| Inventory and ownership | Which agents exist, where do they run, and who is accountable for each one? | Repositories, deployments, workflow definitions, model configurations, business owner interviews |
| Identity and delegation | Can the organization resolve the agent, initiating human, application, and delegated authority? | Identity claims, service accounts, OAuth grants, token scopes, impersonation paths |
| Tools and MCP | Which tools can be called, how are they described, and where are trust boundaries enforced? | MCP server manifests, tool schemas, transports, gateways, server code, dependency inventories |
| Data access | What sensitive data can enter context, be retrieved, transformed, disclosed, or persisted? | Data classifications, retrieval indexes, database permissions, logs, DLP rules, tenant filters |
| Action controls | Which actions are allowed, denied, constrained, rate-limited, or human-approved? | API scopes, business rules, transaction limits, workflow states, approval records |
| Observability and evidence | Can investigators connect intent, identity, policy, data, tool use, approval, and outcome? | Action logs, model references, gateway records, approval events, downstream system logs |
| Containment and recovery | Can the smallest affected component be disabled quickly and restored safely? | Runbooks, revocation controls, safe-mode procedures, evidence preservation, exercises |
| Governance and assurance | How are changes reviewed, controls tested, exceptions approved, and evidence reported? | Policies, change records, risk acceptance, security questionnaires, framework mappings |