> ## Documentation Index
> Fetch the complete documentation index at: https://docs.guardway.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Agents

> Inventory of AI agents in your connected cloud providers — tools, MCP servers, models, gateway routing, Entra identities, and OWASP Agentic Top 10 findings.

## What this is for

The **Agents** workspace is where you inspect every AI agent Guardway has discovered in your cloud accounts. For each agent you see models, tools, MCP servers, routing posture against your gateways, linked **Entra ID** identities when configured, and **OWASP Top 10 for Agentic Applications** findings.

It lives at **Agents** in the dashboard sidebar (between **Playground** and **Logs**). The workspace has two tabs — **Inventory** and **Findings** — plus a per-agent detail view when you click a row.

Org-wide totals, routing percentages, and finding breakdowns live on **[Dashboard → Agents](/platform/dashboard/agents)** — use **Open Agents workspace** from that tab to jump here.

<Note>
  Discovery is configured under [Settings → Integrations](/platform/settings/integrations). You will not see agents until at least one cloud AI integration is connected and the first sync completes.
</Note>

## Connectors

| Provider               | Status                              | Set up under                                                                                       |
| ---------------------- | ----------------------------------- | -------------------------------------------------------------------------------------------------- |
| **Azure AI Foundry**   | Available                           | [Settings → Integrations → Azure AI Foundry](/platform/settings/integrations#azure-ai-foundry)     |
| **Amazon Bedrock**     | Available                           | [Settings → Integrations → Amazon Bedrock](/platform/settings/integrations#amazon-bedrock)         |
| **Microsoft Entra ID** | Available — identity hydration only | [Settings → Integrations → Microsoft Entra ID](/platform/settings/integrations#microsoft-entra-id) |
| GCP Vertex Agents      | Coming soon                         | —                                                                                                  |

**Azure AI Foundry** and **Amazon Bedrock** populate the inventory. Each connector discovers agents for its cloud; the **Provider** column distinguishes them.

**Microsoft Entra ID** does not add agents. It hydrates each discovered agent with execution identity (Service Principal or Managed Identity), owners, credential lifecycle, OAuth grants, and directory roles for **ASI03** rules. Identity sync runs after a successful **Resync** on the Azure AI Foundry card (or after **Test Microsoft Graph access** on the Entra card).

The Azure AI Foundry connector discovers **both** **prompt agents** (default in the *New Foundry* experience) and legacy **Assistants-API** agents.

## Inventory

The default tab when you open **Agents** (URL omits `tab` or uses `?tab=inventory`).

### Toolbar

| Element            | Notes                                                      |
| ------------------ | ---------------------------------------------------------- |
| **Search agents…** | Filters the table client-side by agent name.               |
| **Refresh**        | Reloads agent and finding data from the discovery service. |

### Columns

| Column        | Notes                                                                                                     |
| ------------- | --------------------------------------------------------------------------------------------------------- |
| **Agent**     | Click to open the agent detail view.                                                                      |
| **Provider**  | Connector that discovered the agent (e.g. `Azure AI Foundry`).                                            |
| **Project**   | Provider-side container (Foundry project, Bedrock environment, etc.).                                     |
| **Models**    | Up to two deployment names; `+N` when more.                                                               |
| **Tools**     | Count of registered tools.                                                                                |
| **MCP**       | Count of attached MCP servers; red **`N risky`** when any are `high` risk.                                |
| **Risk**      | Worst open OWASP severity chip plus total finding count (e.g. `MEDIUM (1)`). Empty when no open findings. |
| **Routing**   | `Gateway: <name>`, `Bypassing gateway`, or `Routing unknown`.                                             |
| **Last seen** | Date last observed; link icon opens the provider console when a deep link exists.                         |

Pagination: **Rows per page** (default 25), **Showing X–Y of Z agents**.

<Frame caption="Agents → Inventory">
  <img src="https://mintcdn.com/fcguardwayai/rJTQ_bXDRs9Cgazf/images/screenshots/platform/agents/inventory.png?fit=max&auto=format&n=rJTQ_bXDRs9Cgazf&q=85&s=d5a1bdd01f99cd932ed0eda96e78324d" alt="Agents inventory table" width="1024" height="592" data-path="images/screenshots/platform/agents/inventory.png" />
</Frame>

## Findings

Switch to the **Findings** tab (`?tab=findings`) for the org-wide OWASP list.

### Toolbar

| Element              | Notes                                                                                                                                                                 |
| -------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Search findings…** | Filters by finding title, description, rule id, or agent name.                                                                                                        |
| **All categories**   | Default, or filter to one ASI code (`ASI01` … `ASI10`). The dropdown lists full names; the table **Category** column shows the short code only (`ASI03`, `ASI02`, …). |
| **All severities**   | Default, or `Critical`, `High`, `Medium`, `Low`, `Info`.                                                                                                              |
| **Refresh**          | Reloads findings.                                                                                                                                                     |

### Columns

Sorted by severity (highest first), then category, then rule id.

| Column        | Notes                                                                      |
| ------------- | -------------------------------------------------------------------------- |
| **Severity**  | Color-coded chip.                                                          |
| **Category**  | ASI code chip (short form in the grid).                                    |
| **Agent**     | Links to agent detail. Shows a monospaced row id if the agent was removed. |
| **Finding**   | Rule title above, description below.                                       |
| **Rule**      | Stable id (e.g. `asi03.shared_identity_across_agents`).                    |
| **Last seen** | Date the finding was last observed.                                        |

Empty state: **No OWASP findings detected.** with a green shield icon.

<Frame caption="Agents → Findings">
  <img src="https://mintcdn.com/fcguardwayai/rJTQ_bXDRs9Cgazf/images/screenshots/platform/agents/findings.png?fit=max&auto=format&n=rJTQ_bXDRs9Cgazf&q=85&s=bda35119ee38dc7c6b53deaf39bafe60" alt="OWASP findings table" width="1024" height="592" data-path="images/screenshots/platform/agents/findings.png" />
</Frame>

## Agent detail

Opens when you click an inventory row. Back control: **Agents**.

### Header

Agent name, provider · project · account label, **Routing unknown** / gateway badge, optional worst-severity chip and **`N ASI finding(s)`** anchor to the findings card, **Open in console** when `raw_url` is present.

### Sections (in order)

| Section                       | Notes                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **OWASP Top 10 findings (N)** | Grouped by ASI category. **Remediation** and **Evidence** collapsibles per finding; Evidence shows JSON from the rule evaluator.                                                                                                                                                                                                                                                                                                                |
| **Identities (N)**            | One row per Entra principal. Display name, type chip (`ServicePrincipal`, `ManagedIdentity`, `Application`), link source (`Foundry account managed identity`, `Declared in agent metadata`, `Assistant owner`). Object id, **Attached to** for Managed Identities, owner count (suppressed for MIs with an attached resource), credential badges (**N expired**, **N expiring \<30d**), **N risky scope(s)**. Hidden when no identity resolved. |
| **Models (N)**                | Deployment name, provider kind, deployment alias, endpoint URL.                                                                                                                                                                                                                                                                                                                                                                                 |
| **Tools (N)**                 | Name, description, kind chip.                                                                                                                                                                                                                                                                                                                                                                                                                   |
| **MCP servers (N)**           | Name, URL, transport, risk badge.                                                                                                                                                                                                                                                                                                                                                                                                               |

Footer: last discovered timestamp.

<Frame caption="Agent detail">
  <img src="https://mintcdn.com/fcguardwayai/rJTQ_bXDRs9Cgazf/images/screenshots/platform/agents/detail-overview.png?fit=max&auto=format&n=rJTQ_bXDRs9Cgazf&q=85&s=bbd2642d65cba7a7727072a480b39f32" alt="Agent detail with OWASP findings and Identities" width="1024" height="594" data-path="images/screenshots/platform/agents/detail-overview.png" />
</Frame>

## OWASP Top 10 categories

Guardway maps findings to the [OWASP Top 10 for Agentic Applications 2026](https://genai.owasp.org/initiatives/agentic-security-initiative/) framework. Five categories are evaluated in this release from passive cloud metadata; the rest are deferred ([Limits](#limits)).

| Category  | Title                                | Evaluated |
| --------- | ------------------------------------ | --------- |
| **ASI01** | Agent Goal Hijack                    | No        |
| **ASI02** | Tool Misuse & Exploitation           | Yes       |
| **ASI03** | Identity & Privilege Abuse           | Yes       |
| **ASI04** | Agentic Supply Chain Vulnerabilities | Yes       |
| **ASI05** | Unexpected Code Execution (RCE)      | Yes       |
| **ASI06** | Memory & Context Poisoning           | No        |
| **ASI07** | Insecure Inter-Agent Communication   | Yes       |
| **ASI08** | Cascading Failures                   | No        |
| **ASI09** | Human-Agent Trust Exploitation       | No        |
| **ASI10** | Rogue Agents                         | No        |

### Rule reference

<AccordionGroup>
  <Accordion title="ASI02 · Tool Misuse & Exploitation">
    | Rule                             | Severity | Triggers when                                       |
    | -------------------------------- | -------- | --------------------------------------------------- |
    | `asi02.code_interpreter_present` | Medium   | The agent has a `code_interpreter` tool registered. |
    | `asi02.high_tool_count`          | Low      | More than 10 tools.                                 |
    | `asi02.unknown_kind_tool`        | Info     | A tool kind could not be classified.                |
  </Accordion>

  <Accordion title="ASI03 · Identity & Privilege Abuse">
    Rules below **`no_managed_identity_hint`** require [Microsoft Entra ID](/platform/settings/integrations#microsoft-entra-id) and a resolved agent → principal link.

    | Rule                                  | Severity | Triggers when                                                                                                       |
    | ------------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------- |
    | `asi03.no_managed_identity_hint`      | Medium   | Privileged-looking tools, no Entra principal linked, no identity in metadata.                                       |
    | `asi03.shared_identity_across_agents` | Medium   | Same Entra principal across multiple agents.                                                                        |
    | `asi03.expired_credential`            | High     | Expired client secret or certificate on the identity.                                                               |
    | `asi03.credential_expiring_soon`      | Medium   | Credential expiring within 30 days.                                                                                 |
    | `asi03.long_lived_secret`             | Medium   | Client secret lifetime greater than one year.                                                                       |
    | `asi03.overprivileged_consent`        | High     | High-risk Microsoft Graph permissions on the identity.                                                              |
    | `asi03.privileged_directory_role`     | Critical | Global Administrator, Privileged Role Administrator, Application Administrator, or Cloud Application Administrator. |
    | `asi03.orphaned_principal`            | Medium   | Service Principal or Application with no owners (MIs exempt).                                                       |
    | `asi03.disabled_owner`                | Medium   | All user owners disabled.                                                                                           |
    | `asi03.unverified_principal`          | Low      | Metadata principal id does not match any tenant principal.                                                          |
    | `asi03.dormant_principal`             | Low      | No sign-in for 90+ days (`AuditLog.Read.All` + AAD Premium required).                                               |
  </Accordion>

  <Accordion title="ASI04 · Agentic Supply Chain Vulnerabilities">
    | Rule                            | Severity | Triggers when                       |
    | ------------------------------- | -------- | ----------------------------------- |
    | `asi04.mcp_server_unpinned_url` | High     | MCP host outside trusted allowlist. |
    | `asi04.openapi_external_spec`   | Medium   | OpenAPI spec URL outside allowlist. |
    | `asi04.mcp_server_no_url`       | Low      | MCP server has no URL recorded.     |
  </Accordion>

  <Accordion title="ASI05 · Unexpected Code Execution (RCE)">
    | Rule                             | Severity | Triggers when                              |
    | -------------------------------- | -------- | ------------------------------------------ |
    | `asi05.code_interpreter_present` | High     | `code_interpreter` tool present.           |
    | `asi05.shell_like_function_tool` | High     | Function tool matches shell/eval patterns. |
  </Accordion>

  <Accordion title="ASI07 · Insecure Inter-Agent Communication">
    | Rule                          | Severity | Triggers when                               |
    | ----------------------------- | -------- | ------------------------------------------- |
    | `asi07.mcp_http_transport`    | High     | MCP uses `http` transport or `http://` URL. |
    | `asi07.mcp_unknown_transport` | Medium   | Transport unknown from discovery.           |
  </Accordion>
</AccordionGroup>

### Severity meanings

| Severity     | Typical impact                                        |
| ------------ | ----------------------------------------------------- |
| **Critical** | Direct path to compromise without further conditions. |
| **High**     | Material risk under common attack paths.              |
| **Medium**   | Increased attack surface or reduced visibility.       |
| **Low**      | Hygiene issue.                                        |
| **Info**     | Diagnostic / connector visibility gap.                |

### Lifecycle

Findings are created on first rule match, updated on each sync when the rule still fires, and **pruned** automatically when the rule stops firing. Deleting an agent in the provider removes its findings.

## Gateway routing detection

Hostname of the model endpoint is compared to registered gateway URLs.

| State                 | Meaning                                                       |
| --------------------- | ------------------------------------------------------------- |
| **Gateway: \<name>**  | Endpoint matches a registered gateway.                        |
| **Bypassing gateway** | Direct to upstream provider.                                  |
| **Routing unknown**   | Endpoint URL not resolved (common for Foundry prompt agents). |

## Limits

* One subscription (Azure) or account+region (Bedrock) per provider per organization in v1.
* Refresh is on-demand via integration **Resync**; no continuous background poll yet.
* OWASP evaluation is **passive** — Guardway never sends prompts to discovered agents.
* Five ASI categories evaluated (ASI02, ASI03, ASI04, ASI05, ASI07).
* ASI04 allowlist: until seeded, MCP hosts may all trigger `asi04.mcp_server_unpinned_url`.

## Related

* [Dashboard → Agents](/platform/dashboard/agents) — org-wide metrics and breakdowns.
* [Topology](/platform/topology) — graph of gateways → providers → models → agents.
* [Settings → Integrations](/platform/settings/integrations) — connect providers.
* [Logs](/platform/logs) — request history for gateway-routed traffic.
