CAISI Blog / Sprawl Report Series

What the Sprawl Report Means for Security and Platform Leaders

This four-part series stays anchored to one report and one subset run: `sprawl-v2-full-20260312b`, rebuilt from `890` completed public GitHub targets. The point is not to retell the report four times. It is to separate the strongest governance lessons for AppSec, CISOs, and platform teams from the numbers that are easy to misread.

Public evidence, not runtime certainty | AppSec, CISO, platform audiences | One report, four focused lessons

Why a separate sprawl series

The report is strongest on a specific question: what public repositories expose about AI tools, agent declarations, approval posture, evidence readiness, and control-aligned artifacts. That is a useful governance question, but it is easy for readers to over-rotate toward either complacency or alarm.

This series slows the read down. It explains why the report's strongest results are about proof and posture, why some zeros should not reassure anyone too quickly, and what each audience should do with the signal.

The 4 posts