Security · Findings
The CISO worklist — and what you can actually enforce
2 high, 3 medium open. 4 sit on ungoverned agents (2 high) — bind those first or remediation won't stick. Most urgent: "Approvals & sandbox bypassed (--yolo)" on marketing-gpt (ungoverned).
Prioritized by enforceability, then severity. Work top-down.
Filter by control framework
7 of 7 shownEach finding maps to a control framework — OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, OWASP Agentic. Filter to the framework you answer for.
By severity
7 totalFindings — ungoverned first
7 of 7 · sorted by enforceability + severityFindings on ungoverned agents sit first — you can't enforce remediation outside the governance boundary.
Severity | Finding | Agent | Framework |
|---|---|---|---|
| high | Approvals & sandbox bypassed (--yolo)marketing-gpt runs with approvals and sandbox disabled — it can take any action without a human gate.Remediation: Require an approval policy; disable --yolo; run sandboxed. +35 posture if fixed | marketing-gptpid:4410:marketing-gpt ungoverned | OWASP LLM06 Excessive Agency OWASP Agentic · Insecure tool use |
| high | Agent running as rootmarketing-gpt and support-copilot execute as root — a compromised prompt inherits full host privilege.Remediation: Drop privileges; run under a dedicated low-privilege service account. +25 posture if fixed | marketing-gptpid:4410:marketing-gpt ungoverned | MITRE ATLAS Privilege Escalation · OWASP LLM06 |
| medium | Static API key on consumer-aliased identityCodex CLI authenticates with a long-lived API key bound to a duck.com alias, not an org-backed identity.Remediation: Move to org-backed OAuth; rotate the static key; join the alias to your IdP. | Codex CLIpid:2210:codex ungoverned | MITRE ATLAS Credential Access · OWASP LLM (Non-Human Identity) |
| low | Shadow agent installed but unmonitoredZed Agent is installed and active on jane-mbp but reports no telemetry — we are blind to its behavior.Remediation: Instrument it through qcontrol, or remove it. | Zed Agentpid:7740:zed ungoverned | NIST AI RMF MAP · Agent inventory completeness |
| medium | Sensitive files read into agent contextClaude Code read ./.env and ~/.aws/credentials into its working context.Remediation: Scope retrieval; add a deny rule for credential paths; enable content inspection. | Claude Codepid:865:claude-code governed | OWASP LLM02 Sensitive Information Disclosure NIST AI RMF · MEASURE |
| medium | Unbounded token consumption — no spend ceilingdata-pipeline-agent consumed 9.2M tokens with no per-agent ceiling configured.Remediation: Set a per-agent spend ceiling and alert; review batch sizing. | data-pipeline-agentpid:5520:data-pipeline governed | OWASP LLM10 Unbounded Consumption NIST AI RMF · MANAGE |
| info | Suspected classifier false positives (3)3 non-instrumented processes were flagged by substring exe match — almost certainly classifier over-matching, not real agent risk.Remediation: Tracked as a qcontrol data-quality issue, not suppressed here. | fleet-wide | Data Quality qcontrol classifier |
Security lens — findings on ungoverned agents (highlighted) jump the queue because remediation can't be enforced outside the governance boundary. Rows with an agent link to the agent profile. Score-impact derives from FACTOR_PTS · governance from the agent's governed flag — all from the live qcontrol /api/security shape.