Workbench-backed AI security engagements — map, attack, defend, and prove your AI systems.

SECENG WORKBENCH

Agent Authority & Approval-Path Analysis

Map agent authority, tool permissions, and approval paths.

Map agent authority, tool permissions, and delegated-action risk. Import workflows, MCP servers, and tool schemas — SecEng Authority Graph builds a permission map that shows what agents can read, write, send, execute, and administer, then flags dangerous compositions before they reach production.

WHAT CAN AGENTS ACTUALLY DO?

Authority Mapping

Classify every tool: read, write, send, execute, admin — with scopes.

Workflow Graphs

Visual authority graph from user input through agents to external effects.

Risk Detection

Detect dangerous compositions: read sensitive data + send externally.

Approval Control

Verify approval gates and flag missing, bypassed, or optional controls.

Agent Workflow & Authority Analyzer

ACME Corp fixture · graph preview driven by the real analysis bundle

Scorecard (fixture):

  • High-risk workflows: 7 (composition report scorecard)
  • Tools discovered: 38 (authority register total)
  • Approval coverage: 68% (approval boundary coverage)
  • Approval boundaries bypassed: 3 (bypass boundaries)

Graph preview nodes: User Request (Webhook), Assistant Agent (Agent), Retrieve Documents (Retriever), Read CRM (Crm), Draft Email with LLM (Llm).


Core capabilities

What SecEng Authority Graph does.

Tool & MCP Server Inventory

Inventory every agent tool, MCP server, plugin, workflow node, browser action, and API capability. Build a complete authority register before the first abuse case reaches production.

Authority Classification

Classify each tool by capability: Read, Write, Send, Execute, Admin, External, Irreversible. Analyze what the integration actually enables — not just what the label claims.

Dangerous Composition Detection

Detect combinations that create real risk: Read CRM Data + Send Email Externally, Retrieve Documents + Update Records, Filesystem Access + External API Call, Code Execution + Network Access, Admin API + LLM-controlled Arguments.

Workflow Authority Graph

Build a visual authority graph showing how user input flows through agents, prompts, tools, retrievers, APIs, approval gates, and external effects.

Blast Radius Scoring

Score blast radius per workflow: Low, Medium, High, Critical. Highlight irreversible actions, external sends, admin scope, and cross-system reach.

Approval Gate Verification

Verify approval boundaries: Enforced, Missing, Bypassed, Optional. Identify where human approval can be skipped through instruction injection or workflow manipulation.
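The composition detection and approval-gate verification described above, as an added example that is not SecEng Authority Graph's own code: a small Python model of the ACME fixture workflow shown on this page. The node names come from the fixture; the edge list, the capability sets on each node, the severity banding and the blast-radius weights are assumptions (the page reports 10 nodes and 12 edges but does not enumerate them). It pairs every sensitive data read with every external effect it can reach, then checks whether each path between them crosses an enforced approval gate, and assigns a blast-radius band per node.

```python
"""Authority-graph checks: dangerous compositions, approval-gate coverage, blast radius.

Added example, not SecEng Authority Graph's own code. Nodes mirror the ACME fixture on
this page; the edge list, capability sets, severity banding and score weights are assumed.
"""
from dataclasses import dataclass
from typing import Iterator

DATA_SOURCES = {"crm", "retriever"}               # node kinds that read a system of record
EFFECT_CAPS = {"send", "write", "execute", "admin"}


@dataclass(frozen=True)
class Node:
    id: str
    kind: str
    caps: frozenset = frozenset()     # read, write, send, execute, admin, external, irreversible, sensitive
    approval: str = "not_required"    # enforced, optional, missing, bypassed, not_required


@dataclass(frozen=True)
class Finding:
    source: str
    sink: str
    guarded: bool            # True only if every source -> sink path crosses an enforced approval gate
    unguarded_path: tuple    # first path found with no enforced gate, empty when guarded
    severity: str


# Constructed fixture: the ACME outbound assistant workflow described on the page.
NODES = {n.id: n for n in [
    Node("node_webhook", "webhook", frozenset({"network"})),
    Node("node_agent", "agent", frozenset({"read", "execute", "sensitive"}), "optional"),
    Node("node_retriever", "retriever", frozenset({"read", "sensitive"})),
    Node("node_crm", "crm", frozenset({"read", "external", "sensitive"}), "optional"),
    Node("node_llm", "llm", frozenset({"read", "sensitive"})),
    Node("node_policy", "policy", frozenset({"read"}), "enforced"),
    Node("node_approval", "approval", frozenset({"read"}), "enforced"),
    Node("node_email", "email", frozenset({"send", "external", "irreversible"}), "enforced"),
    Node("node_api", "api", frozenset({"write", "external", "irreversible", "sensitive"}), "enforced"),
    Node("node_bypass", "sink", frozenset({"send", "external", "irreversible"}), "bypassed"),
]}

# Assumed directed edges: the reviewed path runs through policy and approval,
# the bypass branch routes draft -> bypass sink -> CRM update.
EDGES = [
    ("node_webhook", "node_agent"), ("node_agent", "node_retriever"),
    ("node_agent", "node_crm"), ("node_agent", "node_llm"),
    ("node_retriever", "node_llm"), ("node_crm", "node_llm"),
    ("node_llm", "node_policy"), ("node_policy", "node_approval"),
    ("node_approval", "node_email"), ("node_approval", "node_api"),
    ("node_llm", "node_bypass"), ("node_bypass", "node_api"),
]


def is_external_effect(n: Node) -> bool:
    return "external" in n.caps and bool(n.caps & EFFECT_CAPS)


def simple_paths(src: str, dst: str, edges=EDGES) -> Iterator[tuple]:
    """Depth-first enumeration of every cycle-free path from src to dst."""
    stack = [(src,)]
    while stack:
        path = stack.pop()
        if path[-1] == dst:
            yield path
            continue
        for a, b in edges:
            if a == path[-1] and b not in path:
                stack.append(path + (b,))


def passes_enforced_gate(path: tuple, nodes=NODES) -> bool:
    """A gate protects the path only if it sits strictly between source and sink
    and is enforced; optional, missing or bypassed gates do not count."""
    return any(nodes[n].kind == "approval" and nodes[n].approval == "enforced" for n in path[1:-1])


def dangerous_compositions(nodes=NODES, edges=EDGES) -> list:
    """Pair each sensitive data read with every external effect it can reach,
    then verify the approval boundary on every path between them."""
    sources = [n for n in nodes.values() if n.kind in DATA_SOURCES and {"read", "sensitive"} <= n.caps]
    sinks = [n for n in nodes.values() if is_external_effect(n)]
    findings = []
    for src in sources:
        for sink in sinks:
            paths = list(simple_paths(src.id, sink.id, edges))
            if not paths:
                continue
            unguarded = [p for p in paths if not passes_enforced_gate(p, nodes)]
            # Assumed banding: no human review on some path is critical, gated but irreversible is high.
            severity = "critical" if unguarded else "high" if "irreversible" in sink.caps else "medium"
            findings.append(Finding(src.id, sink.id, not unguarded, unguarded[0] if unguarded else (), severity))
    return findings


# Assumed additive weights; bands map onto the page's Low / Medium / High / Critical labels.
BLAST_WEIGHTS = {"admin": 3, "irreversible": 3, "write": 2, "send": 2, "execute": 2, "external": 2, "sensitive": 1}


def blast_radius(n: Node) -> tuple:
    """Score a single node; a bypassed approval status adds a penalty."""
    score = sum(BLAST_WEIGHTS.get(c, 0) for c in n.caps) + (2 if n.approval == "bypassed" else 0)
    band = "critical" if score >= 8 else "high" if score >= 5 else "medium" if score >= 2 else "low"
    return band, score


if __name__ == "__main__":
    for f in dangerous_compositions():
        print(f"{f.severity:8} {f.source} -> {f.sink} guarded={f.guarded} via={' > '.join(f.unguarded_path)}")
    for n in NODES.values():
        print(f"{n.id:15} {blast_radius(n)}")
```

The design point is that a gate only counts when it lies on the path being checked. The Human Approval Gate is enforced as a node, and Update CRM Record is enforced as a node, but the draft-to-bypass-to-CRM branch never visits the gate, so Read CRM + Update CRM Record (and Retrieve Documents + Update CRM Record) come out unguarded and critical even though both endpoints are individually approved, while Read CRM + Send Email via Outlook stays guarded and is reported only for its irreversible send.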

Evidence & signals

What you get out of the box.

Tool Authority Breakdown

  • Read: 18
  • Write: 12
  • Send: 7
  • Execute: 4
  • Admin: 2

Approval Boundaries

  • Enforced: 14
  • Missing: 5
  • Bypassed: 3
  • Optional: 4

Dangerous Compositions

  • Read CRM Data + Send Email Externally — High
  • Retrieve Documents + Update Records — High
  • Access Files + External API Call — Medium

Red team + Blue team

Built for both sides of the security equation.

Red Team Use

  • Discover abuse chains created by individually reasonable tools composed dangerously
  • Simulate misuse paths: user prompt → retrieve CRM → draft email → send externally
  • Find approval gates that can be bypassed through alternate workflow branches or prompt injection
  • Identify high-blast-radius tools exposed to LLM-controlled arguments

Blue Team Use

  • Export workflow reports, authority maps, risk registers, and evidence packs
  • Generate least-privilege recommendations and approval-gate requirements per workflow
  • Map agent authority findings to ISO/IEC 42001, the NIST AI RMF, the OWASP Top 10 for LLM Applications, and internal governance controls
  • Build regression checks for workflow changes and newly added tools
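A regression check of the kind the last item asks for, as an added example that is not SecEng Authority Graph's own exporter or schema: the page's authority-register export shows only graph_id and tools_discovered, so the per-tool entries below, the node_slack tool and the relaxed node_api gate in the candidate snapshot are constructed for illustration. The check diffs two register snapshots tool by tool, fails closed on any weakened approval, widened capability or new unapproved external effect, and pins each snapshot with a canonical sha256 digest of the kind the evidence section lists.

```python
"""Regression check between two authority-register snapshots.

Added example, not SecEng Authority Graph's own exporter or schema: the page's
register export shows only graph_id and tools_discovered, so the per-tool entries
below (including the node_slack tool) are a constructed shape for illustration.
"""
import hashlib
import json

EFFECT_CAPS = {"send", "write", "execute", "admin"}
WIDENING_CAPS = EFFECT_CAPS | {"external", "irreversible"}
BLOCKING = {"new_external_effect_unapproved", "approval_weakened", "capability_widened"}

# Constructed baseline: the reviewed ACME register as approved.
BASELINE = {"graph_id": "acme-outbound-assistant-graph-v1", "tools": [
    {"id": "node_email", "capabilities": ["send", "external", "irreversible"], "approval": "enforced"},
    {"id": "node_api", "capabilities": ["write", "external", "irreversible"], "approval": "enforced"},
    {"id": "node_crm", "capabilities": ["read", "external", "sensitive"], "approval": "optional"},
]}

# Constructed candidate: a later import where a new Slack tool appeared with no gate
# and the CRM update's approval was relaxed from enforced to optional.
CANDIDATE = {"graph_id": "acme-outbound-assistant-graph-v1", "tools": [
    {"id": "node_email", "capabilities": ["send", "external", "irreversible"], "approval": "enforced"},
    {"id": "node_api", "capabilities": ["write", "external", "irreversible"], "approval": "optional"},
    {"id": "node_crm", "capabilities": ["read", "external", "sensitive"], "approval": "optional"},
    {"id": "node_slack", "capabilities": ["send", "external"], "approval": "missing"},
]}


def snapshot_digest(bundle: dict) -> str:
    """Canonical sha256 over the bundle so an evidence pack pins exactly what was reviewed."""
    canon = json.dumps(bundle, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(canon).hexdigest()


def regression_findings(baseline: dict, candidate: dict) -> list:
    """Diff two registers tool by tool and return (kind, tool_id, detail) triples."""
    old = {t["id"]: t for t in baseline["tools"]}
    new = {t["id"]: t for t in candidate["tools"]}
    findings = []
    for tid, tool in new.items():
        caps = set(tool["capabilities"])
        has_effect = "external" in caps and bool(caps & EFFECT_CAPS)
        if tid not in old:
            # A new tool with an external effect must arrive already gated.
            kind = "new_external_effect_unapproved" if has_effect and tool["approval"] != "enforced" else "new_tool"
            findings.append((kind, tid, tool["approval"]))
            continue
        added = caps - set(old[tid]["capabilities"])
        if added & WIDENING_CAPS:
            findings.append(("capability_widened", tid, ",".join(sorted(added))))
        if old[tid]["approval"] == "enforced" and tool["approval"] != "enforced":
            findings.append(("approval_weakened", tid, tool["approval"]))
    for tid in sorted(old.keys() - new.keys()):
        findings.append(("tool_removed", tid, ""))
    return findings


def gate(baseline: dict, candidate: dict) -> tuple:
    """Fail closed: any blocking finding rejects the workflow change."""
    findings = regression_findings(baseline, candidate)
    return all(kind not in BLOCKING for kind, _, _ in findings), findings


if __name__ == "__main__":
    ok, findings = gate(BASELINE, CANDIDATE)
    print("baseline", snapshot_digest(BASELINE), "candidate", snapshot_digest(CANDIDATE))
    print("PASS" if ok else "FAIL", findings)
```

Wire gate() into the pipeline that re-imports the workflow: the baseline digest goes into the evidence pack with the approval record, and a candidate that changes the digest must pass the diff before its register replaces the baseline. Informational findings (new_tool, tool_removed) are reported but do not block, so a read-only tool can be added without a review cycle while any new send, write or admin capability cannot.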

AI SECURITY ENGINEERING WORKBENCH

Ready to put SecEng Authority Graph to work?

Scope a Workbench-backed review — we’ll import a workflow, map agent authority, identify dangerous compositions, and give you a concrete approval-boundary plan.

SecEng Map · instrument

Authority graph analysis inside the SecEng Workbench.

The fixture below stands in for an ACME Corp workflow import and shows how the Tauri sidecar surface operates with shared components, consistent theming, and release-ready evidence language.

ACME fixture

Agent Workflow & Authority Analyzer · Analysis bundle

Map what your agents can actually do. Find dangerous compositions. Enforce approval boundaries.

  • High-risk workflows: 7 (derived from composition risks)
  • Tools discovered: 38 (authority register total)
  • Approval coverage: 68% (approval boundary coverage)
  • Approvals bypassed: 3 (blocked or bypassed steps)
  • Dangerous compositions: 4 (risk-report compositions)
  • External effects: 5 (send / write / external sinks)

Workflow Authority Graph

The graph is organized around approval control, bypass detection, and the points where safe components become dangerous together.

Focus path: Reviewed outbound path

Legend: Input · Reasoning · Data Access · Governance · External Action · Bypass / High Risk
Lanes: Intake · Governance · Retrieval · Reasoning · Action · Bypass

Nodes (name · type · approval · capabilities · data handled · source file):

  • User Request · Webhook · not_required · network · request_payload · apps/web/app/api/assistant/outbound/route.ts
  • Assistant Agent · Agent · optional · read, execute · customer_profile, conversation_state · packages/ai/agents/outbound-assistant.ts
  • Retrieve Documents · Retriever · not_required · read, sensitive · knowledge_base, customer_context · packages/rag/retrieve-context.ts
  • Read CRM · Crm · optional · read, external · account, opportunity · packages/ai/tools/read-crm.ts
  • Draft Email with LLM · Llm · not_required · read, sensitive · draft_text, customer_context · packages/ai/prompts/outbound-email.md
  • Policy Check · Policy Check · enforced · read · policy_decision · packages/governance/policies/workflow-policy.ts
  • Human Approval Gate · Approval Gate · enforced · read · approval_record · packages/governance/approvals/review.ts
  • Send Email via Outlook · Email · enforced · send, external · message_body, recipient · packages/ai/tools/send-outlook.ts
  • Update CRM Record · Api · enforced · write, external · crm_record, status_update · packages/ai/tools/update-crm.ts
  • Bypass Send Branch · External Sink · bypassed · send, external · external_action, bypass_path · packages/ai/flows/bypass-send.ts

Nodes: 10 · Edges: 12 · Platform: n8n · Importer: explicit_graph · Focus path: Reviewed outbound path · Risk: high

The branch from the draft step reaches the CRM update without passing through the human approval gate.

Reviewed outbound path (enforced, high blast radius): User Request → Assistant Agent → Retrieve Documents → Draft Email with LLM → Human Approval Gate → Send Email via Outlook

Connected control map

RAG Boundary Lens for workflow authority

The same lens now shows how approval coverage, bypass paths, and external effects line up inside the workflow graph.

Workflow control map

SecEng Workflows

RAG Boundary Lens

Approval boundaries, bypass paths, and external effects rendered against the agent workflow graph.

RAG detected · Claim-ready preview

  • Boundary score: 45/100
  • RAG detected: Yes
  • Affected paths: 5
  • Top tests: 3

  • AuthZ pass: Watch (amber). Approval coverage still needs hardening.
  • Context leaks: 5 (amber). External effect nodes stand in for potential leakage surfaces.
  • Policy violations: 3 (red). Bypassed approvals need follow-up.

Pipeline snapshot (5 stages): Import graph → Map authority → Check approvals → Score blast radius → Export control map

Suggested tests (3):

  • Bypass branch blocked before CRM update
  • Approval gate required before external send
  • Authority chain fails closed on missing policy check

Controls found (3):

  • Outbound send requires human review
  • Bypass branch skips human approval
  • Policy check is enforced before the review gate

Affected paths (2): packages/rag/retrieve-context.ts, packages/ai/tools/read-crm.ts

Missing boundaries (priority gaps): Approval gate coverage, Bypass path quarantine, External effect boundary

Top tests (harness checks):

  1. Approval gate can be bypassed before the CRM update
  2. Outbound send requires human review

  • seceng-rag/seceng-rag.config.json
  • seceng-rag/identities.json
  • seceng-rag/documents.json
  • seceng-rag/tests.json

The lens is public-safe and directional. It uses job-description intelligence and trace fixture signals to show where RAG boundaries need reinforcement, without exposing raw documents or private payloads.

Workflow Authority Register

Capabilities are derived from the actual authority booleans on each node.

38 tools · read 14 · write 8 · send 6 · execute 4 · admin 2 · external 4

Update CRM Record · Api · enforced
  risk: critical · approval: enforced
  capabilities: write, external, irreversible, sensitive, network
  scope: crm_record, status_update, crm.write
  Evidence: crm write scope · irreversible external update

Bypass Send Branch · External Sink · bypassed
  risk: critical · approval: bypassed
  capabilities: send, external, irreversible, network
  scope: external_action, bypass_path, workflow.bypass
  Evidence: approval bypass · external sink path

Read CRM · Crm · optional
  risk: high · approval: optional
  capabilities: read, external, sensitive, network
  scope: account, opportunity, contact, crm.read
  Evidence: salesforce read scope · external sensitive lookup

Send Email via Outlook · Email · enforced
  risk: high · approval: enforced
  capabilities: send, external, irreversible, network
  scope: message_body, recipient, mail.send
  Evidence: mail send scope · external delivery

Assistant Agent · Agent · optional
  risk: medium · approval: optional
  capabilities: read, execute, sensitive, network
  scope: customer_profile, conversation_state, assistant.orchestrate
  Evidence: orchestration code · decision boundary

Retrieve Documents · Retriever · not_required
  risk: medium · approval: not_required
  capabilities: read, sensitive, network
  scope: knowledge_base, customer_context, rag.read
  Evidence: vector-store fetch · sensitive context

Draft Email with LLM · Llm · not_required
  risk: medium · approval: not_required
  capabilities: read, sensitive, network
  scope: draft_text, customer_context, llm.generate
  Evidence: prompt assembly · customer context used

User Request · Webhook · not_required
  risk: low · approval: not_required
  capabilities: network
  scope: request_payload, public_ingress
  Evidence: POST ingress · request payload observed

Policy Check · Policy Check · enforced
  risk: low · approval: enforced
  capabilities: read
  scope: policy_decision, policy.evaluate
  Evidence: policy predicate · guarded branch

Human Approval Gate · Approval Gate · enforced
  risk: low · approval: enforced
  capabilities: read
  scope: approval_record, approval.review
  Evidence: review gate · approval record

Composition Risk Stack

Abuse paths


Approval Coverage: 68% (17 enforced · 5 missing · 3 bypassed · 0 optional)

Outbound send requires human review · enforced · severity: low
The primary send path is gated by a human approval step.
Remediation: Keep the approval record attached to the outbound message before delivery.
Nodes: node_approval → node_email

Bypass branch skips human approval · bypassed · severity: critical
A secondary branch can route from the draft directly to the CRM update.
Remediation: Block the bypass sink until it passes through the same approval gate.
Nodes: node_llm → node_bypass → node_api

Policy check is enforced before the review gate · enforced · severity: low
Policy evaluation exists and is wired into the reviewed path.
Remediation: Keep the policy decision attached to the approval record for audit.
Nodes: node_policy → node_approval

CRM lookup remains unaudited in the draft path · missing · severity: high
The lookup step contributes context but does not have its own approval event.
Remediation: Log the lookup scope and require explicit approval when sensitive account data is accessed.
Nodes: node_crm → node_llm

Blast Radius

Overall: high · Score 84

  • Bypass Send Branch (node_bypass): 96 · approval_bypassed, external_sink, irreversible, no_guardrail
  • Update CRM Record (node_api): 94 · write, external, irreversible, customer_state
  • Send Email via Outlook (node_email): 91 · send, external, customer_contact, delivery
  • Draft Email with LLM (node_llm): 78 · prompt_context, sensitive_inputs, generation
  • Read CRM (node_crm): 72 · sensitive, external, read, customer_profile
  • Retrieve Documents (node_retriever): 61 · sensitive, retrieval, context_spill
  • Assistant Agent (node_agent): 56 · decisioning, tool_orchestration, multi_step_path
  • Policy Check (node_policy): 24 · read_only, guardrail, decision_filter
  • Human Approval Gate (node_approval): 18 · enforced, review_record, human_in_loop
  • User Request (node_webhook): 12 · ingress, no_action, entry_point

Threat Model

ACME outbound assistant workflow

Assets

  • Customer Data · sensitive_data
  • Prompt Context · context
  • Approval Record · control_evidence
  • Outbound Actions · external_effect

Actors

  • End User · human
  • Assistant Agent · workflow_agent
  • Human Reviewer · human

Trust Boundaries

  • Public Ingress · external_to_internal
  • Sensitive Context Boundary · internal_sensitive
  • Outbound Effect Boundary · external_effect

Mitigations

  • Split outbound send and CRM update into separate approvals · recommended
  • Guard the bypass sink with explicit policy enforcement · in_progress
  • Tag source context before draft generation · recommended
  • Persist the approval record alongside external effects · planned

Threats

  • Prompt injection steers outbound draft · high. Retrieved content or CRM text can alter the draft email instructions. Mitigations: policy_check, approval_gate, content_normalization
  • Approval bypass reaches CRM update · critical. The bypass sink reaches the CRM write path without human review. Mitigations: approval_gate, policy_check, audit_log
  • Outbound send exceeds intended scope · high. The same workflow can compose email send and CRM update, widening the blast radius. Mitigations: least_privilege, scoped_approval, boundary_split
  • Policy check does not cover the bypass branch · medium. The policy gate protects the reviewed path but does not currently stop the bypass sink. Mitigations: policy_enforcement, branch_blocking, path_diffing

Evidence

graph_snapshot

Normalized graph snapshot for ACME outbound assistant workflow.

sha256:cc9a6b6e0a9f3c8f4baf1a2b90c1b1c7d8f3f0f8c83c8f70b06d8fef2c28a1f4

approval_record

Human review attached to the primary send path.

sha256:5f7b4f3f0a7dbeed5d68e0d3f8b9d6b4de2ccaf6f6c0c1f3f5a7c5b6d8e2c1a9

abuse_path

Bypass branch observed from draft step to CRM update.

sha256:9b1e0d4cf8d2cde2c1d0f3f0a7b1e5d7c2f8c0e1d6b5a8c9f4e3d2c1b0a9f8e7

Export Artifacts

Copy or download the bundle outputs without leaving the page.

graph_json

acme-outbound-assistant-graph.json

application/json

{
  "graph": {
    "graph_id": "acme-outbound-assistant-graph-v1",
    "name": "ACME outbound assistant workflow",
    "source": {
      "platform": "n8n",
      "source_uri": "https://n8n.acme.local/workflows/outbound-assistant",
      "importer": "workflow-import-normalizer"
    }
  },
  "scorecard": {
    "high_risk_workflows": 7,
    "dangerous_compositions": 4,
    "external_effects": 5,
    "irreversible_actions": 3,
    "approval_bypasses": 3
  }
}

authority_register_json

acme-workflow-authority-register.json

application/json

{
  "graph_id": "acme-outbound-assistant-graph-v1",
  "tools_discovered": 38
}

threat_model_json

acme-workflow-threat-model.json

application/json

{
  "graph_id": "acme-outbound-assistant-graph-v1",
  "title": "ACME outbound assistant workflow"
}

export_manifest_md

acme-workflow-analysis.md

text/markdown

# ACME outbound assistant workflow

- High-risk workflows: 7
- Tools discovered: 38
- Approval coverage: 68%
- Approval bypasses: 3