Engineering · Policy & Enforcement
We're observing — an enforcing policy would have intervened on 16 agent actions
Policy governs what agents are allowed to do — capability and action first. We're in Audit mode, so nothing is blocked. In Enforce mode a policy would have gated 16 actions this period: 3 ungoverned, 2 running as root, 1 --yolo, 5 missing human approval, 1 with unbounded spend, 4 reading sensitive files. Flipping to Enforce now would halt 2 live runs — stage through Assist first, starting with an allow-list for Claude Code.
Enforcement mode
Audit live · Assist / Enforce projected — same policy, escalating responseAudit
live nowObserve every action. Build the inventory and surface what a policy would catch — no intervention.
response: log only
Assist
projectedWarn and prompt for human approval on high-impact actions. Humans stay in the loop.
response: prompt + approve
Enforce
projectedBlock disallowed capabilities, off-policy tools, and over-budget runs automatically.
response: block + halt
Dry run — what an enforcing policy would have intervened on
computed from live telemetry · 16 would-intervene · 0 actually blockedToday we only observe. Each row names the specific agents a policy in Enforce mode would have gated — grouped by the reason, so you know exactly who to fix first.
Ungoverned agents
3
Acting without any registered policy binding — no rules apply at all.
would: require registration before run · OWASP Agentic
Running as root
2
A compromised prompt would inherit full host privilege.
would: drop to low-privilege account · MITRE ATLAS
--yolo / sandbox bypassed
1
Approvals and sandbox disabled — any action runs with no gate.
would: force approval + sandbox · OWASP LLM06
Missing human approval
5
No tool-approval policy — high-impact actions run unattended.
would: gate behind human approval · OWASP LLM06
Unbounded spend
1
Burned tokens with no per-agent ceiling configured.
would: cap spend per agent · OWASP LLM10
Sensitive-file reads
4
Pulled secrets / credentials into model context — 3 high-severity paths fleet-wide.
would: deny credential paths · OWASP LLM02
Policies — capability & action first
1 detecting · 3 projectedTool / MCP allow-list
Scope which tools and MCP servers each agent may call. Anything off-list is denied — the core of capability control.
6 MCP servers in use across the fleet · Claude Code has the widest surface (2).
Human-in-the-loop
Gate high-impact actions — writes, deploys, external calls — behind an explicit human approval before they run.
5 agents have no tool-approval policy today — the gap Assist closes.
Spend ceiling
Set a token / cost ceiling per agent and alert or halt when it is reached. Stops unbounded consumption.
1 uncapped agent(s) flagged by the LLM10 finding — no ceiling at all.
Egress allow-list
secondary control
Restrict which network destinations an agent may reach. A supporting detail — detection is live, blocking is not yet built.
2 destinations observed off the allow-list (profile-only signal).
Per-agent spend ceiling
arrived from Cost Center · set a ceiling on the unbounded agents1 agent has no per-agent ceiling — the OWASP LLM10 gap. In Assist we alert at the cap; in Enforce we hard-stop the run.
data-pipeline-agent
9.2M tok · $52.30 spent
1 of 1 drafted — ceilings save as policy config and take effect once the mode reaches Assist.
Kill switch
roadmapImmediately revoke an agent's credentials and halt its runs across the fleet — one action to stop a misbehaving actor. Today 2 runs are live on flagged agents. Not yet built.
Do next
Fields: agents.governed · agents.factors · agents.user · agents.runs.status · agents.mcp_servers · agents.sensitive_files · findings (LLM10 Unbounded Consumption) · dlp.top_paths — from app/data/c16-fleet.ts (qcontrol /api shape). Audit is live; Assist / Enforce responses are projected.