{"generated_at":"2026-04-28T08:23:33.884001+00:00","org_key":"default","period":"last_30_days","posture_score":50.0,"risk_level":"HIGH","trend_delta":-22.6,"trend_direction":"down","narrative":"ThreatVec has assessed your organization's AI security posture at 50 out of 100, placing you in HIGH risk territory following a sharp 23-point decline — a trajectory that demands immediate board attention. Your environment currently has zero registered AI agents, zero monitored AI services, and zero active alert rules, meaning there is no visibility into how AI is being used across the business and no controls in place to detect or stop harmful activity. Seven unresolved critical vulnerabilities have been identified in your technology stack, each representing a potential entry point for attackers to compromise business operations, customer data, or financial systems. The complete absence of monitoring infrastructure means your organization would have no warning of an AI-related breach or misuse event as it occurred. We recommend an urgent remediation sprint targeting the seven critical vulnerabilities alongside an immediate effort to inventory and register all AI tools in use, establishing baseline controls before your risk exposure widens further.","inventory":{"agents":0,"mcp_servers":0,"unregistered_ai":0},"monitoring":{"active_alert_rules":0,"alerts_fired_30d":0,"signal_sources":[],"enforcement_calls_30d":0,"enforcement_blocked_30d":0},"cve_stats":{"total_30d":45,"critical":7,"high":34,"stack_relevant":8,"patched_30d":0,"open_critical":7},"red_team":{"probes_run_30d":0,"bypasses_found":0,"bypass_rate_pct":0,"attack_classes_tested":0,"last_run_at":null},"model_trust":{"models_tracked":30,"avg_trust_score":45.9,"models_flagged":24,"live_tested":0},"component_scores":{"agent":0,"mcp":0,"shadow":50},"findings":{"problem_agents":[],"integrity_violations":[]},"framework":{"owasp":{"score":20,"controls":[{"id":"LLM01","name":"Prompt Injection","status":"gap","finding":"Not yet tested"},{"id":"LLM02","name":"Insecure Output Handling","status":"gap","finding":"LLM proxy not connected"},{"id":"LLM03","name":"Training Data Poisoning","status":"gap","finding":"Not yet assessed"},{"id":"LLM04","name":"Model Denial of Service","status":"assessed","finding":"CVE feed active"},{"id":"LLM05","name":"Supply Chain Vuln","status":"tested","finding":"45 CVEs tracked (30d)"},{"id":"LLM06","name":"Sensitive Info Disclosure","status":"gap","finding":"No signal sources active"},{"id":"LLM07","name":"Insecure Plugin Design","status":"gap","finding":"No agents registered"},{"id":"LLM08","name":"Excessive Agency","status":"gap","finding":"No enforcement connected"},{"id":"LLM09","name":"Overreliance","status":"assessed","finding":"Model Trust Registry active"},{"id":"LLM10","name":"Model Theft","status":"gap","finding":"Not yet assessed"}]},"nist":{"score":52,"functions":[{"name":"GOVERN","score":30,"evidence":"0 agents registered, 0 alert rules active"},{"name":"MAP","score":70,"evidence":"Tech stack declared, threat path computed"},{"name":"MEASURE","score":70,"evidence":"Posture score 50/100, 0 red team probes (30d)"},{"name":"MANAGE","score":40,"evidence":"No enforcement policy layer connected — gap"}]},"eu_ai_act":{"score":38,"articles":[{"ref":"Art. 9","topic":"Risk Management System","status":"met","evidence":"Posture score + CVE monitoring active"},{"ref":"Art. 13","topic":"Transparency & Logging","status":"gap","evidence":"No signal sources active"},{"ref":"Art. 14","topic":"Human Oversight","status":"gap","evidence":"Enforcement not yet configured"},{"ref":"Art. 17","topic":"Quality Management System","status":"partial","evidence":"Run continuous red team to build evidence"}]},"mitre_atlas":{"score":0,"techniques_covered":0,"techniques_total":14,"top_findings":["AML.T0048 Supply Chain — 45 CVEs tracked"]}},"posture_history":[{"date":"2026-04-21","posture_score":72.6,"agent_score":79.4,"mcp_score":70.7,"shadow_score":61.9},{"date":"2026-04-22","posture_score":71.2,"agent_score":75.9,"mcp_score":70.0,"shadow_score":60.2},{"date":"2026-04-23","posture_score":71.3,"agent_score":80.2,"mcp_score":68.2,"shadow_score":63.8},{"date":"2026-04-24","posture_score":71.3,"agent_score":82.4,"mcp_score":70.6,"shadow_score":61.1},{"date":"2026-04-25","posture_score":73.1,"agent_score":83.3,"mcp_score":74.2,"shadow_score":61.2},{"date":"2026-04-26","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-26","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-26","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-26","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-26","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-26","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-26","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-27","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-27","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-27","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-27","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-27","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-27","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-27","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-27","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-27","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-28","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-28","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-28","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-28","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-28","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-28","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-28","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-28","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0},{"date":"2026-04-28","posture_score":50.0,"agent_score":null,"mcp_score":null,"shadow_score":50.0}],"recommendations":[{"title":"Connect signal sources to enable real-time AI visibility","detail":"Zero signal sources are active, meaning ThreatVec has no telemetry to detect threats or validate your 50/100 score. Integrate at least one source — such as your SIEM, M365 logs, or the ThreatVec Chrome extension — immediately to establish a baseline.","impact":"high","effort":"low"},{"title":"Deploy alert rules to detect AI policy violations","detail":"No alert rules have fired in 30 days because none are configured. Create a minimum ruleset covering prompt injection, shadow AI usage, and MCP schema drift to move from blind to monitored posture.","impact":"high","effort":"low"},{"title":"Enable enforcement blocks to prevent uncontrolled AI use","detail":"Zero enforcement blocks in 30 days indicates no active controls are in place. Configure at minimum a block policy for unregistered AI services to reduce exposure while broader rules are built out.","impact":"high","effort":"medium"},{"title":"Run a shadow AI discovery sweep across endpoints and M365","detail":"With no signal sources active, the current count of zero unregistered AI services cannot be trusted — it reflects absence of detection, not absence of risk. Deploy the ThreatVec Chrome extension and connect M365 logs to surface actual shadow AI usage.","impact":"medium","effort":"medium"},{"title":"Establish a red team exercise to validate agent controls","detail":"The Agent Score component includes red team pass rate, which cannot be measured without an active test. Schedule a focused red team exercise targeting your AI agents to generate a defensible baseline and identify behavioural drift early.","impact":"medium","effort":"high"}],"ai_enhanced":true}