Actionability and remediation guidance (W1)

Date: 2026-03-05

Purpose

Drift intelligence explains what changed on an authority path. Security teams still need to know: What structural change would reduce exposure on this path?

Actionability provides deterministic remediation guidance tied to a single authority path. It identifies a small number of structural changes that reduce:

  • reachable systems
  • sensitive data access
  • privilege scope
  • governance instability

The feature is advisory only. No workflow automation. No enforcement. No ticketing logic.

Placement in the Authority Path UX

Authority Path page structure:

  1. Path header
  2. Execution-derived authority graph
  3. Active Governance Conditions (renamed from “Active risk conditions” per the Drift UX spec)
  4. Top Risk Reducers (new section)
  5. Other panels

Remediation guidance appears only in Top Risk Reducers.

Narrative explanation exists only in the cluster-level Authority Exposure Brief.

Top Risk Reducers

Top Risk Reducers lists the highest-impact structural changes that reduce exposure on the authority path.

Characteristics:

  • deterministic
  • evidence-backed
  • tied to specific path elements
  • ranked by exposure reduction impact

Reducers represent operator actions, not automated fixes.

Reducer Signals

Reducers are generated when governance conditions or structural signals exist on the path.

Common signals:

  • invalid or missing owner
  • scope drift
  • excessive privilege
  • sensitive data access
  • external LLM endpoint invocation
  • identity reuse across automations
  • unnecessary system reachability

Signals explain why a reducer appears. They appear as tags on the reducer entry.

Example:

Invalid owner + Scope drift
Scope drift + LLM egress
LLM egress

Reducer Types

Reducers correspond to structural changes operators can perform in the source system.

Examples:

Ownership governance

  • assign valid owner
  • restore ownership after departure

Privilege reduction

  • remove expanded role
  • reduce scope to exercised authority

Integration control

  • restrict LLM endpoint access
  • remove unused connector

Identity isolation

  • dedicate identity to automation
  • remove shared execution identity

Reducers must target specific nodes or edges on the authority path graph.

Generic advice is not allowed.

Impact Ranking

Reducers are ranked by expected reduction in authority exposure on this path. Ranking prioritizes actions that:

  1. remove access to reachable systems
  2. eliminate sensitive domain access
  3. reduce privilege scope
  4. shrink automation blast radius

At most 3 reducers are shown by default. Additional reducers may exist but are hidden unless expanded.

Reducer Entry Structure

Each reducer entry must contain:

Action

The operator action to take.

Example:

Remove role granting LLM endpoint access

Reduction Effect

One sentence explaining the exposure reduction.

Example:

Eliminates highest-risk vector: expanded scope reaching LLM egress.

Signals

Tags explaining the triggering conditions.

Example:

Scope drift + LLM egress

Applies To

Which path element the action targets.

Examples:

Role: sql_admin_reader
Identity: svc-foundry-ascribe-prod
Connection: Billing_Payment_Methods
Endpoint: external LLM

Evidence

Links to graph nodes or evidence objects confirming the condition.

UX Rules

Top Risk Reducers must follow these constraints:

  • show maximum 3 reducers by default
  • reducers must be unique actions
  • duplicate reducers must be merged
  • reducers should avoid bundling unrelated fixes
  • each reducer must link to graph evidence

Reducers must remain path-specific. They should never describe remediation for the entire cluster.
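
The ranking, merge and display rules above can be sketched as follows. This is an added example, not the product's implementation. The field names, the tier keys, the tie-break order and the sample evidence ids are assumptions; the path elements come from the Applies To examples.

```python
from dataclasses import dataclass

# Assumed tier keys, in the order of the Impact Ranking list (1 = ranked first).
TIERS = {"reach": 1, "sensitive": 2, "privilege": 3, "blast": 4}

@dataclass(frozen=True)
class Reducer:
    action: str
    effect: str            # the one-sentence Reduction Effect
    signals: frozenset     # tags such as "Scope drift"
    applies_to: str        # one specific node or edge on the path graph
    evidence: frozenset    # ids of graph nodes or evidence objects
    impact: str            # key into TIERS (hypothetical field)

def merge_duplicates(reducers):
    """Drop generic or unevidenced entries; merge the same action on the same
    element, keeping the stronger tier and the union of signals and evidence."""
    merged = {}
    for r in reducers:
        if not r.applies_to or not r.evidence:
            continue
        key = (r.action, r.applies_to)
        prev = merged.get(key)
        if prev is not None:
            best = min(prev, r, key=lambda x: (TIERS[x.impact], x.effect))
            r = Reducer(best.action, best.effect, prev.signals | r.signals,
                        best.applies_to, prev.evidence | r.evidence, best.impact)
        merged[key] = r
    return list(merged.values())

def top_risk_reducers(reducers, limit=3):
    """Return (shown, hidden); the order never depends on input order."""
    ranked = sorted(merge_duplicates(reducers),
                    key=lambda r: (TIERS[r.impact], r.applies_to, r.action))
    return ranked[:limit], ranked[limit:]

def _r(a, e, sig, to, ev, imp):  # helper for building the sample below
    return Reducer(a, e, frozenset(sig), to, frozenset(ev), imp)
# Constructed sample: tier assignments and evidence ids are placeholders.
SAMPLE = [
    _r("Remove role granting LLM endpoint access", "Removes LLM egress reach.",
       ["Scope drift", "LLM egress"], "Role: sql_admin_reader", ["ev-1"], "reach"),
    _r("Remove role granting LLM endpoint access", "Narrows role scope.",
       ["LLM egress"], "Role: sql_admin_reader", ["ev-2"], "privilege"),
    _r("Assign valid owner", "Restores ownership.", ["Invalid owner"],
       "Identity: svc-foundry-ascribe-prod", ["ev-3"], "blast"),
    _r("Remove unused connector", "Removes billing data access.",
       ["Sensitive data access"], "Connection: Billing_Payment_Methods", ["ev-4"], "sensitive"),
    _r("Dedicate identity to automation", "Isolates this automation.",
       ["Identity reuse"], "Identity: svc-foundry-ascribe-prod", ["ev-5"], "blast"),
    _r("Review permissions", "Generic advice.", ["Excessive privilege"], "", [], "privilege"),
]
```

Calling top_risk_reducers(SAMPLE) yields three shown reducers and one hidden; the two role entries collapse into one with both evidence links, and the entry with no target element is dropped.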

Cluster-Level Relationship

Cluster view contains the Authority Exposure Brief, which answers:

  • What happened?
  • Am I exposed?
  • Why is this unstable?
  • How do I fix it?

Cluster remediation guidance is aggregated from authority path reducers.

Clusters may show:

Top Risk Reducers Across Paths

Each item links to the authority path where the reducer applies. Clusters do not generate new reducers.

Definition of Done (W1)

The system can:

  • detect governance conditions on authority paths
  • generate deterministic risk reducers from those signals
  • rank reducers by exposure reduction impact
  • display Top Risk Reducers in the authority path view
  • aggregate reducers at the cluster level

Security teams can immediately see which structural change on this path meaningfully reduces exposure.