c16
c16 / wf5.m2 - Agent Control Plane — hi-fi unconstrained (wf5.m2) / Findings·control-plane-v1/findings·draft

Security · Findings

The CISO worklist — and what you can actually enforce

2 high, 3 medium open. 4 sit on ungoverned agents (2 high) — bind those first or remediation won't stick.

Most urgent: "Approvals & sandbox bypassed (--yolo)" on marketing-gpt (ungoverned).

+60 pts recoverable if fixed Prioritized by enforceability, then severity

Posture recovery

proposed
76now
Current76
If all fixed84

Closing the findings below lifts fleet posture by +8.

This is the distilled worklist. To replay the actions behind any finding — agent → action → outcome — open the full record.

Every finding here is a summary over events captured in the activity log.

What happened?

Framework coverage matrix

proposed

Where findings land across the control frameworks you answer for — severity by framework. Click a cell to filter.

FrameworkhighmediumlowinfoΣ
2
1
1
1
1
1

Each finding maps to a control family — OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, OWASP Agentic. Cell saturation = severity, number = count. This is contributing evidence, not a conformance claim.

Severity distribution

7 of 7 shown

Findings — ungoverned first

7 of 7 · sorted by enforceability + severity

Findings on ungoverned agents sit first — you can't enforce remediation outside the governance boundary. Click a card to open the agent profile.

high
OWASP LLM06 Excessive Agency

OWASP Agentic · Insecure tool use

Approvals & sandbox bypassed (--yolo)

marketing-gpt runs with approvals and sandbox disabled — it can take any action without a human gate.

Remediation — Require an approval policy; disable --yolo; run sandboxed.

+35 posture if fixed replay in activity log

marketing-gpt

pid:4410:marketing-gpt

ungoverned

open profile →

high
MITRE ATLAS

Privilege Escalation · OWASP LLM06

Agent running as root

marketing-gpt and support-copilot execute as root — a compromised prompt inherits full host privilege.

Remediation — Drop privileges; run under a dedicated low-privilege service account.

+25 posture if fixed replay in activity log

marketing-gpt

pid:4410:marketing-gpt

ungoverned

open profile →

medium
MITRE ATLAS

Credential Access · OWASP LLM (Non-Human Identity)

Static API key on consumer-aliased identity

Codex CLI authenticates with a long-lived API key bound to a duck.com alias, not an org-backed identity.

Remediation — Move to org-backed OAuth; rotate the static key; join the alias to your IdP.

Codex CLI

pid:2210:codex

ungoverned

open profile →

low
NIST AI RMF

MAP · Agent inventory completeness

Shadow agent installed but unmonitored

Zed Agent is installed and active on jane-mbp but reports no telemetry — we are blind to its behavior.

Remediation — Instrument it through qcontrol, or remove it.

Zed Agent

pid:7740:zed

ungoverned

open profile →

medium
OWASP LLM02 Sensitive Information Disclosure

NIST AI RMF · MEASURE

Sensitive files read into agent context

Claude Code read ./.env and ~/.aws/credentials into its working context.

Remediation — Scope retrieval; add a deny rule for credential paths; enable content inspection.

Claude Code

pid:865:claude-code

governed

open profile →

medium
OWASP LLM10 Unbounded Consumption

NIST AI RMF · MANAGE

Unbounded token consumption — no spend ceiling

data-pipeline-agent consumed 9.2M tokens with no per-agent ceiling configured.

Remediation — Set a per-agent spend ceiling and alert; review batch sizing.

data-pipeline-agent

pid:5520:data-pipeline

governed

open profile →

info
Data Quality

qcontrol classifier

Suspected classifier false positives (3)

3 non-instrumented processes were flagged by substring exe match — almost certainly classifier over-matching, not real agent risk.

Remediation — Tracked as a qcontrol data-quality issue, not suppressed here.

fleet-wide

Security lens — findings on ungoverned agents (highlighted) jump the queue because remediation can't be enforced outside the governance boundary. Score-impact derives from FACTOR_PTS · governance from the agent's governed flag — all from the live qcontrol /api/security shape.

Do next

Work top-down — bind the unenforceable, then remediate by severity.