
UX & Information Architecture Review — Round 2


Overall Grade: B

Incremental improvement from B- (Round 1). The platform has gained a seventh risk cluster, the cluster detail pages now show a cleaner table-first layout with expanded path rows, and several navigation improvements are visible (breadcrumbs now show "Risk Clusters" instead of raw URL segments on cluster pages, the Findings page is now accessible in the sidebar area). However, three critical regressions have appeared: the Exposure Detail page returns "Entity not found" (completely broken), one cluster detail page (scope_drift_sensitive) shows "Risk cluster is disabled" with a raw internal key, and the Finding Detail breadcrumb still shows a raw eval:05d2c303... hash. The target of A- with 5 or fewer jargon terms is not met.


Information Hierarchy

| Page | Primary Message | Clear? | Issues |
|---|---|---|---|
| Overview | "Here is your observed autonomous execution activity and where the risk clusters are" | PARTIALLY | Title "Observed Autonomous Execution (30d)" is good. Two hero KPI cards (769 executions, 29 paths) remain dominant. Four secondary stat cards still compete: "5 Active Autonomous", "2 Dormant Authority", "7 Autonomous", "3 Operator-Assisted" — these are still inventory counts, not business metrics. Delta badges still present (green/red arrows visible on KPIs). Top Risk Clusters section shows 4 cards below the fold. |
| Risk Clusters List | "These are your risk clusters ranked by priority" | YES | 7 cluster cards with priority badges (critical/high). Verdict sentences visible as secondary text. Cards have "view paths" links. Improved from Round 1 — now 7 clusters versus 6. |
| Risk Cluster Detail (all 7) | "This cluster's paths, findings, and governance conditions" | PARTIALLY | Layout has changed significantly from Round 1. The Sections A-D Exposure Brief structure from Round 1 is GONE. Cluster detail now shows a header with cluster label + description + badge pills (finding types, ownership status), followed directly by an authority paths table. No narrative Section A, no Governance Checklist Section C, no Remediation Guidance Section D. This is a regression from the best CISO page in Round 1 to a flat analyst table. |
| Authority Paths List | "All authority paths with filtering" | YES | Clean table with filters (All ownership, All Findings, All egress). Columns: Authority Path, Data, Sensitivity, Last Exec, Cost Days, Findings. Path labels show chain (workload -> identity -> destination). Well-structured analyst page. |
| Authority Path Detail | "This specific path's execution evidence, risk conditions, and remediation" | YES | Graph-first layout preserved. Execution-derived authority path visualization at top. Active risk conditions displayed as colored tiles below. "Top Risk Reducers" section with actionable remediation items. Ownership section shows actual names ("Maria Lopez" as departed owner). Automation metadata and Identity binding sections visible on scroll. Strong page. |
| Exposures List | "Workloads with active findings" | PARTIALLY | Now shows a table with Workload, Findings, Severity, Sources columns. Some rows have finding count badges. The "Binding" column from Round 1 appears removed — improvement. But still no summary bar or severity distribution at top. |
| Exposure Detail | N/A — BROKEN | NO | Returns "Entity not found" error with a Retry button. The breadcrumb shows Overview > Exposures > EXP-322c2c81 — a synthetic ID, not a display name. This page is completely non-functional. |
| Findings List | "All findings in a flat table" | PARTIALLY | Now shows filters (severity, type, workload, source). Table has Severity, Type, Workload, Description, Source columns. Descriptions contain actual entity names (e.g., "Authority path from workload 'Compliance Audit Exporter' to '811....'"). Still a flat table with no summary strip — no severity distribution chart or grouping. Some descriptions still contain raw hex IDs. |
| Finding Detail | "Deep dive on a single finding" | PARTIALLY | Shows finding type "Dormant Authority" with severity/status badges. Explanation text uses actual workload names but still references a raw hex destination ID ("811083c85861f79d0f25d96b"). Recommended Actions section with prioritized items (Immediate/Short-term/Ongoing). Evidence Completeness section. But breadcrumb shows raw eval:05d2c303428d60df3a7c9e9d61f8fae9 — unreadable. |
| Data Domains | "Business data classification and resources" | YES | Best CISO-intuitive page — unchanged and still strong. 7 domain cards (Finance, Customer, HR, IT Operations, Engineering, Security, Identity) with sensitivity badges (restricted/confidential), resource counts, and resource names listed. 27 total resources. Color-coded cards create natural visual grouping. |
| Identities | "Service identities in the environment" | YES | Clean table with 10 identities. Columns: Name, Type, Source, Status, Sensitive Domains, Last Updated. Source badges (ServiceNow, Entra) are clear. "Sensitive Domains" column shows which domains each identity touches — this is a new and useful addition. |
| Execution Chains List | "Cross-system execution chains" | PARTIALLY | 6 chains shown. Columns: Name, Destination, Egress, Ownership, Max Sensitivity, Sensitive Domains, Entities, Last Seen. Egress badges (external, internal, llm) use color coding. "Ownership" column shows "owned", "ambiguous", "orphaned" — still uses mixed terminology. |
| Execution Chain Detail | "A single chain's structure and entities" | YES | Shows "Compliance Audit Exporter" with chain summary (target, egress category, source), a "Cross-Source & Permission" section, and Chain Entities table with entity types, names, and "View Details" links. Clean progressive disclosure. |
| Graph Explorer | "Visual graph of all entities and relationships" | NO (for CISO) | Analyst tool. Shows a left sidebar with Presets ("Risk Paths" visible) and Entity Types filters. Main canvas renders a large node graph. All entity types visible: Identity, Workload, Role, Permission, Resource, Connection, Execution Evidence. Still appears overwhelming at default zoom — all ~100+ nodes rendered simultaneously. |
| Entities List | "All entities in the environment" | YES | Table with Name, Type, Source, Relationships, Synced At columns. Type badges color-coded (Resource, Permission, Workload, etc.). Good analyst reference page. |
| Settings | "Tenant configuration" | YES | Clean. Shows Tenant ID, API Key, Recent Syncs (3 completed entra_servicenow syncs), and Platform info (v0.2 W1, 12 Evaluator Rules, 9 Entity Types). |
| Syncs | "Sync history" | YES | Clean table: Connector, Status, Started, Duration, Entities, Events. All 3 syncs show "completed" with entity/event counts. |
| Temporal Comparison | "Compare entity snapshots over time" | NO | Nearly empty page. Just an "Entity" search box with no pre-populated data. Provides no value without user interaction, and no guidance on what entities to compare or why. |

Mental model alignment: WEAK (unchanged from Round 1)

Sidebar navigation items (6 items, same as Round 1):

  • Overview
  • Risk Clusters
  • Authority Paths
  • Identities
  • Data Domains
  • Graph Explorer

Still missing from sidebar but accessible via routes (6 orphan pages, same as Round 1):

  • Findings (/findings)
  • Exposures (/exposures)
  • Entities (/entities)
  • Execution Chains (/chains)
  • Syncs (/syncs)
  • Temporal Compare (/temporal)

The consolidated action plan placed "Navigation Orphans" in Phase 5.3 (Following Sprint). This means 6 pages remain discoverable only by direct URL or by links within other pages. This was the #5 priority recommendation in Round 1 and has not been addressed.

Dead ends found:

  1. Exposure Detail is completely broken. Navigating to /exposures/EXP-322c2c81 shows "Entity not found" with a Retry button. This is a data regression — the page route exists but the entity cannot be resolved. A user clicking into any exposure from the Exposures list would hit a dead end.

  2. Scope Drift Sensitive cluster is disabled. Navigating to /clusters/scope_drift_sensitive shows a red error: "Risk cluster is disabled: scope_drift_sensitive" with a Retry button. The raw internal key scope_drift_sensitive is exposed in the error message instead of a human-readable label. Yet this cluster still appears on the Risk Clusters list page (visible as a card) — so a user can click a card that leads to an error.

  3. Finding Detail breadcrumb shows raw hash. The breadcrumb reads Overview > Findings > eval:05d2c303428d60df3a7c9e9d61f8fae9 — completely unreadable. Round 1 flagged this exact issue for entity details; it persists and also affects finding details.

  4. Entity Detail breadcrumb still shows truncated hash. The breadcrumb reads Overview > Entities > 01c9ad87... — the same hash truncation problem flagged in Round 1. The page title shows "Incident Write" (the display name), proving the data is available but the breadcrumb does not use it.

  5. No return path from Path Detail to parent cluster. Still no breadcrumb trail connecting a path detail page to the cluster(s) it belongs to. The breadcrumb shows Overview > Authority Paths > {backstack} — the word "backstack" is visible as literal text in one breadcrumb, which appears to be a bug (placeholder text rendered).

  6. Findings, Exposures, Chains, Entities pages have no sidebar highlight. When viewing these pages, no sidebar item is highlighted/active, leaving the user without a "you are here" indicator.

| Page | Breadcrumb Shown | Correct? | Issue |
|---|---|---|---|
| Settings | Overview > Settings | YES | Clean |
| Syncs | Overview > Syncs | YES | Clean |
| Temporal | Overview > Temporal Compare | YES | Clean |
| Cluster Detail (orphaned_sensitive) | Overview > Risk Clusters > orphaned_sensitive | PARTIAL | Shows internal key, not label "Orphaned + Sensitive" |
| Cluster Detail (scope_drift_sensitive) | Overview > Risk Clusters > scope_drift_sensitive | NO | Shows internal key + error page |
| Finding Detail | Overview > Findings > eval:05d2c303428d60df3a7c9e9d61f8fae9 | NO | Full raw eval hash visible |
| Entity Detail | Overview > Entities > 01c9ad87... | NO | Truncated hash instead of display name |
| Exposure Detail | Overview > Exposures > EXP-322c2c81 | NO | Synthetic ID + page is broken |
| Chain Detail | Overview > Execution Chains > faf220d6... | PARTIAL | Truncated hash, but page title shows "Compliance Audit Exporter" |
| Authority Path Detail | Overview > Authority Paths > {hash/backstack} | NO | Appears to show "backstack" text or hash |

  • Data Domains -> Authority Paths: no link showing which paths reach a domain
  • Identities -> Authority Paths: no link showing which paths use an identity
  • Cluster Detail -> related clusters: no cross-links between overlapping clusters

Label Audit

Jargon count: 19 terms requiring domain knowledge

Improved from 23 (Round 1) to 19. The reduction comes primarily from the removal of the Exposure Brief's governance checklist (which had multiple jargon terms) and the simplification of cluster detail pages. However, the core terminology issues remain.

| # | Term | Where Visible | Problem | Suggested Replacement |
|---|---|---|---|---|
| 1 | Authority Path | Sidebar, Overview, cluster pages, path pages | Core concept, never defined for new users | Keep but add tooltip on first encounter |
| 2 | Risk Cluster | Sidebar, Overview, cluster pages | Acceptable for security audience | Keep |
| 3 | Egress / egress category | Cluster cards, chain table, badges ("external", "internal", "llm") | Network jargon — "egress" means nothing to a CISO | "Data destination type" |
| 4 | Dormant Authority | Overview stat card, finding type | What timeframe makes something "dormant"? | "Unused access (90+ days)" |
| 5 | Scope Drift | Finding type badge, cluster name | Security jargon | "Permission expansion" |
| 6 | Orphaned (ownership) | Cluster names, badges, finding types | Used interchangeably with "no active owner" | Standardize to "No active owner" |
| 7 | identity_binding | Finding type, path detail | Deep IAM jargon | "Authentication method" |
| 8 | Operator-Assisted | Overview stat card | Unclear contrast with "Autonomous" | "Requires human session" |
| 9 | Active Autonomous | Overview stat card | The tiny "Identities" subtext is the only context | "Active Autonomous Identities" |
| 10 | execution_mode | Path detail metadata | Technical field name exposed | "How it runs" |
| 11 | evidence_completeness | Finding detail section | What does "completeness" mean here? | "Evidence coverage" |
| 12 | normalized action | Entity detail property | Internal data model term exposed to UI | "Action type" |
| 13 | perm-incident-write | Entity detail subtitle | Raw source ID visible next to display name | Hide or label as "Source ID" |
| 14 | eval: prefix | Finding detail breadcrumb, finding IDs | Internal namespace prefix exposed | Strip from display |
| 15 | entra_servicenow | Settings, Syncs pages | Connector ID, not human-readable | "Microsoft Entra + ServiceNow" |
| 16 | Unbound | Exposures badges (if still present), cluster names | IAM jargon | "No linked identity" |
| 17 | reachable_sensitive_domain | Finding types in filter | Snake_case internal type exposed | "Accesses sensitive data" |
| 18 | blast_radius_domains | Not visible in UI (correctly mapped to "Sensitive Domains") | N/A — good label | Keep current UI label |
| 19 | Ambiguous (ownership) | Chains table | What makes ownership "ambiguous"? | "Multiple or conflicting owners" |

Improvement from Round 1:

Removed from jargon list (no longer visible or resolved):

  • RG1/RG2/RG3/RG4/RG5 (legacy Dashboard appears removed from routes)
  • ownership_degraded (not visible in current screenshots)
  • privilege_justification_gap (not visible)
  • unproven_execution (not visible)

Inconsistencies (same concept, different names — still present):

| Concept | Name in Place A | Name in Place B | Name in Place C |
|---|---|---|---|
| Ownership "invalid" | "orphaned" (cluster badge) | "No active owner" (cluster description) | "orphaned" (chains table) |
| Execution count timeframe | "Observed Executions (30d)" (Overview) | "Last Exec" (authority paths table) | "Cost Days" (authority paths column — unclear what this measures) |
| Person who built automation | "Maria Lopez" (path detail Ownership) | "Owner" (generic) | Not shown on cluster cards |
| Finding severity scale | "critical/high" (cluster badges) | "high/active" (finding detail badges) | Severity column in findings table uses icons only |

New inconsistency found:

"Cost Days" column on the Authority Paths table is a new term not seen in Round 1. It appears alongside "Last Exec" but its meaning is unexplained. Is it "days since last execution"? "Cost in compute-days"? "Days the authority has been active"? This is a significant jargon addition.

Worst offenders:

  1. eval:05d2c303428d60df3a7c9e9d61f8fae9 in Finding Detail breadcrumb. This is the single worst user-facing string in the platform. A 40-character hex hash with an "eval:" prefix in the navigation bar. The consolidated action plan (Phase 2.3) flagged breadcrumbs — still unfixed.

  2. "Cost Days" column. Completely opaque new term with no tooltip, no explanation, and no correspondence to any concept in the product specs or the consolidated action plan.

  3. "scope_drift_sensitive" as error message text. The disabled cluster error shows the raw internal key. This is an internal identifier leaking into user-facing text.


Data Presentation Issues

[UX1] Cluster Detail Pages Lost the Exposure Brief Structure

  • Page: All Risk Cluster Detail pages (/clusters/{key})
  • Problem: Round 1's strongest CISO page — the Sections A-D Exposure Brief with narrative (A), Exposure Grid (B), Governance Checklist (C), and Remediation Guidance (D) — has been replaced by a flat table layout. The cluster detail now shows a header with cluster label, description, finding type pills, and a stat line ("13 paths, 681 executions / 30d, 13 lack valid ownership"), followed directly by an authority paths table. There is no narrative synthesis, no governance checklist, no remediation section.
  • Impact: This is the most significant regression from Round 1. The Exposure Brief was the single best implementation of the "So what?" principle — a CISO could understand the cluster's business risk in 5 seconds. The current table-first layout forces the CISO to mentally aggregate path data to understand the risk. The verdict sentences that were the highlight of Round 1 are reduced to a one-line description under the cluster name.
  • Fix: Restore the Sections A-D structure. The current table can serve as Section B (the expanded paths view). Add back Section A (narrative with verdict sentence as headline), Section C (governance conditions), and Section D (top remediation actions). The consolidated action plan's Phase 1.4 (Fix Governance Checklist) and Phase 0.1 (Remediation names) both depend on this structure existing.

[UX2] Exposure Detail Page Returns "Entity not found"

  • Page: Exposure Detail (/exposures/EXP-322c2c81)
  • Problem: The page shows "Entity not found" with a Retry button. This is either a data seed issue (the entity ID does not resolve) or a routing issue (the EXP- prefix format is not handled by the API). The breadcrumb shows the synthetic ID, not a workload name.
  • Impact: Every link from the Exposures list to a detail page is broken. The Exposures feature is effectively non-functional for drill-down. A user who reaches this page has no information and no recovery path except the browser back button.
  • Fix: Fix the entity resolution for EXP- prefixed IDs, or if the Exposures model has changed, update the list page to link to the correct entity detail route. At minimum, the error should say "This exposure could not be loaded" with a link back to the Exposures list — not just "Entity not found" with a Retry that will fail again.

[UX3] Disabled Cluster Exposes Internal Key in Error

  • Page: Risk Cluster Detail (/clusters/scope_drift_sensitive)
  • Problem: The page shows "Risk cluster is disabled: scope_drift_sensitive" in a red error banner. The internal cluster key is exposed as-is. The cluster is still listed on the Risk Clusters index page — there is no indication it is disabled until the user clicks through.
  • Impact: A user sees a cluster card on the list, clicks it, and hits an error. The error text uses a snake_case internal identifier that means nothing to them. This breaks the progressive disclosure flow and erodes trust.
  • Fix: Either (a) hide disabled clusters from the list page entirely, or (b) show them with a "disabled" badge on the list and display a user-friendly explanation on the detail page: "This risk pattern is not currently assessed for your environment." Never expose internal keys in user-facing error messages.

[UX4] Finding Detail Still Contains Raw Hex IDs in Description Text

  • Page: Finding Detail (/findings/eval:...)
  • Problem: The explanation text reads: "Authority path from workload 'Compliance Audit Exporter' to '811083c85861f79d0f25d96b' has been active for 120 days..." The destination is a raw hex entity ID instead of its display name. The consolidated action plan flagged this as Phase 2.4 — still unfixed.
  • Impact: The workload name is resolved ("Compliance Audit Exporter") but the destination is not. This inconsistency is jarring — half the sentence is human-readable, half is not. A CISO cannot assess the risk without knowing what "811083c..." refers to.
  • Fix: Resolve the destination entity ID to its display name in the finding description text. The entity display name exists in the system (it resolves on entity detail pages) — it just is not being used in the finding description template.

[UX5] Overview Secondary Stat Cards Still Show Inventory Counts

  • Page: Overview
  • Problem: The four secondary stat cards still read "5 Active Autonomous", "2 Dormant Authority", "7 Autonomous", "3 Operator-Assisted" with tiny subtext for "Identities" and "Workloads". This is the same issue flagged in Round 1 (UX9). The consolidated action plan Phase 1.6 prescribed replacing these with business metrics: "Sensitive Domains Reached: 6", "Departed Owners Unresolved: 2", "LLM Endpoints Invoked: 3." Not implemented.
  • Impact: These cards dilute the hero message. The distinction between "Active Autonomous" identities (5) and "Autonomous" workloads (7) requires understanding the identity vs. workload data model — this is not a CISO metric.
  • Fix: Replace with the business metrics from Phase 1.6, or collapse into a single subordinate "Environment Summary" row.

[UX6] Delta Badges Still Present on Overview KPIs

  • Page: Overview
  • Problem: The two hero KPI cards still show delta badges (green/red arrows with percentage change visible). Round 1 flagged this as UX1 and Priority Recommendation #2. The consolidated action plan listed it as Pending Decision #1 (Sergey). It appears no decision has been made or implemented.
  • Impact: Without baseline context, the deltas are noise. If the +838% execution increase from Round 1 is still showing, it remains visually alarming and uninterpretable.
  • Fix: Pending Sergey's decision. If deltas stay, they need baseline context ("vs. previous 30d window"). If removed, remove the DeltaBadge component from Overview KPIs.

[UX7] Findings Page Still Has No Summary Strip

  • Page: Findings List
  • Problem: Still a flat table with filters but no severity distribution chart, no grouping by type, no summary sentence. Same issue as Round 1 (UX6). Consolidated action plan placed this in Phase 5.1 — dependent on Phase 3.4 (fix meta.bySeverity scoping). Not yet addressed.
  • Impact: A CISO landing on this page must mentally count: how many critical findings? What types dominate? The filters help narrow results but do not provide an at-a-glance summary.
  • Fix: Add a summary strip above the table: severity distribution bar + type count chips. Blocked by Phase 3.4 per the action plan.

[UX8] "Backstack" Text Appears in Path Detail Breadcrumb

  • Page: Authority Path Detail (visible in path-active and path-edge screenshots)
  • Problem: The breadcrumb area shows what appears to be the literal word "backstack" as a breadcrumb segment, likely a placeholder or debug text that was not removed.
  • Impact: Low severity but damages polish perception. Any placeholder text in navigation harms trust.
  • Fix: Replace with the path's display chain or a "Back to Authority Paths" link.

What Works

These patterns are well-executed and should be preserved:

  1. Authority Path Detail page remains the strongest page. The graph-first layout with the execution-derived authority path visualization (workload -> identity -> destination with via_roles labeled on the edges) is immediately comprehensible. Risk condition tiles below the graph (Scope drift, Invalid owner, Sensitive data, LLM egress) use color-coded severity and show "Since Xd" for urgency. The "Top Risk Reducers" section provides prioritized, actionable remediation items. Ownership now shows actual names ("Maria Lopez" as departed owner, "Not assigned" with clear status).

  2. Data Domains page is consistently the best CISO page. The card layout with sensitivity badges (restricted in red, confidential in yellow), resource counts as large numbers, and resource names listed below creates an intuitive mental model. A CISO can scan 7 cards and immediately understand what data categories exist and their classification levels. 27 resources across 7 domains is the right density.

  3. Identities table gained a "Sensitive Domains" column. This is a new improvement — each identity row now shows which sensitive domains it touches (e.g., "engineering, identity, it_operations" for svc-foundry-agent701). This addresses the Round 1 recommendation for cross-linking identities to domains, albeit in column form rather than as clickable links. It answers "which identities touch sensitive data?" at a glance.

  4. Risk Clusters list page cards with verdict sentences. The cluster cards show cluster label (e.g., "Orphaned + Sensitive"), a path count ("13 Paths"), and a one-line verdict sentence describing the cluster's risk. Priority badges (critical/high) provide clear severity ordering. The "view paths" link provides a clear call to action.

  5. Execution Chains page is well-structured. Clean table with meaningful columns (Name, Destination, Egress, Ownership, Max Sensitivity, Sensitive Domains, Entities, Last Seen). The chain detail page shows a logical progressive disclosure: chain summary at top, then cross-source permissions, then entity list with "View Details" links.

  6. Settings page is clean and informative. Shows platform version (v0.2 W1), evaluator rule count (12), entity type count (9), recent sync history. No jargon, no unnecessary complexity.

  7. Authority Paths table shows expanded path labels. Each row displays the full chain (workload -> identity -> destination) with source system badges inline. Sensitivity and finding type badges provide at-a-glance risk assessment. The filter controls (All ownership, All Findings, All egress) are standard and intuitive.

  8. Path Detail Remediation uses real entity names. The "Top Risk Reducers" section shows actions like "Assign owner and revitalize expanded scope" with entity references. The Ownership section shows "Maria Lopez" as the actual departed owner name — this was a Phase 0.1 improvement from the action plan.


Priority Recommendations

1. Restore Cluster Detail Exposure Brief structure (Sections A-D) — affects CISO comprehension

The most impactful regression from Round 1. The Exposure Brief was the single best CISO page. The current flat table layout forces analysts to do the synthesis that the product should provide. This is not a "nice to have" — it is the core value proposition for the CISO audience. The narrative (Section A), governance checklist (Section C), and remediation guidance (Section D) must be restored around the existing paths table (which can serve as Section B). Without this structure, the platform fails the "So what?" test for its primary audience on the most important page.

2. Fix broken Exposure Detail and disabled Cluster Detail — affects all user workflows

Two pages return errors that a demo user will encounter. The Exposure Detail "Entity not found" breaks the Exposures feature entirely. The scope_drift_sensitive "Risk cluster is disabled" exposes an internal key and breaks the cluster drill-down flow. These are demo blockers that erode trust in data quality. Fix the entity resolution for exposures and either hide disabled clusters from the list or show a human-readable explanation.

3. Fix breadcrumbs on Finding Detail and Entity Detail pages — affects wayfinding

The eval:05d2c303428d60df3a7c9e9d61f8fae9 breadcrumb on Finding Detail is the worst user-facing string in the platform. The 01c9ad87... truncated hash on Entity Detail was flagged in Round 1. Both pages have display names available (the page titles resolve correctly) but the breadcrumb component does not use them. This is Phase 2.3 in the consolidated action plan and should be low effort — the data is already loaded.


Delta vs Round 1

Improvements (Round 1 -> Round 2):

| Area | Round 1 | Round 2 | Status |
|---|---|---|---|
| Risk cluster count | 6 clusters | 7 clusters (scope_drift_sensitive added but disabled) | Partial |
| Identities: Sensitive Domains column | Missing | Present — shows which domains each identity touches | FIXED |
| Legacy Dashboard | Existed at /dashboard with RG1-RG5 jargon | Not visible in sidebar or screenshots — appears removed | FIXED |
| Path Detail ownership | Generic placeholder text | Shows actual names ("Maria Lopez"), real departed owner status | FIXED |
| Impact scores | Visible with 0-value bars | Removed (PR #89 per action plan Phase 0.3) — not visible anywhere | FIXED |
| Cluster card labels | Functional labels existed | Still present, consistent ("Orphaned + Sensitive", "LLM Egress", etc.) | Maintained |
| Execution Chains | Table existed but sparse | Richer with Egress/Ownership/Max Sensitivity columns | Improved |

Regressions (Round 1 -> Round 2):

| Area | Round 1 | Round 2 | Severity |
|---|---|---|---|
| Cluster Detail: Exposure Brief (A/B/C/D) | Full Sections A-D with narrative, governance, remediation | Flat table only — no narrative, no governance checklist, no remediation | CRITICAL |
| Exposure Detail page | Functional (described as "strong evidence presentation" in R1) | Completely broken — "Entity not found" | CRITICAL |
| scope_drift_sensitive cluster | Did not exist | Exists but disabled, showing raw internal key in error | HIGH |
| "Backstack" in breadcrumb | Not present | Placeholder text visible in path detail breadcrumb | MEDIUM |

Unchanged from Round 1 (not yet addressed):

| Issue | Round 1 Reference | Action Plan Reference | Status |
|---|---|---|---|
| 6 orphan pages not in sidebar | Nav finding #5 | Phase 5.3 | NOT STARTED |
| Breadcrumbs show hash IDs | Nav finding #4 | Phase 2.3 | NOT STARTED |
| Findings page no summary strip | UX6 | Phase 5.1 (blocked by 3.4) | NOT STARTED |
| Secondary stat cards: inventory not business metrics | UX9 | Phase 1.6 | NOT STARTED |
| Delta badges on Overview KPIs | UX1 | Pending Decision #1 | NOT STARTED |
| Data Domains -> Authority Paths cross-link | Missing cross-link | Not in plan | NOT STARTED |
| Finding descriptions contain hex IDs | Phase 2.4 | Phase 2.4 | NOT STARTED |
| Cluster breadcrumbs show internal keys | Nav finding | Phase 2.3 | NOT STARTED |
| OWASP/business relevance tags | UX8 | Phase 1.3 | NOT STARTED |
| "Cost Days" column unexplained | NEW | Not in plan | NEW ISSUE |

Score tracking:

| Metric | Round 1 Baseline | Round 2 Actual | Target |
|---|---|---|---|
| Overall Grade | B- | B | A- |
| Jargon terms | 23 | 19 | 5 or fewer |
| Broken pages | 0 | 2 (Exposure Detail, scope_drift_sensitive cluster) | 0 |
| Orphan pages (not in sidebar) | 6 | 6 | 0 |
| Breadcrumbs with hash IDs | Entity Detail noted | Finding Detail + Entity Detail + Chain Detail confirmed | 0 |

Summary Assessment:

The grade moves from B- to B, reflecting the legitimate improvements (legacy Dashboard removed, impact scores removed, path detail ownership resolved, identities enriched with sensitive domains). However, the loss of the Exposure Brief structure on cluster detail pages is a significant regression that prevents further progress toward A-. The two broken pages (Exposure Detail, disabled cluster) are demo blockers. The jargon count improved from 23 to 19 but remains far from the target of 5 or fewer — the core terminology standardization work (Phase 5.6 in the action plan) has not started.

The path from B to A- requires: (1) restore the Exposure Brief sections on cluster detail, (2) fix the two broken pages, (3) fix breadcrumbs across all detail pages, and (4) complete the terminology standardization. Items 1-3 are achievable in a focused sprint. Item 4 is a longer effort but could reach the target of 5 or fewer jargon terms if the worst offenders (egress, dormant authority, scope drift, identity binding, operator-assisted) are replaced with plain-English equivalents.