Research: Most AI Bots Omit Basic Safety Disclosures

University of Cambridge

Many of us now use AI chatbots to plan meals and write emails, AI-enhanced web browsers to book travel and buy tickets, and workplace AI to generate invoices and performance reports.

However, a new study of the "AI agent ecosystem" suggests that as these AI bots rapidly become part of everyday life, basic safety disclosure is "dangerously lagging".

A research team led by the University of Cambridge has found that AI developers share plenty of data on what these agents can do, while withholding evidence of the safety practices needed to assess any risks posed by AI.

The AI Agent Index, a project that includes researchers from MIT, Stanford and the Hebrew University of Jerusalem, investigated the abilities, transparency and safety of thirty "state of the art" AI agents, based on public information and correspondence with developers.

The latest update of the Index is led by Leon Staufer, a researcher studying for an MPhil at Cambridge's Leverhulme Centre for the Future of Intelligence. It looked at available data for a range of leading chat, browser and workflow AI bots built mainly in the US and China.

The team found a "significant transparency gap". Developers of just four AI bots in the Index publish agent-specific "system cards": formal safety and evaluation documents that cover everything from autonomy levels and behaviour to real-world risk analyses.*

Additionally, 25 out of 30 AI agents in the Index do not disclose internal safety results, while 23 out of 30 agents provide no data from third-party testing, despite these being the empirical evidence needed to rigorously assess risk.

Known security incidents or concerns have only been published for five AI agents, while "prompt injection vulnerabilities" – when malicious instructions manipulate the agent into ignoring safeguards – are documented for two of those agents.

Of the five Chinese AI agents analysed for the Index, only one had published any safety frameworks or compliance standards of any kind.

"Many developers tick the AI safety box by focusing on the large language model underneath, while providing little or no disclosure about the safety of the agents built on top," said Cambridge University's Leon Staufer, lead author of the Index update.

"Behaviours that are critical to AI safety emerge from the planning, tools, memory, and policies of the agent itself, not just the underlying model, and very few developers share these evaluations."

In fact, the researchers identify 13 AI agents that exhibit "frontier levels" of autonomy, yet only four of these disclose any safety evaluations of the bot itself.

"Developers publish broad, top-level safety and ethics frameworks that sound reassuring, but are publishing limited empirical evidence needed to actually understand the risks," Staufer said.

"Developers are much more forthcoming about the capabilities of their AI agent. This transparency asymmetry suggests a weaker form of safety washing."

The latest annual update provides verified information across 1,350 fields for the thirty prominent AI bots, as available up to the last day of 2025.

Criteria for featuring in the Index included public availability and ease of use, and developers with a market valuation of over US$1 billion. Some 80% of the Index bots were released or had major updates in the last two years.

The Index update shows that – outside of Chinese AI bots – almost all agents depend on a few foundation models (GPT, Claude, Gemini), a significant concentration of platform power behind the AI revolution, as well as potential systemic choke points.

"This shared dependency creates potential single points of failure," said Staufer. "A pricing change, service outage, or safety regression in one model could cascade across hundreds of AI agents. It also creates opportunities for safety evaluations and monitoring."

Many of the least transparent agents are AI-enhanced web browsers designed to carry out tasks on the open web on a user's behalf: clicking, scrolling, and filling in forms for tasks ranging from buying limited-release tickets to monitoring eBay bids.

Browser agents have the highest rate of missing safety information: 64% of safety-related fields unreported. They also operate at the highest levels of autonomy.**

This is closely followed by enterprise agents, business management AI aimed at reliably automating work tasks, with 63% of safety-related fields missing. Chat agents are missing 43% of safety-related fields in the Index.***
