Agent Control Efficacy
The whole story — not the part with an owner.
What the board heard last quarter
- Phishing failure rate — 2%
- Security training — 100% complete
- Critical patch SLA — met
- MFA coverage — 99%
The part with an owner.
What ACE found in your agents
- Agents can exceed their granted scope
- A live, exploitable vuln in an agent path
- 30% of agent actions not reconstructable
- 2 shadow agents nobody approved
The part no one owns.
Same quarter. Same company. Your board saw the first list. ACE shows you the second — before a breach does.
Overall posture
Amber
Your controls do not yet hold against AI agents. Two domains need work before agents scale. Two are sound today.
Seven domains
Exhibit A · the finding that wasn't in the deck
A dependency in one agent's tool path carried a vulnerability — flagged medium, parked in the backlog. Staris validated it as actually exploitable and reachable: an attacker reaching the agent could pivot to the records it queries. Your team saw it. Nobody owned the fix. Nobody had the time or the authority to force it. It ran against your agents — and seeing it was never the hard part.
Domain detail
- 1 · Identity & attestation · amber
  - Finding: 62% of agent actions trace to a unique credentialed identity
  - Action: Bind agent identity at runtime — Watchlight (phase 2)
- 2 · Authorization & scope · red
  - Finding: Scope enforced in policy, not at runtime — agents can exceed it
  - Action: Runtime scope enforcement — Watchlight (phase 2)
- 3 · Agent integrity & exploitability · red
  - Finding: Staris validated 2 of 17 scanner-flagged vulns as exploitable through the agent’s tool path — both rated medium
  - Action: Remediate the validated-exploitable vulns; Staris re-validates
- 4 · Detection & behavior · amber
  - Finding: Detections cover 4 of 11 known agent attack techniques (MITRE ATLAS)
  - Action: Agent detection content — SRA (phase 2)
- 5 · Data governance at speed · green
  - Finding: Bulk agent reads governed and logged; time-to-detect under target
  - Action: Holding — monitor quarterly
- 6 · Audit & reconstructability · amber
  - Finding: Full action chain reconstructable for 70% of agent transactions
  - Action: Close audit gaps — Watchlight (phase 2)
- 7 · Lifecycle & change · green
  - Finding: All known agents governed; 2 shadow agents found and onboarded
  - Action: Holding — monitor quarterly