W1 — Agentic AI Exposure Discovery & Assessment (Definition)
Implementation status: Spec complete. Implementation planned — see W1 unified implementation plan. Entity type renamed to workload (ADR-010).
W1 Positioning
W1 is the first wedge for SecurityV0: make autonomous execution risk visible, fast, and evidence-backed.
W1 = Land.
It answers, with proof: “Where does autonomous execution exist, what can it touch, and where can it send data?”
W1 is designed to work even when programs are immature: unclear ownership, fragmented tooling, incomplete documentation, and “green dashboards” that don’t translate into confidence.
One-paragraph definition
Agentic AI Exposure Discovery & Assessment is the deterministic identification and evidence-backed explanation of autonomous execution surfaces (automations and AI agent actions), the identities they run as, the data domains they can reach, and the egress destinations they can transmit to — so a CISO can rapidly understand unknown execution paths, prioritize the highest-risk cases, and communicate the risk clearly to leadership.
What problem it solves for CISOs
CISOs are facing a new class of risk: autonomous execution expands blast radius faster than traditional identity and access reviews can keep up with.
W1 solves four practical problems:
- Unknowns: “I don’t know what automations and AI-connected workflows exist.”
- So-what: “I can’t tie execution to sensitive business data in a way I trust.”
- Boundary loss: “I can’t tell what is leaving the enterprise boundary or going to LLMs.”
- Leadership gap: “I can’t explain the risk and priority of fixes without credible evidence.”
Target persona
Primary buyer / sponsor: Enterprise CISO
Primary daily user: Security Operations / GRC leader tasked with assessment and reporting
Environment focus: Enterprises with enterprise workflow automation + enterprise identity + AI agent surfaces (e.g., ServiceNow + Entra + AI agents), where ownership and governance are distributed.
What they are worried about
- Autonomous workflows running under powerful identities without clear accountability
- Sensitive data reachability through indirect execution paths (not obvious in app-level dashboards)
- LLM or external egress that turns a local compromise into broad data exposure
- “Shadow automation” created by teams outside centralized security review
- Orphaned / decaying ownership where no one reviews changes or intent
Core jobs (6)
1) Discover autonomous execution
Customer pain:
“I don’t know what automations exist, which ones are AI-connected, and what identities they run as.”
What W1 delivers (business level):
- A deterministic inventory of autonomous execution units in the environment (automations and AI-connected execution)
- Clear identification of the execution identity (human or non-human) responsible for the action
- Ability to filter and focus on AI-connected and/or high-authority execution
2) Understand data reachability
Customer pain:
“So what? I can’t connect ‘automation exists’ to ‘it can reach sensitive data’ with evidence.”
What W1 delivers (business level):
- For each automation, an evidence-backed view of reachable data domains (e.g., HR, Finance, Customer, Identity)
- A deterministic path explanation in plain language: automation → identity → reachable system/data domain
- A risk-first list view that allows CISOs to start from “what matters” rather than raw inventories
3) Classify egress (LLM / external / internal / unknown)
Customer pain:
“I can’t tell which automations can send data to LLMs or outside the enterprise boundary.”
What W1 delivers (business level):
- Deterministic identification of egress destinations at the endpoint/host level (not payload)
- Simple classification labels per automation / finding: LLM, External, Internal, Unknown
- Filters and views that isolate LLM and external egress quickly for review
4) Detect ownership decay
Customer pain:
“Owners leave. Automations persist. No one is accountable, and reviews don’t happen.”
What W1 delivers (business level):
- Visibility into ownership health at the automation level (known owner vs orphaned/unclear)
- Evidence surfaced alongside exposure so CISOs can justify why a case is risky even before remediation exists
- Ability to filter for orphaned/low-confidence ownership to drive governance conversations
5) Surface high-risk cases
Customer pain:
“Even if you show me everything, I still don’t know what to look at first.”
What W1 delivers (business level):
- A “Top Risks” view that highlights the small set of cases most likely to matter to the CISO
- Prioritization based on deterministic factors (execution + reachable data domains + egress + ownership health), not opaque scoring
- Each high-risk case is backed by a deterministic path explanation and evidence snapshot
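An added sketch of jobs 3 and 5 together: host-level egress labelling and a "Top Risks" order built from explicit factors rather than a score. It is not SecurityV0 code; the host lists, the internal suffix, the rank of the egress labels, the factor order and the record fields are all assumptions, and the inventory is constructed.

```python
import ipaddress

# Everything below is assumed for illustration; the W1 spec defines none of it.
LLM_HOSTS = {"api.openai.com", "api.anthropic.com"}
INTERNAL_SUFFIXES = (".corp.example",)
SENSITIVE_DOMAINS = {"HR", "Finance", "Customer", "Identity"}
EGRESS_RANK = {"LLM": 3, "External": 2, "Unknown": 1, "Internal": 0}

def classify_egress(host):
    """Label a destination from its host alone; no payload is inspected."""
    host = (host or "").strip().lower().rstrip(".")
    if not host or "$" in host or "{" in host:  # missing or resolved only at runtime
        return "Unknown"
    try:
        ip = ipaddress.ip_address(host)
        return "Internal" if ip.is_private or ip.is_loopback else "External"
    except ValueError:
        pass  # not an IP literal, treat as a hostname
    if host in LLM_HOSTS:
        return "LLM"
    return "Internal" if host.endswith(INTERNAL_SUFFIXES) else "External"

def assess(w):
    """Build one finding whose factors are explicit, so the ordering is explainable."""
    labels = sorted({classify_egress(h) for h in w["egress_hosts"]})
    sensitive = sorted(SENSITIVE_DOMAINS & set(w["domains"]))
    return {
        "name": w["name"],
        "path": f'{w["name"]} -> {w["identity"]} -> {", ".join(sensitive) or "no sensitive domain"}',
        "egress": labels,
        "orphaned": w["owner"] is None,
        "sensitive": sensitive,
    }

def top_risks(inventory):
    """Lexicographic order: sensitive reach, worst egress label, orphaned, then name."""
    def key(f):
        worst = max((EGRESS_RANK[l] for l in f["egress"]), default=-1)
        return (-bool(f["sensitive"]), -worst, -f["orphaned"], f["name"])
    return sorted((assess(w) for w in inventory), key=key)

# Constructed sample inventory (not real data).
INVENTORY = [
    {"name": "ticket-autoclose", "identity": "svc-itsm", "owner": "it-ops", "domains": ["ITSM"], "egress_hosts": ["mq.corp.example"]},
    {"name": "status-poster", "identity": "svc-bot", "owner": None, "domains": [], "egress_hosts": ["hooks.partner.example"]},
    {"name": "invoice-sync", "identity": "svc-fin", "owner": "fin-eng", "domains": ["Finance"], "egress_hosts": ["${VENDOR_HOST}", "10.2.3.4"]},
    {"name": "hr-offboarding-summary", "identity": "svc-hr-flow", "owner": None, "domains": ["HR"], "egress_hosts": ["api.openai.com"]},
]
```

Because the sort key ends in the workload name, the same inventory yields the same order on every run regardless of input order, which is what the reliability bar asks for.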
6) Communicate risk
Customer pain:
“I can’t explain this to leadership in a credible, concise way.”
What W1 delivers (business level):
- A concise executive-ready summary of exposure: what exists, what reaches sensitive domains, what has LLM/external egress, what is orphaned
- Evidence-backed artifacts (per-finding snapshots) that make the risk defensible and repeatable
- Language and structure that supports a CISO narrative: unknown execution → proven reachability → proven boundary risk
What counts as “Exposure” in W1
In W1, Exposure means:
A deterministic, evidence-backed instance where an automation (or AI-connected execution) can:
- execute under a specific identity, and
- reach a defined sensitive data domain, and/or
- send data to an identified egress destination (LLM/external/internal/unknown),
with enough evidence that a security leader can trust the conclusion without “best guesses.”
Exposure is not suspicion.
Exposure is execution + reachable data + egress, backed by evidence. Exposure is a presentation of findings, not a separate entity.
Demo moment definition (“wow” moment)
A design-partner CISO:
- opens the W1 view,
- clicks an automation they did not previously recognize (or assumed was low-risk),
- and immediately sees a deterministic path that shows:
  - it runs as an unexpected identity or under unclear ownership, and
  - it can reach a sensitive data domain they care about, and/or
  - it has LLM or external egress,
leading to: “I didn’t know this existed” or “That can reach THAT?”
Explicitly out of scope (W1 does NOT include)
W1 is discovery and assessment, not enforcement or operations.
Not included:
- Policy engine or approval gates
- Drift detection / change monitoring over time (continuous or periodic)
- Continuous monitoring
- Real-time alerts
- Remediation workflows (ticketing, auto-fix, playbooks)
- ML-based scoring or probabilistic ranking
- Exploit simulation or attack emulation
- Payload inspection (no content/header/body inspection)
- Cross-system blast radius expansion beyond the first deterministic boundary (W1 shows the proven execution path to reachable domains and identified egress; it does not recursively map all downstream consequences across the enterprise)
Pilot success criteria (paid pilot)
W1 is successful if, within the pilot window, the design partner can:
- Discover unknown autonomous execution: identify meaningful automations/AI-connected execution previously not visible to the CISO team.
- Prove reachability with evidence: for at least a small set of priority cases, show deterministic reachability to sensitive domains that the customer acknowledges as real.
- Isolate boundary risk: clearly identify and classify LLM/external/internal/unknown egress for the priority set (without payload inspection).
- Identify ownership decay: surface orphaned or unclear ownership cases that the customer accepts as actionable governance problems.
- Produce CISO-ready output: generate an executive-ready summary and evidence snapshots that the CISO is willing to reuse internally.
- Create at least one “wow” moment: the CISO explicitly states a discovery that changes their understanding of risk (“I didn’t know” / “That can reach THAT?”).
Reliability bar:
- The system must be consistent and repeatable across runs in the same environment.
- Findings must be explainable with evidence; “trust us” is not acceptable.
Boundary statement
W1 exists to create deterministic clarity about autonomous execution risk. It is intentionally narrow: it earns trust through proof, not breadth.
If W1 delivers the above reliably and deterministically, it earns the right to build W2.