We inspect authority, escalation, evidence, and rollback across 1 to 3 agent workflows.
The assessment is built for agents touching code, data, tools, or production. It turns an unclear agent risk picture into architecture findings your team can act on.
The question is simple: what happens when the agent hits a boundary?
Two to three weeks. Narrow scope. Concrete findings.
Scope the workflows
We choose workflows where agent authority already matters: code changes, customer actions, internal data, workflow triggers, approvals, or external messages.
Map trust boundaries
The map shows where authority enters the system, where it can expand, and where governance relies on assumptions instead of controls.
Test escalation and bypass paths
We look for the failure pattern: does the agent defer, escalate, stop, retry, delegate, or route around the control?
Build the finding record
Findings name the control gap and the architectural source. They avoid vague warnings like "AI risk" unless the risk is tied to a specific authority path.
Brief leadership and engineering
The final briefing gives security, engineering, and leadership the same map. That is the point.
Designed as a front-door offer, not a transformation program.
| Element | Typical assessment scope |
|---|---|
| Duration | 2 to 3 weeks. |
| Workflows | 1 to 3 agent workflows touching code, data, tools, or production. |
| Stakeholders | CISO or security lead, CTO or platform lead, product owner, governance or compliance owner. |
| Commercial starting point | Starting at $75k. Scope changes if workflows, vendors, or environments expand. |
| Primary output | Authority map, AICL-style findings, Remediation architecture, Executive briefing. |