Clarity: so what?/ what do i do now?
Document date: 2026-02-27
Strategic Context
CISOs today:
- Feel pressure to say yes to AI.
- Do not want to be the headline.
- Lack visibility into what autonomous agents are actually doing.
If Securityv0 disappeared tomorrow, CISOs would lose the only canonical map of autonomous execution authority in their environment.
We double down on:
- Deterministic authority graph
- Execution lineage
- Ownership decay
- Approval workflows
- Evidence for audit
We do not drift into:
- Risk scoring gimmicks
- Behavior detection arms race
- Alerting-first positioning
Securityv0 is the control-plane system of record for autonomous execution authority.
Objective
Restructure the cluster experience to:
- Remove cognitive load.
- Anchor on observed execution authority (evidence-based).
- Provide prevention-oriented governance guidance.
CISO sees verdict and risk posture.
Analyst sees traceable evidence.
The experience must pass a <5 second comprehension test.
This will strengthen our moat. Most security tools focus on potential authority. We anchor on observed authority. By doing that, we eliminate 90% of the noise that forces a CISO to think.
Core Principle
We distinguish between the strategic layer in ( CISO) and the analyst layer ( technical lead or security operations analyst ) while offloading the thinking and correlation to the product itself.
All CISO-facing views must be execution-determined and evidence-backed.
We describe:
- What authority was exercised
- Against which domain
- How often
- Under what governance condition
We do not describe:
- Theoretical access
- Unused roles
- Hypothetical blast radius
Observed authority is primary. Standing authority and blind spots are surfaced explicitly.
Mental Model
Overview → Cluster Exposure Brief → Authority Paths → Path Evidence
Each layer progressively increases technical depth. Remediation guidance remains advisory; details are in Actionability and remediation guidance (W1).
Step 1: Authority Prioritization (The “I Didn’t Know This Was Running” Layer)
UX Details: Overview page (Authority Prioritization)
Document date: 2026-02-27
This page maps to Step 1: Authority Prioritization (The “I Didn’t Know This Was Running” Layer)
Task
Modify to:
- Functional cluster name (not attribute-based)
| Current | Cluster Title |
|---|---|
| Orphaned + Sensitive | Unowned Sensitive Access |
| Orphaned + Sensitive + LLM | Unowned Sensitive Access with LLM |
| Unbound + Sensitive | Unbound Sensitive Access |
| LLM Egress | LLM Data Egress |
| Orphaned + External Egress | Unowned External Egress |
| Dormant + External | Dormant External Access |
- 5-second verdict sentence (execution-determined). The verdict summarizes observed activity, not telemetry details. Format:
<N> autonomous identities accessed <scope> <X> times in the last 30 days.
If a governance failure exists, append a short clause: — <governance condition>.
Examples:
Unowned Sensitive Access
13 autonomous identities accessed sensitive systems 681 times in the last 30 days — none have an assigned owner.
Unowned Sensitive Access with LLM
6 autonomous identities sent sensitive data to an LLM 142 times in the last 30 days — none have an assigned owner.
Unbound Sensitive Access
9 autonomous identities accessed sensitive systems 214 times in the last 30 days without a bound automation.
LLM Data Egress
4 autonomous identities sent data to LLM endpoints 87 times in the last 30 days.
Unowned External Egress
5 autonomous identities sent data outside the organization 63 times in the last 30 days — none have an assigned owner.
Dormant External Access
3 autonomous identities retain external access but have not executed in the last 30 days.
- Risk badge (clear, deterministic)
Critical
Sensitive domain + active execution + governance failure
High
Sensitive domain + active execution
Moderate
Governance failure but limited or no execution
Low
Dormant authority
- Keep paths + execution count
Remove:
- Attribute-style framing as primary label
- Anything that feels like a filter category instead of a threat definition
This page becomes: “Which autonomous authority is actively unstable?”
Purpose
Surface actively exercised autonomous authority touching sensitive domains.
Rules
- Rank by observed execution (Grade A).
- Activity required for prominence.
- Sensitivity + governance failure determine severity.
- Dormant authority remains visible but deprioritized.
- No probabilistic scoring.
- Surface standing authority without runtime evidence (Grade C) as governance gaps.
- Do not prioritize based on theoretical access.
Per Cluster Display
- Functional authority label (not attribute labels like “Orphaned + Sensitive”).
- Verdict sentence (execution-determined)
- Deterministic risk badge.
Outcome
Display
- What is actively running.
- What is unaudited.
- Where governance is decaying.
Step 2: Authority Exposure Brief (What Happened?)
UX Details: Authority Exposure Brief
Document date 2026-02-27
This replaces the current “header + table” flow. The table must appear below the narrative. The page is scrollable, structured top-to-bottom.
Section A — What Happened (Observed Authority)
One short execution-determined narrative.
Section B — Am I Exposed?
- paths
- Executions (30d)
- Domains exercised
- Endpoint type
- Active vs dormant
Section C — Governance Condition
- Orphaned?
- Drift?
- Identity reuse?
- Long-lived?
Section D — How Do I Fix It?
1–3 remediation guidance bullets.
Section Table
Button: “View Authority Paths (N)”
Then show filtered out authority path table. This prevents cognitive overload.
This replaces the current “header + table” flow.
Section A — What Happened (Observed Authority)
Describe:
- Authority exercised
- Domain touched
- Endpoint type invoked
- Execution frequency (30d)
- Evidence source.
Only exercised authority. No potential permissions. No hypothetical language.
Section B — Am I Exposed? (scale & activity)
Display:
-
of authority paths
- Total executions (30d)
- Sensitive domains exercised
- Endpoint types invoked
- Active vs dormant state
Purpose: quantify scale and velocity.
Section C — Governance Condition (why this is unstable)
Display instability drivers:
- Orphaned identities
- Scope drift
- Long-lived tokens
- Identity reuse across multiple paths
- Lack of runtime telemetry (if applicable).
This section explains structural amplification.
Blind spots are first-class findings.
Section D — How Do I Fix It? (remediation guidance)
Provide 1–3 recommended actions tied directly to exercised authority.
Examples:
- Restore ownership and revalidate approval
- Convert long-lived token to JIT
- Restrict external endpoint invocation
- Reduce scope to exercised domain
- Enable required runtime logging (if Grade C).
No enforcement logic. Advisory only.
After Section D
“View Authority Paths (N)” → table.
Step 3: Authority Evidence (execution lineage)
UX Details: Authority Path Detail (Authority Evidence)
Only minor refinement to the current page:
- Current view = observed authority only.
- Add collapsed panel: “Additional Standing Authority (Not Exercised)”
Audience: Analyst / Technical Lead.
Purpose
Provide deterministic traceability of exercised authority.
Rules
- Default view shows observed execution lineage only.
- Show only exercised branches.
- Collapse potential/latent authority separately.
- Always show evidence basis:
- Source system
- Timestamp
- Log reference (if available)
Outcome
- Verifiable execution proof.
- Clear separation between exercised and potential authority.
- Audit-ready defensibility.
Implementation Notes for Claude
- Do not change the number of top-level screens.
- Modify Overview and Cluster Detail.
- Path Detail requires minor refinement (observed vs potential separation).
- Remove attribute-based cluster naming as primary framing.
- Remove any probabilistic scoring.
- Always display evidence basis for execution-confirmed authority.
- Do not introduce new terminology.
- Keep CISO-facing sections compact (no dense paragraphs).
Acceptance Criteria
The product must clearly answer:
- What happened? (Execution-confirmed authority exercised.)
- Am I exposed? (Scale, activity, governance condition, blind spots.)
- What should I do? (Clear prevention-oriented remediation guidance.)
Without requiring the user to interpret a table.