Security · Findings
The CISO worklist — and what you can actually enforce
2 high, 3 medium open. 4 sit on ungoverned agents (2 high) — bind those first or remediation won't stick.
Most urgent: "Approvals & sandbox bypassed (--yolo)" on marketing-gpt (ungoverned).
Posture recovery
proposedClosing the findings below lifts fleet posture by +8.
This is the distilled worklist. To replay the actions behind any finding — agent → action → outcome — open the full record.
Every finding here is a summary over events captured in the activity log.
Framework coverage matrix
proposedWhere findings land across the control frameworks you answer for — severity by framework. Click a cell to filter.
| Framework | high | medium | low | info | Σ |
|---|---|---|---|---|---|
| 2 | |||||
| 1 | |||||
| 1 | |||||
| 1 | |||||
| 1 | |||||
| 1 |
Each finding maps to a control family — OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, OWASP Agentic. Cell saturation = severity, number = count. This is contributing evidence, not a conformance claim.
Severity distribution
7 of 7 shownFindings — ungoverned first
7 of 7 · sorted by enforceability + severityFindings on ungoverned agents sit first — you can't enforce remediation outside the governance boundary. Click a card to open the agent profile.
OWASP Agentic · Insecure tool use
Approvals & sandbox bypassed (--yolo)
marketing-gpt runs with approvals and sandbox disabled — it can take any action without a human gate.
Remediation — Require an approval policy; disable --yolo; run sandboxed.
marketing-gpt
pid:4410:marketing-gpt
ungovernedopen profile →
Privilege Escalation · OWASP LLM06
Agent running as root
marketing-gpt and support-copilot execute as root — a compromised prompt inherits full host privilege.
Remediation — Drop privileges; run under a dedicated low-privilege service account.
marketing-gpt
pid:4410:marketing-gpt
ungovernedopen profile →
Credential Access · OWASP LLM (Non-Human Identity)
Static API key on consumer-aliased identity
Codex CLI authenticates with a long-lived API key bound to a duck.com alias, not an org-backed identity.
Remediation — Move to org-backed OAuth; rotate the static key; join the alias to your IdP.
Codex CLI
pid:2210:codex
ungovernedopen profile →
MAP · Agent inventory completeness
Shadow agent installed but unmonitored
Zed Agent is installed and active on jane-mbp but reports no telemetry — we are blind to its behavior.
Remediation — Instrument it through qcontrol, or remove it.
Zed Agent
pid:7740:zed
ungovernedopen profile →
NIST AI RMF · MEASURE
Sensitive files read into agent context
Claude Code read ./.env and ~/.aws/credentials into its working context.
Remediation — Scope retrieval; add a deny rule for credential paths; enable content inspection.
Claude Code
pid:865:claude-code
governedopen profile →
NIST AI RMF · MANAGE
Unbounded token consumption — no spend ceiling
data-pipeline-agent consumed 9.2M tokens with no per-agent ceiling configured.
Remediation — Set a per-agent spend ceiling and alert; review batch sizing.
data-pipeline-agent
pid:5520:data-pipeline
governedopen profile →
qcontrol classifier
Suspected classifier false positives (3)
3 non-instrumented processes were flagged by substring exe match — almost certainly classifier over-matching, not real agent risk.
Remediation — Tracked as a qcontrol data-quality issue, not suppressed here.
Security lens — findings on ungoverned agents (highlighted) jump the queue because remediation can't be enforced outside the governance boundary. Score-impact derives from FACTOR_PTS · governance from the agent's governed flag — all from the live qcontrol /api/security shape.
Do next
Work top-down — bind the unenforceable, then remediate by severity.