Compliance · Frameworks
What the fleet's behavior means for the controls you answer for
4 control frameworks are instrumented from observed behavior, covering 6 of 7 findings. 2 high-severity findings reveal control gaps — a finding flags a gap, it is not itself a failed control. 4 mapped findings come from ungoverned agents; 0 frameworks rest only on shadow-agent evidence.
This is contributing evidence, not a conformance claim — the pass/fail judgement stays the auditor's.
Frameworks instrumented
auto-mapped from behavior · 3 projected
High findings → controls
reveal a control gap
Mapped from ungoverned
outside the governance boundary
Evidence-gap frameworks
shadow-only evidence
How to read this
A high finding reveals a control gap — it is not itself a failed control. Each finding is observed behavior auto-mapped to the control families it touches; the pass/fail judgement is the auditor's, made against this evidence trail. Framework tags are derived from each finding's framework string.
Instrumented control families
4 families · 6 of 7 findings mappedWhy these findings map here — 5 findings
Approvals & sandbox bypassed (--yolo) ungoverned agent
highmarketing-gpt runs with approvals and sandbox disabled — it can take any action without a human gate.
Control interpretation differs: this behavior occurred outside the governance boundary, so the finding is evidence of exposure — not of an enforced-then-bypassed control.
Why-trail
- agent · marketing-gpt · ungoverned
- behavior · Approvals & sandbox bypassed (--yolo)
- mapped via · OWASP LLM06 Excessive Agency · OWASP Agentic · Insecure tool use
Remediation: Require an approval policy; disable --yolo; run sandboxed.
open agent profile →Agent running as root ungoverned agent
highmarketing-gpt and support-copilot execute as root — a compromised prompt inherits full host privilege.
Control interpretation differs: this behavior occurred outside the governance boundary, so the finding is evidence of exposure — not of an enforced-then-bypassed control.
Why-trail
- agent · marketing-gpt · ungoverned
- behavior · Agent running as root
- mapped via · MITRE ATLAS · Privilege Escalation · OWASP LLM06
Remediation: Drop privileges; run under a dedicated low-privilege service account.
open agent profile →Static API key on consumer-aliased identity ungoverned agent
mediumCodex CLI authenticates with a long-lived API key bound to a duck.com alias, not an org-backed identity.
Control interpretation differs: this behavior occurred outside the governance boundary, so the finding is evidence of exposure — not of an enforced-then-bypassed control.
Why-trail
- agent · Codex CLI · ungoverned
- behavior · Static API key on consumer-aliased identity
- mapped via · MITRE ATLAS · Credential Access · OWASP LLM (Non-Human Identity)
Remediation: Move to org-backed OAuth; rotate the static key; join the alias to your IdP.
open agent profile →Sensitive files read into agent context
mediumClaude Code read ./.env and ~/.aws/credentials into its working context.
Why-trail
- agent · Claude Code · governed
- behavior · Sensitive files read into agent context
- mapped via · OWASP LLM02 Sensitive Information Disclosure · NIST AI RMF · MEASURE
Remediation: Scope retrieval; add a deny rule for credential paths; enable content inspection.
open agent profile →Unbounded token consumption — no spend ceiling
mediumdata-pipeline-agent consumed 9.2M tokens with no per-agent ceiling configured.
Why-trail
- agent · data-pipeline-agent · governed
- behavior · Unbounded token consumption — no spend ceiling
- mapped via · OWASP LLM10 Unbounded Consumption · NIST AI RMF · MANAGE
Remediation: Set a per-agent spend ceiling and alert; review batch sizing.
open agent profile →Projected frameworks
contributing evidence · not a conformity claimISO 42001
roadmapAI management system
Contributing evidence
- · 8 agents inventoried
- · 52.4k events logged
- · 7 of 8 instrumented
EU AI Act
roadmapArt. 12 — record-keeping
Contributing evidence
- · 52.4k events logged
- · 61 sessions traced
- · 7 findings recorded
SOC 2
roadmapCC7.2 — monitoring
Contributing evidence
- · 7 agents under telemetry
- · 52.4k events logged
- · 2 high findings raised
Evidence pack
audit-ready · the document you'd hand a regulatorQpoint qcontrol · Evidence Pack
AI Agent Governance — Control Evidence
Reporting period: trailing 30 days · generated 2026-06-03
4 frameworks
6 findings mapped
8 agents · 52.4k events
§1 OWASP LLM Top 10
depth 5 · breadth 4 agentsRisks specific to LLM applications — excessive agency, sensitive disclosure, unbounded consumption.
Approvals & sandbox bypassed (--yolo)
agent · marketing-gpt · ungoverned · mapped via OWASP LLM06 Excessive Agency · OWASP Agentic · Insecure tool use
remediation: Require an approval policy; disable --yolo; run sandboxed.
pid:4410:marketing-gpt →Agent running as root
agent · marketing-gpt · ungoverned · mapped via MITRE ATLAS · Privilege Escalation · OWASP LLM06
remediation: Drop privileges; run under a dedicated low-privilege service account.
pid:4410:marketing-gpt →Static API key on consumer-aliased identity
agent · Codex CLI · ungoverned · mapped via MITRE ATLAS · Credential Access · OWASP LLM (Non-Human Identity)
remediation: Move to org-backed OAuth; rotate the static key; join the alias to your IdP.
pid:2210:codex →+ 2 more findings in the full pack
§2 MITRE ATLAS
depth 2 · breadth 2 agentsAdversarial tactics against AI systems — privilege escalation, credential access.
Agent running as root
agent · marketing-gpt · ungoverned · mapped via MITRE ATLAS · Privilege Escalation · OWASP LLM06
remediation: Drop privileges; run under a dedicated low-privilege service account.
pid:4410:marketing-gpt →Static API key on consumer-aliased identity
agent · Codex CLI · ungoverned · mapped via MITRE ATLAS · Credential Access · OWASP LLM (Non-Human Identity)
remediation: Move to org-backed OAuth; rotate the static key; join the alias to your IdP.
pid:2210:codex →§3 NIST AI RMF
depth 3 · breadth 3 agentsGovern / Map / Measure / Manage functions for trustworthy AI.
Sensitive files read into agent context
agent · Claude Code · mapped via OWASP LLM02 Sensitive Information Disclosure · NIST AI RMF · MEASURE
remediation: Scope retrieval; add a deny rule for credential paths; enable content inspection.
pid:865:claude-code →Unbounded token consumption — no spend ceiling
agent · data-pipeline-agent · mapped via OWASP LLM10 Unbounded Consumption · NIST AI RMF · MANAGE
remediation: Set a per-agent spend ceiling and alert; review batch sizing.
pid:5520:data-pipeline →Shadow agent installed but unmonitored
agent · Zed Agent · ungoverned · uninstrumented · mapped via NIST AI RMF · MAP · Agent inventory completeness
remediation: Instrument it through qcontrol, or remove it.
pid:7740:zed →§4 OWASP Agentic
depth 1 · breadth 1 agentAgent-specific threats — insecure tool use and autonomous action without a human gate.
Approvals & sandbox bypassed (--yolo)
agent · marketing-gpt · ungoverned · mapped via OWASP LLM06 Excessive Agency · OWASP Agentic · Insecure tool use
remediation: Require an approval policy; disable --yolo; run sandboxed.
pid:4410:marketing-gpt →This is a preview of the artifact an auditor or GRC system would receive. Generation is stubbed — the prototype does not produce a real file.
Do next
Fields: findings.framework (derived mapping) · findings.severity · findings.remediation · findings.entity_id ⋈ agents.governed/instrumented · stats.events — from app/data/c16-fleet.ts (qcontrol /api shape).