Skip to main content

W1 UX Specification

Implementation status: Spec complete. 5 mockups produced and analyzed. 15 new UI components identified. Implementation planned — see W1 unified implementation plan.

Agentic AI Exposure Discovery & Assessment

Defines user-visible behavior for W1.

Scope: deterministic exposure discovery based on periodic refresh. No remediation workflow. No drift detection. No scoring model. No trend charts. No real-time monitoring.

W1 surfaces standing autonomous execution authority, activity magnitude, sensitive reach, external boundaries, and ownership state.

Terminology and Relationships

In W1, the primary unit of analysis and action is the Authority Path: a durable, evidence-backed execution chain showing how an automation/agent runs under standing credentials and what it can reach.

A Finding is a rule-based governance failure on an Authority Path — e.g., invalid ownership, sensitive data reach, LLM/external egress, or dormant standing authority. Findings are tracked with simple timing (first seen / last seen / active) derived from periodic refresh snapshots.

Exposure is the combined posture of an Authority Path as expressed by its currently active findings (i.e., “this path’s exposure right now”). Exposure is not a separate navigational object; it is what the product is discovering and presenting.

Risk Clusters are CISO-first prioritization groupings that collect Authority Paths whose currently active exposures match a compound governance condition (e.g., Sensitive + LLM + Active + Invalid Owner), so users triage by cluster and remediate at the path level.

1. Homepage

Purpose

Provide a 5-second control view answering:

  • Which autonomous authority paths exist (standing execution authority)
  • Whether they are actively executing
  • Whether they reach sensitive data
  • Whether they cross external or LLM boundaries
  • Whether ownership is valid

This page must feel like authority governance, not inventory.

A. Posture Summary

Autonomous Execution Visibility

Displays:

  1. Active Autonomous Authority Paths

  2. Dormant Autonomous Authority Paths

  • Smaller text label: "No execution in Last 30d"

Since Last Refresh

A single delta line:

Since Last Refresh:

  • +X new autonomous authority paths
  • +Y new ownership invalidations

No charts. No time series. Just discrete delta indicators.

B. Top 5 Risk Clusters

Homepage displays:

Top 5 Risk Clusters

Clusters are prioritized by compound governance condition, not single signals.

Example priority order:

  1. Sensitive + LLM + Active + Invalid Owner
  2. Sensitive + External + Active
  3. Sensitive + External + Dormant Authority
  4. External + Active
  5. Internal + Active + Invalid Owner

Each cluster card displays:

  • Cluster title (compound condition)
  • Number of authority paths
  • Total executions (30d, aggregated across paths)
  • Sensitive domains involved
  • Counter displaying the change in the count of paths in the last 30 days

This shifts the narrative from exposure inventory to authority control.

2. Authority Paths (Filtered)

Grouped by selected Risk Cluster or opened directly from the Authority Paths navigation entry.

Each row represents one Authority Path. Findings are displayed as attributes on the path.
Collectively, these findings represent the path’s current Exposure.

Page title format: "Risk Clusters: "

Example: Auto-GPT Instance #42 → OpenAI

Each Authority Path has a stable identifier: PATH-### (or canonical path_id) and its name in the "" format.

A. Authority Path Row (Collapsed State)

Each row displays exactly:

  • Path ID
  • Path Name (Automation → Destination)
  • Autonomous Execution indicator: must display "Autonomous Execution"
  • Last Execution
  • Executions (30d)
  • Ownership Status
  • Data Domains
  • Egress Category
  • Findings (pill group)

Findings (pill group) uses the same taxonomy as clusters, e.g.:

  • Invalid Owner (Active; since )
  • Sensitive Reach (Active; since )
  • LLM Egress (Active; since )
  • External Egress (Active; since )
  • Dormant Standing Authority (Active; since )

Nothing else structural.

No hop count. No trust depth. No credential posture.

B. Inline Expand

Expanding a row reveals the full Authority Context Panel.

The expanded layout contains three horizontal zones:

  • Authority Path Diagram (top)
  • Standing Authority + Ownership + Evidence (middle)
  • Verification line + Detail link (bottom)

Findings Summary (Expanded)

Shows the same findings as the row pills, with timing:

For each finding:

  • Status: Active / Resolved
  • First Seen:
  • Last Seen:

This is the minimum required to make exposure operationally credible over time.

Ownership Breakdown

Displays explicitly:

  • Primary Owner: active / departed / disabled / none
  • Secondary Owner: active / none
  • Inherited Owner: present / none

Ownership status in the collapsed row is derived from this breakdown.

Evidence Completeness Strip

Compact visual indicator for:

  • Current Roles
  • Role History
  • Execution Evidence
  • Ownership Records

Each marked:

available / partial / unavailable

Hover shows explanation.

Verification Line

Displayed at the bottom of the expanded Path panel.

Shows:

  • Evidence verified:
  • Cross-system identity linkage verified

This confirms that authority mapping and evidence correlation succeeded.

3. Authority Path Detail View

Authority Path Detail Navigation

The Authority Path Detail screen is accessed from: View Full Detail → inside an expanded Authority Path row.

This screen is not a primary navigation item. It is a drill-down investigation surface.

Breadcrumb examples:

  • Risk Clusters > > PATH-021
  • Authority Paths > PATH-021

Users must be able to return directly to the prior list.

Purpose

Provide full deterministic authority explanation for the path and its findings (i.e., the path’s exposure drivers).

A. Authority Path Diagram

Displayed as a linear execution lineage: Automation → Identity → Destination → Data Domain

Workload → Identity → Destination → Data Domain

No hop count displayed. No numeric trust-chain metrics.

B. Standing Authority Section

Fields:

  • Execution Model
  • Authentication Type
  • Human Session Required

Example:

  • Execution Model: Autonomous
  • Auth Type: Client Credentials
  • Human Session Required: No

C. Findings Panel

For each finding:

  • Finding type (Invalid Owner, Sensitive Reach, LLM Egress, External Egress, Dormant, etc.)
  • Status: Active / Resolved
  • First Seen / Last Seen
  • Evidence pointers used to assert it (references into Structured Evidence Panel)

D. Structured Evidence Panel

Sections:

1. Automation Metadata

  • Source system
  • Artifact identifier
  • Last refreshed

2. Identity Binding

  • RUNS_AS relationship
  • Authentication protocol
  • Target system

3. Execution Evidence

  • Last Execution timestamp
  • Executions (30d)
  • Last action
  • Target resource
  • Outcome
  • Last Used Authentication timestamp

No execution trend analysis. No charts.

4. Egress Configuration

  • Destination boundary
  • Target endpoint (if external)
  • Egress category

E. Linkage Proof Card

Displays deterministic cross-system matching proof:

  • Issuing Tenant
  • Target Instance
  • Matching Field
  • Matching Value

Confirms cross-plane authority mapping.

F. Sensitive Domain Summary

Displays:

Sensitive Domains Reached:

  • HR (confidential)
  • Finance (restricted)
  • Customer

Or:

Confidential / Restricted Resources Reachable: [count]

G. Remediation Placeholder

Disabled button:

Create Ticket (Future Capability)

No remediation workflow in W1.

4. Primary Investigation Flow

  1. Start on Homepage.
  2. Review Top 5 Risk Clusters.
  3. Click a cluster.
  4. Review execution magnitude, ownership status, and active findings in the path row.
  5. Expand row for authority context + findings timing summary.
  6. Open detail to inspect standing authority, findings timing, and linkage proof.

No alternate navigation. No graph browsing mode.

5. Interaction Rules

  • Click Risk Cluster → Authority Paths (Filtered)
  • Click row → expand inline
  • Click View Detail → Authority Path Detail
  • Click node in diagram → metadata side panel

One expanded path at a time.

6. Refresh Behavior

All data reflects periodic refresh only.

UI displays:

Last Refreshed: [timestamp]

Since Last Refresh delta line shown on Homepage.

Finding timing (first seen / last seen / active) is derived from refresh snapshots.

No streaming. No alerting. No continuous monitoring.

Communication Scope

W1 communicates:

  • Active non-human execution authority (standing authority paths)
  • Execution magnitude (30d count)
  • Sensitive data reach
  • External / LLM boundary crossing
  • Ownership decay (invalid ownership)

It answers:

  • Which autonomous paths exist
  • How active they are
  • What they can reach
  • Whether anyone is accountable

Nothing beyond that scope.