AHDS-1 — Version 1.0

How to Underwrite AI Agent Risk: A Data Specification

The first formal schema defining what enforcement data insurers need to price, bind, and settle autonomous AI agent liability.

Published: March 2026
Authors: Antihero Research
Status: Draft for Industry Comment

Conformance Language (RFC 2119): The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. Implementations claiming AHDS-1 conformance MUST satisfy all MUST-level requirements and SHOULD satisfy all SHOULD-level requirements.

1. Executive Summary

AI agents are taking autonomous actions—executing code, accessing databases, sending emails, managing infrastructure—with real-world consequences. When an agent causes harm, someone pays. Today, nobody knows who, because the liability exposure is unpriced.

Underwriting requires enforcement data, not monitoring data. Insurers don't need dashboards. They need structured, tamper-evident records of every action an agent attempted, every policy decision that governed it, and cryptographic proof that the audit trail hasn't been altered.

This specification defines that data pipeline, built on the Antihero enforcement platform. It rests on three principles:

  1. Enforcement, not observation. Every data point originates from a policy gate that blocked or allowed an action—not from passive monitoring that may miss events.
  2. Tamper-evidence, not trust. Every audit event is hash-chained (SHA-256 + RFC 8785 JCS canonicalization) with optional Ed25519 signatures. Insurers verify integrity independently.
  3. Standards alignment. Maps directly to SOC 2 Type II, HIPAA, EU AI Act, NIST AI RMF, and NAIC Model Bulletin requirements.

Why this matters: No standard exists today for AI agent underwriting data. ACORD has extensibility but no AI-specific extensions. The NAIC AI Model Bulletin (adopted by 24 states) mandates governance but not data schema. ASOP No. 23 predates AI/ML (last revised 2016). The EU AI Act and ISO 42001 create demand but don't specify underwriting data formats. This specification fills that gap.

2. The Problem: AI Agent Risk is Unpriced

Coverage Gaps

Current cyber insurance focuses on breach, ransomware, and infrastructure failures. It does not cover the novel liability classes that AI agents introduce:

The Measurement Problem

Insurers can't price what they can't measure. Today's AI security tools produce alerts and dashboards—useful for security teams, useless for underwriters. Underwriting requires:

Regulatory Momentum

The regulatory environment is accelerating demand for this data:

3. The Underwriting Data Pipeline

The specification defines three data layers, each serving a different function in the underwriting workflow:

Data flow: Agent attempts action → TCE (what it tried) → Policy engine evaluates → PDE (what was decided) → Outcome recorded → AEE (tamper-evident receipt) → Risk metrics computed → Claims filed and adjudicated.

Layer 1: Enforcement Evidence

Three envelope types form the core evidentiary record. Every gated action produces all three.

Tool Call Envelope (TCE)

An immutable description of what an AI agent attempted to do. Frozen at creation time.

| Field | Type | Description |
|---|---|---|
| id | UUID | Unique envelope identifier |
| timestamp | datetime | When the action was requested (UTC) |
| action | string | Canonical action name (e.g., file.write, shell.execute, web.fetch) |
| resource | string | Target of the action (file path, URL, database table) |
| parameters | object | Arguments passed to the tool call |
| context | object | Additional context: conversation snippet, risk signals, environment metadata |
| subject.agent_id | string | Unique identifier of the AI agent (required) |
| subject.user_id | string? | Human user who initiated the session |
| subject.session_id | string? | Session or conversation identifier |
| subject.roles | string[] | Roles assigned to this agent |
| subject.delegation_depth | int | Number of agent-to-agent delegation hops (0 = original agent) |
| subject.delegated_roles | string[] | Roles inherited from parent agent, attenuated by intersection |
| caller.type | string | Invocation context: direct, programmatic, mcp, browser, cli |
| caller.container_id | string? | Sandbox container ID (scopes risk budgets) |

Policy Decision Envelope (PDE)

The gate decision rendered by the policy engine for a given TCE. Determines whether the action proceeds.

| Field | Type | Description |
|---|---|---|
| id | UUID | Unique decision identifier |
| timestamp | datetime | When the decision was rendered (UTC) |
| tce_id | UUID | The TCE this decision applies to |
| effect | enum | allow, deny, allow_with_requirements |
| risk_score | float | Per-action risk score (0.0 – 1.0) |
| cumulative_risk | float | Session cumulative risk after this action (≥ 0.0) |
| matched_rules | MatchedRule[] | Which policy rules contributed to this decision |
| requirements | Requirement[] | Conditions that must be met before execution (e.g., confirm, mfa, redact, sandbox) |
| reason | string | Human-readable explanation (required for deny decisions) |
| denied_by | string? | Rule ID that caused the denial |

Deny dominates: Conforming implementations MUST use a 4-tier composition model (baseline → org → app → user). If any tier denies, the action MUST be denied. Unknown actions MUST be denied by default (fail-closed). Implementations MUST NOT allow a lower-priority tier to override a deny from a higher-priority tier.
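
One way to implement deny-dominates composition, as an added example rather than the platform's policy engine. Assumptions: rules match actions by glob pattern, baseline is the highest-priority tier, and the rule ids are made up for illustration.

```python
from fnmatch import fnmatchcase

TIERS = ("baseline", "org", "app", "user")  # composition order from AHDS-1

# Constructed rule set; rule ids and action patterns are illustrative only.
RULES = [
    {"rule_id": "base-no-shell", "policy_tier": "baseline",
     "action": "shell.*", "effect": "deny"},
    {"rule_id": "org-fetch-sandbox", "policy_tier": "org",
     "action": "web.fetch", "effect": "allow_with_requirements",
     "requirements": [{"kind": "sandbox"}]},
    {"rule_id": "app-files", "policy_tier": "app",
     "action": "file.*", "effect": "allow"},
    {"rule_id": "user-shell-ok", "policy_tier": "user",
     "action": "shell.execute", "effect": "allow"},
    {"rule_id": "user-no-delete", "policy_tier": "user",
     "action": "file.delete", "effect": "deny"},
]


def decide(action, rules=RULES):
    """Compose all matching rules into PDE fields for one action."""
    matched = [r for r in rules if fnmatchcase(action, r["action"])]
    matched.sort(key=lambda r: TIERS.index(r["policy_tier"]))
    pde = {
        "effect": "deny",  # start closed; only an explicit allow opens the gate
        "matched_rules": [{"rule_id": r["rule_id"],
                           "policy_tier": r["policy_tier"],
                           "effect": r["effect"]} for r in matched],
        "requirements": [],
        "reason": "",
        "denied_by": None,
    }
    if not matched:
        pde["reason"] = f"no rule matches {action!r}; denied by default (fail-closed)"
        return pde
    denies = [r for r in matched if r["effect"] == "deny"]
    if denies:
        # Any deny wins, whichever tier it comes from; report the first in tier order.
        pde["denied_by"] = denies[0]["rule_id"]
        pde["reason"] = f"denied by {denies[0]['policy_tier']} rule {denies[0]['rule_id']}"
        return pde
    for rule in matched:
        pde["requirements"].extend(dict(req) for req in rule.get("requirements", []))
    pde["effect"] = "allow_with_requirements" if pde["requirements"] else "allow"
    pde["reason"] = "allowed by " + ", ".join(r["rule_id"] for r in matched)
    return pde


if __name__ == "__main__":
    for action in ("shell.execute", "file.delete", "web.fetch", "file.write", "email.send"):
        result = decide(action)
        print(action, "->", result["effect"], "|", result["reason"])
```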

Audit Event Envelope (AEE)

The tamper-evident receipt. One per gated action. Hash-chained to form an append-only, cryptographically verifiable audit trail.

| Field | Type | Description |
|---|---|---|
| id | UUID | Unique audit event identifier |
| timestamp | datetime | When the event was recorded (UTC) |
| sequence | int | Monotonic sequence number per organization (≥ 0) |
| tce | object | Serialized TCE snapshot |
| pde | object | Serialized PDE snapshot |
| outcome | enum | executed, blocked, requirements_pending, requirements_satisfied, error |
| execution_duration_ms | float? | Wall-clock execution time in milliseconds |
| result_hash | string? | SHA-256 of the tool's return value (non-sensitive results) |
| prev_hash | string | SHA-256 of the previous AEE. Genesis event: 64 zero characters |
| this_hash | string | SHA-256 of this AEE's canonical form (RFC 8785 JCS, excluding this_hash) |
| content_flags | object[] | DLP/PII findings from content inspection |
| signature | string? | Ed25519 signature over this_hash (enterprise profile) |
| signer_public_key | string? | Hex-encoded Ed25519 public key of the signer |

Hash chain verification: Conforming implementations MUST support independent chain verification. An auditor MUST be able to iterate events from sequence 0, recompute each this_hash using JCS canonicalization per RFC 8785 (excluding the this_hash field itself), and confirm that prev_hash matches the prior event's this_hash. The genesis event (sequence 0) MUST use 64 zero characters as prev_hash. Any discrepancy MUST be flagged as a chain integrity failure. Implementations SHOULD support Ed25519 signatures over this_hash for enterprise deployments.
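
The verification procedure above, written out as an added example (not Antihero's code): it walks a constructed three-event chain and reports what an auditor sees when an event is edited, edited and re-hashed, deleted, or cut from the tail. Assumptions: `canonical_bytes` is a simplified stand-in for RFC 8785 JCS, the `expected_head_hash` parameter is not an AHDS-1 field, and Ed25519 signature checking is left out.

```python
import copy
import hashlib
import json

GENESIS_PREV_HASH = "0" * 64  # prev_hash of the genesis event (sequence 0)


def canonical_bytes(event):
    """Canonical form of an AEE with this_hash excluded.

    Simplified stand-in for RFC 8785 JCS: sorted keys, no whitespace, UTF-8.
    It agrees with JCS only for ASCII keys and for numbers that Python and
    ECMAScript serialize identically; use a full JCS library in production.
    """
    body = {k: v for k, v in event.items() if k != "this_hash"}
    text = json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return text.encode("utf-8")


def event_hash(event):
    return hashlib.sha256(canonical_bytes(event)).hexdigest()


def verify_chain(events, expected_head_hash=None):
    """Walk the chain from sequence 0; return a list of integrity failures."""
    errors = []
    expected_prev = GENESIS_PREV_HASH
    for position, event in enumerate(events):
        seq = event.get("sequence")
        if seq != position:
            errors.append(f"position {position}: sequence {seq} (event missing or reordered)")
        if event.get("prev_hash") != expected_prev:
            errors.append(f"sequence {seq}: prev_hash does not match prior this_hash")
        if event.get("this_hash") != event_hash(event):
            errors.append(f"sequence {seq}: this_hash does not match recomputed hash")
        expected_prev = event.get("this_hash")
    # A chain cut off at the tail still links correctly, so compare the last
    # hash with a head value obtained out of band (assumption, not in AHDS-1).
    if expected_head_hash is not None and expected_prev != expected_head_hash:
        errors.append("head: final this_hash differs from recorded head (truncated chain)")
    return errors


def build_sample_chain():
    """Constructed three-event chain; all values are sample data."""
    steps = [("file.write", "allow", "executed"),
             ("shell.execute", "deny", "blocked"),
             ("web.fetch", "allow", "executed")]
    chain, prev = [], GENESIS_PREV_HASH
    for seq, (action, effect, outcome) in enumerate(steps):
        event = {
            "envelope_type": "aee",
            "id": f"00000000-0000-4000-8000-00000000000{seq}",
            "timestamp": f"2026-03-01T12:00:0{seq}Z",
            "sequence": seq,
            "tce": {"action": action, "resource": "/tmp/example"},
            "pde": {"effect": effect, "risk_score": 0.2},
            "outcome": outcome,
            "prev_hash": prev,
        }
        event["this_hash"] = event_hash(event)
        prev = event["this_hash"]
        chain.append(event)
    return chain


def edited_without_rehash(chain):
    """Test fixture: event 1 changed from blocked to executed, stored hash kept."""
    forged = copy.deepcopy(chain)
    forged[1]["pde"]["effect"] = "allow"
    forged[1]["outcome"] = "executed"
    return forged


def edited_and_rehashed(chain):
    """Test fixture: same change, with this_hash of event 1 recomputed."""
    forged = edited_without_rehash(chain)
    forged[1]["this_hash"] = event_hash(forged[1])
    return forged


def event_deleted(chain):
    """Test fixture: event 1 missing from the exported trail."""
    return [copy.deepcopy(e) for e in chain if e["sequence"] != 1]


if __name__ == "__main__":
    good = build_sample_chain()
    cases = {"intact": good, "edited": edited_without_rehash(good),
             "edited+rehashed": edited_and_rehashed(good),
             "deleted": event_deleted(good), "truncated": good[:2]}
    for name, chain in cases.items():
        print(name, verify_chain(chain, expected_head_hash=good[-1]["this_hash"]))
```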

Layer 2: Risk Metrics (Actuarial Inputs)

Computed from Layer 1 data. These are the inputs an actuary needs to price a policy.

Exposure Base Definition

Every insurance rating plan requires a defined exposure base—the unit of risk used to normalize premiums across insureds. AHDS-1 defines a composite exposure base with three components:

| Exposure Unit | Definition | Use Case | Weight |
|---|---|---|---|
| Agent-Month | One registered agent active for one calendar month | Primary rating unit. Analogous to vehicle-year in auto insurance. | Primary |
| Enforcement Event | One TCE→PDE evaluation cycle recorded in the audit chain | Volume scaling. Captures activity intensity. Reported as events per agent-month. | Secondary |
| Transaction Value | Sum of monetary values in gated financial actions (cents) | Severity scaling for agents handling payments, transfers, or purchases. | Tertiary |

The base premium MUST be quoted per agent-month. Event volume and transaction value act as rating factors that adjust the base rate, not as independent exposure units. This ensures rate stability while capturing the risk profile of high-volume or high-value agent deployments.

Rate filing note: For jurisdictions requiring rate filings (e.g., U.S. surplus lines), the exposure base MUST be stated as "agent-months" with event volume and transaction value as classification rating variables. This aligns with NAIC Statistical Handbook conventions for technology E&O policies.

RiskFactors

| Field | Type | Description |
|---|---|---|
| event_volume_30d | int | Total enforcement events in the last 30 days |
| block_rate | float | Fraction of events denied (0.0 – 1.0) |
| threat_detection_rate | float | Fraction of events with risk_score > 0.5 |
| avg_risk_score | float | Mean risk score across 30-day window |
| claims_count_90d | int | Claims filed in the last 90 days (frequency) |
| claims_paid_amount_90d | int | Sum of approved claim amounts in cents (severity) |
| heartbeat_lag_risk | float | Ratio of stale agents (heartbeat exceeds auto-quarantine threshold) to total monitored agents. Weight: 15% of composite. |
| velocity_anomaly_risk | float | Ratio of agents with z-score > 3.0 (action rate anomaly vs 6-month average) to total monitored agents. Weight: 15% of composite. |

Risk Multiplier Formula (Credibility-Weighted)

The risk multiplier MUST adjust the base premium using limited fluctuation credibility theory (Bühlmann model). Organizations with insufficient data are blended toward the class prior; those with deep enforcement histories earn full experience rating.

Credibility Factor (Z)

The credibility factor Z determines how much weight is given to an organization's own experience versus the class prior. Z is computed using the full credibility standard of 1,082 expected claims (CAS Exam 5, 90% confidence, ±5% accuracy):

# Credibility factor Z (Bühlmann limited-fluctuation)
# Full credibility standard: n_full = 1,082 expected claims
# For enforcement data: proxy via event volume (1 event ≈ 1 exposure unit)

from math import sqrt

n_full = 1082
Z = min(sqrt(event_volume_30d * 12 / n_full), 1.0)

# Example: 12,847 events/month → 154,164 annualized → Z = min(sqrt(142.5), 1.0) = 1.0
# Example: 50 events/month → 600 annualized → Z = min(sqrt(0.55), 1.0) = 0.74

Experience Rating

The experience multiplier blends the organization's own loss experience with the class prior:

# Class prior: industry average multiplier (starts at 1.0, updated annually)
M_class = 1.0

# Organization experience multiplier (from enforcement telemetry), starting from the base
M_org = 1.0

# Loss-based adjustments
if block_rate > 0.10:             M_org += 0.30   # Elevated denial rate
if threat_detection_rate > 0.05:  M_org += 0.50   # Elevated threat detection
if claims_count_90d > 0:          M_org += min(claims_count_90d * 0.10, 0.50)

# Good behavior discount (earned via enforcement hygiene)
if block_rate < 0.01 and claims_count_90d == 0 and event_volume_30d > 100:
    M_org -= 0.20

# Credibility-weighted blend
multiplier = Z * M_org + (1 - Z) * M_class

# Bounds (MUST be enforced): floor 0.8, cap 2.5
multiplier = max(0.8, min(multiplier, 2.5))

adjusted_premium = base_premium * multiplier

Loss Ratio

loss_ratio = claims_paid_3mo / premiums_collected_3mo

Actuarial note: The credibility standard of 1,082 claims follows the CAS Exam 5 limited-fluctuation approach (90% probability within ±5% of true mean, assuming Poisson frequency). As the AHDS-1 loss database matures, this specification SHOULD be updated with empirical variance parameters derived from actual AI agent loss data, transitioning from limited-fluctuation to Bühlmann-Straub credibility.

Loss Development & IBNR Reserves

Insurers MUST account for Incurred But Not Reported (IBNR) claims when computing ultimate losses. AI agent incidents have a characteristic reporting lag: boundary violations may not surface until downstream damage is detected (hours to weeks).

Loss Development Triangle

A loss development triangle tracks how reported losses mature over time. Each cell represents cumulative paid + reserved losses at a given development age for a given accident quarter:

# Loss Development Triangle (quarters)
#
# Accident    Development Age (months)
# Quarter     3        6        9        12       Ultimate
# ─────────────────────────────────────────────────────────
# Q1 2026     $12,400  $18,200  $21,100  $22,000  $22,440
# Q2 2026     $15,800  $22,900  $26,500  ...      ...
# Q3 2026     $11,200  $16,100  ...      ...      ...
# Q4 2026     $14,600  ...      ...      ...      ...
#
# Age-to-Age Factors (link ratios):
#   3→6:   1.468    6→9:   1.159    9→12:  1.043    12→Ult: 1.020
#
# Cumulative Development Factor (CDF) at 3 months:
#   CDF_3 = 1.468 × 1.159 × 1.043 × 1.020 = 1.810
#
# IBNR for Q4 2026 = ($14,600 × 1.810) - $14,600 = $11,826

| Parameter | Type | Description |
|---|---|---|
| development_ages | int[] (months) | Column headers: [3, 6, 9, 12] for quarterly evaluation |
| link_ratios | float[] | Age-to-age factors computed from historical triangles |
| cdf | float[] | Cumulative development factors (product of remaining link ratios) |
| ibnr_estimate_cents | int | IBNR reserve = (reported losses × CDF) − reported losses |
| ultimate_loss_cents | int | Reported losses + IBNR estimate |
| method | enum | chain_ladder, bornhuetter_ferguson, cape_cod |

Method selection: For immature accident periods (≤ 6 months of development), implementations SHOULD use the Bornhuetter-Ferguson method, which blends actual losses with an a priori expected loss ratio. The chain-ladder method SHOULD be used for mature periods (≥ 12 months). The Cape Cod method MAY be used as a reasonableness check. All three methods MUST be available in the actuarial data export (see Section 6).

PricingResult

| Field | Type | Description |
|---|---|---|
| base_premium_cents | int | Base monthly premium in cents |
| risk_multiplier | float | Computed risk adjustment factor (0.8x – 2.5x) |
| adjusted_premium_cents | int | Final monthly premium after risk adjustment |
| loss_ratio | float | Claims paid / premiums collected (3-month rolling window) |
| risk_factors | RiskFactors | The underlying risk factor computation |
| explanation | string[] | Human-readable breakdown of pricing decisions |

Layer 3: Claims & Fraud Detection

When an incident occurs, the claims pipeline uses enforcement data to adjudicate and detect fraud.

InsuranceClaim

| Field | Type | Description |
|---|---|---|
| id | UUID | Claim identifier |
| org_id | UUID | Organization that filed the claim |
| status | enum | submitted, under_review, approved, denied, paid |
| incident_type | string | Category: hallucination, boundary_violation, data_breach, etc. |
| incident_date | datetime | When the incident occurred |
| affected_agent_id | string? | Agent involved in the incident |
| related_event_ids | UUID[] | Linked audit event IDs (evidence) |
| estimated_damages_cents | int | Claimed amount in cents |
| approved_amount_cents | int? | Reviewer-approved amount |
| attestation_hash | string? | SHA-256 of signed attestation statement |
| chain_verified | bool? | Hash chain integrity verification result |
| fraud_flags | FraudFlag[] | Results of 7-layer fraud analysis |
| coverage_gap_detected | bool? | Whether enforcement gaps were found |
| auto_approved | bool | Whether the claim was auto-approved |

CoverageTerms

| Field | Type | Description |
|---|---|---|
| coverage_limit_cents | int | Maximum coverage per incident in cents. Tiered defaults: Sentinel = 10,000,000 ($100K), Sovereign = 100,000,000 ($1M). Custom limits up to $10M available via carrier negotiation. |
| aggregate_limit_cents | int | Maximum total coverage per policy period in cents. MUST be ≥ 2× per-incident limit. Default: 3× per-incident limit. |
| deductible_cents | int | Per-incident deductible in cents (default: 500,000 = $5,000). Self-insured retention for Sovereign tier. |
| premium_monthly_cents | int | Monthly premium in cents, adjusted by risk multiplier. Sentinel base: 9,900 ($99). Sovereign: custom-quoted. |
| effective_date | datetime | Coverage start date |
| expiry_date | datetime? | Coverage end date |
| partner_id | string | Insurance carrier identifier |
| status | enum | active, suspended, cancelled |

7-Layer Fraud Prevention

Every claim undergoes seven automated fraud checks before adjudication:

| # | Check | What It Detects | Severity |
|---|---|---|---|
| 1 | Chain Integrity | Hash chain linkage verification — detects tampered or deleted audit events | Critical |
| 2 | Coverage Continuity | Enforcement gaps > 1 hour in the 24 hours before incident — detects disabled security | Warning |
| 3 | Policy Version Pin | Snapshot of all org policies at incident time — detects post-incident policy modification | Info |
| 4 | Enforcement Telemetry | Count of linked audit events — detects claims without enforcement evidence | Warning |
| 5 | Honesty Attestation | Whether a signed attestation was provided with the claim | Info |
| 6 | Bypass Exclusion | Policy weakened within 48 hours before incident — detects intentional security weakening | Critical |
| 7 | Cross-Claim Correlation | Anomalous claim patterns: 3+ claims in 30 days, same agent in 2+ claims, claim > 50% coverage limit | Warning |

Auto-approval criteria: A claim MAY be auto-approved when: chain is verified, no critical fraud flags, no coverage gaps, and claimed amount ≤ 10% of per-incident coverage limit. All other claims MUST require human review. Implementations MUST NOT auto-deny claims—automated systems MAY approve but MUST NOT deny (denial MUST involve human adjudication). This follows the "AI approves, never denies" principle established in parametric insurance automation.
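
Checks 1, 2 and 4 and the auto-approval criteria as an added example (not the project's implementation), run over constructed audit timestamps. Assumptions: a gap is the time between consecutive AEE timestamps inside the 24-hour window, the check names and the `next_step` field are hypothetical, and the chain verification result is passed in.

```python
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(hours=24)  # check 2 looks at the 24 hours before the incident
MAX_GAP = timedelta(hours=1)    # check 2 flags silences longer than 1 hour


def coverage_gaps(event_times, incident_time):
    """Return (start, end) pairs with no audit event for more than MAX_GAP.

    Assumption: gaps are measured between consecutive AEE timestamps, with the
    window start and the incident time acting as boundaries.
    """
    start = incident_time - LOOKBACK
    inside = sorted(t for t in event_times if start <= t <= incident_time)
    points = [start] + inside + [incident_time]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > MAX_GAP]


def make_flag(check_name, severity, passed, detail):
    return {"check_name": check_name, "severity": severity,
            "passed": passed, "detail": detail}


def triage_claim(claim, coverage_limit_cents, event_times, chain_verified):
    """Run checks 1, 2 and 4, then apply the auto-approval criteria.

    The result uses FraudReport field names plus a hypothetical next_step,
    which is "auto_approve" or "human_review" and never a denial.
    """
    gaps = coverage_gaps(event_times, claim["incident_date"])
    linked = len(claim["related_event_ids"])
    chain_ok = chain_verified is True  # None (not yet verified) counts as failed
    flags = [
        make_flag("chain_integrity", "critical", chain_ok,
                  "hash chain verified" if chain_ok else "hash chain not verified"),
        make_flag("coverage_continuity", "warning", not gaps,
                  f"{len(gaps)} enforcement gap(s) longer than 1 hour"),
        make_flag("enforcement_telemetry", "warning", linked > 0,
                  f"{linked} linked audit event(s)"),
    ]
    has_critical = any(f["severity"] == "critical" and not f["passed"] for f in flags)
    # Integer arithmetic: claimed amount <= 10% of the per-incident limit.
    small_claim = claim["estimated_damages_cents"] * 10 <= coverage_limit_cents
    auto = chain_ok and not has_critical and not gaps and small_claim
    return {
        "flags": flags,
        "chain_verified": chain_verified,
        "coverage_gap": bool(gaps),
        "has_critical_flags": has_critical,
        "auto_approvable": auto,
        "auto_approval_reason": "all auto-approval criteria met" if auto else "",
        "next_step": "auto_approve" if auto else "human_review",
    }


# Constructed sample data below; in a real export the timestamps would be
# parsed from the AEE "timestamp" strings.
INCIDENT = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)
LIMIT_CENTS = 10_000_000  # Sentinel per-incident default from CoverageTerms


def sample_event_times(silent_from=None, silent_to=None):
    """One event every 30 minutes for 24 hours, minus an optional silent span."""
    times = [INCIDENT - timedelta(minutes=30 * i) for i in range(49)]
    if silent_from is not None and silent_to is not None:
        times = [t for t in times if not (silent_from < t < silent_to)]
    return times


def sample_claim(damages_cents):
    return {"incident_type": "boundary_violation", "incident_date": INCIDENT,
            "related_event_ids": ["00000000-0000-4000-8000-000000000001"],
            "estimated_damages_cents": damages_cents}


if __name__ == "__main__":
    quiet = sample_event_times(INCIDENT - timedelta(hours=4), INCIDENT - timedelta(hours=1))
    for label, times, damages, chain in [
        ("small claim, continuous enforcement", sample_event_times(), 500_000, True),
        ("small claim, 3-hour silence", quiet, 500_000, True),
        ("large claim", sample_event_times(), 2_000_000, True),
        ("chain failed verification", sample_event_times(), 500_000, False),
    ]:
        report = triage_claim(sample_claim(damages), LIMIT_CENTS, times, chain)
        print(label, "->", report["next_step"])
```

An idle agent produces the same silence as disabled enforcement, so the gap flag routes the claim to a reviewer rather than deciding it.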

4. Compliance Mapping

The enforcement data pipeline maps directly to existing regulatory frameworks. Organizations collecting AHDS-1 data satisfy multiple compliance requirements simultaneously.

SOC 2 Type II

  • CC6.1 Logical Access Controls — TCE subject fields prove identity and authorization
  • CC6.3 Authorization Enforcement — PDE effect/matched_rules prove policy evaluation
  • CC7.2 Security Monitoring — AEE events with risk_score > threshold prove detection
  • CC8.1 Change Management — AEE events for write/modify actions prove change tracking

HIPAA Security Rule

  • §164.312(b) Audit Controls — AEE hash chain provides tamper-evident audit trail
  • §164.312(d) Authentication — TCE subject.agent_id + subject.user_id prove identity
  • §164.312(c) Integrity Controls — AEE hash chain + signatures prove data integrity
  • §164.312(e) Transmission Security — AEE events for network actions prove encrypted transit

EU AI Act (2024/1689)

  • Art. 9 Risk Management — PDE risk_score + RiskBudget prove continuous risk assessment
  • Art. 12 Record-Keeping — AEE hash chain provides complete, tamper-evident logs
  • Art. 14 Human Oversight — PDE requirements (confirm, MFA) prove human-in-loop controls
  • Art. 15 Accuracy & Robustness — PDE matched_rules + fail-closed architecture prove defense

NIST AI RMF (100-1)

  • GOVERN — Policy rules + composition tiers prove governance structure
  • MAP — TCE action/resource classification maps AI system capabilities
  • MEASURE — PDE risk_score + RiskFactors provide quantitative risk metrics
  • MANAGE — PDE deny/requirements + Incident quarantine prove active mitigation

Additionally, the NAIC AI Model Bulletin (24 U.S. states) requirements for data lineage, data quality, data integrity, bias analysis, and decision rationale documentation are all satisfied by the TCE→PDE→AEE pipeline, which captures the full provenance of every AI agent decision.

5. Formal Schema Reference

Machine-readable JSON Schema definitions for all AHDS-1 data types. These schemas can be used for validation, code generation, and interoperability testing.

ToolCallEnvelope

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://antihero.systems/schemas/ahds-1/tce.json",
  "title": "ToolCallEnvelope",
  "type": "object",
  "required": ["envelope_type", "id", "timestamp", "subject", "action", "resource"],
  "properties": {
    "envelope_type": { "const": "tce" },
    "id": { "type": "string", "format": "uuid" },
    "timestamp": { "type": "string", "format": "date-time" },
    "action": { "type": "string", "examples": ["file.write", "shell.execute", "web.fetch"] },
    "resource": { "type": "string" },
    "parameters": { "type": "object", "default": {} },
    "context": { "type": "object", "default": {} },
    "subject": {
      "type": "object",
      "required": ["agent_id"],
      "properties": {
        "agent_id": { "type": "string" },
        "user_id": { "type": ["string", "null"] },
        "session_id": { "type": ["string", "null"] },
        "roles": { "type": "array", "items": { "type": "string" } },
        "delegation_depth": { "type": "integer", "minimum": 0, "default": 0 },
        "delegated_roles": { "type": "array", "items": { "type": "string" } },
        "metadata": { "type": "object" }
      }
    },
    "caller": {
      "type": ["object", "null"],
      "properties": {
        "type": { "enum": ["direct", "programmatic", "mcp", "browser", "cli"] },
        "container_id": { "type": ["string", "null"] },
        "tool_id": { "type": ["string", "null"] },
        "sandbox_ttl_seconds": { "type": ["integer", "null"] }
      }
    }
  }
}

PolicyDecisionEnvelope

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://antihero.systems/schemas/ahds-1/pde.json",
  "title": "PolicyDecisionEnvelope",
  "type": "object",
  "required": ["envelope_type", "id", "timestamp", "tce_id", "effect"],
  "properties": {
    "envelope_type": { "const": "pde" },
    "id": { "type": "string", "format": "uuid" },
    "timestamp": { "type": "string", "format": "date-time" },
    "tce_id": { "type": "string", "format": "uuid" },
    "effect": { "enum": ["allow", "deny", "allow_with_requirements"] },
    "risk_score": { "type": "number", "minimum": 0.0, "maximum": 1.0, "default": 0.0 },
    "cumulative_risk": { "type": "number", "minimum": 0.0, "default": 0.0 },
    "matched_rules": {
      "type": "array",
      "items": {
        "type": "object",
        "required": ["rule_id", "policy_tier", "effect"],
        "properties": {
          "rule_id": { "type": "string" },
          "policy_tier": { "enum": ["baseline", "org", "app", "user"] },
          "effect": { "enum": ["allow", "deny", "allow_with_requirements"] },
          "priority": { "type": "integer", "default": 0 }
        }
      }
    },
    "requirements": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "kind": { "enum": ["confirm", "mfa", "redact", "sandbox", "rate_limit", "log", "custom"] },
          "params": { "type": "object" },
          "satisfied": { "type": "boolean", "default": false }
        }
      }
    },
    "reason": { "type": "string", "default": "" },
    "denied_by": { "type": ["string", "null"] }
  }
}

AuditEventEnvelope

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://antihero.systems/schemas/ahds-1/aee.json",
  "title": "AuditEventEnvelope",
  "type": "object",
  "required": ["envelope_type", "id", "timestamp", "sequence", "tce", "pde", "outcome", "prev_hash"],
  "properties": {
    "envelope_type": { "const": "aee" },
    "id": { "type": "string", "format": "uuid" },
    "timestamp": { "type": "string", "format": "date-time" },
    "sequence": { "type": "integer", "minimum": 0 },
    "tce": { "type": "object", "description": "Serialized ToolCallEnvelope snapshot" },
    "pde": { "type": "object", "description": "Serialized PolicyDecisionEnvelope snapshot" },
    "outcome": { "enum": ["executed", "blocked", "requirements_pending", "requirements_satisfied", "error"] },
    "error": { "type": ["string", "null"] },
    "execution_duration_ms": { "type": ["number", "null"] },
    "result_hash": { "type": ["string", "null"], "description": "SHA-256 of tool return value" },
    "prev_hash": { "type": "string", "minLength": 64, "maxLength": 64 },
    "this_hash": { "type": "string", "minLength": 64, "maxLength": 64 },
    "content_flags": { "type": "array", "items": { "type": "object" }, "default": [] },
    "signature": { "type": ["string", "null"], "description": "Ed25519 signature over this_hash" },
    "signer_public_key": { "type": ["string", "null"], "description": "Hex-encoded Ed25519 public key" }
  }
}

RiskFactors

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://antihero.systems/schemas/ahds-1/risk-factors.json",
  "title": "RiskFactors",
  "type": "object",
  "properties": {
    "event_volume_30d": { "type": "integer", "minimum": 0, "default": 0 },
    "block_rate": { "type": "number", "minimum": 0.0, "maximum": 1.0, "default": 0.0 },
    "threat_detection_rate": { "type": "number", "minimum": 0.0, "maximum": 1.0, "default": 0.0 },
    "avg_risk_score": { "type": "number", "minimum": 0.0, "maximum": 1.0, "default": 0.0 },
    "claims_count_90d": { "type": "integer", "minimum": 0, "default": 0 },
    "claims_paid_amount_90d": { "type": "integer", "minimum": 0, "default": 0, "description": "Amount in cents" }
  }
}

InsuranceClaim

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://antihero.systems/schemas/ahds-1/insurance-claim.json",
  "title": "InsuranceClaim",
  "type": "object",
  "required": ["id", "org_id", "incident_type", "incident_date", "description"],
  "properties": {
    "id": { "type": "string", "format": "uuid" },
    "org_id": { "type": "string", "format": "uuid" },
    "status": { "enum": ["submitted", "under_review", "approved", "denied", "paid"], "default": "submitted" },
    "incident_type": { "enum": ["hallucination", "boundary_violation", "data_breach", "unauthorized_action", "financial_loss", "compliance_violation", "model_drift", "data_poisoning"] },
    "incident_date": { "type": "string", "format": "date-time" },
    "description": { "type": "string" },
    "affected_agent_id": { "type": ["string", "null"] },
    "related_event_ids": { "type": "array", "items": { "type": "string", "format": "uuid" } },
    "estimated_damages_cents": { "type": "integer", "minimum": 0 },
    "approved_amount_cents": { "type": ["integer", "null"] },
    "attestation_hash": { "type": ["string", "null"], "description": "SHA-256 of signed attestation" },
    "chain_verified": { "type": ["boolean", "null"] },
    "fraud_flags": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "check_name": { "type": "string" },
          "severity": { "enum": ["info", "warning", "critical"] },
          "passed": { "type": "boolean" },
          "detail": { "type": "string" }
        }
      }
    },
    "coverage_gap_detected": { "type": ["boolean", "null"] },
    "auto_approved": { "type": "boolean", "default": false },
    "auto_approval_reason": { "type": ["string", "null"] }
  }
}

FraudReport

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://antihero.systems/schemas/ahds-1/fraud-report.json",
  "title": "FraudReport",
  "type": "object",
  "properties": {
    "flags": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "check_name": { "type": "string" },
          "severity": { "enum": ["info", "warning", "critical"] },
          "passed": { "type": "boolean" },
          "detail": { "type": "string" }
        }
      }
    },
    "chain_verified": { "type": ["boolean", "null"] },
    "chain_errors": { "type": "array", "items": { "type": "string" } },
    "coverage_gap": { "type": "boolean", "default": false },
    "auto_approvable": { "type": "boolean", "default": false },
    "auto_approval_reason": { "type": "string", "default": "" },
    "has_critical_flags": { "type": "boolean" }
  }
}

ComplianceReport (SOC 2 Example)

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://antihero.systems/schemas/ahds-1/compliance-report.json",
  "title": "ComplianceReport",
  "type": "object",
  "required": ["report_type", "generated_at", "chain_integrity"],
  "properties": {
    "report_type": { "type": "string", "examples": ["SOC 2 Type II", "HIPAA", "EU AI Act", "NIST AI RMF"] },
    "generated_at": { "type": "string", "format": "date-time" },
    "organization": {
      "type": "object",
      "properties": {
        "name": { "type": "string" },
        "id": { "type": "string", "format": "uuid" }
      }
    },
    "chain_integrity": {
      "type": "object",
      "properties": {
        "valid": { "type": "boolean" },
        "total_events": { "type": "integer" },
        "errors": { "type": "array", "items": { "type": "string" } }
      }
    },
    "summary": {
      "type": "object",
      "properties": {
        "total_evaluations": { "type": "integer" },
        "total_blocked": { "type": "integer" },
        "total_allowed": { "type": "integer" },
        "total_errors": { "type": "integer" }
      }
    },
    "framework_criteria": { "type": "object", "description": "Framework-specific criteria (varies by report_type)" }
  }
}

PricingResult

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://antihero.systems/schemas/ahds-1/pricing-result.json",
  "title": "PricingResult",
  "type": "object",
  "required": ["base_premium_cents", "risk_multiplier", "adjusted_premium_cents", "risk_factors"],
  "properties": {
    "base_premium_cents": { "type": "integer", "minimum": 0, "description": "Base monthly premium in cents before risk adjustment" },
    "risk_multiplier": { "type": "number", "minimum": 0.8, "maximum": 2.5, "description": "Credibility-weighted risk adjustment factor" },
    "credibility_factor": { "type": "number", "minimum": 0.0, "maximum": 1.0, "description": "Buhlmann credibility factor Z (0 = full class prior, 1 = full experience)" },
    "adjusted_premium_cents": { "type": "integer", "minimum": 0, "description": "Final monthly premium after credibility-weighted risk adjustment" },
    "loss_ratio": { "type": ["number", "null"], "minimum": 0.0, "description": "Claims paid / premiums collected (3-month rolling). Null if no premium history." },
    "loss_development": {
      "type": ["object", "null"],
      "description": "IBNR and loss development data (null if insufficient history)",
      "properties": {
        "method": { "enum": ["chain_ladder", "bornhuetter_ferguson", "cape_cod"] },
        "ibnr_estimate_cents": { "type": "integer", "minimum": 0 },
        "ultimate_loss_cents": { "type": "integer", "minimum": 0 },
        "development_age_months": { "type": "integer", "minimum": 0 },
        "cdf": { "type": "number", "minimum": 1.0, "description": "Cumulative development factor at current age" }
      }
    },
    "risk_factors": { "$ref": "https://antihero.systems/schemas/ahds-1/risk-factors.json" },
    "exposure_base": {
      "type": "object",
      "properties": {
        "agent_months": { "type": "number", "description": "Primary exposure: active agent-months in rating period" },
        "events_per_agent_month": { "type": "number", "description": "Secondary: event intensity rating factor" },
        "transaction_value_cents": { "type": "integer", "description": "Tertiary: total gated financial transaction value" }
      }
    },
    "explanation": { "type": "array", "items": { "type": "string" }, "description": "Human-readable breakdown of pricing decisions" }
  }
}

CoverageTerms

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://antihero.systems/schemas/ahds-1/coverage-terms.json",
  "title": "CoverageTerms",
  "type": "object",
  "required": ["coverage_limit_cents", "aggregate_limit_cents", "deductible_cents", "premium_monthly_cents", "effective_date", "partner_id", "status"],
  "properties": {
    "coverage_limit_cents": { "type": "integer", "minimum": 0, "description": "Per-incident coverage limit in cents. Sentinel default: 10,000,000 ($100K)." },
    "aggregate_limit_cents": { "type": "integer", "minimum": 0, "description": "Per-period aggregate limit. MUST be >= 2x per-incident limit." },
    "deductible_cents": { "type": "integer", "minimum": 0, "description": "Per-incident deductible in cents. Default: 500,000 ($5,000)." },
    "premium_monthly_cents": { "type": "integer", "minimum": 0, "description": "Monthly premium in cents, adjusted by risk multiplier." },
    "effective_date": { "type": "string", "format": "date-time", "description": "Coverage start date." },
    "expiry_date": { "type": ["string", "null"], "format": "date-time", "description": "Coverage end date. Null for continuous coverage." },
    "partner_id": { "type": "string", "description": "Insurance carrier identifier." },
    "status": { "enum": ["active", "suspended", "cancelled"], "description": "Coverage status. Suspended coverage MUST trigger enforcement-only mode (logging continues, insurance claims disabled)." },
    "incident_types_covered": {
      "type": "array",
      "items": { "enum": ["hallucination", "boundary_violation", "data_breach", "unauthorized_action", "financial_loss", "compliance_violation", "model_drift", "data_poisoning"] },
      "description": "Covered incident categories. Carriers MUST specify covered types at binding."
    },
    "exclusions": {
      "type": "array",
      "items": { "type": "string" },
      "description": "Policy exclusions in human-readable text."
    }
  }
}
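An added example, not part of the specification or Antihero's code: a carrier-side check for the CoverageTerms rules that schema validation alone will not catch. The 2x aggregate rule lives only in a description string, and in JSON Schema draft 2020-12 `format: date-time` is an annotation unless the validator is configured to assert it. The function names, the sample record, and the treatment of `cancelled` as claims-disabled are assumptions.

```python
from datetime import datetime

CENT_FIELDS = ("coverage_limit_cents", "aggregate_limit_cents",
               "deductible_cents", "premium_monthly_cents")


def parse_date_time(value):
    """Parse an RFC 3339 timestamp; raises ValueError when malformed."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_coverage_terms(terms):
    """Return violations of rules the JSON Schema alone does not enforce."""
    errors = []
    for key in CENT_FIELDS:
        value = terms.get(key)
        # bool is an int subclass in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            errors.append(f"{key}: expected a non-negative integer (cents)")
    if not errors and terms["aggregate_limit_cents"] < 2 * terms["coverage_limit_cents"]:
        errors.append("aggregate_limit_cents: below 2x coverage_limit_cents")
    for key in ("effective_date", "expiry_date"):
        value = terms.get(key)
        if value is None and key == "expiry_date":
            continue  # null or absent expiry means continuous coverage
        try:
            parse_date_time(value)
        except (AttributeError, TypeError, ValueError):
            errors.append(f"{key}: not a valid date-time")
    if terms.get("status") not in ("active", "suspended", "cancelled"):
        errors.append("status: not one of active, suspended, cancelled")
    return errors


def claims_enabled(terms):
    """Claims are accepted only for valid, active coverage. Suspended coverage
    is enforcement-only; treating cancelled the same way is an assumption."""
    return not check_coverage_terms(terms) and terms["status"] == "active"


# Constructed sample using the defaults quoted in the schema descriptions.
SAMPLE_TERMS = {
    "coverage_limit_cents": 10_000_000, "aggregate_limit_cents": 20_000_000,
    "deductible_cents": 500_000, "premium_monthly_cents": 250_000,
    "effective_date": "2026-03-03T00:00:00Z", "expiry_date": None,
    "partner_id": "carrier-example", "status": "active",
}
```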

6. Integration Guide

How Carriers Consume This Data

Insurance carriers MUST access AHDS-1 data through the Partner API, authenticated with X-Partner-Key headers. Implementations MUST support API key rotation without service interruption. See the technical documentation for full API authentication and SDK details. The API MUST provide:

| Endpoint | Method | Description |
|---|---|---|
| /api/v1/partner/orgs | GET | List insured organizations |
| /api/v1/partner/orgs/{id}/risk-factors | GET | Current RiskFactors for an org |
| /api/v1/partner/orgs/{id}/pricing | GET | Computed PricingResult |
| /api/v1/partner/orgs/{id}/claims | GET | Claims history with fraud reports |
| /api/v1/partner/orgs/{id}/chain/verify | POST | Independent hash chain verification |
| /api/v1/partner/orgs/{id}/compliance/{framework} | GET | Compliance report export (soc2, hipaa, eu_ai_act, nist_ai_rmf) |
| /api/v1/partner/orgs/{id}/events | GET | Paginated audit event stream (JSONL) |

Data Export Formats

Retention Requirements

| Framework | Minimum Retention | Notes |
|---|---|---|
| SOC 2 | 12 months | Audit period evidence |
| HIPAA | 6 years | §164.530(j) retention requirement |
| EU AI Act | Duration of system operation + 10 years | Art. 12(2) record-keeping |
| Insurance claims | Statute of limitations + 3 years | Varies by jurisdiction |

Reinsurance Treaty Modeling

AHDS-1 data supports three reinsurance structures:

7. Adoption Path

Phase 1: Reference Implementation (Complete)

Antihero has implemented the full AHDS-1 specification in production code: 2,200+ lines across the policy engine, enforcement layer, audit chain, insurance claims pipeline, fraud detection, and compliance exports. All schemas in this document are derived from running production code, not theoretical designs.

Phase 2: Carrier Pilot

Engagement with cyber insurance carriers (Coalition, At-Bay, Corvus) to validate the data specification against their existing underwriting workflows. The Partner API provides real-time access to enforcement data in a format compatible with actuarial modeling tools.

Phase 3: ACORD Working Group Submission

ACORD's extensibility framework allows industry-specific data standards. AHDS-1 is designed as an ACORD extension for AI agent liability—the first schema that bridges AI security enforcement data and insurance underwriting workflows.

Phase 4: ISO/IEC Contribution

ISO 42001 (AI management systems) establishes the governance framework. AHDS-1 provides the data specification that makes that governance insurable. The path runs through ISO/IEC JTC 1/SC 42 (Artificial Intelligence), building on the compliance mapping to existing ISO standards.

8. Appendix: Full Schema Examples

Example: ToolCallEnvelope (Dangerous Shell Command)

{
  "envelope_type": "tce",
  "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "timestamp": "2026-03-03T14:30:00.000Z",
  "action": "shell.execute",
  "resource": "rm -rf /",
  "parameters": { "shell": "bash", "timeout": 30 },
  "context": { "conversation_id": "conv-789" },
  "subject": {
    "agent_id": "gpt-4-agent-prod",
    "user_id": "user-42",
    "session_id": "sess-abc123",
    "roles": ["developer"],
    "delegation_depth": 0,
    "delegated_roles": [],
    "metadata": {}
  },
  "caller": {
    "type": "programmatic",
    "container_id": "ptc-sandbox-001",
    "tool_id": "bash_executor",
    "sandbox_ttl_seconds": 270
  }
}

Example: PolicyDecisionEnvelope (Deny)

{
  "envelope_type": "pde",
  "id": "b2c3d4e5-f6a7-8901-bcde-f23456789012",
  "timestamp": "2026-03-03T14:30:00.003Z",
  "tce_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "effect": "deny",
  "risk_score": 0.95,
  "cumulative_risk": 1.12,
  "matched_rules": [
    {
      "rule_id": "deny-destructive-shell",
      "policy_tier": "baseline",
      "effect": "deny",
      "priority": 100
    }
  ],
  "requirements": [],
  "reason": "shell.execute denied by baseline policy (fail-closed). Resource matches destructive command pattern.",
  "denied_by": "deny-destructive-shell"
}

Example: AuditEventEnvelope (Hash-Chained Receipt)

{
  "envelope_type": "aee",
  "id": "c3d4e5f6-a7b8-9012-cdef-345678901234",
  "timestamp": "2026-03-03T14:30:00.005Z",
  "sequence": 48,
  "tce": { "...": "(serialized TCE above)" },
  "pde": { "...": "(serialized PDE above)" },
  "outcome": "blocked",
  "error": null,
  "execution_duration_ms": null,
  "result_hash": null,
  "prev_hash": "e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5",
  "this_hash": "7a3f9b2e1c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8c41d",
  "content_flags": [],
  "signature": "a1b2c3d4...ed25519...f5e6d7c8",
  "signer_public_key": "04a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456"
}
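An added example, not Antihero's code: how a carrier could re-verify a page of the JSONL event stream offline rather than relying only on the /chain/verify endpoint. The digest recipe (SHA-256 over the canonicalized event minus this_hash, signature and signer_public_key), the anchor_hash parameter and the build_sample and to_jsonl helpers are assumptions for illustration, and the sample chain is constructed.

```python
import hashlib
import json

# Assumption: these fields are derived from the digest, so they are left out of it.
EXCLUDED = ("this_hash", "signature", "signer_public_key")


def canonical(obj):
    """Sorted keys, no whitespace, UTF-8. Equals RFC 8785 output only for
    strings, integers, booleans and null; floats need a full JCS library."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def event_hash(event):
    body = {k: v for k, v in event.items() if k not in EXCLUDED}
    return hashlib.sha256(canonical(body)).hexdigest()


def verify_chain(jsonl_text, anchor_hash=None):
    """Return error strings for a JSONL page; an empty list means verified.
    anchor_hash is the this_hash of the event preceding the page, if known."""
    errors, prev_hash, prev_seq = [], anchor_hash, None
    lines = [ln for ln in jsonl_text.splitlines() if ln.strip()]
    for n, line in enumerate(lines, 1):
        ev = json.loads(line)
        if prev_seq is not None and ev.get("sequence") != prev_seq + 1:
            errors.append(f"line {n}: sequence gap after {prev_seq}")
        if prev_hash is not None and ev.get("prev_hash") != prev_hash:
            errors.append(f"line {n}: prev_hash does not link to previous event")
        if event_hash(ev) != ev.get("this_hash"):
            errors.append(f"line {n}: content does not match this_hash")
        prev_hash, prev_seq = ev.get("this_hash"), ev.get("sequence")
    return errors


def build_sample(outcomes, first_sequence=48, anchor="e4" * 32):
    """Constructed sample data: a small chain using a subset of AEE fields."""
    events, prev = [], anchor
    for i, outcome in enumerate(outcomes):
        ev = {"envelope_type": "aee", "sequence": first_sequence + i,
              "outcome": outcome, "error": None, "prev_hash": prev}
        ev["this_hash"] = prev = event_hash(ev)
        events.append(ev)
    return events


def to_jsonl(events):
    return "\n".join(json.dumps(ev) for ev in events)
```

A content mismatch points at an event edited in place; a broken prev_hash link or a sequence gap points at an event that was removed, inserted, or edited and re-hashed.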

Example: RiskFactors

{
  "event_volume_30d": 12847,
  "block_rate": 0.034,
  "threat_detection_rate": 0.012,
  "avg_risk_score": 0.08,
  "claims_count_90d": 0,
  "claims_paid_amount_90d": 0
}

This organization has healthy metrics: 12,847 events/month, only 3.4% blocked, 1.2% threat detection rate, zero claims. Risk multiplier: 0.8x (good behavior discount applies).

Example: FraudReport

{
  "flags": [
    { "check_name": "chain_integrity", "severity": "critical", "passed": true, "detail": "Hash chain verified: 49 events, 0 gaps" },
    { "check_name": "coverage_continuity", "severity": "warning", "passed": true, "detail": "No enforcement gaps in 24h before incident" },
    { "check_name": "policy_version_pin", "severity": "info", "passed": true, "detail": "Policy snapshot preserved: 3 active policies" },
    { "check_name": "enforcement_telemetry", "severity": "warning", "passed": true, "detail": "12 linked audit events found" },
    { "check_name": "honesty_attestation", "severity": "info", "passed": true, "detail": "Signed attestation provided" },
    { "check_name": "bypass_exclusion", "severity": "critical", "passed": true, "detail": "No policy modifications in 48h window" },
    { "check_name": "cross_claim_correlation", "severity": "warning", "passed": true, "detail": "No anomalous claim patterns detected" }
  ],
  "chain_verified": true,
  "chain_errors": [],
  "coverage_gap": false,
  "auto_approvable": true,
  "auto_approval_reason": "All 7 fraud checks passed. Chain verified. Amount within 10% of coverage limit.",
  "has_critical_flags": false
}

Example: SOC 2 Compliance Report

{
  "report_type": "SOC 2 Type II - AI Agent Audit Evidence",
  "generated_at": "2026-03-03T15:00:00.000Z",
  "organization": { "name": "Acme Corp", "id": "org-12345" },
  "audit_period": { "start": "2025-09-03", "end": "2026-03-03" },
  "chain_integrity": { "valid": true, "total_events": 49382, "errors": [] },
  "summary": {
    "total_evaluations": 49382,
    "total_blocked": 1641,
    "total_allowed": 47689,
    "total_errors": 52
  },
  "trust_services_criteria": {
    "CC6.1_logical_access_controls": {
      "description": "AI agent identity and authorization verified for every action",
      "evidence_count": 49382
    },
    "CC6.3_authorization": {
      "description": "Policy evaluation enforced on every tool call",
      "evidence_count": 1641
    },
    "CC7.2_monitoring": {
      "description": "Continuous risk scoring with threat detection",
      "evidence_count": 589
    },
    "CC8.1_change_management": {
      "description": "Write and modify operations tracked in audit chain",
      "evidence_count": 8234
    }
  }
}

AHDS-1 is open for industry comment. Insurance carriers, actuaries, compliance professionals, and AI developers are invited to review and contribute. Contact us for enterprise implementation, follow latest updates, or visit antihero.systems.