Engagement 01 — The Wedge

Autonomy Authority Audit

In two weeks, you know exactly what agents are running in your organization, what authority each one has actually accumulated, and — prioritized and priced — what it takes to govern them. Fixed fee. Named deliverables. Board-ready.

Book a scoping call $18,000 FIXED · 2 WEEKS
Why Start Here

You can't govern a fleet you can't see.

Most agent risk isn't in the pilot your security team reviewed. It's in everything that grew around it: the workflow automations with production credentials, the copilots wired to internal APIs, the agents a team stood up last quarter without telling anyone. 94% of enterprises report exactly this kind of AI sprawl (IBM) V — and shadow-AI incidents carry a materially higher average cost than ordinary ones — $670,000 in excess cost, per industry breach-cost research V.

Meanwhile only 14.4% of organizations have full security approval for their agent fleet (CSA/Token Security) V. The audit closes that gap the only way it can be closed: inventory first, authority map second, remediation plan third.

Priced to be an easy first yes.

We're a new firm and we price like one: $18,000, fixed, with a named deliverable you can put in front of your board and your security team — comparable mid-market security assessments run $15–50k, and purchases at this level frequently clear on a single budget owner's signature.

The audit is also how we earn the right to the bigger engagement. If the findings justify a Production Autonomy Deployment, the audit output becomes its first milestone. If they don't, you keep the map and build internally — most of the value survives either path.

Deliverables

What you receive on day 14

  • Agent fleet inventory — every deployed agent, including shadow agents: owner, platform, credentials, data touched, actions available.
  • Authority-boundary map — what each agent can actually do versus what anyone believes it can do, tiered by consequence.
  • Execution-layer risk assessment — your actuation surface assessed against the OWASP Agentic Top 10, with findings ranked by exploitability and blast radius.
  • Incident-readiness score — detection, containment, termination, and recovery capability, scored dimension by dimension.
  • Prioritized remediation architecture — the authority model your fleet needs, sequenced by risk reduction per unit of effort.
  • Two artifacts, two audiences — a board-ready findings document, and a technical authority model your platform team implements against.

Findings are evidence-tagged throughout — verified, inferred, or assumed — the same claim-integrity discipline we apply to our own public governance.

Timeline

Two weeks, fixed

  1. Days 1–2 — Access & scoping

    Read-only access to agent platforms, identity provider, and logging. A one-hour kickoff with your platform owner and security lead. No production changes at any point in the engagement.

  2. Days 3–7 — Inventory & authority mapping

    Fleet discovery across sanctioned and unsanctioned surfaces; credential and permission tracing; construction of the authority-boundary map. Mid-point checkpoint: you see the raw inventory before we assess it.

  3. Days 8–12 — Risk assessment & remediation design

    Execution-layer assessment against the OWASP Agentic Top 10, incident-readiness scoring, and the prioritized remediation architecture — what to gate, what to kill, what to formalize, in what order.

  4. Days 13–14 — Readout

    A working session with your CTO and CISO, the board-ready document, and the technical authority model. Every finding traceable to evidence; every recommendation priced in effort and sequenced by risk.

Questions We Get

FAQ

Why not wait for Microsoft, Google, or ServiceNow to cover this?

Their control planes govern their own ecosystems and assume a large platform team. Most real fleets are cross-framework — 94% of enterprises report AI sprawl (IBM) V — and the incidents are happening now, at an 88% rate (CSA/Token Security) V. The audit makes you governable in weeks, portably, across whatever platforms you actually run.

Our agent platform vendor says governance is included.

It includes controls for agents built on that platform. The audit inventories what's running around it — and shadow agents are where the incidents concentrate. Industry breach-cost research puts the average excess cost of shadow-AI incidents at $670,000 V. The most valuable line in most audit reports is the list of agents nobody knew existed.

Can't we build this assessment internally?

You can — and governed organizations ship 12× more AI projects to production (Databricks) V, so you should build governance either way. The audit gives your team the map, the method, and the authority model to build on. Most clients keep building internally on top of it; the deliverable is designed to be handed to your own engineers, not to create dependency on us.

You're small and new. Why should we trust you with this?

Correct — so we priced the first step at $18k, fixed, with a named deliverable, and we run our own operations under the same governance we audit, publicly. Judge the report, not the logo. If the readout doesn't stand on its own in front of your security team, you've spent two weeks and a small assessment budget finding that out.

Will the audit disrupt production or require code changes?

No. The engagement is read-only: platform access, identity and permission review, log analysis, and interviews. Remediation is designed in the report and executed later — by your team, or by ours in a deployment engagement, under change control you approve.

Your company is run by AI agents. Isn't that exactly the risk you're warning about?

It's the point. Ungoverned agents are the risk; ours run inside the authority architecture we sell — tiered approvals, fail-closed sensitive domains, a hash-chained decision ledger, and a human founder holding material authority. That's why we can publish our governance page. Would you rather buy governance from a firm that doesn't govern itself?

What do you need from us to start?

A 30-minute scoping call to confirm fit and access paths, a signed agreement, and two named contacts (platform owner, security lead). Kickoff typically follows within two weeks of signature.

Next Step

Thirty minutes to scope. Two weeks to a map.

Tell us what's running and what's stalled. We'll tell you — honestly — whether the audit will pay for itself. If it won't, we'll say so on the call.