AI Risk & Governance

Somewhere in your cloud, an agent is acting without approval.

The Agent Risk Assessment discovers every AI agent running in your environment, including the ones no one registered. Each agent is mapped with its blast radius, access scope, and autonomy classification, so you know which ones are governed, which ones are supervised, and which ones are one bad instruction away from an incident.

Read-only, approval-gated scan
Findings in days, not months
No credentials stored centrally
No agent registry required to start
82%
Of orgs found AI agents they didn't know about (CSA, 2026)
9
Agents unknown to leadership in a recent sample engagement
7
High-risk agents with prod write access and no HITL gate
Days
From connection to a board-ready deliverable

The Problem

Agents ship faster than governance.

Every team is deploying agents. Almost no organization has a process for registering, reviewing, or retiring them. The result is a population of autonomous software with production access that appears in no inventory, no runbook, and no risk register.

Agents nobody registered

Agents deployed outside any formal process, discovered only when something breaks or a scan like this one runs. They are usually the least governed and the fastest growing.

Production write access

Agents with unrestricted write access to production data stores and business systems, capable of modifying records or calling external APIs without approval.

Blast radius nobody measured

Identities scoped at the subscription or account level mean an agent's effective reach is everything, even when its intended job is narrow.

Autonomy without gates

Fully autonomous agents executing consequential actions, including financial ones, with no human-in-the-loop checkpoint anywhere in the path.

No security telemetry

Agent calls to external systems that never reach the SIEM. A compromised credential would be invisible until the damage surfaced.

Nothing to show the auditor

SOC 2, the EU AI Act, and cyber insurers all now ask the same question: what AI is running and who governs it? An empty inventory is the wrong answer.

What the Assessment Finds

This is what the deliverable looks like.

Sample findings below are drawn from an illustrative assessment of a fictional industrial enterprise, Astro Mining International, with six AWS accounts and two Azure subscriptions. The structure is exactly what you receive for your environment.

Sample finding. Illustrative environment.

23 agents discovered across the environment. 9 were unknown to leadership before the scan. 7 held write access to production with no human approval gate and no token cap. One procurement agent had autonomously submitted $1.1M in purchase orders in a single month.

One exploration agent held unrestricted read and write access to all production geology databases with no token budget, approval gate, or timeout, and was invoked autonomously. A supply chain agent had direct API access to three external supplier systems with none of its external calls logged to the SIEM. Two managed identities associated with agents carried Contributor scope at the subscription level, making their effective blast radius every resource in both subscriptions. None of the critical remediations required architectural change.

23
Agents discovered across all accounts
9
Unknown to leadership before the scan
7
High-risk: prod write access, no HITL, no token cap
0
Agents with enforced token budgets

How It Works

Two scoped phases. Deterministic results. Human approval at every gate.

The assessment runs as two scoped, deterministic, approval-gated phases: inventory discovery through approved connectors, then deterministic policy checks against that inventory. Oscar never performs open-ended network scanning, and no action executes without explicit human sign-off.

  1. 1

    Connect with read-only credentials

    Oscar connects through approved connectors using read-only access and the permissions your engineers already hold. Setup takes under 30 minutes. No credentials are stored centrally and no changes are made to your environment.

  2. 2

    Oscar discovers the agent population

    IAM role patterns, runtime signatures, deployment history, and identity linkages are correlated in the Cloud Intelligence Graph. Agents are identified from multiple corroborating signals, not a single heuristic, and each one is resolved to an owner where the evidence supports it.

  3. 3

    Deterministic checks profile every agent

    Each agent is classified by autonomy level: fully autonomous, supervised, or human-in-the-loop. Blast radius is mapped from effective IAM scope. Governance controls such as token caps, timeouts, approval gates, and SIEM coverage are checked deterministically, with findings labeled Live, Inferred, or Gap.

  4. 4

    You receive the report and remediation roadmap

    Complete inventory, per-agent risk profiles, and a prioritized roadmap where every item is an Oscar-ready task with an owner and time horizon. Items marked NOW require no architectural change.

What You Get

Five deliverables, all from live infrastructure.

Every finding is verified against live configuration and labeled with its evidence basis. Nothing is assembled from interviews or self-reported inventories.

Complete Agent Inventory

Every AI agent in the environment with its deployment method, identity, account location, owner, and documentation status, including agents in no existing register.

Blast Radius Map

For each agent: what is reachable from its effective access scope, whether it can modify identity and access itself, and how reversible its actions are. What it could affect, not just what it does.

Autonomy Classification

Each agent classified as fully autonomous, supervised, or human-in-the-loop, so governance effort lands first on the agents acting with the least oversight.

Governance Gap Report

Token budgets, timeouts, approval gates, SIEM coverage, and registration status checked per agent, with a security oversight score and the specific control missing in each case.

Prioritized Remediation Roadmap

Findings ranked by risk with owner and horizon attached. Each item is an Oscar-ready task, so the path from finding to fix is a handoff, not another project.

Add-on

Ongoing Agent Monitoring

New agent detected, alert fires. Scope expands or a control disappears, alert fires. The inventory stays current as teams keep shipping.

Why OpsCanvas

You cannot govern what you have not discovered.

Agent risk work fails at step one: the inventory.

Governance frameworks, policies, and review boards all presume you know what agents exist. In practice the inventory is the hard part, because agents leave their footprint across IAM, runtime logs, deployment pipelines, and identity systems simultaneously, and no one of those sources tells the whole story.

The Cloud Intelligence Graph correlates all of them at once. That is why the assessment routinely surfaces agents leadership did not know existed, and why every finding arrives with the evidence that makes remediation defensible rather than debatable.

Discovery from multiple corroborating signals, not self-reporting
Blast radius from effective scope, not intended function
Autonomy classification across the full agent population
Findings labeled Live, Inferred, or Gap with evidence attached
Every recommendation is an Oscar-ready remediation task
Capability
OpsCanvas
Discovery method
Live APIs via approved connectors
Agent registry required
No
Autonomy classification
Autonomous, supervised, HITL
Blast radius analysis
Per agent, from effective scope
Governance controls checked
Budgets, timeouts, gates, SIEM, registration
Continuous monitoring
Available as add-on

Common Questions

Frequently asked.

How does Oscar tell an AI agent apart from ordinary automation?

From multiple corroborating signals: identity and role patterns consistent with agent provisioning, model API usage observable in runtime logs, deployment signatures, and behavioral patterns. No single signal is trusted alone. An agent flagged high-confidence has been identified through several independent evidence sources.

Does Oscar scan our network to find agents?

No. Oscar performs no open-ended or autonomous network scanning. The assessment runs as two scoped, deterministic, approval-gated phases: inventory discovery through approved connectors using existing permissions, then deterministic policy checks against that inventory.

What does blast radius mean in the report?

What could be affected by a misconfiguration, prompt injection, or compromised credential, not what the agent is designed to do. It is mapped from the agent's effective access scope: the systems reachable, whether it can modify identity and access itself, and how reversible its actions are.

We already have an AI governance policy. Is this still useful?

Especially then. The assessment checks your actual agent population against the controls your policy assumes exist. The most common finding is not a missing policy but a gap between the policy and what is running, and that gap is exactly what auditors and insurers probe.

How does this relate to the AI Agent Governance solution?

The assessment is the evidence-gathering engagement that most governance programs start with. The broader solution covers the ongoing program: monitoring, scoped agent identities, and approval workflows. See the AI Agent Governance solution page for the full picture.

What happens after the report is delivered?

Every finding arrives as an Oscar-ready task with owner and priority attached. You can execute the roadmap yourself, or run Oscar in co-pilot mode where Oscar proposes each action, an engineer approves it, and every change is logged with a full audit trail.

Get Started

Find every agent before one of them finds you a headline.

Read-only connection through approved connectors. Complete agent inventory with blast radius and autonomy classification. Board-ready findings in days.

Read-only access | No changes to your environment | Setup under 30 minutes