Multi-Perspective Platform Review — March 2026
Visual Overview
Sprint Roadmap — What Blocks What
Audience × Page Map — CISO vs Analyst Split
Phase 0 Blockers — Before / After
Executive Summary
SecurityV0 has made significant progress since the March 3 CISO readability review — 4 of 6 critical gaps are now closed. The platform is at ~70% readiness across all review perspectives. The evidence engine is the competitive moat: deterministic explanations, named departed owners, SHA256 integrity-hashed evidence packs, and temporal provenance are genuinely strong.
However, three sprint-critical issues block design partner demos:
-
Remediation doesn't name the object to change — "Restrict LLM endpoint access" instead of "Remove role
foundry_ai_executorfromsvc-foundry-agent701in Entra ID." This is the exact issue Sergey flagged. -
Authority paths hide total role scope — Each path row shows 1 role, but an identity may have 5 roles across 5 paths. The CISO and analyst both underestimate blast radius.
- Impact scores are inverted — The highest-priority remediation action ("Restrict LLM endpoint access") shows impact_score=0, rendering as an empty bar. The most generic action scores 10.
What's working well:
- Verdict sentences on cluster cards pass the 5-second comprehension test
- Exposure Brief (Sections A-D) is the strongest CISO artifact in the product
- Scope drift evidence with version-history role comparisons is strong
- Evidence packs with SHA256 integrity hashing are useful for audit review (cryptographic sealing deferred)
- Progressive disclosure flow (Overview → Cluster → Path → Detail) works
Review Team & Scores
| Reviewer | Verdict | Key Score | Report |
|---|---|---|---|
| CISO Executive | 70% CISO-ready | Evidence: 4.5/5, Prioritization: 3/5, Remediation: 3/5 | Full report |
| Product QA | Ready for internal demo | 17 implemented, 8 partial, 2 missing, 1 diverged | Full report |
| SecOps Analyst | NEEDS WORK (70%) | Evidence chain: partial, Remediation: mixed | Full report |
| UX Critic | Grade B- | Navigation: weak, Labels: 23 jargon terms | Full report |
| API/Security Auditor | Data quality issues | 2 count discrepancies, empty evidence fields | Full report |
| Enterprise Executive | Deliverable readiness: 1.8/5 | 60-70% partner rewrite needed, zero compliance mapping, zero cost framing. v1 (superseded) · v2 — canonical |
Findings Mapped to Sprint Priorities
Sprint Priority 1: Tighten UX Based on Recent Feedback
"There are small interpretation deviations from Claude Code vs the specs" — Sergey
| Finding | Severity | Flagged By | Detail |
|---|---|---|---|
Remediation applies_to uses generic terms, not object names | CRITICAL | Product QA, CISO, SecOps | Spec requires "Role: sql_admin_reader". API returns "LLM endpoint access". Operators can't act. |
| Impact scores inverted | CRITICAL | Product QA, SecOps | "Restrict LLM endpoint access" gets impact_score=0 (empty bar). "Reduce to least-privilege" gets 10. |
| Finding intervals still shown | MAJOR | Product QA | Drift UX spec says "Remove the intervals part." They still render alongside drift breakdowns. |
| Governance checklist mislabels finding types | MAJOR | Product QA, UX | reachability_drift → "Scope drift", ownership_drift → "Orphaned identities". Wrong labels. |
| Identity binding hardcodes "OIDC (Federated)" | MAJOR | Product QA | ServiceNow integration users use client credentials, not OIDC. |
| Ownership section hardcodes departure reason | MAJOR | Product QA | Shows "Service principal owner departed" instead of actual name "Maria Lopez (deleted)". |
| Evidence grades (A/B/C) still missing | MAJOR | CISO, Product QA | Competitive differentiator. Data exists (execution_30d > 0 = Grade A). Not rendered anywhere. |
| Breadcrumbs show hash IDs | MAJOR | Product QA, UX | /authority-paths/0a3a4bb8... instead of path name. Flagged in March 3 review. |
| Delta percentages re-added | MAJOR | UX | Feb 22 spec removed trend deltas. +838% on Overview is noise without baseline context. |
| Scope drift card uses API text, not spec template | MINOR | Product QA | Shows entity IDs in explanation. Spec has CISO-friendly template text. |
| Findings list shows entity hash IDs in descriptions | MINOR | Product QA, UX | deterministic_explanation contains raw hex IDs. |
Sprint Priority 2: CISO vs SecOps Clarity
"Overview + Cluster Details speak to the CISO, Cluster Details + Auth Path Details speak to the analyst" — Sergey
Where It's Working
- Overview page now leads with "Observed Autonomous Execution (30d)" — execution-determined, not path-focused
- Verdict sentences on cluster cards compose plain-English business risk: "3 autonomous identities accessed sensitive systems 681 times in the last 30 days — none have an assigned owner"
- Exposure Brief (A/B/C/D) on Cluster Detail is the single best CISO artifact. Sections answer: What happened? Am I exposed? Why is this unstable? How do I fix it?
- Authority Path Detail is a strong analyst page: graph-first, risk condition tiles with "Since Xd", remediation with impact scores
Where It's Failing
| Gap | Audience Impact | Detail |
|---|---|---|
| No "shut this down first" signal | CISO | 4 critical clusters but no differentiation between them. Highest-risk path buried in table. |
| No OWASP/business relevance tags | CISO | Deloitte asked: "What's the OWASP impact? What's the business relevance?" None mapped in UI. |
| Secondary stat cards are identity inventory, not risk | CISO | "Active Autonomous: 5 Identities" doesn't answer "so what?" Replace with "Sensitive Domains Reached: 6". |
| No "what changed since yesterday" | SecOps | No changed_since filter. Every morning starts from scratch. #1 daily workflow blocker. |
| Remediation is generic for LLM/sensitive findings | SecOps | "Restrict LLM endpoint access" — where? how? Only scope_drift remediations ("Remove role X") are concrete. |
| Execution evidence has empty target_resource | SecOps | Evidence says action: "read" with target_resource: "". Can't validate which resource was accessed. |
| "Create Ticket" button disabled | Both | Blocks CISO-to-analyst handoff and analyst remediation workflow. |
| No export capability | Both | "Export Report" and "Export" buttons disabled on Overview and Cluster Detail. |
| Findings page is analyst-only flat table | CISO | No grouping, no summary chart. API returns bySeverity/byType metadata — not rendered. |
| Governance checklist false deduplication | CISO | 3 different finding types all show as "Orphaned identities", hiding real governance failures. |
| 6 orphan pages not in sidebar | Both | Exposures, Findings, Entities, Execution Chains, Syncs, Temporal — all reachable but not discoverable. |
Sprint Priority 3: Collapsing Authority Paths
"It shows as 1 path with 'Microsoft Graph' role, but in reality it has 4 roles" — Sergey
| Finding | Detail |
|---|---|
| Table rows show zero roles | Authority path table rows show workload → identity → destination chain only. Roles only visible on expand. |
| Expanded view shows only per-path roles | Each path shows its own via_roles. No indicator of total roles for the identity across all paths. |
| Standing Authority panel truncates | path.via_roles.slice(0, 2).join(", ") + (+N) — shows first 2 roles, hides rest. |
| API returns correct data | via_roles arrays are populated per-path. Total role scope must be aggregated client-side. |
Fix approach: Add role count badge to path table rows. When expanding, show "Identity total: 5 roles across 5 paths" with aggregation. The data exists — this is a UI composition issue.
Sprint Priority 4: Partner Deliverable Readiness (NEW — from Sergey/SW1 conversation)
"They need data they can put a wrapper around, but it needs to be 'business speak' since companies like Deloitte talk to the CISO/CIO at large companies, and they hardly know what EntraID is" — Sergey
The Enterprise Executive reviewer scored the platform 1.8/5 for executive deliverable readiness. A partner would need to rewrite 60-70% of the output before presenting to a client CISO.
| Gap | Score | Detail |
|---|---|---|
| Compliance framework mapping: ABSENT | 1/5 | Zero OWASP, NIST, SOX, HIPAA references in any API output. The mapping document EXISTS internally but is not surfaced. Every finding type needs a deterministic compliance_references array. |
| Cost/effort framing: ABSENT | 1/5 | No remediation includes hours/days/weeks, FTE estimates, or responsible-role assignments. Partners can't build a cost case from the data. |
| Business language below cluster level: DROPS OFF | 3/5 | Cluster verdict sentences are genuinely strong. But findings, paths, and remediation revert to analyst language with technical identifiers and role names. | | Board-ready export: ABSENT | 1/5 | "Export Report" button disabled. No PDF generation. No structured board template. | | Technical terms everywhere | 2/5 | "egress", "service principal", "EntraID", "OAuth", "RUNS_AS", "scope drift" — a CIO would need a glossary. |
What works: The cluster verdict sentences ("3 autonomous identities accessed sensitive systems 681 times — none have an assigned owner") ARE business language and pass the CIO test. The posture summary provides the quantitative backbone for Slide 1 of any board presentation. The underlying data tells a compelling story.
Reports Architecture — One Engine, Many Channels
The gap is in the last mile: The data is there. The business narrative exists at the cluster level. But below that, the platform reverts to a security analyst tool. A partner can't hand this to a Fortune 2000 CIO without rewriting the details into "what's broken ($X risk), what to fix (Y weeks, Z FTE), which framework it violates (OWASP ASI-03)."
Cross-Cutting Issues (Found by Multiple Agents)
These issues were independently flagged by 3+ review agents, indicating high severity:
| Issue | CISO | QA | SecOps | UX | API | EE |
|---|---|---|---|---|---|---|
| Remediation missing object names | X | X | X | X | ||
| Authority path role collapsing | X | X | X | |||
| Evidence grades missing | X | X | ||||
| Impact scores inverted/misleading | X | X | ||||
| Compliance mapping absent | X | |||||
| Cost/effort framing absent | X | |||||
| Export/PDF disabled | X | X | X | |||
| Breadcrumb hash IDs | X | X | ||||
| Governance label mislabeling | X | X | ||||
| "Create Ticket" disabled | X | X | ||||
| No "what changed" filter | X | |||||
| Ownership terminology chaos | X | |||||
| Execution evidence empty fields | X | X |
Progress Since March 3 Review
| Gap from March 3 | Status | Notes |
|---|---|---|
| Missing verdict sentences on cluster cards | FIXED | buildVerdictSentence() composes from API data |
| Dashboard title too abstract | FIXED | Now "Observed Autonomous Execution (30d)" |
| Hero metric showed paths, not executions | FIXED | Now shows 769 observed executions |
| Missing trend deltas | PRESENT but contested | DeltaBadge shows +838% and +81%. UX says remove per Feb 22 spec. CISO says keep. Pending Sergey decision — do not count as closed. |
| Evidence grades (A/B/C) missing | NOT FIXED | Still the #1 missing differentiator |
| Ownership decomposition incomplete | PARTIALLY FIXED | 2 rows (Automation owner, Runtime identity) vs spec's 3 |
| Hash IDs in breadcrumbs | NOT FIXED | Still shows truncated hex |
Score: 3 of 6 critical gaps definitively closed, 1 contested (delta badges — needs Sergey decision). Remaining: evidence grades and breadcrumbs.
Security Findings
| Issue | Severity | Detail |
|---|---|---|
| JWT signatures not verified | CRITICAL | src/api/middleware/auth.ts:116-136 — decodeJwtPayload() decodes without signature validation. Forged tokens accepted if Bearer auth enabled. |
Missing X-Tenant-Id returns 200 with empty data | HIGH | Should return 400/401. With REQUIRE_AUTH=false, all requests accepted with fallback dev-tenant. |
/diagnostics endpoint exposes server internals | HIGH | Memory, uptime, Node version. Masked by UI SPA catch-all on production proxy but accessible directly. |
Raw tenant_id exposed in API responses | HIGH | Entity detail, execution chains, evidence records, timeline events all include tenant_id field. |
API & Data Quality Issues
| Issue | Severity | Detail |
|---|---|---|
| Posture summary says 32 paths (29+3), authority-paths API returns 30 | HIGH | 2-path discrepancy between endpoints. Dormancy counts also differ (5 vs 3). |
meta.bySeverity/byType are page-scoped, not total-scoped | HIGH | With 205 findings and limit=3, bySeverity sums to 3 instead of 205. Misleading for UI summaries. |
Execution evidence target_resource always empty | HIGH | All records show target_resource: "" — undermines observed authority claim |
Scope drift added_roles empty despite role count 0→2 | HIGH | Evidence pack says "Review 0 role assignments" when 2 were added |
| Identity nodes in exposure detail show raw IDs as labels | MEDIUM | src/api/routes/exposures.ts:286 — node label = ObjectID instead of display name |
Path remediation applies_to generic because entityContext not passed | MEDIUM | src/api/routes/authority-paths.ts:108 — cluster remediation has names, path-level does not |
Release Readiness Assessment
| Level | Status | Blocker |
|---|---|---|
| Internal demo | READY | — |
| Design partner demo | NOT READY | Fix D1 (object names), D2 (role collapsing), D3 (impact scores) |
| Broader pilot | NOT READY | Also needs evidence grades, "what changed" filter, export, Create Ticket |
What to Show Sergey
The product's strongest demo path right now:
- Overview → show 769 executions, 19 with invalid ownership, 838% growth
- Click "Unowned Sensitive Access with LLM" → Exposure Brief narrates the full story
- Section C governance checklist → shows orphaned identities + scope drift as failing conditions
- Section D remediation → shows concrete guidance (though
applies_toneeds the fix) - Expand paths table → click into Agent Ascribe_Summarizer → Authority Path Detail with graph
- Risk condition tiles → show "Since 45d" for orphaned ownership, scope drift with role breakdown
- Standing Authority panel → collapses non-executed paths, demonstrating observed vs potential
What to avoid in demo: Findings page (flat table), Graph Explorer (too dense), Exposures page (dual-audience confusion), breadcrumb navigation (shows hashes).
Note: Steps 4 and 5 above require P0 fixes (0.1 remediation object names, 0.3 impact score display) to demo well. Without these fixes, Section D remediation will show generic terms and inverted impact bars.
Review Caveats & Data Notes
Finding count discrepancy (6 vs 51): Different agents reported different finding counts. The API audit explains why: meta.bySeverity and meta.byType are page-scoped, not total-scoped. With a small page size, the metadata sums to the page count (e.g., 6), not the total (205 including all statuses, or 51 active). The default GET /findings endpoint returns a limited result set. Using ?severity=critical widens the results to all findings matching any severity rather than filtering to critical only. This is an API bug documented in the API audit report.
Path count: 29 active paths + 3 dormant per posture summary (32 total) vs 30 in the authority-paths list (25 active + 5 dormant). There is a 2-path discrepancy — the posture summary counts paths differently than the list endpoint. Documented in the API audit.
838% execution delta: This is a seed data artifact. The prior period had 82 executions; the current period has 769. Real environments would show different deltas. Used for illustration, not as a production metric.
Drift detection not testable: All findings share the same detected_at timestamp (single evaluation pass). Drift detection timing, re-evaluation behavior, and alert deduplication could not be validated. The drift architecture (version-history comparison, interval tracking) appears sound but is unproven in continuous operation. Note: the formal baseline subsystem (types/CRUD) exists but is not yet wired into the evaluator; drift rules currently use the oldest entity version from getEntityVersionHistory(..., 100) as an implicit baseline.
Unresolved product decision — delta badges: The UX reviewer says remove delta percentages from Overview KPI cards (per Feb 22 spec which explicitly removed them). The CISO reviewer says they're valuable trend signals. Sergey commented "be careful not to turn this into a telemetry product" but hasn't made a final keep/remove decision. Still pending.
Sergey's Decisions (2026-03-16)
Sergey reviewed the CISO executive review and combined review with 28 inline comments. See full tracker: Sergey Feedback Tracker. See authoritative action plan incorporating all decisions: Consolidated Action Plan.
Key decisions that changed the plan:
| Decision | What It Changes |
|---|---|
| Remove impact scores entirely | |
| Evidence labels in plain English | |
| Framework mapping confirmed | OWASP Top 10 + NIST CSF. "Most customers use these." Validates Phase 1.3 + 4.1. |
| Don't promote path details into clusters | |
| Create Ticket: not critical yet | Moved to polish. "Need to determine WHO to assign to." |
| Remediation must consider business impact | Actions can't just say "remove access" — restricting may break services. |
| Risk is in the change, not static access | LLM egress alone may be the automation's purpose. Drift/change is the real finding. |
| Drop effort/cost estimates if unreliable | No effort estimates in outputs — "if we can't confidently assess, drop it." |
North star (Sergey's words): "Presenting information in such a way that CISO and SI go to SecurityV0 to pull this data straight into their executive or board presentations."