What this is for
The Agents workspace is where you inspect every AI agent Guardway has discovered in your cloud accounts. For each agent you see models, tools, MCP servers, routing posture against your gateways, linked Entra ID identities when configured, and OWASP Top 10 for Agentic Applications findings.

It lives at Agents in the dashboard sidebar (between Playground and Logs). The workspace has two tabs — Inventory and Findings — plus a per-agent detail view when you click a row. Org-wide totals, routing percentages, and finding breakdowns live on Dashboard → Agents — use Open Agents workspace from that tab to jump here.

Discovery is configured under Settings → Integrations. You will not see agents until at least one cloud AI integration is connected and the first sync completes.
Connectors
| Provider | Status | Set up under |
|---|---|---|
| Azure AI Foundry | Available | Settings → Integrations → Azure AI Foundry |
| Amazon Bedrock | Available | Settings → Integrations → Amazon Bedrock |
| Microsoft Entra ID | Available — identity hydration only | Settings → Integrations → Microsoft Entra ID |
| GCP Vertex Agents | Coming soon | — |
Inventory
The default tab when you open Agents (URL omits tab or uses ?tab=inventory).
Toolbar
| Element | Notes |
|---|---|
| Search agents… | Filters the table client-side by agent name. |
| Refresh | Reloads agent and finding data from the discovery service. |
Columns
| Column | Notes |
|---|---|
| Agent | Click to open the agent detail view. |
| Provider | Connector that discovered the agent (e.g. Azure AI Foundry). |
| Project | Provider-side container (Foundry project, Bedrock environment, etc.). |
| Models | Up to two deployment names; +N when more. |
| Tools | Count of registered tools. |
| MCP | Count of attached MCP servers; red N risky when any are high risk. |
| Risk | Worst open OWASP severity chip plus total finding count (e.g. MEDIUM (1)). Empty when no open findings. |
| Routing | Gateway: <name>, Bypassing gateway, or Routing unknown. |
| Last seen | Date last observed; link icon opens the provider console when a deep link exists. |

Findings
Switch to the Findings tab (?tab=findings) for the org-wide OWASP list.
Toolbar
| Element | Notes |
|---|---|
| Search findings… | Filters by finding title, description, rule id, or agent name. |
| All categories | Default, or filter to one ASI code (ASI01 … ASI10). The dropdown lists full names; the table Category column shows the short code only (ASI03, ASI02, …). |
| All severities | Default, or Critical, High, Medium, Low, Info. |
| Refresh | Reloads findings. |
Columns
Sorted by severity (highest first), then category, then rule id.

| Column | Notes |
|---|---|
| Severity | Color-coded chip. |
| Category | ASI code chip (short form in the grid). |
| Agent | Links to agent detail. Shows a monospaced row id if the agent was removed. |
| Finding | Rule title above, description below. |
| Rule | Stable id (e.g. asi03.shared_identity_across_agents). |
| Last seen | Date the finding was last observed. |

Agent detail
Opens when you click an inventory row. Back control: Agents.
Header
Agent name, provider · project · account label, Routing unknown / gateway badge, optional worst-severity chip and N ASI finding(s) anchor to the findings card, Open in console when raw_url is present.
Sections (in order)
| Section | Notes |
|---|---|
| OWASP Top 10 findings (N) | Grouped by ASI category. Remediation and Evidence collapsibles per finding; Evidence shows JSON from the rule evaluator. |
| Identities (N) | One row per Entra principal. Display name, type chip (ServicePrincipal, ManagedIdentity, Application), link source (Foundry account managed identity, Declared in agent metadata, Assistant owner). Object id, Attached to for Managed Identities, owner count (suppressed for MIs with an attached resource), credential badges (N expired, N expiring <30d), N risky scope(s). Hidden when no identity resolved. |
| Models (N) | Deployment name, provider kind, deployment alias, endpoint URL. |
| Tools (N) | Name, description, kind chip. |
| MCP servers (N) | Name, URL, transport, risk badge. |

OWASP Top 10 categories
Guardway maps findings to the OWASP Top 10 for Agentic Applications 2026 framework. Five categories are evaluated in this release from passive cloud metadata; the rest are deferred (see Limits).

| Category | Title | Evaluated |
|---|---|---|
| ASI01 | Agent Goal Hijack | No |
| ASI02 | Tool Misuse & Exploitation | Yes |
| ASI03 | Identity & Privilege Abuse | Yes |
| ASI04 | Agentic Supply Chain Vulnerabilities | Yes |
| ASI05 | Unexpected Code Execution (RCE) | Yes |
| ASI06 | Memory & Context Poisoning | No |
| ASI07 | Insecure Inter-Agent Communication | Yes |
| ASI08 | Cascading Failures | No |
| ASI09 | Human-Agent Trust Exploitation | No |
| ASI10 | Rogue Agents | No |
Rule reference
ASI02 · Tool Misuse & Exploitation
| Rule | Severity | Triggers when |
|---|---|---|
| asi02.code_interpreter_present | Medium | The agent has a code_interpreter tool registered. |
| asi02.high_tool_count | Low | More than 10 tools. |
| asi02.unknown_kind_tool | Info | A tool kind could not be classified. |
ASI03 · Identity & Privilege Abuse
Rules below no_managed_identity_hint require Microsoft Entra ID and a resolved agent → principal link.

| Rule | Severity | Triggers when |
|---|---|---|
| asi03.no_managed_identity_hint | Medium | Privileged-looking tools, no Entra principal linked, no identity in metadata. |
| asi03.shared_identity_across_agents | Medium | Same Entra principal across multiple agents. |
| asi03.expired_credential | High | Expired client secret or certificate on the identity. |
| asi03.credential_expiring_soon | Medium | Credential expiring within 30 days. |
| asi03.long_lived_secret | Medium | Client secret lifetime greater than one year. |
| asi03.overprivileged_consent | High | High-risk Microsoft Graph permissions on the identity. |
| asi03.privileged_directory_role | Critical | Global Administrator, Privileged Role Administrator, Application Administrator, or Cloud Application Administrator. |
| asi03.orphaned_principal | Medium | Service Principal or Application with no owners (MIs exempt). |
| asi03.disabled_owner | Medium | All user owners disabled. |
| asi03.unverified_principal | Low | Metadata principal id does not match any tenant principal. |
| asi03.dormant_principal | Low | No sign-in for 90+ days (AuditLog.Read.All + AAD Premium required). |
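
To reproduce some of these identity checks against your own export of agent-to-principal links, the sketch below evaluates six of the ASI03 rules from the table. It is an added example, not Guardway's rule evaluator: the record fields, the 365-day reading of "one year", and the sample data are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

SOON = timedelta(days=30)       # "expiring within 30 days"
MAX_LIFE = timedelta(days=365)  # "greater than one year", taken here as 365 days

def asi03_findings(agent_links, principals, now):
    """Return sorted (agent, rule id) pairs for six of the ASI03 rules.
    agent_links maps agent name -> principal id; principals maps id -> record.
    Every field name is hypothetical, not Guardway's schema.
    """
    uses = Counter(agent_links.values())
    out = set()
    for agent, pid in agent_links.items():
        p = principals[pid]
        if uses[pid] > 1:
            out.add((agent, "asi03.shared_identity_across_agents"))
        for c in p["credentials"]:
            if c["end"] <= now:
                out.add((agent, "asi03.expired_credential"))
            elif c["end"] - now <= SOON:
                out.add((agent, "asi03.credential_expiring_soon"))
            # The page limits the lifetime rule to client secrets.
            if c["kind"] == "secret" and c["end"] - c["start"] > MAX_LIFE:
                out.add((agent, "asi03.long_lived_secret"))
        owners = p["owners"]
        # Managed identities are exempt from the owner check, as the table states.
        if p["type"] != "ManagedIdentity" and not owners:
            out.add((agent, "asi03.orphaned_principal"))
        if owners and not any(o["enabled"] for o in owners):
            out.add((agent, "asi03.disabled_owner"))
    return sorted(out)

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data: three principals, four agents.
NOW = day(2026, 1, 15)
PRINCIPALS = {
    "sp-1": {"type": "ServicePrincipal", "owners": [], "credentials": [
        {"kind": "secret", "start": day(2024, 1, 1), "end": day(2026, 6, 1)}]},
    "mi-1": {"type": "ManagedIdentity", "owners": [], "credentials": []},
    "app-1": {"type": "Application", "owners": [{"enabled": False}], "credentials": [
        {"kind": "certificate", "start": day(2025, 2, 1), "end": day(2026, 2, 1)},
        {"kind": "secret", "start": day(2025, 6, 1), "end": day(2025, 12, 1)}]},
}
LINKS = {"billing-bot": "sp-1", "support-bot": "sp-1", "ops-bot": "mi-1", "hr-bot": "app-1"}
FINDINGS = asi03_findings(LINKS, PRINCIPALS, NOW)
```
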
ASI04 · Agentic Supply Chain Vulnerabilities
| Rule | Severity | Triggers when |
|---|---|---|
| asi04.mcp_server_unpinned_url | High | MCP host outside trusted allowlist. |
| asi04.openapi_external_spec | Medium | OpenAPI spec URL outside allowlist. |
| asi04.mcp_server_no_url | Low | MCP server has no URL recorded. |
ASI05 · Unexpected Code Execution (RCE)
| Rule | Severity | Triggers when |
|---|---|---|
| asi05.code_interpreter_present | High | code_interpreter tool present. |
| asi05.shell_like_function_tool | High | Function tool matches shell/eval patterns. |
ASI07 · Insecure Inter-Agent Communication
| Rule | Severity | Triggers when |
|---|---|---|
| asi07.mcp_http_transport | High | MCP uses http transport or http:// URL. |
| asi07.mcp_unknown_transport | Medium | Transport unknown from discovery. |
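
The MCP rules in the ASI04 and ASI07 tables can be checked together from one server record. The sketch below is an added example, not Guardway's evaluator: the field names, the exact-host allowlist match, and the sample servers are assumptions. Running it with an empty allowlist shows why every MCP host with a URL raises asi04.mcp_server_unpinned_url until the allowlist is seeded.

```python
from urllib.parse import urlsplit

def mcp_findings(server, trusted_hosts):
    """Return sorted rule ids for one MCP server record.

    'url' and 'transport' are hypothetical field names; trusted_hosts is the
    ASI04 allowlist as a set of lower-case hostnames.
    """
    fired = set()
    url = (server.get("url") or "").strip()
    transport = (server.get("transport") or "").strip().lower()
    if not url:
        fired.add("asi04.mcp_server_no_url")
    else:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
        # Exact host match: a prefix or substring test would accept
        # look-alike hosts such as mcp.internal.example.vendor.test.
        if host not in trusted_hosts:
            fired.add("asi04.mcp_server_unpinned_url")
        if parts.scheme == "http":
            fired.add("asi07.mcp_http_transport")
    if transport == "http":
        fired.add("asi07.mcp_http_transport")
    elif not transport:
        fired.add("asi07.mcp_unknown_transport")
    return sorted(fired)

def scan(servers, trusted_hosts):
    """Map each server name to the rule ids that fire for it."""
    return {s["name"]: mcp_findings(s, trusted_hosts) for s in servers}

# Constructed sample records (reserved example/test domains).
SERVERS = [
    {"name": "docs", "url": "https://mcp.internal.example/sse", "transport": "sse"},
    {"name": "legacy", "url": "http://mcp.internal.example:8080/mcp", "transport": "http"},
    {"name": "vendor", "url": "https://mcp.internal.example.vendor.test/mcp"},
    {"name": "stub", "transport": "stdio"},
]
SEEDED = scan(SERVERS, {"mcp.internal.example"})
UNSEEDED = scan(SERVERS, set())  # allowlist not seeded yet
```
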
Severity meanings
| Severity | Typical impact |
|---|---|
| Critical | Direct path to compromise without further conditions. |
| High | Material risk under common attack paths. |
| Medium | Increased attack surface or reduced visibility. |
| Low | Hygiene issue. |
| Info | Diagnostic / connector visibility gap. |
Lifecycle
Findings are created on first rule match, updated on each sync when the rule still fires, and pruned automatically when the rule stops firing. Deleting an agent in the provider removes its findings.
Gateway routing detection
Hostname of the model endpoint is compared to registered gateway URLs.

| State | Meaning |
|---|---|
| Gateway: <name> | Endpoint matches a registered gateway. |
| Bypassing gateway | Direct to upstream provider. |
| Routing unknown | Endpoint URL not resolved (common for Foundry prompt agents). |
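
The hostname comparison behind these three states can be sketched as follows. This is an added example, not Guardway's implementation: the gateway map shape, the normalisation choices (case, port, trailing dot, missing scheme), and the sample URLs are assumptions.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Lower-case hostname of a URL, or None when it cannot be resolved."""
    if not url or not url.strip():
        return None
    url = url.strip()
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host[:port]/path as a netloc
    try:
        host = urlsplit(url).hostname
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return None
    return host.rstrip(".") if host else None

def routing_state(endpoint_url, gateways):
    """Classify one model endpoint against registered gateways.

    gateways maps a gateway name to its registered URL (hypothetical shape).
    """
    host = host_of(endpoint_url)
    if host is None:
        return "Routing unknown"
    for name, gw_url in gateways.items():
        if host_of(gw_url) == host:
            return f"Gateway: {name}"
    return "Bypassing gateway"

# Constructed sample data (reserved example domains).
GATEWAYS = {"prod-gw": "https://gateway.corp.example/v1"}
ENDPOINTS = {
    "via-gateway": "https://GATEWAY.corp.example:443/v1/chat/completions",
    "direct": "https://models.provider.example/openai/deployments/gpt",
    "lookalike": "https://gateway.corp.example.provider.example/v1",
    "prompt-agent": None,
}
STATES = {name: routing_state(url, GATEWAYS) for name, url in ENDPOINTS.items()}
```

Comparing whole hostnames rather than substrings keeps a look-alike host that merely starts with the gateway name from being reported as routed.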
Limits
- One subscription (Azure) or account+region (Bedrock) per provider per organization in v1.
- Refresh is on-demand via integration Resync; no continuous background poll yet.
- OWASP evaluation is passive — Guardway never sends prompts to discovered agents.
- Five ASI categories evaluated (ASI02, ASI03, ASI04, ASI05, ASI07).
- ASI04 allowlist: until seeded, MCP hosts may all trigger asi04.mcp_server_unpinned_url.
Related
- Dashboard → Agents — org-wide metrics and breakdowns.
- Topology — graph of gateways → providers → models → agents.
- Settings → Integrations — connect providers.
- Logs — request history for gateway-routed traffic.