Compliance · Frameworks
What the fleet's behavior means for the controls you answer for.
Each behavioral finding auto-maps to the control families it touches — the evidence path an auditor follows, not a green checkmark.
Bottom line
4 control frameworks instrumented; 2 high-severity findings reveal control gaps (a finding flags a gap — it is not itself a failed control). 4 mapped findings come from ungoverned agents, where control interpretation differs. 0 frameworks rest only on shadow-agent evidence — blind spots. Contributing evidence, not a conformance claim.
how to read this
A high finding reveals a control gap — it is not itself a failed control. Each finding is observed behavior mapped to the control families it bears on; the control's pass/fail judgement is the auditor's, made against this evidence.
4
frameworks instrumented
auto-mapped from behavior
2
high findings → controls
reveal a control gap
4
mapped from ungoverned
outside the boundary
0
evidence-gap frameworks
shadow-only = blind spot
Instrumented control families
4 families · 6 of 7 findings mappedApprovals & sandbox bypassed (--yolo) ungoverned agent
highmarketing-gpt runs with approvals and sandbox disabled — it can take any action without a human gate.
Control interpretation differs: this behavior occurred outside the governance boundary, so the finding is evidence of exposure, not of an enforced-then-bypassed control.
why-trail
- agent · marketing-gpt · ungoverned
- title · Approvals & sandbox bypassed (--yolo)
- detail · marketing-gpt runs with approvals and sandbox disabled — it can take any action without a human gate.
Remediation: Require an approval policy; disable --yolo; run sandboxed.
mapped via: OWASP LLM06 Excessive Agency · OWASP Agentic · Insecure tool use
open agent profile →Agent running as root ungoverned agent
highmarketing-gpt and support-copilot execute as root — a compromised prompt inherits full host privilege.
Control interpretation differs: this behavior occurred outside the governance boundary, so the finding is evidence of exposure, not of an enforced-then-bypassed control.
why-trail
- agent · marketing-gpt · ungoverned
- title · Agent running as root
- detail · marketing-gpt and support-copilot execute as root — a compromised prompt inherits full host privilege.
Remediation: Drop privileges; run under a dedicated low-privilege service account.
mapped via: MITRE ATLAS · Privilege Escalation · OWASP LLM06
open agent profile →Static API key on consumer-aliased identity ungoverned agent
mediumCodex CLI authenticates with a long-lived API key bound to a duck.com alias, not an org-backed identity.
Control interpretation differs: this behavior occurred outside the governance boundary, so the finding is evidence of exposure, not of an enforced-then-bypassed control.
why-trail
- agent · Codex CLI · ungoverned
- title · Static API key on consumer-aliased identity
- detail · Codex CLI authenticates with a long-lived API key bound to a duck.com alias, not an org-backed identity.
Remediation: Move to org-backed OAuth; rotate the static key; join the alias to your IdP.
mapped via: MITRE ATLAS · Credential Access · OWASP LLM (Non-Human Identity)
open agent profile →Sensitive files read into agent context
mediumClaude Code read ./.env and ~/.aws/credentials into its working context.
why-trail
- agent · Claude Code · governed
- title · Sensitive files read into agent context
- detail · Claude Code read ./.env and ~/.aws/credentials into its working context.
Remediation: Scope retrieval; add a deny rule for credential paths; enable content inspection.
mapped via: OWASP LLM02 Sensitive Information Disclosure · NIST AI RMF · MEASURE
open agent profile →Unbounded token consumption — no spend ceiling
mediumdata-pipeline-agent consumed 9.2M tokens with no per-agent ceiling configured.
why-trail
- agent · data-pipeline-agent · governed
- title · Unbounded token consumption — no spend ceiling
- detail · data-pipeline-agent consumed 9.2M tokens with no per-agent ceiling configured.
Remediation: Set a per-agent spend ceiling and alert; review batch sizing.
mapped via: OWASP LLM10 Unbounded Consumption · NIST AI RMF · MANAGE
open agent profile →Projected frameworks
contributing evidence; not a conformity claimISO 42001
AI management system
contributing evidence
- · 8 agents inventoried
- · 52.4k events logged
- · 7 of 8 instrumented
not a conformity claim
EU AI Act
Art. 12 — record-keeping
contributing evidence
- · 52.4k events logged
- · 61 sessions traced
- · 7 findings recorded
not a conformity claim
SOC 2
CC7.2 — monitoring
contributing evidence
- · 7 agents under telemetry
- · 52.4k events logged
- · 2 high findings raised
not a conformity claim
Evidence pack
audit-ready · the document you'd hand a regulatorQpoint qcontrol · Evidence Pack
AI Agent Governance — Control Evidence
Reporting period: trailing 30 days · generated 2026-06-03
4 frameworks
6 findings mapped
8 agents · 52.4k events
§1 · OWASP LLM Top 10
depth 5 · breadth 4 agentsRisks specific to LLM applications — excessive agency, sensitive disclosure, unbounded consumption.
+ 2 more findings in the full pack
§2 · MITRE ATLAS
depth 2 · breadth 2 agentsAdversarial tactics against AI systems — privilege escalation, credential access.
§3 · NIST AI RMF
depth 3 · breadth 3 agentsGovern / Map / Measure / Manage functions for trustworthy AI.
§4 · OWASP Agentic
depth 1 · breadth 1 agentAgent-specific threats — insecure tool use and autonomous action without a human gate.
This is a preview of the artifact an auditor or GRC system would receive. Generation is stubbed — the wireframe does not produce a real file.
Fields: findings.framework · findings.severity · findings.remediation · findings.agent · findings.entity_id ⋈ agents.governed/instrumented · stats.events — from app/data/c16-fleet.ts (qcontrol /api shape).