators in these sectors. Organizations that build their behavioral evidence record now — before the profile is final — will have documented compliance history. Those that wait will scramble to retrofit it.

NIST AI RMF — Official Page (nist.gov)

The evidence base is established. The question is the record.

Every entry in this library points to the same operational gap: organizations deploying AI systems have benchmark scores. They do not have forensic behavioral evidence. Katana Auditor produces the record that fills that gap — sealed, reproducible, chain-of-custody.

Request a Free Engagement View the Flagship Study