← c16c16 / wf5 - Agent Control Plane — persona-first synthesis (wf5) / Findings·control-plane-v1-v1 · 2026-06-04 · draft
Qpoint
QP
Findingsseat-lensed · behavioral findings from qcontrol

Security · Findings

The CISO worklist — and what you can actually enforce.

Every behavioral finding, prioritized by enforceability then severity. Findings on ungoverned agents jump the queue — you can't make a fix stick outside the governance boundary.

Bottom line

2 high, 3 medium open. 4 sit on ungoverned agents (2 high) — bind those first or remediation won't stick. Most urgent: "Approvals & sandbox bypassed (--yolo)" on marketing-gpt (ungoverned).

This is the distilled worklist. To replay the actions behind a finding — agent → action → outcome — open the full record. What happened? → Activity Log
Framework:

Findings — ungoverned first

7 of 7 · sorted by enforceability + severity

Findings on ungoverned agents sit first — you can't enforce remediation outside the governance boundary.

SeverityFindingWhoFramework
highApprovals & sandbox bypassed (--yolo)marketing-gpt runs with approvals and sandbox disabled — it can take any action without a human gate.▸ remediation: Require an approval policy; disable --yolo; run sandboxed.+35 if fixedmarketing-gptpid:4410:marketing-gpt⚠ ungovernedOWASP LLM06 Excessive Agency · OWASP Agentic · Insecure tool usehighAgent running as rootmarketing-gpt and support-copilot execute as root — a compromised prompt inherits full host privilege.▸ remediation: Drop privileges; run under a dedicated low-privilege service account.+25 if fixedmarketing-gptpid:4410:marketing-gpt⚠ ungovernedMITRE ATLAS · Privilege Escalation · OWASP LLM06mediumStatic API key on consumer-aliased identityCodex CLI authenticates with a long-lived API key bound to a duck.com alias, not an org-backed identity.▸ remediation: Move to org-backed OAuth; rotate the static key; join the alias to your IdP.Codex CLIpid:2210:codex⚠ ungovernedMITRE ATLAS · Credential Access · OWASP LLM (Non-Human Identity)lowShadow agent installed but unmonitoredZed Agent is installed and active on jane-mbp but reports no telemetry — we are blind to its behavior.▸ remediation: Instrument it through qcontrol, or remove it.Zed Agentpid:7740:zed⚠ ungovernedNIST AI RMF · MAP · Agent inventory completenessmediumSensitive files read into agent contextClaude Code read ./.env and ~/.aws/credentials into its working context.▸ remediation: Scope retrieval; add a deny rule for credential paths; enable content inspection.Claude Codepid:865:claude-codeOWASP LLM02 Sensitive Information Disclosure · NIST AI RMF · MEASUREmediumUnbounded token consumption — no spend ceilingdata-pipeline-agent consumed 9.2M tokens with no per-agent ceiling configured.▸ remediation: Set a per-agent spend ceiling and alert; review batch sizing.data-pipeline-agentpid:5520:data-pipelineOWASP LLM10 Unbounded Consumption · NIST AI RMF · MANAGE
infoSuspected classifier false positives (3)3 non-instrumented processes were flagged by substring exe match — almost certainly classifier over-matching, not real agent risk.▸ remediation: Tracked as a qcontrol data-quality issue, not suppressed here.fleet-wideData Quality · qcontrol classifier

Lensed by seat via ?seat. Derived: ungoverned tag (entity_id → agents.governed) · score-impact (title → FACTOR_PTS) — from app/data/c16-fleet.ts (qcontrol /api/security shape).