Oscar scans your live cloud environment and surfaces every AI agent, its IAM scope, production system access, and blast radius. In days, not weeks. No credentials leave your perimeter. No changes made to your environment.
When developers adopt Claude Code, Cursor, GitHub Copilot, or custom LangChain workflows, those tools leave a real footprint. IAM roles get created. Lambda functions get deployed. MCP server connections get established. CI/CD pipelines get write access. Nobody files a ticket.
Engineers deploy agents using AI tools without a formal provisioning process. Six months later, the agent is still running, still touching production systems, and nobody knows who built it.
Agents get deployed with PowerUser or AdministratorAccess because it was faster at the time. The permissions are never right-sized. The blast radius grows quietly alongside your environment.
Token costs accumulate across agents nobody budgeted for. Finance sees a growing API bill. Nobody can attribute it to a team, a workflow, or a business purpose.
Agents reading S3 buckets that hold PII, writing to payment databases, or deploying to production ECS clusters, with no approval gate and no documentation of who authorized the access.
SOC 2, PCI DSS, SR 11-7, and the EU AI Act all require provable governance of AI systems in production. If you cannot name the agents, you cannot govern them. If you cannot govern them, you cannot attest to them.
A Big Four consulting engagement to build this picture takes 8 to 16 weeks and costs $75K to $300K. By the time the report lands, the environment has already changed. And none of it updates automatically.
These are not hypothetical questions from a future auditor. They are questions your CISO, your board, and your cyber insurer are already asking.
A recent assessment of a mid-market financial services firm found 34 AI agents running across 11 AWS accounts. Here is what was inside.
Oscar identified 6 Lambda functions in the payments-prod account making direct API calls to core banking services. These functions matched the signature of AI agent workflows -- no IaC lineage, broad IAM scope, irregular call patterns in CloudTrail -- but did not appear in the approved AI tools inventory. A cost-optimization agent with EC2 termination rights across 3 accounts had no environment tag filter. CloudTrail confirmed it terminated 4 production instances the same night a 3-hour outage was logged. Causal connection flagged for investigation.
Oscar builds the Context Graph from your live environment automatically. No tagging required. No credentials leave your perimeter. No changes made to your infrastructure.
Oscar connects to your AWS accounts using existing IAM read-only credentials. Setup takes under 30 minutes. Nothing is stored centrally. No new permissions are required beyond what Oscar needs to observe your environment.
Agent discovery requires correlating data across IAM role patterns, CloudTrail behavioral signatures, Lambda deployment history, MCP server process detection, and CI/CD pipeline inspection at the same time. Oscar does this automatically. A consulting team doing this manually takes 8 to 16 weeks. Oscar completes the scan in hours.
Every finding is reviewed against your stated AI governance policies and tool inventory before it enters the report. Oscar surfaces blockers and gaps as named items requiring human resolution. Nothing advances on assumed evidence.
Full agent inventory, blast radius map for each high-risk agent, token cost attribution by agent and team, governance gap analysis against your compliance framework, and a prioritized remediation plan with ownership mapped to the right teams. Delivered in 5 to 10 business days.
Every deliverable is grounded in what Oscar actually observed in your environment. Not assembled from interviews. Not inferred from documentation. Not stale by the time it reaches you.
Every AI agent and automated workflow running across your cloud accounts, verified from live infrastructure. Includes agent type, deployment method, IAM scope, account location, and documentation status.
For each high-risk agent: what production systems are reachable from its current IAM scope, whether it can modify IAM, what accounts it can affect, and how reversible its actions are. What it could affect, not just what it does.
Monthly token spend broken down by agent and team, including unbudgeted shadow spend. Correlated from CloudWatch logs, Lambda invocation records, and API gateway telemetry. Budget gaps called out explicitly.
Where your current agent posture diverges from SOC 2, PCI DSS, SR 11-7, or your own stated AI governance policies. Each gap includes affected resources, the applicable compliance control, and the specific remediation step.
Specific steps, with ownership mapped to the right teams, and the IaC or CLI command to execute each one. Not a consultant's deck of recommendations. Actionable steps your team can execute immediately.
The assessment is your starting point. Monitoring keeps the inventory current. New agent detected, alert fires. Permission scope change, alert fires. Spend crosses budget threshold, alert fires. Stay current without running another engagement.
Manual discovery requires correlating data across IAM configurations, CI/CD pipelines, CloudTrail logs, deployment history, and running resource inventories simultaneously. Doing this by hand takes weeks and produces a snapshot that is already partially stale the moment it lands.
Most organizations attempting this today are either working with consultants who charge $75K to $300K for 8 to 16 weeks of work, or they are not doing it at all.
OpsCanvas delivers this in days because the Context Graph does the discovery automatically. The data that would take a consulting team weeks to assemble is available to Oscar in hours.
An assessment tells you where you stand today. Agents get deployed every week. OpsCanvas Monitoring keeps the inventory current, automatically.
You have a verified inventory, blast radius map, and remediation plan from the initial engagement.
An engineer ships a new LangChain workflow on a Tuesday. No ticket filed. No inventory updated.
Monitoring picks up the new IAM role, Lambda function, and CloudTrail signature. Alert fires within hours.
The agent is added to the live inventory. Scope and blast radius are assessed. Owner is routed for confirmation.
Oscar scans all AWS accounts you connect using read-only credentials. Multi-account environments with AWS Organizations are supported. You can scope the scan to specific accounts or run it across your entire organization. Region coverage is configurable.
The AI Agent Inventory Assessment currently focuses on AWS, where the majority of enterprise AI agent footprint lives today. Multi-cloud coverage is on the roadmap. If your environment is primarily Azure or GCP, talk to us -- we can discuss what is feasible for your situation.
Oscar uses a combination of signals: IAM role naming patterns consistent with AI tool provisioning, environment variable inspection for LLM API keys and model references, CloudTrail behavioral signatures showing irregular invocation patterns, MCP server process detection, and CI/CD pipeline inspection for AI-specific deployment signatures. Oscar does not rely on any single signal. An agent flagged as high-confidence has been identified via multiple corroborating evidence sources.
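A minimal sketch of multi-signal corroboration, added here as an illustration and not Oscar's code or detection logic. The inventory records, the regex hints, the burst threshold, the three-signal cutoff for "high", and the use of the CloudFormation stack tag as the IaC-lineage test are all assumptions.

```python
import re

# Constructed inventory records, shaped loosely like merged Lambda/IAM data.
# Every name, tag and value here is made up for illustration.
FUNCTIONS = [
    {"name": "invoice-summarizer", "role": "claude-agent-exec-role",
     "env": {"ANTHROPIC_API_KEY": "<redacted>", "MODEL_ID": "example-model"},
     "tags": {},
     "hourly_invocations": [0, 0, 410, 2, 0, 385, 1, 0]},
    {"name": "nightly-report", "role": "reporting-lambda-role",
     "env": {"REPORT_BUCKET": "example-bucket"},
     "tags": {"aws:cloudformation:stack-name": "reporting"},
     "hourly_invocations": [12, 11, 13, 12, 12, 11, 13, 12]},
    {"name": "ticket-router", "role": "svc-ticket-router",
     "env": {"OPENAI_API_KEY": "<redacted>"},
     "tags": {"aws:cloudformation:stack-name": "support"},
     "hourly_invocations": [30, 28, 31, 29, 30, 32, 29, 30]},
]

# Hypothetical naming hints; a real deployment would tune these lists.
ROLE_HINT = re.compile(r"(agent|claude|copilot|cursor|langchain|llm)", re.I)
ENV_HINT = re.compile(r"(OPENAI|ANTHROPIC|BEDROCK|LLM|MODEL)", re.I)
IAC_TAGS = {"aws:cloudformation:stack-name"}  # tag CloudFormation sets on stack resources

def is_bursty(counts, ratio=10):
    """Irregular pattern: the peak hour is far above the median hour."""
    ordered = sorted(counts)
    median = ordered[len(ordered) // 2]
    return max(counts) > ratio * max(median, 1)

def signals(fn):
    """Return the names of the independent signals this function trips."""
    hits = []
    if ROLE_HINT.search(fn["role"]):
        hits.append("role_name")
    if any(ENV_HINT.search(key) for key in fn["env"]):  # names only, never values
        hits.append("llm_env_var")
    if not IAC_TAGS & fn["tags"].keys():
        hits.append("no_iac_lineage")
    if is_bursty(fn["hourly_invocations"]):
        hits.append("irregular_invocations")
    return hits

def classify(fn):
    """No single signal is enough: 'high' needs three corroborating hits."""
    n = len(signals(fn))
    return "high" if n >= 3 else "review" if n >= 1 else "none"

def report(functions):
    return {f["name"]: (classify(f), signals(f)) for f in functions}
```

The `ticket-router` record shows why corroboration matters: it calls an LLM API but is deployed through IaC with a steady invocation pattern, so it lands in "review" rather than "high".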
Blast radius reflects what could be affected by a misconfiguration, prompt injection, or compromised credential -- not what the agent is designed to do. For each high-risk agent, Oscar maps the production systems reachable from its current IAM scope, whether it can modify IAM itself, which accounts it can reach, and how reversible its actions are. This gives you the true risk exposure, not just the intended function.
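The sketch below is an added example, not Oscar's implementation. It derives a simple blast-radius summary from IAM policy documents, including the missing environment tag filter described in the EC2 termination finding earlier on the page. The sensitive-action catalogue and the three policies are constructed, and the evaluation only considers Allow statements with `Action` (no Deny, `NotAction`, SCPs or permission boundaries).

```python
from fnmatch import fnmatchcase

# Actions treated as high impact here; the catalogue is an assumption.
SENSITIVE = {
    "ec2:TerminateInstances": "destructive",
    "rds:DeleteDBInstance": "destructive",
    "s3:GetObject": "data_read",
    "ecs:UpdateService": "prod_deploy",
    "iam:AttachRolePolicy": "iam_modify",
    "iam:PutRolePolicy": "iam_modify",
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def reachable(policy):
    """Map each sensitive action the policy allows to (resources, conditioned)."""
    found = {}
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        patterns = [p.lower() for p in as_list(st["Action"])]
        for action in SENSITIVE:
            # IAM action names are case-insensitive and allow * and ? wildcards.
            if any(fnmatchcase(action.lower(), p) for p in patterns):
                res, cond = found.get(action, ([], True))
                # "conditioned" holds only if every allowing statement has a Condition.
                found[action] = (res + as_list(st.get("Resource", "*")),
                                 cond and bool(st.get("Condition")))
    return found

def blast_radius(policy):
    hits = reachable(policy)
    return {
        "categories": sorted({SENSITIVE[a] for a in hits}),
        "can_modify_iam": any(SENSITIVE[a] == "iam_modify" for a in hits),
        "unconditioned_destructive": sorted(
            a for a, (_, cond) in hits.items()
            if SENSITIVE[a] == "destructive" and not cond),
    }

# Constructed policies. SCOPED adds the environment tag filter UNSCOPED lacks.
UNSCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:Terminate*"], "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "dev"}}}]}
ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
```

A condition being present is only a first check; whether it actually excludes production depends on the tag key, its values, and who is allowed to change tags.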
The assessment is a scoped engagement that gives you a complete picture as of a specific date. The monitoring add-on keeps that picture current on an ongoing basis. It detects new agent deployments, flags IAM scope changes, tracks token spend against budgets, and alerts on governance drift. The two are designed to work together: start with the assessment to establish a baseline, add monitoring to ensure you never fall back into the dark.
The governance gap report maps findings against SOC 2, PCI DSS, SR 11-7 (Model Risk Management), and CCPA by default. If your organization operates under HIPAA, the EU AI Act, or sector-specific frameworks, let us know during scoping and we will configure the gap analysis accordingly.
Oscar scans your live environment with read-only credentials. No changes made. No credentials stored centrally. Setup under 30 minutes. Findings in 5 to 10 business days.