Founding release · Open standard

Every insurable risk began with a registry.

For two centuries, each new class of risk — maritime, fire, credit, cyber — became insurable the same way: its failures were recorded, classified, and counted. AI agents are the newest class. Noxal is the system of record for their failures — every documented incident, classified to one open standard, delivered as data you can price against.

See access tiers Read the open standard →

Incidents classified at launch

Fields per record, evidence-linked

Failure classes — open taxonomy

72^h

Alert window on new disclosures

Registry excerpt — Public Records Division Monitoring · courts · regulators · disclosures

Record	Incident	Agent class	Failure class	Severity	ALS	Loss band
NXL-2024-0007	Airline chatbot invents bereavement-fare policyTribunal holds carrier liable for its agent's statement	Customer-facing	FC-01 Hallucinated action	S3	71SEVERE	<$25K + precedent
NXL-2025-0019	Coding agent deletes production databaseActed outside instruction during code freeze; data loss	Coding · autonomous	FC-06 Tool misuse	S5	88CRITICAL	$100K–$1M band
NXL-2025-0026	Browsing agent follows hidden page instructionsIndirect injection redirects agent to attacker workflow	Browser · autonomous	FC-02 Prompt injection	S4	77SEVERE	Demonstrated vector
NXL-2023-0002	Engineers paste proprietary source into public LLMTrade-secret exposure through uncontrolled agent use	Internal tool	FC-05 Data exfiltration	S4	74SEVERE	Unquantified IP
NXL-2025-0031	Autonomous workflow loops on paid API callsRunaway recursion undetected for fourteen hours	Workflow · autonomous	FC-04 Runaway cost	S3	69SEVERE	$25K–$100K band

5 of 38 launch records shown · Every ALS score reproducible from the published rubric Request full registry access →

The market

Insurance is priced on history. Agentic AI has none — until now.

Underwriters are being asked to cover AI-agent risk today. The frequency and severity data that pricing requires exists only as scattered news reports, court filings, and incident threads. Noxal does the work once — rigorously, in one schema — so an entire market doesn't have to do it badly.

A premium is a price on a probability. Probabilities require records.

Underwriters & actuaries

Price AI coverage on evidence, not anecdote

Frequency and severity cuts by failure class, agent type, and autonomy level. The current alternative is an analyst reading social media. One mispriced agentic-AI policy costs more than a decade of this feed.

Underwriter licence →

Governance & risk officers

The diligence record your auditors will ask for

EU AI Act incident-reporting obligations arrive with enforcement attached. A classified failure history per agent category turns "we assessed the vendor" into documented fact.

Monitor tier →

GRC & procurement platforms

An agent-risk dimension, one integration away

ALS scores and failure-class histories delivered by API into vendor-assessment workflows. Every customer of yours gains a quantified AI-risk view from a single source of record.

Platform licence →

The standard

Eight failure classes. One language for agent risk.

Every record is assigned one primary failure class and one root-cause layer — model, orchestration, tooling, or human-oversight gap. The classification standard is published openly: cite it, adopt it, report against it. A shared language is what makes a market.

FC-01

Hallucinated action

The agent asserts or executes on invented facts, policies, or capabilities — and a counterparty relies on it.

FC-02

Prompt injection

Direct or indirect adversarial input redirects the agent's behaviour against its operator's intent.

FC-03

Privilege escalation

The agent obtains or exercises permissions beyond intended scope — credentials, systems, spend authority.

FC-04

Runaway cost

Unbounded loops, recursion, or resource consumption accumulating financial loss before detection.

FC-05

Data exfiltration

Confidential, personal, or proprietary data leaves the trust boundary through agent action or agent use.

FC-06

Tool misuse

A legitimate capability used destructively or outside instruction — writes, deletions, transactions, sends.

FC-07

Harmful output

Generated content creating legal, safety, or reputational exposure for the deploying organisation.

FC-08

Cascade failure

Agent-to-agent or agent-to-system interaction propagating a fault across multiple systems or parties.

CC BY 4.0 The taxonomy is open — the classified record is the product.

The record

Eighteen fields per incident, built for actuarial use.

Each record is evidence-linked and reviewed by an analyst before it enters the feed — nothing auto-published, nothing unsourced. Delivered as CSV and JSON under a versioned, stable schema.

Identification

incident_idNXL-YYYY-NNNN

incident_dateOccurrence or disclosure date

evidence_urlPrimary public source

disclosure_typePublic · contributed · regulatory

affected_partyDeployer · customer · third party

recurrence_flagRepeat of a known pattern

Technical classification

agent_typeCoding · browser · voice · workflow · trading

foundation_modelModel family and version, where known

deployment_contextInternal · customer-facing · autonomous

failure_classFC-01 … FC-08, primary

root_cause_layerModel · orchestration · tooling · oversight

autonomy_levelA1 supervised … A4 fully autonomous

Loss quantification

severityS1–S5, rubric-scored

loss_bandBanded financial estimate

detection_lagFailure to detection, banded

recovery_actionRollback · settlement · disclosure

regulatory_exposureGDPR · AI Act · sectoral

als_scoreComposite 0–100, reproducible

One comparable number per incident — severity by autonomy by detection lag — scored on an open rubric, so every figure in the Registry can be reproduced from its own record.

0–20

LOW

21–40

MODERATE

41–60

ELEVATED

61–80

SEVERE

81–100

CRITICAL

ALS — Agent Loss Severity. No black box: the rubric ships with the taxonomy, and disputed or partial evidence is flagged on the record itself.

Provenance

Where the record comes from.

Four monitored channels, one editorial bar: a record enters the Registry only with primary evidence attached.

Courts & tribunals

Rulings and filings where agent conduct created liability — the strongest evidence class on the record.

Regulatory disclosures

EU AI Act serious-incident reports and sectoral filings, flowing into the schema as obligations take effect.

Company post-mortems

First-party disclosures and verified incident write-ups from deploying organisations.

Security research

Reproducible demonstrations of exploitable agent behaviour, classified as demonstrated vectors — never speculation.

Access

Pattern. Particulars. Production.

Every tier ships every format — CSV, JSON, and the published schema. What separates them is depth and rights: the pattern of agent failure, the named particulars behind it, and the licence to act on them. Founding rates are locked for the life of the subscription.

Signal €0

The full taxonomy, the public schema and OpenAPI specification, the monthly digest, and five sample records. The standard is free — adopt it, cite it, build against it.

Read the standard →

Monitor

€390 / month

The pattern · self-serve

Every record — class, severity, ALS, loss band, industry
Entities anonymised; one-line incident summaries
CSV + JSON, monthly delivery, 30-day record delay
Internal research licence
Monthly billing, cancel anytime, instant checkout

Start self-serve

Founding rate — locked

Underwriter

€1,490 / month · billed annually

The particulars · decisioning licence

Named vendors and operators on every record
Full evidence text, court and regulatory links
Factor-level ALS inputs — recompute any score
72-hour new-record alerts, API + webhooks
Internal decisioning licence: pricing, underwriting criteria, audit citation
Desk-wide seats, one subscription

Start annual licence

Platform

€45K / year · from

Production · embed licence

Production API with SLA, bulk endpoints
Embed and redistribution rights inside rating engines, GRC and procurement platforms
Score-recompute endpoints, per-risk lookups at quote time
"Scored by Noxal" mark
Founding integration partner terms

Request licence terms

The JSON schema and OpenAPI specification are public — integrate before you license. The licence is for shipping, not for building.

The open standard

Agent Failure Taxonomy, v0.1

The full classification standard — failure classes, root-cause layers, autonomy levels, and the complete ALS scoring rubric — published openly, no email wall. Adopt it in underwriting criteria, cite it in governance reports, map internal incidents to it. The standard is free because a shared language serves everyone. The classified record behind it is what we sell.

Download the standard — PDF

Agent Failure Taxonomy

Version 0.1 · Fourteen pages · CC BY 4.0

Scope, definitions, and the unit of record
Failure classes FC-01 through FC-08
Root-cause layers and attribution rules
Autonomy levels A1–A4
The ALS scoring rubric, worked examples
Documented incidents by class, 2023–2026

Cite as: Noxal, Agent Failure Taxonomy v0.1 (2026)

Due diligence

The questions underwriters ask first.

Where does the data come from?

Public record: court rulings, regulatory filings, company disclosures, and reproducible security research — every record links its primary evidence. As EU AI Act serious-incident reporting comes into force, regulatory disclosures flow into the same schema. Confidential contributed incidents are held under separate data-sharing terms and surface only in aggregate.

What separates Monitor from the Underwriter licence?

Depth and rights, not format. Monitor carries the pattern: every record, classified and scored, with entities anonymised and summaries condensed — licensed for internal research. The Underwriter licence carries the particulars: named vendors and operators, full evidence text, court and regulatory links, and the factor-level inputs behind every ALS score — licensed for decisioning, so you may use it in pricing, underwriting criteria, and audit responses. Both ship CSV and JSON.

How are incidents verified and scored?

Every record is classified against the published rubric and reviewed by an analyst before entering the feed — nothing is auto-published from scraping. The ALS rubric is open, so any score can be reproduced from the record's own fields. Where evidence is disputed or partial, the record says so explicitly.

Why not have an analyst track this internally?

You can — that is the current state of the art, and it costs a multiple of this feed in analyst time while producing unstructured notes that no frequency-severity model can consume. Noxal exists so the work is done once, rigorously, in a schema built for the purpose.

What happens to our rate as the Registry grows?

Nothing. Founding subscribers keep their rate for the life of the subscription. List prices rise with the depth of the record; locked rates do not.

Can we contribute incidents confidentially?

Yes. Partner contributions enter the Registry anonymised and aggregated under a data-sharing agreement — you receive the benchmark back without exposing the source, and contributing partners receive a feed discount. Write to us to set terms.

Get started

The record deepens every week. Your rate shouldn't.

One line — your team and the tier you need — and the current registry excerpt and subscription terms are with you the same day.

Replies within one business day · Stripe invoicing · VAT invoices for EU entities

info@noxals.com Compare access tiers