// security agent maturity

Where is your security agent program today?

Every enterprise security program sits at one of five maturity levels. Most are at Level 1 or 2 without knowing it. The agents are running. The CISO can't account for them. The board is starting to ask questions. ARX moves organizations from invisible to accountable — systematically, and in under 10 minutes for the first agent.

// the five levels

Five levels. One journey.

01 Invisible   |   WHERE MOST PROGRAMS START   |   RISK: HIGH
The security team has informal automation running — scripts, notebooks, scheduled tasks — that nobody officially calls an agent. The CISO has no inventory. The tools are undocumented. Credentials are hardcoded in .env files on individual laptops. Nobody knows what systems these tools touch or what they can do.
Common Signs
  • Security engineers use "just a script" to describe production automation
  • No formal inventory of internal security tools exists
  • CISO cannot answer "what automated tools touch CrowdStrike?"
  • API keys exist in code repositories and engineer laptops
What ARX Does Here
Deploy ARX and immediately get a registry of what is running. Most Level 1 organizations are shocked by what they find.
02 Uncontrolled   |   MOST COMMON ENTRY POINT   |   RISK: VERY HIGH
Agents are intentionally built and deployed in production. They do real work — triage, enrichment, correlation. But there is no governance layer. No audit trail. No policy enforcement. No visibility for the CISO. The agents run with whatever permissions the API key allows. One bad prompt, one model update, one edge case — the agent does something it was never supposed to do.
Common Signs
  • Agents are running in production but not in any official registry
  • No formal policy defines what each agent is permitted to do
  • Audit trail is whatever the individual tools log — not agent-level
  • CISO knows agents exist but cannot account for what they do
What ARX Does Here
Wrap existing agents with governance immediately. The registry, audit trail, and policy engine deploy in days. Level 2 organizations often generate their first compliance package within the first week.
03 Governed   |   WHERE ARX TAKES YOU — DAY ONE   |   RISK: MODERATE
The security program has deployed formal agent governance. The CISO has a registry. A policy layer defines what agents can do. An audit trail exists at the agent action level. Human approval gates are in place for high-risk operations. But compliance documentation is still manual — vendor security reviews still take months — and the agent deployment process is still slow for engineers.
Common Signs
  • Agent registry exists and is maintained
  • Policy rules are defined and enforced
  • Audit logs exist at the agent action level
  • Human approval gates are in place for high-risk operations
  • BUT: compliance packages require manual work
  • BUT: new agents still stall in vendor security review
What ARX Does Here
Automate the compliance documentation layer. Engineer deployment drops from weeks to minutes. The six-month vendor review becomes two weeks.
04 Compliant   |   FULL ARX DEPLOYMENT   |   RISK: LOW
The security program has both governance and compliance. Agents are registered, governed, and audited. Compliance documentation is auto-generated from runtime behavior. Vendor security reviews are fast. The CISO can walk into any audit or board conversation and answer every question about what their agents are doing.
Common Signs
  • Auto-generated compliance packages submitted to procurement routinely
  • Vendor security reviews for new agents complete in under 30 days
  • CISO dashboard answers any question an auditor asks
  • Agent deployment measured in minutes, not weeks
  • BUT: behavioral drift detection is reactive, not proactive
  • BUT: agent intelligence does not improve across the portfolio
What ARX Does Here
Activate behavioral drift detection and declared intent monitoring. Move from reactive governance to proactive behavioral compliance.
05 Autonomous & Accountable   |   THE TARGET STATE   |   RISK: MINIMAL
The mature security agent program. Agents are deployed in minutes. Governance is automatic. Compliance documentation is continuous and current. Behavioral drift is detected proactively before it causes problems. The CISO has real-time visibility into every agent's behavior against its declared intent. The security program expands its agent footprint with confidence because governance scales with it.
Common Signs
  • New agents deploy in under 10 minutes with governance active from first invocation
  • Compliance packages always current — maintained continuously, not generated on request
  • Behavioral drift alerts surface before incidents occur
  • Agent portfolio expanding because governance creates confidence, not friction
  • CISO uses the agent registry as a strategic planning tool
What ARX Does Here
You are the reference customer. This is where ARX wants to take every organization.
// the journey

From invisible to fully accountable.

01 Invisible   |   RISK: HIGH
02 Uncontrolled   |   RISK: VERY HIGH
03 Governed   |   ARX: DAY ONE   |   RISK: MODERATE
04 Compliant   |   RISK: LOW
05 Autonomous   |   RISK: MINIMAL
ARX MOVES YOUR PROGRAM FROM WHEREVER YOU ARE TO LEVEL 3 IN UNDER 10 MINUTES.
// the assessment

Find your level. 2 minutes.

Answer ten yes-or-no questions about your security agent program. The assessment tells you your current maturity level and what it would take to reach the next one.

Q01 Do you have a formal inventory of all AI agents running in your security stack?
Q02 Is there a defined policy for what each agent is permitted to access and do?
Q03 Do you have an audit trail at the individual agent action level?
Q04 Are human approval gates in place for high-risk agent operations?
Q05 Can your CISO answer any auditor question about agent behavior in real time?
Q06 Are compliance packages for agent deployments generated automatically?
Q07 Do vendor security reviews for new agents complete in under 30 days?
Q08 Is behavioral drift detection active and proactive across your agent portfolio?
Q09 Can a new agent go from code to governed production in under 10 minutes?
Q10 Are compliance packages maintained continuously rather than generated on request?
// the cost of inaction

Every level has a cost. Most organizations are paying it without knowing.

THE COST OF LEVEL 1-2

You have automation running in production with no audit trail, no policy enforcement, and no accountability. One autonomous action — a misconfigured enrichment, a triage agent that escalates the wrong way, a script that touches production data it was never supposed to access — and you have a board-level incident with no evidence of what happened or why. The average cost of an AI-related security incident is $670K. The reputational cost is higher. And the regulatory exposure is just starting.

THE COST OF STAYING AT LEVEL 3

You have governance but compliance is manual. Every new agent stalls in vendor security review. Every compliance package takes weeks to assemble. Your engineers are waiting. Your security team is buried in documentation. The agents that should be saving time are creating more work than they eliminate. You are governed but not scaling.

THE VALUE OF LEVEL 5

Your security program expands its agent footprint with confidence. Every agent deploys in minutes with governance active from the first invocation. Compliance is continuous. Behavioral drift is detected before it causes problems. The CISO has real-time visibility into everything. The board gets answers, not promises. Your team builds faster because governance is not friction — it is infrastructure.

// arx and the maturity model

ARX at every level. What changes when you deploy.

Level 1 → 2
Deploy ARX. See what you didn't know was running. The agent registry surfaces every piece of automation touching your security stack — scripts, notebooks, scheduled tasks, and production agents your team built but never documented.
Level 2 → 3   |   MOST COMMON ENTRY POINT
Deploy ARX. Agent registry live. Policy rules active. Audit trail running. Human approval gates configured. All in under one hour. First compliance package the same week.
Level 3 → 4
Compliance Package Generator activates. Engineer deployment drops from weeks to minutes. Vendor reviews from months to two weeks.
Level 4 → 5
Behavioral drift detection activates. Declared intent manifests are signed and monitored. The program expands with confidence.
Level 5
You are the reference customer. This is where ARX wants to take every organization.
// let's talk
Know your level. Close the gap.

Your team builds the agents. ARX makes them enterprise-ready — without slowing anyone down.

The genie isn't going back in the bottle. ARX gives you full visibility and control over every agent your team deploys — so you can move fast and prove it.

From invisible to fully accountable.
mershard@arxsec.io   |   +1 (800) 555-1234