Agents nobody registered
Agents deployed outside any formal process, discovered only when something breaks or a scan like this one runs. They are usually the least governed and the fastest growing.
AI Risk & Governance
The Agent Risk Assessment discovers every AI agent running in your environment, including the ones no one registered. Each agent is mapped with its blast radius, access scope, and autonomy classification, so you know which ones are governed, which ones are supervised, and which ones are one bad instruction away from an incident.
The Problem
Every team is deploying agents. Almost no organization has a process for registering, reviewing, or retiring them. The result is a population of autonomous software with production access that appears in no inventory, no runbook, and no risk register.
Agents deployed outside any formal process, discovered only when something breaks or a scan like this one runs. They are usually the least governed and the fastest growing.
Agents with unrestricted write access to production data stores and business systems, capable of modifying records or calling external APIs without approval.
Identities scoped at the subscription or account level mean an agent's effective reach is everything, even when its intended job is narrow.
Fully autonomous agents executing consequential actions, including financial ones, with no human-in-the-loop checkpoint anywhere in the path.
Agent calls to external systems that never reach the SIEM. A compromised credential would be invisible until the damage surfaced.
SOC 2, the EU AI Act, and cyber insurers all now ask the same question: what AI is running and who governs it? An empty inventory is the wrong answer.
What the Assessment Finds
Sample findings below are drawn from an illustrative assessment of a fictional industrial enterprise, Astro Mining International, with six AWS accounts and two Azure subscriptions. The structure is exactly what you receive for your environment.
Sample finding. Illustrative environment.
One exploration agent held unrestricted read and write access to all production geology databases with no token budget, approval gate, or timeout, and was invoked autonomously. A supply chain agent had direct API access to three external supplier systems with none of its external calls logged to the SIEM. Two managed identities associated with agents carried Contributor scope at the subscription level, making their effective blast radius every resource in both subscriptions. None of the critical remediations required architectural change.
How It Works
The assessment runs as two scoped, deterministic, approval-gated phases: inventory discovery through approved connectors, then deterministic policy checks against that inventory. Oscar never performs open-ended network scanning, and no action executes without explicit human sign-off.
Oscar connects through approved connectors using read-only access and the permissions your engineers already hold. Setup takes under 30 minutes. No credentials are stored centrally and no changes are made to your environment.
IAM role patterns, runtime signatures, deployment history, and identity linkages are correlated in the Cloud Intelligence Graph. Agents are identified from multiple corroborating signals, not a single heuristic, and each one is resolved to an owner where the evidence supports it.
Each agent is classified by autonomy level: fully autonomous, supervised, or human-in-the-loop. Blast radius is mapped from effective IAM scope. Governance controls such as token caps, timeouts, approval gates, and SIEM coverage are checked deterministically, with findings labeled Live, Inferred, or Gap.
Complete inventory, per-agent risk profiles, and a prioritized roadmap where every item is an Oscar-ready task with an owner and time horizon. Items marked NOW require no architectural change.
What You Get
Every finding is verified against live configuration and labeled with its evidence basis. Nothing is assembled from interviews or self-reported inventories.
Every AI agent in the environment with its deployment method, identity, account location, owner, and documentation status, including agents in no existing register.
For each agent: what is reachable from its effective access scope, whether it can modify identity and access itself, and how reversible its actions are. What it could affect, not just what it does.
Each agent classified as fully autonomous, supervised, or human-in-the-loop, so governance effort lands first on the agents acting with the least oversight.
Token budgets, timeouts, approval gates, SIEM coverage, and registration status checked per agent, with a security oversight score and the specific control missing in each case.
Findings ranked by risk with owner and horizon attached. Each item is an Oscar-ready task, so the path from finding to fix is a handoff, not another project.
New agent detected, alert fires. Scope expands or a control disappears, alert fires. The inventory stays current as teams keep shipping.
Why OpsCanvas
Governance frameworks, policies, and review boards all presume you know what agents exist. In practice the inventory is the hard part, because agents leave their footprint across IAM, runtime logs, deployment pipelines, and identity systems simultaneously, and no one of those sources tells the whole story.
The Cloud Intelligence Graph correlates all of them at once. That is why the assessment routinely surfaces agents leadership did not know existed, and why every finding arrives with the evidence that makes remediation defensible rather than debatable.
Common Questions
From multiple corroborating signals: identity and role patterns consistent with agent provisioning, model API usage observable in runtime logs, deployment signatures, and behavioral patterns. No single signal is trusted alone. An agent flagged high-confidence has been identified through several independent evidence sources.
No. Oscar performs no open-ended or autonomous network scanning. The assessment runs as two scoped, deterministic, approval-gated phases: inventory discovery through approved connectors using existing permissions, then deterministic policy checks against that inventory.
What could be affected by a misconfiguration, prompt injection, or compromised credential, not what the agent is designed to do. It is mapped from the agent's effective access scope: the systems reachable, whether it can modify identity and access itself, and how reversible its actions are.
Especially then. The assessment checks your actual agent population against the controls your policy assumes exist. The most common finding is not a missing policy but a gap between the policy and what is running, and that gap is exactly what auditors and insurers probe.
The assessment is the evidence-gathering engagement that most governance programs start with. The broader solution covers the ongoing program: monitoring, scoped agent identities, and approval workflows. See the AI Agent Governance solution page for the full picture.
Every finding arrives as an Oscar-ready task with owner and priority attached. You can execute the roadmap yourself, or run Oscar in co-pilot mode where Oscar proposes each action, an engineer approves it, and every change is logged with a full audit trail.
Get Started
Read-only connection through approved connectors. Complete agent inventory with blast radius and autonomy classification. Board-ready findings in days.
Read-only access | No changes to your environment | Setup under 30 minutes