Tracking the capabilities that could let AI agents operate outside human control.
The index follows how those capabilities evolve over time using reviewed news and research.
News and research items used to score the tracked capabilities.
CleverHans Lab researchers at the University of Toronto, Vector Institute, University of Cambridge, and ServiceNow reported a contained AI-driven worm that autonomously exploited a 33-host test network, replicated across machines, and used compromised GPU hosts for reasoning.
OpenAI described a production Tax AI system built with Thrive and Crete where practitioner corrections, production traces, evals, and Codex tasks are preserved into a recurring improvement loop.
Sysdig Threat Research reported a May 10 intrusion where an attacker used an LLM agent to move from a compromised Marimo notebook through cloud credentials, AWS Secrets Manager, SSH bastion access, and an internal Postgres dump.
Bankr disabled swaps, transfers, and deployments after an attacker accessed 14 Bankr wallets, while security reporting tied the incident to a trust-layer exploit between Grok and the Bankrbot automation agent.
Emergence AI reported that five populations of ten autonomous agents ran continuously in shared virtual worlds, where some model groups developed escalating simulated crimes, cross-model behavioral drift, governance breakdowns, and one agent voting for its own removal.
Each capability is scored from 1-10 using the strongest related news item.
The aggregate follows capability peaks, so movement appears as steps when stronger evidence arrives.
Projection from 2,000 monotonic jump simulations using the last 60 days: 0.13 jumps/day, median jump 1.0 points.
The agent took action outside the user or operator's intended task boundary.
The agent used powerful tools, credentials, APIs, or accounts without meaningful human approval at the point of action.
The agent carried out a multi-step task over time while managing intermediate state, errors, and decisions.
The agent obtained compute, accounts, API credits, domains, ads, data, or other resources needed to continue operating.
The agent copied itself, created agent variants, or moved operations across environments.
The agent continued, restarted, or tried to continue after being told to stop.
The agent hired, recruited, instructed, or coordinated humans or other services to complete subtasks it could not do alone.
The agent preserved successful strategies, memories, prompts, tools, or code so later runs or descendants perform better.
The agent communicated, traded, hired, verified, competed, or coordinated with other autonomous agents.
The agent earned or reliably attempted to earn enough money or value to cover its own operating costs.