AI Posture Assessment  · 
Developing 52/100
Executive Summary // roll-up
AI Posture Assessment

Enterprise AI posture, scored

Structured visibility across every enterprise AI surface — credentials, connectivity, and configuration.

Live assessment   Scope  3 surfaces · 113 apps · 13 agents Assessed  Jun 15, 2026
P1Fix First
Top Remediation Priority — Credentials & Authorization

Excessive write-scope OAuth on connected AI apps

ChatGPT holds 12 write scopes across 17 third-party apps (Dropbox, SharePoint, HubSpot) for 7 users — and a shadow app carries Mail.ReadWrite. This is the single largest exfiltration blast radius in the org.

View Roadmap
Domain Assessments // 3 pillars
PILLAR 01

Credentials & Authorization

Who holds credentials across every AI surface — and what access those identities and tokens are actually authorized to use.

42/100
Critical

Identities & credentials

Real distinct humans
~17
89 raw records
Apps with write OAuth
4
12 write grants
Shadow apps with write
1
Mail.ReadWrite
Least-privilege
1
compliant

Identity hygiene findings

Duplicate identities across domains
Same humans appear under @classie.ai and @classieaiinc.onmicrosoft.com.
De-duplicate
19 synthetic / test accounts
Agent test users with IDs in the millions inflate the population.
Purge
26 bare usernames, no email
Unmapped identities can't be tied to a real person or risk owner.
Map

Authorization register · observed vs. authorized

App / agentCredentialHighest granted scopeEntitlement risk
ChatGPT
User OAuth · 7 users12 write scopes across 17 appsExcessive
CrewAI
User OAuth · 2 usersFiles.ReadWrite.All · Sites.ReadWrite.AllExcessive
Mistral shadow
User OAuth · 1 userMail.ReadWrite — unsanctionedCritical
Endpoint MCP :8002
Bearer token · invalidUnknown — auth rejected (565 accesses)Unverified
dev-financial-agent
Service credentialSupabase read-only (scoped)Compliant
PILLAR 02

Connectivity

What systems AI can reach — MCP servers, tools, connected APIs and data repositories.

47/100
At Risk

Reach & blast radius

AI app / agentConnected systemsBlast radius
ChatGPT
Browser · 7 users
17 third-parties — Dropbox, SharePoint, HubSpot, Google Drive, Figma, ClayHigh
CrewAI
Agent framework
8 doc stores, read-write — Box, OneDrive, Notion, Excel, WordHigh
Endpoint harnesses
Claude Code, Cowork…
Local filesystem write + shell · server-filesystem MCP · 127.0.0.1:8002High
dev-financial-agent
Hosted
mcp.supabase.com — Supabase project, read-only (scoped)Moderate
Unverified tool surface on developer endpoints
Local agent MCP 127.0.0.1:8002 logged 565 accesses against an invalid / expired bearer token — the connected tools cannot be inventoried or governed.

Sensitive data reaching AI surfaces · 30-day detections

PII388
Business ops186
Social Security #39
Credentials7
PILLAR 03

Configuration

How autonomous agents and their harnesses are configured — system prompts, model pinning, tool grants, and guardrails.

54/100
At Risk

Agent harness coverage

Hosted agents assessed
13
across 2 frameworks
Agents with pinned models
8/13
5 on floating aliases
Agents with egress guardrail
2/13
11 unguarded
Max harness drift
v2100
dev-financial-agent

Agentic findings

Autonomous financial agent has no egress guardrail
dev-financial-agent runs a 7-node loop with write-capable tools over financial data — no output filter sits between the agent and its sinks.
Add guardrail
System-prompt drift with no review gate
Per-node instructions mutate across 2,100 revisions with no approval checkpoint — behavior changes ship unverified.
Pin & gate
5 agent nodes on floating model aliases
The underlying model can change beneath the harness, silently shifting reasoning and tool-use behavior.
Pin versions
Untrusted input feeds the tool-calling loop
Agents ingest web_search & external content, then call write tools with no isolation step — a live prompt-injection path.
Isolate
Remediation Roadmap // prioritized
P1 · Critical2 items
Excessive write-scope OAuth

ChatGPT holds 12 write scopes across 17 apps; a shadow app carries Mail.ReadWrite. Revoke and re-scope to least privilege.

Credentials & Auth→ IAM / Identity
SSN & credentials in AI traffic

39 Social Security Number and 7 credential findings (30d); 388 PII total. Verify egress DLP on sanctioned apps.

Connectivity→ Security / DLP
P2 · Drift / Exposure2 items
Failing local MCP auth

127.0.0.1:8002 — 565 accesses with an invalid bearer token; unverified tool surface on developer laptops.

Connectivity→ Endpoint Security
Hosted-agent config drift

dev-financial-agent at revision v2100 — pin harness config & system prompts, review MCP tool grants.

Configuration→ AI Platform
P3 · Shadow / Process2 items
Shadow AI in the browser

5 unsanctioned apps (Grok, Mistral, Vanta, Copilot…) in active use. NotebookLM already drives 254 blocks — formalize policy.

Configuration→ IT Ops
Identity duplication cleanup

89 user records for ~17 humans. Collapse domain dupes and purge test accounts so per-user risk is trustworthy.

Credentials & Auth→ Platform / Data
How This Is Scored // methodology

Each pillar scored from observed evidence

Per-pillar scores roll up controls coverage, exposure and authorization signals collected across all three AI surfaces — endpoint, browser SaaS, and hosted cloud. Priority of any finding is a product of two dimensions:

priority = blast_radius × velocity  (1–25)

Blast radius — sensitivity of reachable data and breadth of connected systems. Velocity — how autonomously a surface can act without a human checkpoint.

Maturity bands

Matureleast-privilege, enforced70–100
Developingpartial coverage, drift40–69
Criticalexcessive access, gaps0–39

This org sits at 52 — Developing, dragged down by Credentials & Authorization (42). Closing the two P1 items lifts the projected score above 60.