W1 — Agentic AI Exposure Discovery & Assessment (Scope)

Implementation status: Spec complete. Graph dependency contract verified — all required entity types and relationships exist in platform code (entity type rename automation → workload is planned but not yet applied in code). Implementation planned — see W1 unified implementation plan.

Scope Summary

W1 is a deterministic discovery and assessment capability operating on the normalized execution/authority graph.

It identifies:

  • Autonomous execution units,
  • The identities they execute as,
  • The data domains they can reach (bounded to the first deterministically provable boundary),
  • The outbound boundary they can transmit to,
  • The health of ownership accountability,

and produces evidence-backed findings suitable for CISO review.

W1 consumes graph entities and relationships as defined in the Data Model. It does not require execution chain versioning, fingerprinting, or drift tracking.


1. Graph Dependency Contract

W1 operates on the normalized 9-entity model.

Required entity types

  • authority path - durable, evidence-backed execution chain (workload/agent → identity → destination/data domain) shown as PATH-### in UX
  • workload (deprecated alias: automation)
  • identity
  • role
  • permission
  • resource
  • owner
  • execution_evidence

Optional but supported:

  • connection
  • credential

Required relationships

  • RUNS_AS
  • HAS_ROLE
  • GRANTS
  • APPLIES_TO
  • OWNED_BY
  • INVOKES
  • USES
  • AUTHENTICATES_AS
  • AUTHENTICATES_TO (when cross-system linkage exists)

W1 does not require:

  • execution_chains persistence
  • Chain fingerprinting
  • Drift detection
  • Temporal versioning
  • Full blast radius traversal

Derived relationships (e.g., identity → resource reachability) may be computed ephemerally during evaluation but are not required to be stored.


2. In Scope — W1 Capabilities

2.1 Inventory of Autonomous Authority Paths

  • Deterministic inventory of execution-capable workload entities.
  • Limited to constructs capable of executing without an active human session.
  • Human-triggered interactive sessions are excluded.

2.2 Identity binding (standing authority)

For each workload:

  • Resolve RUNS_AS → identity deterministically.
  • Identity must be uniquely identifiable.
  • If linkage fails, status = unknown.

Standing authority means execution does not require interactive approval at runtime.


2.3 Execution validation (proof of execution)

Execution is proven only when:

  • A first-party execution_evidence record exists,
  • It can be deterministically joined to the workload or identity,
  • No heuristic matching is required.

If linkage cannot be established, execution status = unproven.


2.4 Data reachability classification (bounded)

Reachability is determined via bounded traversal:

  1. workload → RUNS_AS → identity
  2. identity → HAS_ROLE → GRANTS → APPLIES_TO → resource

When authorization edges are unavailable, first-party table/module references may be used if deterministically exposed.

Output is:

  • Domain-level classification only.
  • First observable boundary only.
  • No recursive downstream traversal.
  • No effective access computation.
  • No inference.

If reachability cannot be proven, classification = unknown.
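
A sketch of the bounded traversal from 2.2 and 2.4, added here as an illustration and not taken from the platform code. The edge-tuple layout, the RESOURCE_DOMAIN label map, the REPLICATES_TO edge and all sample IDs are assumptions, as is treating more than one RUNS_AS target as a failed linkage.

```python
from collections import defaultdict

# Constructed sample edges: (source, relationship, target).
EDGES = [
    ("wl-nightly-export", "RUNS_AS", "id-svc-export"),
    ("id-svc-export", "HAS_ROLE", "role-finance-reader"),
    ("role-finance-reader", "GRANTS", "perm-read-ledger"),
    ("perm-read-ledger", "APPLIES_TO", "res-ledger"),
    # Hypothetical downstream edge: beyond the first boundary, never followed.
    ("res-ledger", "REPLICATES_TO", "res-warehouse"),
    ("wl-shared", "RUNS_AS", "id-a"),
    ("wl-shared", "RUNS_AS", "id-b"),       # binding is not unique
    ("wl-bare", "RUNS_AS", "id-no-roles"),  # identity with no recorded roles
]
# Assumed attribute: each resource carries one data-domain label.
RESOURCE_DOMAIN = {"res-ledger": "finance", "res-warehouse": "analytics"}

def build_index(edges):
    index = defaultdict(set)
    for src, rel, dst in edges:
        index[(src, rel)].add(dst)
    return index

def resolve_identity(index, workload):
    """Return the single RUNS_AS identity, or None when linkage fails."""
    identities = index.get((workload, "RUNS_AS"), set())
    return next(iter(identities)) if len(identities) == 1 else None

def reachable_domains(index, workload):
    """Domain labels at the first data boundary, or ["unknown"] if unproven."""
    identity = resolve_identity(index, workload)
    if identity is None:
        return ["unknown"]
    frontier = {identity}
    # Exactly one pass over the fixed hop sequence: no recursion, no inference.
    for rel in ("HAS_ROLE", "GRANTS", "APPLIES_TO"):
        frontier = {dst for node in frontier for dst in index.get((node, rel), ())}
    domains = {RESOURCE_DOMAIN[r] for r in frontier if r in RESOURCE_DOMAIN}
    return sorted(domains) if domains else ["unknown"]

INDEX = build_index(EDGES)
```

The analytics domain never appears in the output for wl-nightly-export because only the three named relationships are walked, once each.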


2.5 Egress classification (first outbound boundary)

Egress is determined via:

workload → INVOKES → connection → USES → credential → AUTHENTICATES_AS → identity

or first observable outbound endpoint metadata.

Classification:

  • LLM
  • External
  • Internal
  • Unknown
  • None observed

Constraints:

  • Endpoint-level only (host/base URL).
  • No payload inspection.
  • No multi-hop recursive expansion beyond first boundary.
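
An added example (not platform code) of host-level egress classification from first observable endpoint metadata; it does not walk the credential → identity part of the chain. The LLM_HOSTS allowlist, the INTERNAL_SUFFIXES zone, the private-IP rule and all connection names and URLs are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

LLM_HOSTS = {"api.openai.com", "api.anthropic.com"}  # assumed allowlist of LLM API hosts
INTERNAL_SUFFIXES = (".corp.example",)               # assumed internal DNS zone

def classify_endpoint(base_url):
    """Classify one endpoint by host only; path, query and payload are never read."""
    try:
        host = (urlsplit(base_url or "").hostname or "").rstrip(".")
    except ValueError:
        return "Unknown"
    if not host:
        return "Unknown"
    if host in LLM_HOSTS:
        return "LLM"
    try:
        return "Internal" if ipaddress.ip_address(host).is_private else "External"
    except ValueError:
        pass  # not an IP literal, fall through to the DNS-name rules
    return "Internal" if host.endswith(INTERNAL_SUFFIXES) else "External"

def workload_egress(invokes, endpoints, workload):
    """Classes of the first outbound boundary for each INVOKES connection."""
    connections = invokes.get(workload, [])
    if not connections:
        return ["None observed"]
    return sorted({classify_endpoint(endpoints.get(c)) for c in connections})

# Constructed sample data: workload -> connections (INVOKES), connection -> base URL.
INVOKES = {
    "wl-summarizer": ["conn-llm", "conn-wiki"],
    "wl-sync": ["conn-partner"],
    "wl-legacy": ["conn-no-endpoint"],
    "wl-idle": [],
}
ENDPOINTS = {
    "conn-llm": "https://api.openai.com/v1",
    "conn-wiki": "https://wiki.corp.example/api",
    "conn-partner": "https://files.partner.example:8443/upload?token=x",
    "conn-no-endpoint": None,
}
```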

2.6 Ownership validation

Ownership status is derived from OWNED_BY relationships and owner state.

Outcomes:

  • valid
  • invalid
  • ambiguous
  • unknown

Ownership interpretation is deterministic and evidence-backed.


2.7 Deterministic findings

W1 produces deterministic findings derived from graph state.

Examples (non-exhaustive):

  • unproven_execution
  • unknown_identity_binding
  • reachable_sensitive_domain
  • llm_egress
  • external_egress
  • ownership_invalid
  • ownership_ambiguous
  • ownership_unknown

Risk grouping for triage is a deterministic aggregation of active findings. It is not a scoring system and does not replace canonical findings.

W1 findings are stored using the platform’s canonical Finding model. W1 defines which exposure conditions trigger findings but does not redefine finding schema, lifecycle semantics, or storage mechanics.

All W1 findings are persisted using the platform Finding schema (including evidence_completeness), with a W1-restricted finding_type allowlist.
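
An added illustration (not platform code) of deriving findings from assessed state, covering the execution proof rule in 2.3, ownership outcomes in 2.6 and the finding_type allowlist above. All record field names and sample values are assumptions, and the ownership rules shown are one assumed reading of "OWNED_BY relationships and owner state".

```python
# Finding types listed in section 2.7, used here as the W1 allowlist.
W1_FINDING_TYPES = {
    "unproven_execution", "unknown_identity_binding", "reachable_sensitive_domain",
    "llm_egress", "external_egress",
    "ownership_invalid", "ownership_ambiguous", "ownership_unknown",
}

def execution_proven(workload_id, identity_id, evidence):
    """True only on an exact key join to a first-party record; names are never matched."""
    for rec in evidence:
        if not rec.get("first_party"):
            continue
        if rec.get("workload_id") == workload_id:
            return True
        if identity_id is not None and rec.get("identity_id") == identity_id:
            return True
    return False

def ownership_status(owners):
    """Assumed rules: none -> unknown, several -> ambiguous, inactive -> invalid."""
    if len(owners) > 1:
        return "ambiguous"
    active = owners[0].get("active") if owners else None
    return {True: "valid", False: "invalid"}.get(active, "unknown")

def derive_findings(w, evidence, sensitive_domains):
    found = set()
    if w["identity"] is None:
        found.add("unknown_identity_binding")
    if not execution_proven(w["id"], w["identity"], evidence):
        found.add("unproven_execution")
    if sensitive_domains & set(w["domains"]):
        found.add("reachable_sensitive_domain")
    egress_map = {"LLM": "llm_egress", "External": "external_egress"}
    found |= {egress_map[e] for e in w["egress"] if e in egress_map}
    status = ownership_status(w["owners"])
    if status != "valid":
        found.add("ownership_" + status)
    if not found <= W1_FINDING_TYPES:
        raise ValueError("finding type outside the W1 allowlist")
    return sorted(found)

# Constructed sample records; every field name is an assumption.
EVIDENCE = [{"first_party": True, "workload_id": "wl-1"},
            {"first_party": False, "workload_id": "wl-2"},        # third-party source
            {"first_party": True, "workload_name": "wl-2-copy"}]  # name only, no join key
WL1 = {"id": "wl-1", "identity": "id-1", "domains": ["finance"],
       "egress": ["LLM"], "owners": [{"active": True}]}
WL2 = {"id": "wl-2", "identity": None, "domains": [], "egress": ["External"],
       "owners": [{"active": True}, {"active": True}]}
```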


2.8 Periodic reassessment

W1 supports polling-based refresh.

Outputs are “as of last refresh.”

W1 does not include event-driven monitoring or real-time guarantees.


3. Explicitly Out of Scope

  • Drift detection
  • Permission history analysis
  • Effective access computation
  • RBAC inheritance expansion beyond explicitly recorded edges
  • Multi-hop blast radius modeling
  • Execution chain versioning or fingerprinting
  • Policy enforcement or remediation
  • ML-based ranking or probabilistic inference
  • Payload inspection

4. Boundary Statement

W1 is a bounded, deterministic evaluator over the execution/authority graph.

It is intentionally constrained to:

  • First provable execution binding,
  • First provable data boundary,
  • First provable outbound boundary.

It does not attempt to model the full enterprise blast radius.