Sample Report · Anonymized · TekCapitol, Inc. · tekcapitol.com
TekCapitol · Kyklos360 KAssess · Sample Deliverable · Confidential
AI Agent Risk &
Readiness Report
Prepared for NovaChip Semiconductor · DRC Triage Agent
Sample Kyklos360 KAssess deliverable — semiconductor / EDA workflow · complimentary 1st per org.
Self-serve: tekcapitol.com/kyklos/ · B2B sample: sample-assessment-report.html
44 / 100, FAIR
52 / 100, FAIR
2 of 7
Remediate before enterprise deployment
May 2026
Custom / Proprietary · Cadence Virtuoso, Calibre, Innovus, Genus, internal tape-out tracker
Piloting
TekCapitol, Inc. · tekcapitol.com
About this deliverable
This EDA sample uses the same Kyklos360 KAssess deliverable format — first full report complimentary per org (work-email verify), then $5K/workflow for additional workflows. Implement with your chip team or TekCapitol. Tailored to a DRC triage agent across Virtuoso, Calibre, Innovus, and internal tape-out systems.
Executive Summary
Section 01
Leadership recommendation
Remediate before enterprise deployment
The workflow may run in pilot, but production readiness is 36 points below threshold and audit/compliance posture would fail most enterprise security reviews. Complete Phase 1 blocking items before customer-facing production.
Full remediation projects 79/100 production readiness.
Bottom line
NovaChip Semiconductor's DRC Triage Agent: remediate before enterprise deployment. Primary blocker, cell_name in Virtuoso DRC export does not reliably map to block_name in Innovus or tape-out tracker, entity resolution required before automated routing.
44
Production Readiness* / 100
52
Audit & Compliance Readiness** / 100
4
High-Severity Risks
* Production Readiness Score. Composite 0-100 score from the Diagnose phase. Measures whether this agent workflow is technically ready for production, data, entity resolution, business rules, connectivity, and governance across every decomposed step. 80+ is the production deployment threshold.
** Audit & Compliance Readiness. Separate 0-100 score from the Govern phase. Estimates preparedness for external scrutiny, SOC 2 audits, GDPR reviews, and enterprise AI security questionnaires, based on permissions, audit trails, kill-switch documentation, and encoded controls. Not a certification; an estimate of how defensible this agent would be in audit.

NovaChip Semiconductor has decomposed a DRC Triage Agent workflow into 7 steps. 2 of 7 steps meet production-ready thresholds. Overall readiness is 44/100 (FAIR). Primary gaps are in entity resolution and source of truth, not necessarily in the AI models themselves. Overall governance risk: HIGH.

⚠ Critical Finding 1
cell_name in Virtuoso DRC export does not reliably map to block_name in Innovus or tape-out tracker, entity resolution required before automated routing.
⚡ Critical Finding 2
Entity resolution: Virtuoso cell_name ↔ Innovus block_name ↔ tape-out tracker ID
⚡ Critical Finding 3
Preserve violation_id lineage across Calibre reruns in export schema
⚡ Critical Finding 4
Encode TAPEOUT_M3 HITL rules from governance PDF into versioned routing config
✓ Strength
Strongest dimensions: Governance (avg 72/100). Build remediation on this foundation.
Kyklos360 Readiness Scores
Section 02

Each dimension scored 0-100 across all workflow steps. 80+ is production-ready; 70+ on audit & compliance readiness supports enterprise security reviews. Scores reflect uploaded artifacts and workflow context, platform-agnostic.

Dimension
Score
Finding
Rating
Entity Resolution
32
cell_name ↔ block_name ↔ tracker ID map missing for ~18% of blocks.
Poor
Source of Truth
45
Genus design_revision may lag Virtuoso library revision by 1-2 ECOs.
Fair
Semantic Clarity
47
cell_name vs block_name semantics differ across Virtuoso and Innovus.
Fair
Connectivity
48
No validated API between DRC export and internal tape-out tracker.
Fair
Data Availability
50
DRC and timing exports exist; cross-tool block IDs incomplete.
Fair
Business Rules
50
tapeout_agent_governance.pdf defines HITL but routing rules not encoded.
Fair
Governance
72
Governance PDF confirms read-only tool access and architect HITL gates.
Good
Overall Readiness
Overall readiness: 44/100. Weakest dimensions: Entity Resolution (32), Source of Truth (45).
Agent Risk Register
Section 03

Agent risk register for DRC Triage Agent. Risk rated High / Medium / Low per dimension.

Risk Dimension
Finding
Rating
Access Risk
Ingest DRC violation export; Human gate for tape-out blockers, excessive access: Layout database write, Calibre interactive edit, Auto-close TAPEOUT_M3 blockers without architect approval. Read-only SKILL export per tapeout_agent_governance.pdf
🔴 High
Action Risk
Enforce architect HITL for error DRC and negative slack per governance PDF
🔴 High
Assessment Risk
Step 7: log Violation routing decision, run_id lineage, model confidence, architect approval ref (36 months, AU-3). Step 5: log Routing config version, block_owner assigned, cross-tool enrichment sources used (36 months, AU-12)
🔴 High
Recovery Risk
Hard kill: Immediate stop, no new DRC triage runs, in-flight terminated. Soft kill: Agent pauses, violations queued, no auto-routing. Resume: Root cause documented in tape-out incident log; mapping_block_identity freshness validated by CAD; Architect sign-off on routing config version in use.
🟡 Medium
Cost / Ops Risk
Agent routing tape-out blockers to wrong team, immediate hard kill
🟡 Medium
Approval Risk
mapping_block_identity table not yet in production HITL rules exist in PDF only, not encoded in tape-out tracker violation_id lineage not standardized across Calibre reruns
🔴 High
Overall Risk Assessment
4 of 6 dimensions rated High Risk. Tape-out decisions affect IP release and mask cost, cross-tool DRC routing requires architect HITL and read-only EDA tool access.
Prioritized Implementation Roadmap
Section 04

Recommendations prioritized by enterprise deal impact and production readiness lift. Effort: S (1-2 weeks) / M (2-4 weeks) / L (4-8 weeks).

Investment at a glance
Estimated 12-16 weeks calendar timeline · 2.3 person-months of scoped work · projects 44→79 production readiness.
1
BLOCKING
Cross-tool block identity mapping
cell_name in DRC export does not map to Innovus block_name or tracker ID
M
High Impact
2
BLOCKING
Tape-out HITL gates from governance PDF
TAPEOUT_M3 error DRC and negative slack approval exists only in PDF
S
High Impact
3
SIGNIFICANT
violation_id lineage across DRC reruns
Calibre and Virtuoso exports use different violation keys on rerun
S
Medium Impact
4
SIGNIFICANT
Genus run_id ↔ design_revision link
Simulation results not reliably tied to Virtuoso library revision
S
Medium Impact
5
MINOR
Assessment trail to tape-out tracker
Agent routing rationale not written with run_id and config version
S
Medium Impact
12
Weeks to production-ready
44→79
Score after remediation
3
Critical gaps to close
Implementation Work Scope
Section 05

What work is required and which roles typically own it. If you have these skills in-house, staff it internally, every item in this report can be executed by your team. TekCapitol is optional delivery support if you want help implementing.

Your team leads, TekCapitol optional on Phase 1
Delivery Model
~0.6 FTE-month focused SOW
Fixed-scope estimate
0% / 73%
Typical your team vs TekCapitol
EDA remediation stays with your chip team, CAD, PV, and analog expertise must remain in-house. Your team can run block-identity mapping and governance-as-config (Phase 1) internally; TekCapitol is optional if you want help on those pieces, not a replacement for Virtuoso/Calibre practitioners.
Where TekCapitol can help (optional)
  • Signoff Engineering (governance encoding)
  • Platform Engineering (assessment lake)
Your team owns
  • CAD / Data Engineering
  • Physical Verification
  • Analog CAD
Staffing is your choice: in-house employees, contractors, or TekCapitol. Percentages below are a typical split when teams ask for implementation help, not a requirement to use outside resources.
Skill Gaps Identified
Signoff Engineering
May need hire or contractor · ~6 person-days · Staff in-house, or TekCapitol can help
Platform Engineering
May need hire or contractor · ~6 person-days · Staff in-house, or TekCapitol can help
Not a 0.6 FTE hire, a focused Phase 1 SOW (~12 person-days) for governance encoding and assessment-lake setup while your CAD/PV teams own tool exports.
Staffing feasibility: Significant augmentation likely for data layer only
Effort & Estimation
Section 06

Effort in person-months and person-days - fixed-scope deliverables, not a fractional hire recommendation.

2.3
Total person-months
45
Person-days
12-16 weeks
Calendar timeline
Readiness projection: 44/100 → 79/100 after full remediation (12-16 weeks)
2.3 FTE-months ≈ 46 person-days across five work packages. EDA tool expertise (Virtuoso, Calibre, Genus) dominates the skill mix. At ~0.6 blended concurrent capacity, expect roughly 12-16 weeks, highly dependent on your CAD/PV team availability.
Internal concurrency (if staffed in-house): ~0.6 blended FTE. ~0.6 blended FTE reflects your internal CAD + signoff teams working in parallel over 12-16 weeks. TekCapitol assistance, if requested, is a separate fixed deliverable.
Estimation Assumptions
• 45 person-days total, EDA integrations are more bespoke than B2B SaaS stacks.
• 2.3 FTE-months = 45 ÷ 20; calendar 12-16 weeks at ~0.6 blended FTE across CAD and signoff.
• Assumes read-only EDA exports already exist; no live Virtuoso API integration in this phase.
• Export-control / ITAR review for LLM data paths is out of scope for this effort estimate.
Skills & deliverables
Section 07

Each row is a scoped deliverable with role, skills, and estimated effort. Staff in-house or with TekCapitol - your choice.

Person-months of effort (1.0 ≈ 20 working days). Scoped deliverables, not a headcount or hire recommendation.

Deliverable
Role
Months of work
Skills required
Cross-tool block identity mapping (Virtuoso ↔ Innovus ↔ tracker)
BLOCKING
Data Engineer
0.75 mo
PythonSQLVirtuoso exportsblock hierarchymapping tables
Tape-out HITL gates from governance PDF
BLOCKING
AI Engineer
0.3 mo
LangGraphPythonHITL workflowspolicy-as-codetape-out API
violation_id lineage across DRC reruns
SIGNIFICANT
PV Engineer
0.5 mo
Calibre DRCTclviolation taxonomybatch exports
Genus run_id ↔ design_revision link
SIGNIFICANT
CAD Engineer
0.4 mo
Genus/spectrePythonrevision linkingPDK metadata
Assessment trail to tape-out tracker + engineering data lake
MINOR
Platform Engineer
0.25 mo
PythonREST APIsassessment loggingdata lake ingestion
Role Mix & Staffing
Role
Days
Months of work
Skills
Owner
CAD / Data Engineering
33% of effort
15
0.75 mo
Virtuoso/Innovus exportsblock identity mappingPDK metadata
Your team owns
Signoff Engineering
13% of effort
6
0.3 mo
tape-out HITLgovernance PDF → configarchitect approval
Shared delivery
Physical Verification
22% of effort
10
0.5 mo
Calibre DRCviolation_id lineagererun deduplication
Your team owns
Analog CAD
18% of effort
8
0.4 mo
Genus/spectre exportsdesign_revision linkingcorner metadata
Your team owns
Platform Engineering
13% of effort
6
0.3 mo
tape-out tracker APIengineering assessment lakeIP retention
Shared delivery
Orchestration Plan
Section 08

Model routing, token estimates, and human-in-the-loop gates per workflow step. Generated from your decomposed agent workflow.

85
Est. daily runs
Trigger: Calibre or Virtuoso DRC batch completes, webhook fires DRC Triage Agent for TAPEOUT_M3
Step
Model
Tokens in/out
Rationale
01. Ingest DRC violation export
Deterministic (no LLM)
,
Deterministic parse of CSV exports, no LLM required
02. Resolve block hierarchy and owner
Deterministic (no LLM)
,
Deterministic parse of CSV exports, no LLM required
03. Check Innovus timing closure status
Deterministic (no LLM)
,
Deterministic parse of CSV exports, no LLM required
04. Cross-check Genus simulation results
Deterministic (no LLM)
,
Deterministic parse of CSV exports, no LLM required
05. Classify and route violations
claude-sonnet-4-6
2800 / 350
Routing requires cross-tool context, DRC severity, timing, simulation, and governance policy
06. Human gate for tape-out blockers
Deterministic (no LLM)
,
Deterministic parse of CSV exports, no LLM required
07. Update tracker and audit log
Deterministic (no LLM)
,
Deterministic parse of CSV exports, no LLM required
Human-in-the-loop gates
Step 6
TAPEOUT_M3 milestone AND (DRC severity=error OR Innovus slack_ns < 0): Governance policy requires architect sign-off before auto-close on tape-out blockers
Step 5
Genus pass_fail=FAIL on phase_margin for analog-owned block: Route to analog lead, not layout, per simulation cross-check
Architecture notes: Read-only Virtuoso SKILL export path, no layout database write per governance PDF Innovus timing pull via approved batch report, no ECO or netlist modification Cache block hierarchy mapping for 30 minutes to reduce tracker API load
Anti-patterns to avoid:
  • Hardcoding DRC routing rules in agent prompt instead of versioned signoff config
  • Letting agent write directly to Innovus or Virtuoso design databases
  • Routing by cell_name fuzzy match without mapping_block_identity table
Governance & Kill Switch
Section 09

Permission audit, compliance mapping, and kill-switch authority matrix, aligned to NIST AI RMF and SP 800-53.

high
Overall risk
52
Audit & Compliance Readiness** / 100
ITAR/EAR, SOC2, ISO 9001
Regulations apply
Tape-out decisions affect IP release and mask cost, cross-tool DRC routing requires architect HITL and read-only EDA tool access.
Kill switch authority matrix · MANAGE · SI-17 · CP-10
Level
Trigger & effect
Authority
Hard kill
When: Error-severity misroute rate > 5% for 15 min OR any Virtuoso/Innovus write attempt detected
Effect: Immediate stop, no new DRC triage runs, in-flight terminated
Signoff Director + CAD Platform
Soft kill
When: Block identity mapping match rate < 80% for 30 minutes
Effect: Agent pauses, violations queued, no auto-routing
Physical Verification Lead
Scope limit
When: Genus design_revision mismatch > 10% of analog blocks
Effect: Disable simulation-informed routing; DRC + timing only
Tape-out Program Manager
Resume requirements:
  • Root cause documented in tape-out incident log
  • mapping_block_identity freshness validated by CAD
  • Architect sign-off on routing config version in use
Audit trail spec: Log kill level, trigger, actor role, timestamp, affected violation count, and config version to immutable engineering assessment store
Priority access controls
Read-only Virtuoso and Innovus export service accounts per governance PDF AC
Versioned signoff routing config with architect approval before production deploy CM
Monitoring Plan
Section 10

Data quality alerts, LLM eval criteria, circuit breakers linked to kill-switch levels, ops runbook, and KPIs.

Stack: Datadog · Splunk · LangSmith · PagerDuty
Production KPIs
DRC triage automation rate
> 55% of violations auto-routed correctly
Tape-out tracker auto-routed vs total violations per run
Error-severity misroute rate
< 2%
Manual override count / error violations weekly
Mean time to enrich (DRC + timing + simulation)
< 15 seconds p95
Distributed trace from agent orchestrator
Circuit breakers → kill switch
Error-severity misroute rate
> 5% over 15 min, Agent routing tape-out blockers to wrong team, immediate hard kill
Unauthorized EDA write attempt
Any occurrence, Governance policy violation, terminate all agent runs
Ops runbook
Verify mapping_block_identity coverage for TAPEOUT_M3 blocks (daily, CAD on-call), Page data engineering if match rate below 82%
Review LangSmith routing eval on error-severity violations (weekly, Signoff Engineering), Open incident if misroute rate above threshold
Data quality alerts
Step 3
Blocks with slack_ns < 0 on TAPEOUT_M3, threshold Any new failing block without open DRC ticket (critical)
Timing Signoff
Step 2
cell_name to block_name mapping rate, threshold < 82% match on TAPEOUT_M3 blocks (warning)
CAD / Data Engineering
What to do next
Section 11

Kyklos360 is Diagnose · Fix · Protect. This KAssess report identified production gaps; KFix and KCyber are the next steps in the app — or assign the roadmap to your team.

Step 2 · Kyklos360 KFix
We found 7 gaps (4 blocking production)
Your KFix queue is pre-loaded from this assessment — 7 playbook items ready to preview, approve, and apply in staging. Projected score after fixes: 44→79. Open KFix in the app to fix now, or export this PDF for your team.
Fix gaps in KFix →7 items in queue
Step 3 · Kyklos360 KCyber
When fixes are in place, protect the live agent
This assessment includes kill-switch and gate requirements. Register the workflow, wire check_gate before each run, and audit metadata-only actions when the agent is live.
Tour KCyber / kill switch →
Draft Enterprise Security Questionnaire Answers
Section 12

Draft answers to the 5 most common enterprise AI security questions, based on this assessment. Review with legal before submitting to prospects.

Q1. What data does your AI agent access, and how is access controlled?
Our DRC Triage Agent accesses workflow data across Custom / Proprietary · Cadence Virtuoso, Calibre, Innovus, Genus, internal tape-out tracker. Required access: Virtuoso DRC read export, Calibre report CSV read. Read-only SKILL export per tapeout_agent_governance.pdf. Excessive access flagged: Layout database write, Calibre interactive edit.
Note: Valid after completing Phase 1 (BLOCKING) remediation. Current readiness score 44/100, do not submit until access controls are implemented.
Q2. Can your AI agent modify or delete customer data?
Excessive write access has been identified and must be removed. Agent actions at step 1 (Ingest DRC violation export) require: Read-only SKILL export per tapeout_agent_governance.pdf. Autonomous modifications require human approval where policy mandates HITL gates.
Note: Excessive access identified in permission assessment, remediate before submitting to enterprise prospects.
Q3. How do you assessment what your AI agent did and why?
Every agent action at step 7 is logged: Violation routing decision, run_id lineage, model confidence, architect approval ref. Retention: 36 months. Owner: Signoff Engineering. NIST control: AU-3. Logs enable decision reconstruction on demand.
Q4. What happens if your AI agent makes an error that affects our data?
Governance framework includes: hard kill (Immediate stop, no new DRC triage runs, in-flight terminated) triggered by Error-severity misroute rate > 5% for 15 min OR any Virtuoso/Innovus write attempt detected; soft kill (Agent pauses, violations queued, no auto-routing); scope limit (Disable simulation-informed routing; DRC + timing only). Agent routing tape-out blockers to wrong team, immediate hard kill Authority: Signoff Director + CAD Platform.
Review kill-switch runbook with operations before submitting.
Q5. How do you ensure your AI agent doesn't use our data to train future models?
Agents use inference-only API calls to third-party LLM providers with data processing agreements prohibiting use of customer data for model training. SOC2 access and assessment controls: Least-privilege EDA export accounts; 36-month violation_id retention per IP policy. Training opt-out parameters set on all LLM API calls.
Verify current API agreements with your LLM providers and review with legal counsel before submitting.
Workflow Governance Record
Appendix 13

Machine-readable governance contract for this workflow — for vendor risk, SOC 2, and internal audit file. Full control matrix: export Evidence Pack from the KAssess report screen (HTML + JSON).

Governance record v1.0 · 7 controls mapped · 3 gap(s) · 3 regulation(s)
Kyklos360 KAssess Workflow Governance Record for NovaChip Semiconductor — DRC Triage Agent. Audit & compliance readiness estimate: 52/100. Control matrix: 1 gap(s), 4 partial, 2 addressed in documentation. Overall risk: high. This pack documents governance design; runtime enforcement requires KCyber Live and customer IAM/catalog integration.
wgr_sample_novachip-semiconductor
Workflow ID
7
Controls mapped
3
Certification gaps
3
Regulations in scope
Edition & principal
KAssess · Principal: hybrid
Record metadata
WGR v1.0 · Updated 2026-06-26
Regulatory scope

ITAR/EAR · SOC2 · ISO 9001

Priority certification gaps
  • mapping_block_identity table not yet in production
  • HITL rules exist in PDF only, not encoded in tape-out tracker
  • violation_id lineage not standardized across Calibre reruns
KCyber Rollback — gap map

Kill switch stops forward. Rollback undoes backward. Kill switch stops future runs; rollback undoes completed writes via compensating transactions.

kill_switchKCyber Live (included in Launch)
documented
Stop future agent runs at orchestrator gate
action_ledgerKCyber Rollback (Live add-on)
partial
Log every write with object ref and reversibility
compensating_transactionsKAssess spec + KFix templates
partial
Per-system undo procedure defined before production
rollback_runbookKAssess / KCyber edition PDF
partial
Who approves rollback, SLA, kill switch + rollback sequence
rollback_queueKCyber Rollback dashboard (Live)
missing
Operator marks actions for rollback; customer worker executes
Action ledger + rollback queue on KCyber dashboard. KFix action-ledger-rollback playbook.
IAM / access notes
Step 1: Layout database write; Calibre interactive edit
Step 6: Auto-close TAPEOUT_M3 blockers without architect approval
Authorization architecture (advisory)

Hybrid — ReBAC for data access + OPA/Cedar at orchestrator + KCyber run gate · Primary engines: OpenFGA

Hybrid — ReBAC for data access + OPA/Cedar at orchestrator + KCyber run gate. Primary: OpenFGA. Principal: hybrid. KAssess specifies architecture; customer or TekCapitol deploys the PDP.

  • Before each agent run (orchestrator PEP — complements KCyber gate)
  • Before each tool or API call with side effects
  • At human approval gates (policy check + audit log)
KAssess does not run OPA, OpenFGA, Cedar, Cerbos, Oso, or Permit.io. KCyber Live gates agent runs; fine-grained authz requires customer-deployed PDP per this architecture.
Export the full evidence pack (control matrix, stewardship attestation template, compliance mapping) from tekcapitol.com/kyklos/ on the Report phase, or request from info@tekcapitol.com for Managed Audit engagements.
Recommended Next Steps
This assessment identified the gaps. NovaChip Semiconductor's team can implement the roadmap in-house if you have the skills, or TekCapitol can assist. Either path builds toward AI agent workflows your enterprise customers will trust. Request a scoping call at tekcapitol.com/book.html or run another assessment at tekcapitol.com/kyklos/.
BLOCKING
2 remediation items
Must complete before any agent work begins
SIGNIFICANT
2 remediation items
Fix before pilot on TAPEOUT_M3 blocks
MINOR
1 remediation items
Fix before full-chip production scale
TEKCAPITOL, INC. · info@tekcapitol.com · tekcapitol.com · San Jose, California