Top Remediation Priority — Credentials & Authorization
Excessive write-scope OAuth on connected AI apps
ChatGPT holds 12 write scopes across 17 third-party apps (Dropbox, SharePoint, HubSpot) for 7 users — and a shadow app carries Mail.ReadWrite. This is the single largest exfiltration blast radius in the org.
Local agent MCP 127.0.0.1:8002 logged 565 accesses against an invalid / expired bearer token — the connected tools cannot be inventoried or governed.
Sensitive data reaching AI surfaces · 30-day detections
PII388
Business ops186
Social Security #39
Credentials7
PILLAR 03
Configuration
How autonomous agents and their harnesses are configured — system prompts, model pinning, tool grants, and guardrails.
54/100
At Risk
Agent harness coverage
Hosted agents assessed
13
across 2 frameworks
Agents with pinned models
8/13
5 on floating aliases
Agents with egress guardrail
2/13
11 unguarded
Max harness drift
v2100
dev-financial-agent
Agentic findings
Autonomous financial agent has no egress guardrail
dev-financial-agent runs a 7-node loop with write-capable tools over financial data — no output filter sits between the agent and its sinks.
Add guardrail
System-prompt drift with no review gate
Per-node instructions mutate across 2,100 revisions with no approval checkpoint — behavior changes ship unverified.
Pin & gate
5 agent nodes on floating model aliases
The underlying model can change beneath the harness, silently shifting reasoning and tool-use behavior.
Pin versions
Untrusted input feeds the tool-calling loop
Agents ingest web_search & external content, then call write tools with no isolation step — a live prompt-injection path.
Isolate
Remediation Roadmap // prioritized
P1 · Critical2 items
Excessive write-scope OAuth
ChatGPT holds 12 write scopes across 17 apps; a shadow app carries Mail.ReadWrite. Revoke and re-scope to least privilege.
Credentials & Auth→ IAM / Identity
SSN & credentials in AI traffic
39 Social Security Number and 7 credential findings (30d); 388 PII total. Verify egress DLP on sanctioned apps.
Connectivity→ Security / DLP
P2 · Drift / Exposure2 items
Failing local MCP auth
127.0.0.1:8002 — 565 accesses with an invalid bearer token; unverified tool surface on developer laptops.
Connectivity→ Endpoint Security
Hosted-agent config drift
dev-financial-agent at revision v2100 — pin harness config & system prompts, review MCP tool grants.
Configuration→ AI Platform
P3 · Shadow / Process2 items
Shadow AI in the browser
5 unsanctioned apps (Grok, Mistral, Vanta, Copilot…) in active use. NotebookLM already drives 254 blocks — formalize policy.
Configuration→ IT Ops
Identity duplication cleanup
89 user records for ~17 humans. Collapse domain dupes and purge test accounts so per-user risk is trustworthy.
Credentials & Auth→ Platform / Data
How This Is Scored // methodology
Each pillar scored from observed evidence
Per-pillar scores roll up controls coverage, exposure and authorization signals collected across all three AI surfaces — endpoint, browser SaaS, and hosted cloud. Priority of any finding is a product of two dimensions:
priority = blast_radius × velocity (1–25)
Blast radius — sensitivity of reachable data and breadth of connected systems. Velocity — how autonomously a surface can act without a human checkpoint.
Maturity bands
Matureleast-privilege, enforced70–100
Developingpartial coverage, drift40–69
Criticalexcessive access, gaps0–39
This org sits at 52 — Developing, dragged down by Credentials & Authorization (42). Closing the two P1 items lifts the projected score above 60.