c16
c16 / wf3.m1 - Agent Control Plane — hi-fi (wf3.m1) / Findings·control-plane-v1/findings·draft

Security · Findings

The CISO worklist — and what you can actually enforce

2 high, 3 medium open. 4 sit on ungoverned agents (2 high) — bind those first or remediation won't stick. Most urgent: "Approvals & sandbox bypassed (--yolo)" on marketing-gpt (ungoverned).

Prioritized by enforceability, then severity. Work top-down.

Filter by control framework

7 of 7 shown

Each finding maps to a control framework — OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, OWASP Agentic. Filter to the framework you answer for.

By severity

7 total
2high sev

Findings — ungoverned first

7 of 7 · sorted by enforceability + severity

Findings on ungoverned agents sit first — you can't enforce remediation outside the governance boundary.

Severity
Finding
Agent
Framework
highApprovals & sandbox bypassed (--yolo)marketing-gpt runs with approvals and sandbox disabled — it can take any action without a human gate.Remediation: Require an approval policy; disable --yolo; run sandboxed. +35 posture if fixed marketing-gptpid:4410:marketing-gpt ungoverned
OWASP LLM06 Excessive Agency
OWASP Agentic · Insecure tool use
highAgent running as rootmarketing-gpt and support-copilot execute as root — a compromised prompt inherits full host privilege.Remediation: Drop privileges; run under a dedicated low-privilege service account. +25 posture if fixed marketing-gptpid:4410:marketing-gpt ungoverned
MITRE ATLAS
Privilege Escalation · OWASP LLM06
mediumStatic API key on consumer-aliased identityCodex CLI authenticates with a long-lived API key bound to a duck.com alias, not an org-backed identity.Remediation: Move to org-backed OAuth; rotate the static key; join the alias to your IdP.Codex CLIpid:2210:codex ungoverned
MITRE ATLAS
Credential Access · OWASP LLM (Non-Human Identity)
lowShadow agent installed but unmonitoredZed Agent is installed and active on jane-mbp but reports no telemetry — we are blind to its behavior.Remediation: Instrument it through qcontrol, or remove it.Zed Agentpid:7740:zed ungoverned
NIST AI RMF
MAP · Agent inventory completeness
mediumSensitive files read into agent contextClaude Code read ./.env and ~/.aws/credentials into its working context.Remediation: Scope retrieval; add a deny rule for credential paths; enable content inspection.Claude Codepid:865:claude-code governed
OWASP LLM02 Sensitive Information Disclosure
NIST AI RMF · MEASURE
mediumUnbounded token consumption — no spend ceilingdata-pipeline-agent consumed 9.2M tokens with no per-agent ceiling configured.Remediation: Set a per-agent spend ceiling and alert; review batch sizing.data-pipeline-agentpid:5520:data-pipeline governed
OWASP LLM10 Unbounded Consumption
NIST AI RMF · MANAGE
infoSuspected classifier false positives (3)3 non-instrumented processes were flagged by substring exe match — almost certainly classifier over-matching, not real agent risk.Remediation: Tracked as a qcontrol data-quality issue, not suppressed here.fleet-wide
Data Quality
qcontrol classifier

Security lens — findings on ungoverned agents (highlighted) jump the queue because remediation can't be enforced outside the governance boundary. Rows with an agent link to the agent profile. Score-impact derives from FACTOR_PTS · governance from the agent's governed flag — all from the live qcontrol /api/security shape.

Do next