Skip to main content

Consolidated Action Plan — March 2026

Supersedes: 2026-03-19-consolidated-action-plan.md (Mar 19) and 2026-03-15-march-sprint-implementation-plan.md (Mar 15).

What changed (Mar 21): Incorporated Sergey's Mar 20 locked founder decisions (wedge, terminology, blast radius, connector priority). Added code audit findings on evidence pack and drift detection accuracy. Resolved 3 pending decisions. Normalized terminology to Access Path.

Guiding Principles (Locked Founder Decisions)

These are settled decisions — not open for re-research. All work below must comply:

  1. No visible scores — impact scores removed (PR #89 shipped). No dual-axis, no A/B/C grades in UI. Priority exists in the data layer for sorting, never displayed.
  2. Business conclusions, not technical facts — every finding resolves to a business risk category. Cluster verdicts are the model; extend this pattern downward.
  3. Partner-first framing — the report is what partners sell, the platform is what analysts operate. Two audiences, one engine. Reports and evidence packs are core product outputs, not secondary artifacts.
  4. Cut, don't add — prefer removing noise over adding features. If we can't confidently assess something, drop it.
  5. Plain English — if a term needs explaining, replace it. Exception: vendor names in official form ("Microsoft Entra ID", "ServiceNow").
  6. No effort/cost estimates in outputs — too risky to get wrong. Dropped per Sergey's decision.
  7. No telemetry creep — don't turn this into a monitoring product.
  8. Deterministic only — no ML, no probabilistic scoring. Not betting on behavior-based detection/response. The current wedge is deterministic governance, drift, and remediation guidance.
  9. Drift is core day-1 value — not supporting detail. Drift is the primary mechanism for showing "what changed and why it matters" across identity, scope, and data reachability. (Added Mar 20)
  10. Terminology: Access Path — default external term. Use Execution Access Path when formal precision is needed. Internal code references (authority-paths.ts, etc.) are unchanged. (Added Mar 20)
  11. Remediation must be handoff-ready — every remediation action must be specific enough to create a Jira or ServiceNow ticket. Include one strong business-impact detail per action. Not full dependency tree. (Added Mar 20)
  12. Connector breadth is subordinate — does not outrank report/product legibility work unless a committed late-stage customer requires it. (Added Mar 20)
  13. Wedge controls scope — north star is agentic AI and automation security and governance. Current wedge: real execution authority across ServiceNow and Microsoft, with drift and remediation guidance. All scope decisions flow from the wedge. (Added Mar 20)

Acceptance Benchmark: Stakeholder Acceptance Scores

Adapted from AutoResearchClaw research — this is the measurable target for each stakeholder role.

RoleWhat It MeasuresBaseline (March 15)TargetHow to Measure
CISO Executive"So what?" in 15 seconds70%≥85%Re-run ciso-reviewer agent
SecOps AnalystDay-1 task completion70% (NEEDS WORK)≥80%Re-run secops-analyst agent
Product QASpec match8 partial, 2 missing≤2 partial, 0 missingRe-run product-qa agent
UX CriticIA grade + jargon countB- / 23 termsA- / ≤5 termsRe-run ux-critic agent
Security AuditorData consistencyMultiple issuesZero criticalRe-run security-auditor agent
Enterprise ExecutiveSellability (1-5)1.8/5≥3.5/5Re-run enterprise-executive agent
CEO (Sergey)Items accepted / total18/28 (64%)≥24/28 (86%)Sergey review

Review cycle: Don't re-run all 7 agents after every change. Run the relevant agent against the changed area (per feedback tracker review cycle plan). Full 7-agent sweep before next Deloitte demo.

What We Took from the AutoResearchClaw Research

The full research (23 stages) completed March 19. CEO-readable summary: Research Findings Summary. Seven applicable elements:

ElementWhat It SaysHow We Apply It
Stakeholder Acceptance Scores benchmarkCustom 7-role acceptance scoring instrumentAdopted above as our measurable target table
NHI category timingNHI governance emerged as a distinct category in 2025 (OWASP NHI Top 10, CSA MAESTRO). SV0 is among the first platforms — decisions now define category norms.Use in pitch decks, partner conversations, and report methodology sections
Engine-first orderingFixing data quality projects +11-14pp improvement for technical reviewers with zero UI changes. Effects are multiplicative — presentation on bad data doesn't stick.Validates our phase ordering: Phase 0/3 (data quality) before Phase 1 (CISO clarity). Not just prioritization — structurally required.
Evidence-to-narrative gapNo systematic method exists for translating technical evidence to non-technical narrativesThis IS our core "last mile" problem. The report generator (Phase 4) is the solution. Business glossary + verdict sentences are the mechanism.
Legibility inversionEven a collapsed technical appendix hurts purchase intent by ~0.4 points. Methodology sections undermine the authority of the recommendation.Assessment report template (Phase 4.3) must NOT include a methodology appendix. Methodology belongs in the evidence export for auditors, not in the board-facing report.
Report API constraintReport generator must query for synthesized verdicts, not raw findings. If it can access raw evidence, technical detail gradually creeps in.Phase 4.2 (Report Service) should expose two API endpoint families: full-fidelity (platform UI) and pre-synthesized (report generator). Architectural constraint, not a suggestion.
Feedback channelsFour channels build ground-truth for calibration: finding accuracy ratings, remediation outcome tracking, report consumption analytics, divergence-outcome correlation.Not this sprint. Capture as Phase 5+ planning items. Needed to validate research projections with real production data.

What we rejected from the research:

  • H1 (Engine Completeness hypothesis) — rephrased as "fix the bugs" in Phase 0/3 below, no hypothesis testing needed
  • H2 (Two-Product Architecture) — contradicts Sergey's one-platform model. We have one platform with audience-appropriate views + a report generator
  • H3 (Cross-Source Disagreement) — interesting but premature with only 2 connectors. Filed for future research when we have 4+ sources
  • H4 (Opinionated Verdicts) — already decided and partially implemented. Cluster verdicts are the model
  • Literature clusters 1, 4, 5 — clinical guidelines, deep learning, mental health papers. Not applicable
  • Dual-axis scoring — contradicts "remove scores entirely" decision

Sergey Feedback Response (March 26)

Added March 26-30. These items respond directly to Sergey's March 26 feedback on sprint review and product direction. Ordered by value, not implementation sequence.

S.1 Evidence Classification — 5-Way Claim Model

Priority: MUST — core trust work per Sergey's directive Effort: 4-5 days Status: Shipped (#228, #242)

Every finding now carries an EvidenceClaim with 5-way classification (observed_execution, observed_absence, correlated_pattern, structural_authority, inferred_capability) and a two-layer confidence model (static rule classification + runtime evidence confidence → effective = weakest link). All 14 entity rules, path evaluator, and connector-report findings classified. Color-coded badges on findings list and detail header.

  • EvidenceClaim type with 5 classifications
  • Two-layer confidence model (effective = min of static + runtime)
  • All evaluator rules populated
  • API: classification filter, sort, aggregation
  • UI: evidence badges on findings list + detail header

S.2 Access Path Identity-Scoped Grouping

Priority: MUST — Sergey directive: "rethink the one-row-per-path unit" Effort: 5-7 days Status: Shipped (#230)

New GET /api/v1/authority-paths/grouped endpoint groups flat paths by identity_id into IdentityAccessSurface objects. Enhanced seed data adds 4 new identity scenarios. UI: "Group by Identity" toggle on access paths list.

  • IdentityAccessSurface type with aggregate metrics
  • MAX for execution (not SUM — avoids overcounting)
  • Cross-workload badges, [Unbound] labels
  • Offset pagination with Previous/Next
  • Enhanced seed data (76 paths → 13 surfaces)

S.3 Persistent Mitigation Tracking

Priority: MUST — Sergey directive: "core operating surface where product becomes sticky" Effort: 5-7 days Status: Shipped (#229)

Persistent MitigationActionDoc with 7-state lifecycle (proposed → assigned → in_progress → completed → verified), audit trail, optimistic locking, source-state staleness detection. Track button on UI, Tracked Actions section on path detail. Content hash on ephemeral actions for stable tracking.

  • MitigationActionDoc with 7-state lifecycle
  • Staleness detection (source_state_hash comparison)
  • 6 API endpoints with Zod validation
  • UI: Track button + Tracked Actions section
  • Evaluator staleness hook (incremental)

S.4 Ownership Assignment UI

Priority: SHOULD — Sergey directive: "who should own that action" Effort: 3-4 days Status: Shipped (#243)

Replaces "Coming soon" placeholder on access path detail with working assignment form. One active owner per target, assign/reassign/revoke with insert-first conflict resolution and restore-on-failure. Unique partial index prevents concurrent duplicates.

  • OwnershipAssignmentDoc (active/revoked, unique index)
  • 4 API endpoints (create, list, detail, revoke)
  • UI: assign/reassign/revoke inline form
  • Source system owner read-only row
  • Insert-first conflict resolution with restore

S.5 Attestation & Review Cadence

Priority: SHOULD — Sergey directive: "recurring review and attestation are first-class product value" Effort: 3-4 days Status: Shipped (#231)

AttestationDoc with 4 outcomes (accepted, accepted_with_risk, remediation_required, escalated), context snapshots for staleness detection, ReviewCadenceConfig with interval scheduling. Attestations do NOT suppress findings — parallel governance layer.

  • AttestationDoc with context_hash staleness
  • ReviewCadenceConfig (weekly/biweekly/monthly/quarterly)
  • 8 API endpoints with Zod validation
  • Evaluator staleness hook (incremental)
  • Review-due / review-overdue indicators

S.6 UX Improvements from Wiz Research

Priority: SHOULD — Sergey directive: "research Wiz presentation patterns" Effort: 3-4 days Status: Shipped (#242)

Based on 629-line Wiz UX pattern analysis. Top 5 patterns implemented: evidence confidence badges, smart default sort + preset filter buttons, entity name column on findings list, trend direction arrows on overview metrics, inline path visualization on finding detail.

  • Evidence confidence badge (color-coded by classification)
  • Default sort severity-descending, default filter active
  • 3 preset filter buttons (Critical Active, New This Week, High & Active)
  • Trend arrows (↑/↓/→) on overview metric cards
  • Inline path visualization on finding detail (workload → identity → destination)

S.7 Visual & Terminology Fixes

Priority: CAN — Quality fixes from QA Effort: 2-3 days Status: Shipped (#213, #226, #227, #236)

Metric card labels wrap to 2 lines (no truncation), remediation promoted out of Evidence Pack collapse, findings descriptions wrap to 2 lines, access paths table expanded by default on cluster detail, "Unowned" → "Orphaned" terminology alignment, null classification sort fix.

  • Metric card label wrapping (#213)
  • Remediation promoted above Evidence Pack (#226)
  • Findings descriptions 2-line wrap (#227)
  • Paths table expanded by default (#227)
  • Orphaned terminology alignment (#236)

Phase 0: Demo Blockers

These must be fixed before any design partner demo. Sprint plan items corrected per cross-review.

0.1 Remediation Must Name Specific Objects

Status: Not started Effort: 2-3 sessions Flagged by: CISO, Product QA, SecOps (cross-cutting), Sergey explicitly Sergey feedback: #14, #15, #16, #17

Root cause: src/api/routes/authority-paths.ts:108 calls generatePathRemediation() without passing entityContext. Cluster-level remediation already has names — path-level does not.

Fix: Pass entityContext (path nodes, via_roles with display names) to generatePathRemediation(). The method already accepts it.

Additional requirement from Sergey: Remediation must emphasize choke points — "show where one fix reduces multiple exposures. This is the real value." Deduplicate remediation across clusters: when the same action appears in 3 clusters, show once with "Applies across 3 clusters" (was Phase 5.6, promoted here).

Triage decision framework (Sergey #2): Every finding should map to one of four analyst triage actions: investigate now, ticket now, watch, or ignore. The remediation and finding UI should make this decision obvious — not just show the problem, but guide the analyst to the right response.

Blast radius (Mar 20 decision): Surface one strong business-impact detail per remediation action (e.g., "this role grants write access to the patient-records data domain"). Not full dependency tree — keep it limited and actionable.

Acceptance:

  • Path remediation applies_to includes named entities/roles from the path
  • No generic terms like "execution path" or "egress path"
  • Cross-cluster deduplication shows choke point impact
  • Each action includes one business-impact detail (per Guiding Principle #11)
  • Output is handoff-ready for Jira or ServiceNow ticket creation

0.2 Access Path Role Visibility

Status: Not started Effort: 1-2 sessions Flagged by: CISO, Product QA, UX, Sergey explicitly Sergey feedback: "We should show access held by the identity, not just the access used in this one path"

Fix: Add role count badge to path table rows. In expanded view, show "Identity total: N roles across M paths." Remove slice(0, 2) truncation in Standing Authority panel.

Acceptance:

  • Path table row shows role count without expanding
  • Expanded row shows identity's total role scope across all paths
  • Standing Authority panel shows all roles

0.3 Fix Impact Score Display → 0.3 Remove Impact Scores Entirely

Status: DONE — PR #89 shipped Cross-review correction: The original plan said "invert the display." Sergey's command was "remove scores entirely." The ImpactBar component has been removed. Remediation actions are displayed as a sorted list — sort order conveys priority implicitly.

Phase 1: CISO Clarity

1.1 Invert Visual Hierarchy on Cluster Cards

Effort: Low (CSS/layout)

Verdict sentence becomes dominant text. Path count becomes secondary badge. No content change — just visual weight.

1.2 Add Evidence Grade Badges (A/B/C) → 1.2 Add Execution Confidence Labels (Plain English)

Cross-review correction: Sergey said "avoid ABC grading — not a widely accepted term."

Use plain English labels:

  • "Execution Confirmed"execution_30d > 0
  • "Previously Active" — has execution evidence but execution_30d == 0 recently
  • "Standing Authority Only"execution_30d == 0, no execution evidence

Display as text labels on Access Path rows and cluster summary counts. No letter grades, no color-coded badges that look like scores.

1.3 Add OWASP/Business Relevance Tags

Effort: Low Sergey feedback: "OWASP and NIST are important, but first we need to fix the core." This is low-effort and doesn't block core work — implement alongside Phase 0.

Deterministic mapping: orphaned_ownership → ASI03, scope_drift → ASI10, llm_egress → ASI02, reachability_drift → ASI08. Render as small tags on cluster cards.

1.4 Fix Governance Checklist Deduplication

Effort: Low

Use distinct labels per finding type. Add path counts: "Scope drift (3 paths)."

1.5 Promote Highest-Risk Path + Global Risk Ranking

Effort: Low-Medium Cross-review gap fix: Original plan only promoted highest-risk within a cluster. Sergey said "Must show top absolute risks as well."

Two parts:

  1. Within cluster: Callout in Section A: "Highest risk: Agent Ascribe_Summarizer → GP_Clinical_Notes (127 executions, orphaned, LLM egress)"
  2. Global on Overview: Surface top 3 absolute risks across all clusters. Not just per-cluster grouping.

1.6 Replace Secondary Stat Cards with Business Metrics

Effort: Low

Replace inventory counts with: "Sensitive Domains Reached: 6", "Departed Owners Unresolved: 2", "LLM Endpoints Invoked: 3."

Addresses Sergey #9: "WOW effect for CISO — 'this touches this?' without 3 clicks."

1.7 Add "What Changed Since Yesterday" Filter

Effort: Medium (API + UI) Sergey feedback: "High priority — nobody asked yet but I expect this to be critical for repetitive use of the product."

Add ?changed_since=<ISO8601> to findings endpoint. On Overview, add "New since last visit" section.

Phase 2: Operator Clarity

2.1 Remove Finding Intervals

Effort: Low. Remove intervals rendering from FindingTile. Keep drift breakdowns.

2.2 Fix Ownership Section to Use Actual Names

Effort: Low. Replace hardcoded "Service principal owner departed" with actual name from owner_descriptions.

2.3 Fix Breadcrumbs

Effort: Low-Medium. Display entity/cluster names instead of hash IDs. Fix formatBreadcrumbSegment().

2.4 Fix Finding Description Hash IDs

Cross-review gap fix: QA flagged that deterministic_explanation contains raw hex IDs. The sprint plan missed this.

Replace entity IDs in finding description strings with display names.

Phase 3: Data Quality

These are the "engine completeness" items — bugs, not hypotheses.

Code audit update (Mar 21): Items 3.1 and 3.3 were investigated during the platform code audit. Both fields ARE populated correctly in production code. The original review may have been observing seed data artifacts. Items 3.2 and 3.4 are confirmed bugs.

3.1 Fix added_roles in Evidence Packs

Status: NOT A BUG (confirmed Mar 21 code audit). The added_role_targets field in scope-drift.ts line 176 correctly populates role IDs. The evidence pack builder (sections.ts lines 280-332) resolves these to role_id, role_name, first_seen_at, and grants_access_to. Tests confirm population in sections.test.ts lines 635-828. The original review may have observed a seed data issue.

3.2 Fix Posture Summary Path Count

2-path discrepancy between posture summary (32) and authority-paths list (30). Root cause confirmed (Mar 21 code audit): posture-service.ts line 58 uses countAuthorityPaths() for the total but computes dormant paths from a capped subset (queryAuthorityPaths() with 5000 limit). When the cap is hit, the dormant count is incomplete. Fix: compute dormant count from the full dataset or use the pre-computed total.

3.3 Populate Execution Evidence target_resource

Status: NOT A BUG (confirmed Mar 21 code audit). Connectors DO populate target_resource: Entra-ServiceNow sets it to resource_display_name from sign-in logs (transformer line 1993), flow names (line 2041), and job names (line 2082). Azure Foundry sets it to agent name (transformer line 498). The original review may have observed empty seed data.

3.4 Fix meta.bySeverity/byType Scoping

Cross-review gap fix: These are page-scoped, not total-scoped. Root cause confirmed (Mar 21 code audit): findings.ts lines 158-166 counts severity/type from the paginated result (normalized), but total_count comes from countFindings() across all pages. Fix: either run a separate aggregation query for total counts, or document that these are page-scoped in the API contract. Must be fixed before Phase 5.1 (Findings Summary Strip) or the UI will display misleading data.

3.5 Fix role_history Evidence Completeness Mismatch

NEW (Mar 21 code audit). The Entra-ServiceNow connector explicitly marks role history as "unavailable_not_applicable" with note "Role history extraction not yet implemented" (entra transformer line 2296). But scope-drift.ts line 187 marks role_history: "available" in evidence completeness. This is misleading — the platform claims to have data it doesn't. Fix: align the evaluator's completeness markers with the connector's actual data availability.

Phase 4: Reports & Deliverables (Next Sprint)

Architecture validated: One engine, many channels. Platform UI is one channel, reports are another.

4.1 Compliance Mapping to Data Layer (Pull into this sprint)

Effort: 1-2 sessions. Low effort, high value for both analysts and reports.

Add compliance_references array to findings/clusters. Static deterministic mapping from src/lib/compliance-mapping.ts. Source: existing OWASP ASI mapping doc in Notion-synced files.

4.2 Report Service + Store

Backend service generates structured report objects, stores in MongoDB. API endpoints for list/detail/PDF/generate.

Architectural constraint (from research — legibility inversion): The report service should expose two API endpoint families: a full-fidelity path consumed by the platform UI (source-level assessments, evidence chains, all technical detail) and a pre-synthesized path consumed by the report generator (clustered verdicts, business-impact sentences). The report generator must NOT have access to raw evidence — this prevents the gradual accretion of technical detail that degrades executive readability.

4.3 Report Templates

Scan Digest: 1-page summary after each scan. Top 3 risks, governance checklist, trend.

Assessment Report (5 sections, no methodology appendix): Cover → Executive summary → Findings summary with compliance mapping → Risk detail per cluster → Remediation roadmap with responsible roles.

Cover page format (Sergey #23): "[Client Name] — Exposure Assessment by SecurityV0." No partner logo, no "Autonomous Execution" subtitle. Simple, no jargon.

No methodology appendix. The research found that even a collapsed appendix hurts purchase intent — it shifts the buyer's frame from "expert recommendation" to "complex analysis." Methodology and evidence integrity belong in the separate Evidence Export (for auditors), not in the board-facing assessment report.

Evidence Export: Evidence packs with SHA256 integrity hashing and version chaining, methodology notes, data source documentation. This is the auditor artifact, separate from the assessment report. Note: current packs are synthesized summaries in mutable MongoDB — cryptographic sealing (WORM/KMS) is deferred to compliance-grade deployment requirements.

Key: Business glossary (src/lib/business-glossary.ts) used ONLY in report rendering, not in platform UI. "Service principal" → "automated account" only in reports.

4.4 Platform Reports Page

New sidebar item. List reports, read in-browser, download PDF.

4.5 Delivery Channels

Email → Slack → PDF → API. Build one at a time, email first (highest partner value).

Phase 5: Polish (Following Sprint)

  1. Findings Summary Strip — render meta.bySeverity/byType (after 3.4 API fix)
  2. Enable "Create Ticket" — ServiceNow integration. Sergey accepted as quick win. WHO to send to: deferred (needs ownership inheritance logic).
  3. Navigation Orphans — add Exposures, Findings, Execution Chains to sidebar
  4. Remove Legacy Dashboard — redirect /dashboard to /
  5. Posture Trend Chart — 90-day trend using posture_snapshots. Prerequisite (Sergey #28): Research how Wiz and other accepted products present risk-reduction tracking before implementing. "Need to see what the most commonly accepted way of showing this information is."
  6. Standardize Ownership Terminology — "orphaned" → "No active owner"

Pending Decisions (Sergey)

#DecisionContextStatus
1Delta badges on OverviewUX says remove (Feb 22 spec). CISO says keep. +838% is seed data artifact.RESOLVED (Mar 21). Remove. Too technical, doesn't aid readability or understanding.
2"Authority path" terminologySergey asked: "Is it something SIs and CISOs will immediately understand?"RESOLVED (Mar 20). Default = Access Path. Formal = Execution Access Path. See Guiding Principle #10.
3Absolute vs per-cluster risk rankingBoth useful. Global ranking on Overview? Or per-cluster only?RESOLVED (Mar 20). Both: per-cluster context AND global view of absolute risk. See Guiding Principle #13 reference in Phase 1.5.
4Evidence pack definition"How do we define the evidence pack?" — needs a jargon-free definition.DEFERRED (Mar 21). Not needed now — focus on readability and understanding first. Revisit when report templates are built (Phase 4). Proposed wording saved for later: "A timestamped, integrity-hashed record of exactly what we found, when, and what data supports it — designed for audit review."

Effort Summary (Corrected)

PhaseItemsEffortSprint
Phase 0: Demo Blockers2 remaining (0.1 + 0.2; 0.3 done)3-5 sessionsMUST — this sprint
Phase 1: CISO Clarity7 items (hierarchy, confidence labels, OWASP, governance, global risk, stat cards, what-changed)7-9 sessionsSHOULD — this sprint
Phase 2: Operator Clarity4 items (intervals, ownership, breadcrumbs, finding IDs)3-4 sessionsSHOULD — this sprint
Phase 3: Data Quality3 items (path count, meta scoping, role_history mismatch; 2 items resolved by code audit)2-4 sessionsCAN — this sprint
Phase 4.1: Compliance Mapping1 item1-2 sessionsPULL into this sprint
Phase 4.2-4.5: Report Service4 items9-14 sessionsNext sprint
Phase 5: Polish6 items5-8 sessionsFollowing sprint

Critical path for demo: Phase 0 → Phase 1 → Phase 2 Critical path for partner enablement: Phase 4.1 (this sprint) → Phase 4.2-4.3 (next sprint, validate template with Deloitte before full service)

Security Backlog (Parallel Track)

Not blocking demo/clarity sprint but must be fixed before any auth-enabled deployment:

  • JWT signature verification (src/api/middleware/auth.ts:116-136)
  • Missing X-Tenant-Id returns 200 instead of 400/401
  • /diagnostics endpoint exposes server internals
  • Raw tenant_id in API responses

Tracked at sv0-platform#82.