CEO Review: Round 2 Platform Acceptance — March 19, 2026
Snapshot: 2026-03-19-demo-w1 (34 screenshots, captured 2026-03-19T20:41:53Z)
Baseline: Round 1, March 15: 18/28 accepted (64%). Target: 24/28 (86%).
Reviewer lens: Sergey's 3-lens framework (Partner Sellability, Junior Analyst Usability, Safety/Honesty). Every screen evaluated against the 4 questions: What is exposed? Why does it matter? Who owns it? What needs action first?
Would I Ship This? YES WITH CHANGES
The platform has improved since Round 1 in structural ways -- the impact score bars are gone (good, that was my call), the sidebar navigation is cleaner with 6 visible items, and the Data Domains page is genuinely new and strong. But several Round 1 critical items remain unresolved, and I found two new issues that would embarrass us in a partner demo.
This is not an "almost there" situation. The core demo path (Overview to Cluster to Path Detail) works and tells a story. But the last mile -- the part that turns "interesting demo" into "Deloitte closes a deal" -- still has gaps that would require the partner to rewrite too much.
Partner Test
Can Deloitte hand this to a client tomorrow?
What works:
- Overview page (overview.png): The hero metric "769 Total Executions" with "29 Authority Paths" immediately establishes scope. The "Top Risk Clusters" section with 4 cards below gives the CISO a place to start. The verdict sentences on the cluster cards -- like "13 Paths" under "Orphaned + Sensitive" with a plain-English explanation -- are the right pattern. A partner can point at this in a meeting and say "here is your problem."
- Data Domains page (data-domains.png): This is new since Round 1 and it is the single best addition. 27 resources organized into 7 domains (Finance, Customer, HR, IT Operations, Engineering, Security, Identity) with clear sensitivity labels ("restricted", "confidential"). A partner can hand this to a CISO and say "these are the sensitive systems your automated accounts can reach." The color-coding (red for restricted, orange for confidential) works. I can see "Oncology_Patient_Histories" under Customer (restricted) and "Employee PII Store" under HR (restricted). That is the kind of specific, named data that makes a CISO sit up.
- Cluster detail pages (cluster-orphaned_sensitive.png, cluster-llm_egress.png, etc.): The verdict sentence at the top is visually dominant -- "13 autonomous paths exercised customer/finance/hr/identity/it_operations accessed authority and invoked endpoints 681 times in the last 30 days -- all under orphaned ownership." That is a sentence a partner can read aloud to a board. The tag pills below (orphaned ownership, sensitive execution) provide quick visual scanning.
- Authority Path Detail (path-active-detail.png, path-active-middle.png, path-active-bottom.png): The graph visualization showing "Agent Ascribe_Summarizer -> svc-foundry-ascribe-prod -> Billing_Payment_Methods" is clear. The risk condition tiles (Scope drift, Invalid owner, Sensitive data, LLM egress) with red/orange severity badges give immediate triage context. The "Top Risk Reducers" section replaces the old impact score bars with a sorted list -- this is correct, exactly what I asked for. Remediation items like "Assign owner and revitalize expanded scope" and "Remove role granting LLM endpoint access" are listed in priority order without numeric scores.
What they would need to rewrite:
- Remediation still uses generic terms. In path-active-middle.png, the "Top Risk Reducers" items say "Assign owner and revitalize expanded scope -- Invalid owner + Scope drift" and "Remove role granting LLM endpoint access -- Scope drift + LLM egress." These are better than Round 1 (the impact_score=0 bug is gone), but they still do not name the specific role to remove or the specific system to go to. A Deloitte consultant cannot hand this to the client's IAM team. This was the Round 1 blocker 0.1 and it is still not fixed. This is the single biggest gap for partner enablement.
- Breadcrumbs still show hash IDs. In finding-detail.png, the breadcrumb reads "Overview > Findings > eval:05d2c303428d60df3a7c9e9d61f8fae9." In entity-detail.png, it shows "Overview > Entities > 01c9ad87..." If a partner is screen-sharing with a client and navigates to a finding, the client sees a hex string in the URL bar and breadcrumb. That looks like a developer tool, not an enterprise product. This was flagged in Round 1 and is still not fixed.
- No export capability. I do not see any export buttons or PDF generation on any screenshot. The Overview, Cluster Detail, and Authority Path Detail pages -- the three pages a partner would most want to export -- have no visible export controls. Round 1 flagged "Export Report" and "Export" buttons as disabled. Now they appear to be completely absent. A partner cannot deliver a presentation without being able to extract the data.
Specific gaps:
- Remediation does not name specific objects (Round 1 item 0.1, still open)
- Breadcrumbs show hashes (Round 1 item, still open)
- No export/PDF (Round 1 item, still open)
- No compliance framework tags visible (OWASP, NIST) on any cluster card or finding
Partner readiness score: 55%. Down from Round 1's implicit 60% because the items that were identified as blockers then are still blockers now, and the passage of time makes them more urgent.
Analyst Test
Can a junior analyst use this on day one?
What works:
- Sidebar navigation (visible in all screenshots): 6 items -- Overview, Risk Clusters, Authority Paths, Identities, Data Domains, Graph Explorer. Clean, not overwhelming. An analyst knows where to start. This is a clear improvement. The sidebar does not include the orphan pages (Findings, Exposures, Entities, Execution Chains, Syncs, Temporal), which keeps the primary navigation focused.
- Authority Paths table (authority-paths.png): Shows the chain clearly -- "Agent Ascribe_Summarizer, Foundry, ascribe prod, Data -> Billing_Payment_Methods, Foundry." The columns for Data Sensitivity, Ownership, Egress, Last Seen, Executions give the analyst filtering capability. The color-coded source badges (Foundry in purple, ServiceNow in green, Entra in blue) help scan quickly. An analyst can sort by executions and start investigating the most active paths.
- Identities page (identities.png): 10 identities listed with Name, Type, Source, Status, Sensitive Domains, Last Updated. The "Sensitive Domains" column showing tags like "engineering, identity, it_operations" for svc-foundry-agent701 immediately tells the analyst which identity has the broadest reach. This page works on day one.
- Execution Chains page (chains.png): 6 chains with clear columns -- Name, Destination, Egress, Ownership, Max Sensitivity, Sensitive Domains, Entities, Last Seen. The "ServiceNow HR Sync" row showing "external" egress, "orphaned" ownership, "restricted" sensitivity, and "hr" domain immediately surfaces the highest-risk chain. An analyst can read this in 10 seconds and know where to look.
- Path Detail remediation (path-active-middle.png): The "Top Risk Reducers" as a sorted list works. An analyst can read top-to-bottom and understand priority. The ownership section below showing "Maria Lopez" as the departed owner with "Not assigned" as current assignee gives the analyst a concrete next step: find who inherited Maria's accounts.
Where they would get stuck:
- "scope_drift_sensitive" cluster is broken (cluster-scope_drift_sensitive.png): The page shows a red error banner, "Risk cluster is disabled: scope_drift_sensitive", with a Retry button. This is a live error in the demo environment. If an analyst clicks this cluster from the Overview or Risk Clusters page, they hit a dead end. A junior analyst would think the tool is broken. This is a new finding -- not present in Round 1. This must be fixed before any demo.
- Exposure detail is broken (exposure-detail.png): The page shows "Entity not found" with a red error banner when navigating to `/exposures/EXP-322c2c81`. The Exposures list page (exposures.png) renders, but clicking into a detail view fails. An analyst who discovers the Exposures page and tries to drill in hits a wall.
- Finding detail shows hex IDs in explanation (finding-detail.png): The Explanation text reads: "Authority path from workload 'Compliance Audit Exporter' to '811083c85861f79d0f25d96b' has been active for 120 days but shows 0 executions in the last 30 days." The destination is a hex ID, not a resource name. An analyst cannot act on "811083c85861f79d0f25d96b." This was flagged in Round 1 and is still present.
- Entity detail breadcrumb uses hash (entity-detail.png): The breadcrumb shows "Overview > Entities > 01c9ad87..." and the entity is "Incident Write" (a Permission from ServiceNow). The page itself is clean -- Properties tab with display name, status, scope, timestamps. But the navigation trail exposes the internal ID. Also, only the Properties tab is visible; the Graph, Timeline, Ownership, and Findings tabs are present but we cannot see their content.
- No "what changed since yesterday" anywhere. There is no visible filter, badge, or section on any page that tells the analyst what is new since their last session. This was Sergey's #7 feedback item (high priority). It is the #1 daily workflow enabler for repeat use. Still absent.
- Findings page is a flat table (findings.png): No grouping by severity, no summary strip, no chart. The filters (All severities, All types, All workloads, All statuses, All sources) are there, but the page does not guide the analyst to what matters most. The severity badges (critical in red, high in orange) help, but there is no aggregate view. The meta.bySeverity/byType data exists in the API but is not rendered.
- Temporal Comparison page is empty (temporal.png): Just a search box labeled "Entity" with placeholder "Search for an entity..." and no content. An analyst navigating here would find nothing useful. If we are not ready to ship this, hide it from navigation.
Analyst readiness score: 65%. The core path works. The broken pages and missing "what changed" filter are the blockers.
Terminology Check
Any terms that need explaining?
| Term Seen | Where | Issue | Suggested Replacement |
|---|---|---|---|
| "Authority Paths" | Sidebar, page headers, breadcrumbs | Still pending Sergey's decision on whether SIs/CISOs understand this term. Not resolved since Round 1. | Pending partner research. For now, acceptable -- but track. |
| "scope_drift_sensitive" | Breadcrumb on broken cluster page | Internal cluster ID exposed in the error message and breadcrumb. "Risk cluster is disabled: scope_drift_sensitive" is developer language. | "This risk cluster is temporarily unavailable." |
| "eval:05d2c303428d60df3a7c9e9d61f8fae9" | Finding detail breadcrumb | Raw finding ID namespace with hex hash. Not a display name. | Use finding title: "Dormant Authority" |
| "orphaned_sensitive" | Cluster detail breadcrumbs | Internal cluster key, not display name. | "Orphaned + Sensitive" (which is already the display name on the page itself) |
| "Egress" column | Authority Paths table, Execution Chains | "external", "internal", "llm", "none" -- the values are fine, but "Egress" as a column header may confuse a non-technical CISO. Analysts will understand it. | Keep "Egress" for analyst pages. In executive reports, use "External data flow." |
| "OIDC (Federated)" | Path detail, Identity binding section | Visible in path-active-bottom.png. A CISO does not know what OIDC means. An analyst might. | "Federated authentication" for executive output. Keep "OIDC (Federated)" in analyst detail. |
| "RUNS_AS" | Path detail graph edge labels | Visible in the authority path graph. Technical relationship type. | "runs as" (lowercase, plain English) or just show the arrow without a label. |
| "perm-incident-write" | Entity detail, below display name | Source ID shown alongside "Permission" and "ServiceNow" badges. Acceptable for analyst context. | No change needed -- this is analyst-appropriate detail. |
| "entra_servicenow" | Syncs page, Settings page | Connector name format. Internal engineering name. | "Microsoft Entra ID + ServiceNow" |
Jargon count: 9 flagged items. Round 1 flagged 23. Improvement, but the remaining ones are high-visibility (breadcrumbs, error messages, column headers).
Scope Check
Are we building something nobody asked for?
- Temporal Comparison page (temporal.png): Empty page with just a search box. If this is not ready, remove it from the routes. An empty page in a demo environment signals "unfinished product." Nobody asked for this yet -- Sergey deferred posture trend tracking. Cut it.
- Graph Explorer (graph.png): Present in sidebar, shows a full node-link graph with entity type filters. This is an analyst power tool. I would not demo this to a CISO -- it looks complex and the node density is high. But for analysts, it provides genuine investigation capability. Keep it, but do not include it in the demo path. The question is whether it distracts from the focused navigation. For now, it is fine in the sidebar.
- Exposures page (exposures.png): Shows workloads with finding counts, severity, and sensitive domains. This is a potentially useful analyst view -- but the detail view is broken (Entity not found). The page exists but leads to dead ends. Either fix the detail view or remove the route.
- Syncs page (syncs.png): Shows 3 completed syncs of "entra_servicenow" from March 2, 2026. Useful for admin/ops. Not for CISO or analyst. Appropriate that it is not in the sidebar -- accessible via Settings. Fine.
- Settings page (settings.png): Tenant Configuration, Recent Syncs, Platform info (v0.2 W1, 12 evaluator rules, 9 entity types). Clean admin page. The "API Key" field with placeholder "your-api-key" is marked as "optional if auth disabled." This is fine for dev. Needs cleanup before any customer deployment.
Scope verdict: Two pages should be hidden (Temporal Comparison, Exposures) until they work. The rest stays in its lane.
What I'd Cut
- Temporal Comparison page -- remove from routes entirely until it has content. An empty page is worse than no page.
- Exposure detail route -- the list page works but clicking into `/exposures/EXP-*` shows "Entity not found." Either fix it or remove the clickable links.
- Delta percentages on Overview -- I see "+838%" and similar badges on the Overview KPI cards. Round 1 flagged this as a seed data artifact, and they are still there. Without baseline context, these percentages are misleading noise. Remove them or replace with absolute counts.
- "All" tab counts in Authority Paths -- the "Active / All ownership / All findings" filter tabs at the top of the Authority Paths table add complexity. For a first demo, default to the most useful view and hide the filters. An analyst can discover them later.
What I'd Add
- Named objects in remediation -- this is not optional. The remediation item "Remove role granting LLM endpoint access" must become "Remove role `foundry_ai_executor` from `svc-foundry-agent701` in Microsoft Entra ID." The data exists in the API. This was the #1 Round 1 blocker and it is still the #1 blocker.
- Human-readable breadcrumbs -- every breadcrumb in the product that shows a hex hash or eval: prefix must display the entity's display name instead. This is a 1-session fix that transforms the perceived quality of the product.
- "What changed" indicator -- even a simple "New" badge on findings detected in the last 24 hours would transform the daily analyst workflow. Sergey called this high priority. It does not require a complex filter -- just a visual marker.
- OWASP/NIST tags on cluster cards -- the consolidated action plan lists this as low effort (Phase 1.3). The mapping is deterministic. Adding "ASI-03" or "ASI-10" tags to cluster cards gives partners an immediate compliance hook without any rewriting.
- Execution confidence labels -- the paths table should show "Execution Confirmed" vs "Standing Authority Only" (Sergey's accepted replacement for the A/B/C grades). The 30-day execution count is in the data. A plain-English label would immediately tell the analyst and the CISO how confident the finding is.
- Export button -- even a "Copy to clipboard" for the cluster verdict + remediation list would give partners something to work with while full PDF is built.
Business Framing
Here is how I would describe what this platform does to a partner or board, based on what I see in these screenshots:
"SecurityV0 mapped 10 automated identities across Microsoft Entra ID and ServiceNow. These identities execute 769 operations per month across 27 business resources in 7 data domains -- including patient records, employee PII, and financial transactions. 13 of the 29 active execution paths run under orphaned ownership -- the person who set them up has left the organization. 17 paths invoke LLM endpoints, sending data to AI services without governance controls. The platform identified where one remediation action -- assigning an owner and restricting scope on `svc-foundry-ascribe-prod` -- would reduce exposure across 5 of the 7 risk clusters."
That is the board slide. The data to build that slide exists in the platform today. The gap is that the platform does not assemble that narrative automatically. The cluster verdicts get close. The remediation list gets close. But nobody has connected the dots into a single choke-point story yet.
Delta vs Round 1
| Item | Round 1 Status | Round 2 Status | Change |
|---|---|---|---|
| Impact scores inverted/visible | CRITICAL bug | FIXED -- removed entirely (PR #89) | Resolved |
| Remediation missing object names | CRITICAL blocker | Still generic terms | No change |
| Authority path role collapsing | CRITICAL | Paths show roles in expanded view, but total-scope-across-paths not visible | Partial -- expanded rows show per-path roles but no "identity total: N roles across M paths" aggregation |
| Breadcrumbs show hash IDs | MAJOR | Still showing hashes | No change |
| Finding descriptions contain hex IDs | MAJOR | Still present in finding-detail.png | No change |
| Evidence grades (A/B/C) | MAJOR | Not present (Sergey said use plain English labels instead) | Decision made, not implemented |
| Delta percentages on Overview | Contested (pending Sergey) | Still present | No change -- decision still pending |
| Sidebar navigation | 6 orphan pages not discoverable | Sidebar is now clean with 6 main items; orphan pages accessible but not in nav | Improved -- deliberate choice to keep sidebar focused |
| Data Domains page | Not reviewed in Round 1 | NEW -- strong addition, 7 domains, 27 resources, sensitivity labels | New win |
| Execution Chains page | Not reviewed in Round 1 | NEW -- clean table, useful analyst view | New win |
| scope_drift_sensitive cluster | Working in Round 1 | BROKEN -- "Risk cluster is disabled" error | Regression |
| Exposure detail | Working in Round 1 | BROKEN -- "Entity not found" error | Regression |
| Cluster verdict sentences | Working | Still working, visually dominant | Maintained |
| Path detail graph | Working | Still working, clear 3-node visualization | Maintained |
| Risk condition tiles | Working | Still working, severity badges clear | Maintained |
| "Top Risk Reducers" (was impact scores) | Broken (inverted bars) | Sorted list, no scores | Fixed |
Net assessment: 2 items fully resolved (impact scores, risk reducer display). 2 new wins (Data Domains, Execution Chains). 2 regressions (broken cluster, broken exposure detail). 4 Round 1 blockers still open (remediation names, breadcrumbs, finding hex IDs, evidence labels). This is net-neutral to slightly positive.
Scoring: Sergey's 28 Feedback Items
Mapping against the 28 items from the feedback tracker, based on what I can observe in the screenshots:
| # | Item | Observable Status | Accepted? |
|---|---|---|---|
| 1 | North star: CISO/SI pull data into presentations | Cluster verdicts are strong; no export capability | Partial -- YES for content, NO for delivery |
| 2 | Business impact context for finding triage | Not visible in finding detail | NO |
| 3 | Remediation shows impact of both risk and fix | Risk reducers list shows risk tags per item; no fix-impact framing | Partial |
| 4 | Digest executive summary with business framing | No digest visible | NO (deferred) |
| 5 | Show top absolute risks, not just per-cluster | Overview shows 4 cluster cards; no global top-3 risk ranking | NO |
| 6 | Absolute vs per-cluster ranking | Not implemented | PENDING DECISION |
| 7 | Day-1 analyst productivity / Wiz-like simplicity | Sidebar is clean; path table is scannable; no "what changed" | Partial |
| 8 | Research Wiz UX patterns | Not observable from screenshots | N/A (process item) |
| 9 | WOW effect for CISO without 3 clicks | Overview -> Cluster card verdict is 1 click. Data Domains page is 1 click. | YES |
| 10 | Compare posture changes to Wiz | Deferred | DEFERRED |
| 11 | Challenge "authority path" terminology | Still used throughout | PENDING DECISION |
| 12 | Plain English labels instead of ABC grades | Not implemented -- no confidence labels visible | NO |
| 13 | Define "evidence pack" | Not visible in UI | PENDING DECISION |
| 14 | Remove impact scores | DONE -- no score bars visible anywhere | YES |
| 15 | Atomic, clear, non-repetitive remediation actions | Risk reducers list is sorted, no repetition visible in path detail | YES |
| 16 | Business-impact caveat on remediation | Not visible | NO |
| 17 | Remediation emphasizes drift/change, not static access | Risk reducer tags show "Scope drift" but no narrative about change vs static | Partial |
| 18 | Create Ticket / ServiceNow integration | Not visible | NO |
| 19 | WHO to send ticket to (ownership inheritance) | Deferred | DEFERRED |
| 20 | Drop effort/cost estimates if unreliable | No effort estimates visible | YES (by absence) |
| 21 | Channel repackages on own paper; executive output critical | No export; cluster verdicts are strong content | Partial |
| 22 | Markdown format fine for now | No report output visible | N/A |
| 23 | Updated assessment report cover template | No report visible | N/A |
| 24 | Responsible role in CISO handout | Not visible | NO |
| 25 | Don't push operational details where they don't belong | Cluster view stays at cluster level; path details stay in path view | YES |
| 26 | Don't turn into telemetry product (838% delta) | Delta badges still present on Overview | NO -- still showing telemetry-style deltas |
| 27 | Hold on last-refresh changes | No last-refresh changes visible | YES (held) |
| 28 | Risk-reduction tracking -- research first | No trend chart visible | DEFERRED |
Tally:
| Status | Count |
|---|---|
| YES (accepted/done) | 6 |
| Partial (progress but incomplete) | 5 |
| NO (not done) | 9 |
| DEFERRED (correctly deferred) | 3 |
| PENDING DECISION | 3 |
| N/A (not observable / process item) | 2 |
| Total | 28 |
Acceptance rate: 6 full + 5 partial = 8.5/28 if partial counts as half. Round to 9/28 (32%) by strict count, or 19/28 (68%) if we include partials and deferred-as-correct.
Using the original Round 1 methodology (where 18/28 were accepted, meaning items that were DONE, accepted, or correctly deferred): 6 YES + 3 DEFERRED = 9 fully accepted. Adding items where partial progress is visible but the acceptance criterion is met in spirit: 9 + 5 partial = approximately 19/28 (68%).
This is a marginal improvement from Round 1's 64%, not the 86% target.
Decision
Ship decision: YES WITH CHANGES -- conditional on 4 fixes before next partner demo.
The platform tells a real story. The Overview to Cluster to Path Detail flow works. The Data Domains page is a genuine competitive strength. The evidence engine underneath is solid. But I would not put a partner in front of a Fortune 500 CISO with this build because of these 4 items:
Must Fix Before Demo (Blocking)
- Fix broken cluster page. "scope_drift_sensitive" shows an error. This is a regression. A broken page in a 7-cluster product is unacceptable. (New finding, 1 session to fix.)
- Name the objects in remediation. "Remove role granting LLM endpoint access" must become "Remove role `foundry_ai_executor` from `svc-foundry-agent701` in Microsoft Entra ID." The entity context data exists. Pass it through. This is Round 1 item 0.1, still the #1 blocker. (Phase 0.1 from consolidated plan, 2-3 sessions.)
- Fix breadcrumbs. Replace all hash IDs in breadcrumbs with display names. Finding "eval:05d2c3..." becomes "Dormant Authority." Entity "01c9ad87..." becomes "Incident Write." Cluster "orphaned_sensitive" becomes "Orphaned + Sensitive." (Phase 2.3 from consolidated plan, 1 session.)
- Fix or hide broken detail pages. Exposure detail shows "Entity not found." Either fix the data lookup or remove the clickable links from the Exposures list. Similarly, hide the Temporal Comparison route. (1 session.)
Should Fix This Sprint (Important)
- Add execution confidence labels ("Execution Confirmed" / "Standing Authority Only") to authority path rows.
- Add OWASP ASI tags to cluster cards (deterministic mapping, low effort).
- Remove delta percentage badges from Overview KPI cards or replace with absolute counts.
- Fix finding description hex IDs -- replace entity IDs in `deterministic_explanation` text with display names.
Defer (Correct to Hold)
- Report generator / PDF export (next sprint, Phase 4)
- "What changed since yesterday" filter (important but needs API work)
- Create Ticket / ServiceNow integration
- Ownership inheritance logic
- Posture trend chart
Bottom line: Four sessions of focused work on the 4 blocking items would move this from "good demo" to "partner-ready demo." The story is there. The data is there. The last mile of presentation quality is what separates a product that impresses from a product that closes.