Sample Report · Anonymized · TekCapitol, Inc. · tekcapitol.com
TekCapitol · Kyklos360 KAssess · KCyber edition · Sample Deliverable · Confidential
AI Agent Risk &
Readiness Report
Prepared for Vertex Global · Password Reset Agent
Kyklos360 KCyber edition sample - security readiness + kill switch policy spec.
Run live: tekcapitol.com/kyklos/?start=assessment&edition=kcyber
51 / 100, FAIR
58 / 100, FAIR
2 of 7
Remediate before enterprise deployment
May 2026
ServiceNow · Okta · Workday · Snowflake · Custom / Proprietary · Splunk SIEM risk export
Piloting
TekCapitol, Inc. · tekcapitol.com
About this deliverable
This is a sample Kyklos360 KCyber edition assessment - same engine as KAssess, with security-native deliverables: agent risk register, access boundaries, kill switch policy spec, IR playbook template, and draft security questionnaire answers. KFix queue included; KCyber Live Launch optional after go-live.
Executive Summary
Leadership recommendation
Remediate before enterprise deployment
The workflow may run in pilot, but production readiness is 29 points below threshold and audit/compliance posture would fail most enterprise security reviews. Complete Phase 1 blocking items before customer-facing production.
Full remediation projects 81/100 production readiness.
Bottom line
Vertex Global's Password Reset Agent: remediate before enterprise deployment. Primary blocker, Workday employee_id maps to Okta user_id for only ~88% of users, during this week's 3× login-failure spike, misrouted resets and manual rework are overwhelming Identity Ops.
51
Production Readiness* / 100
58
Audit & Compliance Readiness** / 100
3
High-Severity Risks
* Production Readiness Score. Composite 0-100 score from the Diagnose phase. Measures whether this agent workflow is technically ready for production, data, entity resolution, business rules, connectivity, and governance across every decomposed step. 80+ is the production deployment threshold.
** Audit & Compliance Readiness. Separate 0-100 score from the Govern phase. Estimates preparedness for external scrutiny, SOC 2 audits, GDPR reviews, and enterprise AI security questionnaires, based on permissions, audit trails, kill-switch documentation, and encoded controls. Not a certification; an estimate of how defensible this agent would be in audit.

Vertex Global has decomposed a Password Reset Agent workflow into 7 steps. 2 of 7 steps meet production-ready thresholds. Overall readiness is 51/100 (FAIR). Primary gaps are in entity resolution and source of truth, not necessarily in the AI models themselves. Overall governance risk: HIGH.

⚠ Critical Finding 1
Workday employee_id maps to Okta user_id for only ~88% of users, during this week's 3× login-failure spike, misrouted resets and manual rework are overwhelming Identity Ops.
⚡ Critical Finding 2
Entity resolution: Workday employee_id ↔ Okta user_id ↔ ServiceNow caller_id
⚡ Critical Finding 3
Encode volume throttle and loop-detection rules from policy PDF into versioned config
⚡ Critical Finding 4
Reduce IDENTITY_MART refresh lag vs Okta during login-spike windows
⚡ Compliance Gap
Policy throttle not enforced in code
Kyklos360 Readiness Scores

Each dimension scored 0-100 across all workflow steps. 80+ is production-ready; 70+ on audit & compliance readiness supports enterprise security reviews. Scores reflect uploaded artifacts and workflow context, platform-agnostic.

Dimension
Score
Finding
Rating
Entity Resolution
36
~12% contractors missing employee_id ↔ okta_user_id map.
Poor
Source of Truth
42
IDENTITY_MART lags Okta by up to 45 min during spike.
Fair
Business Rules
45
Policy PDF defines throttle + HITL but rules not encoded in config.
Fair
Semantic Clarity
49
failed_login vs reset_loop semantics differ across SN and Okta.
Fair
Connectivity
50
SN→Okta lookup manual; no validated join in mart.
Fair
Data Availability
54
Exports exist; cross-system identity keys incomplete.
Fair
Governance
68
Policy confirms scoped Okta app and service-account HITL.
Good
Overall Readiness
Overall readiness: 51/100. Weakest dimensions: Entity Resolution (36), Source of Truth (42).
Agent Risk Register

Agent risk register for Password Reset Agent. Risk rated High / Medium / Low per dimension.

Risk Dimension
Finding
Rating
Access Risk
Execute reset and write audit trail, excessive access: Okta Super Admin, Bulk password reset without per-incident audit. Use OKTA_KYKLOS_RESET scoped app per password_reset_agent_policy.pdf
🔴 High
Assessment Risk
No agent decision audit trail defined. Cannot reconstruct agent decisions on demand, blocks enterprise procurement in regulated industries.
🔴 High
Recovery Risk
Hard kill: Terminate all agent reset actions immediately. Soft kill: not defined. Resume: Root cause of spike identified and documented; Mapping table freshness validated above 95%; Identity Ops sign-off on resume checklist.
🟡 Medium
Cost / Ops Risk
Wrong-user reset detected, hard kill all automated resets
🟡 Medium
Approval Risk
Policy throttle not enforced in code Identity mapping incomplete for contractors
🔴 High
Overall Risk Assessment
3 of 5 dimensions rated High Risk. Automated password reset during a login-failure spike is high-risk, incorrect reset on compromised or privileged accounts amplifies breach impact.
Prioritized Implementation Roadmap

Recommendations prioritized by enterprise deal impact and production readiness lift. Effort: S (1-2 weeks) / M (2-4 weeks) / L (4-8 weeks).

Investment at a glance
Estimated 8-12 weeks calendar timeline · 1.3 person-months of scoped work · projects 51→81 production readiness.
1
BLOCKING
Cross-system identity mapping
employee_id ↔ okta_user_id ↔ ServiceNow caller incomplete for contractors
M
High Impact
2
BLOCKING
Encode spike throttle and loop detection
3× baseline throttle exists only in PDF, not in agent config
S
High Impact
8
Weeks to production-ready
51→81
Score after remediation
3
Critical gaps to close
Implementation Work Scope

What work is required and which roles typically own it. If you have these skills in-house, staff it internally, every item in this report can be executed by your team. TekCapitol is optional delivery support if you want help implementing.

Hybrid delivery
Delivery Model
Where TekCapitol can help (optional)
  • Complete Transform phase for scope detail
Your team owns
  • Domain operations and day-to-day policy judgment
Staffing is your choice: in-house employees, contractors, or TekCapitol. Percentages below are a typical split when teams ask for implementation help, not a requirement to use outside resources.
Effort & Estimation

Effort in person-months and person-days - fixed-scope deliverables, not a fractional hire recommendation.

1.3
Total person-months
32
Person-days
8-12 weeks
Calendar timeline
Readiness projection: 51/100 → 81/100 after full remediation (8-12 weeks)
1.3 person-months ≈ 26 person-days of work. Calendar time (8-12 weeks) depends on how many of these skills run in parallel, roughly 1.3 ÷ 0.5 people working concurrently ≈ 11 weeks if staffed steadily. Phased dependencies may extend that.
Internal concurrency (if staffed in-house): ~0.5 blended FTE.
Skills & deliverables

Each row is a scoped deliverable with role, skills, and estimated effort. Staff in-house or with TekCapitol - your choice.

Person-months of effort (1.0 ≈ 20 working days). Scoped deliverables, not a headcount or hire recommendation.

Deliverable
Role
Months of work
Skills required
Identity mapping (Workday ↔ Okta ↔ ServiceNow)
BLOCKING
Data Engineer
0.55 mo
dbtSQLentity resolutionidentity graphs
Policy-as-code: throttle, loop detection, privileged HITL
BLOCKING
Identity Engineer
0.35 mo
Okta WorkflowsYAML policyServiceNow integration
IDENTITY_MART freshness during login spikes
SIGNIFICANT
Data Engineer
0.35 mo
Snowflakestreaming ingestSLA alerts
Orchestration Plan

Model routing, token estimates, and human-in-the-loop gates per workflow step. Generated from your decomposed agent workflow.

680
Est. daily runs
Trigger: ServiceNow incident created/updated in Access category or SIEM failed-login spike webhook
Step
Model
Tokens in/out
Rationale
01. Ingest and classify reset request
claude-sonnet-4-6
2200 / 320
Policy routing during login spike requires multi-system context and risk reasoning
02. Resolve user in Okta
Deterministic (no LLM)
,
Deterministic API fetch from Okta/Workday/Snowflake
03. Verify employment and account type
Deterministic (no LLM)
,
Deterministic API fetch from Okta/Workday/Snowflake
04. Load SIEM risk and login spike context
Deterministic (no LLM)
,
Deterministic API fetch from Okta/Workday/Snowflake
05. Apply reset policy and routing decision
claude-sonnet-4-6
2200 / 320
Policy routing during login spike requires multi-system context and risk reasoning
06. Human gate for privileged and high-risk paths
Deterministic (no LLM)
,
Deterministic API fetch from Okta/Workday/Snowflake
07. Execute reset and write audit trail
Deterministic (no LLM)
,
Deterministic API fetch from Okta/Workday/Snowflake
Human-in-the-loop gates
Step 6
worker_type = Service Account AND failed_login_24h > 20: Policy requires Security Ops review, no auto-reset on service accounts during spike
Step 6
geo_anomaly_flag = true AND siem_risk_score > 75: Step-up verification required per policy, deny automated reset
Architecture notes: Okta reset via OKTA_KYKLOS_RESET scoped OAuth app, no Super Admin role Throttle auto-resets to 50/hour when enterprise failed_login aggregate > 3× baseline Cache Workday employment_status for 10 minutes, not real-time during HR batch windows
Anti-patterns to avoid:
  • Auto-resetting without employee_id ↔ okta_user_id validation
  • Bypassing loop detection when user requested reset twice in 24h
  • Embedding throttle rules in LLM prompt instead of versioned config
Governance & Kill Switch

Permission audit, compliance mapping, and kill-switch authority matrix, aligned to NIST AI RMF and SP 800-53.

high
Overall risk
58
Audit & Compliance Readiness** / 100
SOC2, ISO 27001
Regulations apply
Automated password reset during a login-failure spike is high-risk, incorrect reset on compromised or privileged accounts amplifies breach impact.
Kill switch authority matrix
Level
Trigger & effect
Authority
Hard kill
When: Any reset on account with siem_risk_score > 90 without HITL approval
Effect: Terminate all agent reset actions immediately
Security Operations Lead
Resume requirements:
  • Root cause of spike identified and documented
  • Mapping table freshness validated above 95%
  • Identity Ops sign-off on resume checklist
Monitoring Plan

Data quality alerts, LLM eval criteria, circuit breakers linked to kill-switch levels, ops runbook, and KPIs.

Stack: Datadog · Splunk · Snowflake alerts · PagerDuty
Production KPIs
Auto-reset success rate (non-privileged)
> 70% during spike
ServiceNow incidents closed by agent vs total password-reset queue
False reset / wrong-user rate
< 0.5%
Identity Ops rollback count weekly
Mean time to reset (p95)
< 5 minutes for standard employees
Trace from incident open to Okta status ACTIVE
Circuit breakers → kill switch
False reset rate
> 2% over 15 min, Wrong-user reset detected, hard kill all automated resets
Data quality alerts
Step 4
IDENTITY_MART lag vs Okta failed_login counter, threshold > 30 min during spike window (critical)
Identity Engineering
What to do next

Kyklos360 is Diagnose · Fix · Protect. This KAssess report identified production gaps; KFix and KCyber are the next steps in the app - or assign the roadmap to your team.

Step 2 · Kyklos360 KFix
We found 4 gaps blocking production readiness
Your KFix queue is pre-loaded from this assessment - 4 playbook items ready to preview, approve, and apply in staging. Projected score after fixes: 51→81. Open KFix in the app to fix now, or export this PDF for your team.
Fix gaps in KFix →4 items in queue
Step 3 · Kyklos360 KCyber
When fixes are in place, protect the live agent
This assessment includes kill-switch and gate requirements. Register the workflow, wire check_gate before each run, and audit metadata-only actions when the agent is live.
Draft Enterprise Security Questionnaire Answers

Draft answers to the 5 most common enterprise AI security questions, based on this assessment. Review with legal before submitting to prospects.

Q1. What data does your AI agent access, and how is access controlled?
Our Password Reset Agent accesses workflow data across ServiceNow · Okta · Workday · Snowflake · Custom / Proprietary · Splunk SIEM risk export. Required access: Okta Users API read, Okta reset scoped app, ServiceNow work notes. Use OKTA_KYKLOS_RESET scoped app per password_reset_agent_policy.pdf. Excessive access flagged: Okta Super Admin, Bulk password reset without per-incident audit.
Note: Valid after completing Phase 1 (BLOCKING) remediation. Current readiness score 51/100, do not submit until access controls are implemented.
Q2. Can your AI agent modify or delete customer data?
Excessive write access has been identified and must be removed. Agent actions at step 7 (Execute reset and write audit trail) require: Use OKTA_KYKLOS_RESET scoped app per password_reset_agent_policy.pdf. Autonomous modifications require human approval where policy mandates HITL gates.
Note: Excessive access identified in permission assessment, remediate before submitting to enterprise prospects.
Q3. How do you audit what your AI agent did and why?
Assessment trail specification not yet implemented. Roadmap includes immutable agent decision logging with input snapshot, rationale, output, and model used.
Note: No audit trail exists today, complete audit trail remediation before enterprise security review.
Q4. What happens if your AI agent makes an error that affects our data?
Governance framework includes: hard kill (Terminate all agent reset actions immediately) triggered by Any reset on account with siem_risk_score > 90 without HITL approval; soft kill (pause new runs); scope limit (restrict autonomous scope). Wrong-user reset detected, hard kill all automated resets Authority: Security Operations Lead.
Review kill-switch runbook with operations before submitting.
Q5. How do you ensure your AI agent doesn't use our data to train future models?
Agents use inference-only API calls to third-party LLM providers with data processing agreements prohibiting use of customer data for model training. SOC2 access and audit controls: Least-privilege Okta app; 24-month retention on reset audit trail. Training opt-out parameters set on all LLM API calls.
Verify current API agreements with your LLM providers and review with legal counsel before submitting.
Workflow Governance Record

Machine-readable governance contract for this workflow - for vendor risk, SOC 2, and internal audit file. Full control matrix: export Evidence Pack from the KAssess report screen (HTML + JSON).

Governance record v1.0 · 8 controls mapped · 2 gap(s) · 2 regulation(s)
Kyklos360 KAssess (KCyber edition) Workflow Governance Record for Vertex Global - Password Reset Agent. Audit & compliance readiness estimate: 58/100. Control matrix: 2 gap(s), 4 partial, 2 addressed in documentation. Overall risk: high. This pack documents governance design; runtime enforcement requires KCyber Live and customer IAM/catalog integration.
wgr_sample_vertex-global
Workflow ID
8
Controls mapped
2
Certification gaps
2
Regulations in scope
Edition & principal
KCyber edition · Principal: hybrid
Record metadata
WGR v1.0 · Updated 2026-06-26
Regulatory scope

SOC2 · ISO 27001

Priority certification gaps
  • Policy throttle not enforced in code
  • Identity mapping incomplete for contractors
KCyber Rollback - gap map

Kill switch stops forward. Rollback undoes backward. Kill switch stops future runs; rollback undoes completed writes via compensating transactions.

kill_switchKCyber Live (included in Launch)
documented
Stop future agent runs at orchestrator gate
action_ledgerKCyber Rollback (Live add-on)
missing
Log every write with object ref and reversibility
compensating_transactionsKAssess spec + KFix templates
missing
Per-system undo procedure defined before production
rollback_runbookKAssess / KCyber edition PDF
partial
Who approves rollback, SLA, kill switch + rollback sequence
rollback_queueKCyber Rollback dashboard (Live)
missing
Operator marks actions for rollback; customer worker executes
Action ledger + rollback queue on KCyber dashboard. KFix action-ledger-rollback playbook.
IAM / access notes
Step 7: Okta Super Admin; Bulk password reset without per-incident audit
Authorization architecture (advisory)

Hybrid - ReBAC for data access + OPA/Cedar at orchestrator + KCyber run gate · Primary engines: OpenFGA

Hybrid - ReBAC for data access + OPA/Cedar at orchestrator + KCyber run gate. Primary: OpenFGA. Principal: hybrid. KAssess specifies architecture; customer or TekCapitol deploys the PDP.

  • Before each agent run (orchestrator PEP - complements KCyber gate)
  • Before each tool or API call with side effects
  • At human approval gates (policy check + audit log)
KAssess does not run OPA, OpenFGA, Cedar, Cerbos, Oso, or Permit.io. KCyber Live gates agent runs; fine-grained authz requires customer-deployed PDP per this architecture.
Export the full evidence pack (control matrix, stewardship attestation template, compliance mapping) from tekcapitol.com/kyklos/ on the Report phase, or request from info@tekcapitol.com for Managed Audit engagements.
Recommended Next Steps
This assessment identified the gaps. Vertex Global's team can implement the roadmap in-house if you have the skills, or TekCapitol can assist. Either path builds toward AI agent workflows your enterprise customers will trust. Request a scoping call at tekcapitol.com/book.html or run another assessment at tekcapitol.com/kyklos/.
BLOCKING
2 remediation items
Required before automating resets during volume spike