c16
c16 / wf5.m1 - Agent Control Plane — hi-fi (wf5.m1) / Compliance·control-plane-v1/compliance·draft

Compliance · Frameworks

What the fleet's behavior means for the controls you answer for

4 control frameworks are instrumented from observed behavior, covering 6 of 7 findings. 2 high-severity findings reveal control gaps — a finding flags a gap, it is not itself a failed control. 4 mapped findings come from ungoverned agents; 0 frameworks rest only on shadow-agent evidence.

This is contributing evidence, not a conformance claim — the pass/fail judgement stays the auditor's.

Frameworks instrumented

4/ 7

auto-mapped from behavior · 3 projected

High findings → controls

2control gaps

reveal a control gap

Mapped from ungoverned

4findings

outside the governance boundary

Evidence-gap frameworks

0blind spots

shadow-only evidence

How to read this

A high finding reveals a control gap — it is not itself a failed control. Each finding is observed behavior auto-mapped to the control families it touches; the pass/fail judgement is the auditor's, made against this evidence trail. Framework tags are derived from each finding's framework string.

Instrumented control families

4 families · 6 of 7 findings mapped

Why these findings map here — 5 findings

Approvals & sandbox bypassed (--yolo) ungoverned agent

high

marketing-gpt runs with approvals and sandbox disabled — it can take any action without a human gate.

Control interpretation differs: this behavior occurred outside the governance boundary, so the finding is evidence of exposure — not of an enforced-then-bypassed control.

Why-trail

  1. agent · marketing-gpt · ungoverned
  2. behavior · Approvals & sandbox bypassed (--yolo)
  3. mapped via · OWASP LLM06 Excessive Agency · OWASP Agentic · Insecure tool use
open full why-trail in activity log →

Remediation: Require an approval policy; disable --yolo; run sandboxed.

open agent profile →

Agent running as root ungoverned agent

high

marketing-gpt and support-copilot execute as root — a compromised prompt inherits full host privilege.

Control interpretation differs: this behavior occurred outside the governance boundary, so the finding is evidence of exposure — not of an enforced-then-bypassed control.

Why-trail

  1. agent · marketing-gpt · ungoverned
  2. behavior · Agent running as root
  3. mapped via · MITRE ATLAS · Privilege Escalation · OWASP LLM06
open full why-trail in activity log →

Remediation: Drop privileges; run under a dedicated low-privilege service account.

open agent profile →

Static API key on consumer-aliased identity ungoverned agent

medium

Codex CLI authenticates with a long-lived API key bound to a duck.com alias, not an org-backed identity.

Control interpretation differs: this behavior occurred outside the governance boundary, so the finding is evidence of exposure — not of an enforced-then-bypassed control.

Why-trail

  1. agent · Codex CLI · ungoverned
  2. behavior · Static API key on consumer-aliased identity
  3. mapped via · MITRE ATLAS · Credential Access · OWASP LLM (Non-Human Identity)
open full why-trail in activity log →

Remediation: Move to org-backed OAuth; rotate the static key; join the alias to your IdP.

open agent profile →

Sensitive files read into agent context

medium

Claude Code read ./.env and ~/.aws/credentials into its working context.

Why-trail

  1. agent · Claude Code · governed
  2. behavior · Sensitive files read into agent context
  3. mapped via · OWASP LLM02 Sensitive Information Disclosure · NIST AI RMF · MEASURE
open full why-trail in activity log →

Remediation: Scope retrieval; add a deny rule for credential paths; enable content inspection.

open agent profile →

Unbounded token consumption — no spend ceiling

medium

data-pipeline-agent consumed 9.2M tokens with no per-agent ceiling configured.

Why-trail

  1. agent · data-pipeline-agent · governed
  2. behavior · Unbounded token consumption — no spend ceiling
  3. mapped via · OWASP LLM10 Unbounded Consumption · NIST AI RMF · MANAGE
open full why-trail in activity log →

Remediation: Set a per-agent spend ceiling and alert; review batch sizing.

open agent profile →

Projected frameworks

contributing evidence · not a conformity claim

ISO 42001

roadmap

AI management system

Contributing evidence

  • · 8 agents inventoried
  • · 52.4k events logged
  • · 7 of 8 instrumented
not a conformity claim

EU AI Act

roadmap

Art. 12 — record-keeping

Contributing evidence

  • · 52.4k events logged
  • · 61 sessions traced
  • · 7 findings recorded
not a conformity claim

SOC 2

roadmap

CC7.2 — monitoring

Contributing evidence

  • · 7 agents under telemetry
  • · 52.4k events logged
  • · 2 high findings raised
not a conformity claim

Evidence pack

audit-ready · the document you'd hand a regulator

Qpoint qcontrol · Evidence Pack

AI Agent Governance — Control Evidence

Reporting period: trailing 30 days · generated 2026-06-03

4 frameworks

6 findings mapped

8 agents · 52.4k events

Scope: 7/8 agents under telemetry · 4 findings from ungoverned agents · 0 frameworks on shadow-only evidence (flagged inline).

§1 OWASP LLM Top 10

depth 5 · breadth 4 agents

Risks specific to LLM applications — excessive agency, sensitive disclosure, unbounded consumption.

high

Approvals & sandbox bypassed (--yolo)

agent · marketing-gpt · ungoverned · mapped via OWASP LLM06 Excessive Agency · OWASP Agentic · Insecure tool use

remediation: Require an approval policy; disable --yolo; run sandboxed.

pid:4410:marketing-gpt →
high

Agent running as root

agent · marketing-gpt · ungoverned · mapped via MITRE ATLAS · Privilege Escalation · OWASP LLM06

remediation: Drop privileges; run under a dedicated low-privilege service account.

pid:4410:marketing-gpt →
medium

Static API key on consumer-aliased identity

agent · Codex CLI · ungoverned · mapped via MITRE ATLAS · Credential Access · OWASP LLM (Non-Human Identity)

remediation: Move to org-backed OAuth; rotate the static key; join the alias to your IdP.

pid:2210:codex →

+ 2 more findings in the full pack

§2 MITRE ATLAS

depth 2 · breadth 2 agents

Adversarial tactics against AI systems — privilege escalation, credential access.

high

Agent running as root

agent · marketing-gpt · ungoverned · mapped via MITRE ATLAS · Privilege Escalation · OWASP LLM06

remediation: Drop privileges; run under a dedicated low-privilege service account.

pid:4410:marketing-gpt →
medium

Static API key on consumer-aliased identity

agent · Codex CLI · ungoverned · mapped via MITRE ATLAS · Credential Access · OWASP LLM (Non-Human Identity)

remediation: Move to org-backed OAuth; rotate the static key; join the alias to your IdP.

pid:2210:codex →

§3 NIST AI RMF

depth 3 · breadth 3 agents

Govern / Map / Measure / Manage functions for trustworthy AI.

medium

Sensitive files read into agent context

agent · Claude Code · mapped via OWASP LLM02 Sensitive Information Disclosure · NIST AI RMF · MEASURE

remediation: Scope retrieval; add a deny rule for credential paths; enable content inspection.

pid:865:claude-code →
medium

Unbounded token consumption — no spend ceiling

agent · data-pipeline-agent · mapped via OWASP LLM10 Unbounded Consumption · NIST AI RMF · MANAGE

remediation: Set a per-agent spend ceiling and alert; review batch sizing.

pid:5520:data-pipeline →
low

Shadow agent installed but unmonitored

agent · Zed Agent · ungoverned · uninstrumented · mapped via NIST AI RMF · MAP · Agent inventory completeness

remediation: Instrument it through qcontrol, or remove it.

pid:7740:zed →

§4 OWASP Agentic

depth 1 · breadth 1 agent

Agent-specific threats — insecure tool use and autonomous action without a human gate.

high

Approvals & sandbox bypassed (--yolo)

agent · marketing-gpt · ungoverned · mapped via OWASP LLM06 Excessive Agency · OWASP Agentic · Insecure tool use

remediation: Require an approval policy; disable --yolo; run sandboxed.

pid:4410:marketing-gpt →
Attestation: findings are observed behavior mapped to control families — contributing evidence, not a conformity determination. Pass/fail is the auditor's, made against this evidence. Data is local-only; nothing is transmitted unless exported.

This is a preview of the artifact an auditor or GRC system would receive. Generation is stubbed — the prototype does not produce a real file.

Do next

Fields: findings.framework (derived mapping) · findings.severity · findings.remediation · findings.entity_idagents.governed/instrumented · stats.events — from app/data/c16-fleet.ts (qcontrol /api shape).