Skip to main content

What this is for

The Agents workspace is where you inspect every AI agent Guardway has discovered in your cloud accounts. For each agent you see models, tools, MCP servers, routing posture against your gateways, linked Entra ID identities when configured, and OWASP Top 10 for Agentic Applications findings. It lives at Agents in the dashboard sidebar (between Playground and Logs). The workspace has two tabs — Inventory and Findings — plus a per-agent detail view when you click a row. Org-wide totals, routing percentages, and finding breakdowns live on Dashboard → Agents — use Open Agents workspace from that tab to jump here.
Discovery is configured under Settings → Integrations. You will not see agents until at least one cloud AI integration is connected and the first sync completes.

Connectors

Azure AI Foundry and Amazon Bedrock populate the inventory. Each connector discovers agents for its cloud; the Provider column distinguishes them. Microsoft Entra ID does not add agents. It hydrates each discovered agent with execution identity (Service Principal or Managed Identity), owners, credential lifecycle, OAuth grants, and directory roles for ASI03 rules. Identity sync runs after a successful Resync on the Azure AI Foundry card (or after Test Microsoft Graph access on the Entra card). The Azure AI Foundry connector discovers both prompt agents (default in the New Foundry experience) and legacy Assistants-API agents.

Inventory

The default tab when you open Agents (URL omits tab or uses ?tab=inventory).

Toolbar

Columns

Pagination: Rows per page (default 25), Showing X–Y of Z agents.
Agents inventory table

Agents → Inventory

Findings

Switch to the Findings tab (?tab=findings) for the org-wide OWASP list.

Toolbar

Columns

Sorted by severity (highest first), then category, then rule id. Empty state: No OWASP findings detected. with a green shield icon.
OWASP findings table

Agents → Findings

Agent detail

Opens when you click an inventory row. Back control: Agents. Agent name, provider · project · account label, Routing unknown / gateway badge, optional worst-severity chip and N ASI finding(s) anchor to the findings card, Open in console when raw_url is present.

Sections (in order)

Footer: last discovered timestamp.
Agent detail with OWASP findings and Identities

Agent detail

OWASP Top 10 categories

Guardway maps findings to the OWASP Top 10 for Agentic Applications 2026 framework. Five categories are evaluated in this release from passive cloud metadata; the rest are deferred (Limits).

Rule reference

Rules below no_managed_identity_hint require Microsoft Entra ID and a resolved agent → principal link.

Severity meanings

Lifecycle

Findings are created on first rule match, updated on each sync when the rule still fires, and pruned automatically when the rule stops firing. Deleting an agent in the provider removes its findings.

Gateway routing detection

Hostname of the model endpoint is compared to registered gateway URLs.

Limits

  • One subscription (Azure) or account+region (Bedrock) per provider per organization in v1.
  • Refresh is on-demand via integration Resync; no continuous background poll yet.
  • OWASP evaluation is passive — Guardway never sends prompts to discovered agents.
  • Five ASI categories evaluated (ASI02, ASI03, ASI04, ASI05, ASI07).
  • ASI04 allowlist: until seeded, MCP hosts may all trigger asi04.mcp_server_unpinned_url.