TL;DR
- Every CISO this year is being asked the same board-level question: are our AI agents under control? “Yes” isn’t a measurement. “We have policies” isn’t either.
- Authorization Coverage is the measurement. Define it as the share of consequential agent actions in your environment that are evaluated by an externalized authorization policy. Honest, finite, reportable.
- The first time you measure it, the number will be small — usually under 10%. That’s not a failure of the program; it’s the baseline. The point of having the metric is to grow it. Customers running this program reach 80–90% in 60 days when they sequence the rollout right.
The Board Is Asking. The Slide Doesn’t Exist Yet.
Encryption has a coverage metric. “What percent of customer data at rest is encrypted with FIPS-validated algorithms?” A board can read that. Auditors can read that. Insurance underwriters can read that. The number can move quarter to quarter and stakeholders know what better looks like.
Agent security has no equivalent. Most quarterly board updates in 2026 are still framed as we’ve been thinking about it, we’re drafting a policy, we’re piloting tooling. That language reads as competent until the first incident; then it reads as the program that didn’t exist. The board needs a number.
Authorization Coverage is the number. It is simple enough to fit on a slide, honest enough to survive an auditor’s pen test, and operational enough that a security team can move it on purpose rather than by accident.
The Definition
We’ll be specific.
Three load-bearing words in the numerator.
Consequential
The action either changes durable state (write, delete, send, transact) or accesses non-public data. A model reasoning out loud about an email doesn’t count. The model actually sending the email does.
Agent
A Non-Person Entity acting under model-driven decisioning — whether that’s Claude Code on a developer’s laptop, a production agent in a backend, or an MCP-connected desktop. Humans typing in a console aren’t agents for this metric.
Evaluated by External Policy
The decision to allow or deny was returned by a policy engine outside the agent runtime, against versioned rules, with a decision logged. An if statement in a tool handler doesn’t count. Hope doesn’t count.
Anything that fails one of those three is in the denominator but not the numerator. That’s the metric working as intended. The whole point is to know how big the gap is.
What the Board Slide Looks Like
One number, one trajectory, one breakdown. The slide a CISO can present in ninety seconds:
The five tiles around the headline number do most of the boardroom work. They turn the percentage from a slogan into a story: 142 agents, almost 50,000 actions a week, 1.8% denied, 13% uncovered — and we know exactly which three services that 13% is. The board doesn’t need to know the architecture; they need to know there’s a number, it’s moving in the right direction, and the gap is named.
The 60-Day Trajectory You Can Honestly Promise
The first measurement of Authorization Coverage in a real environment is small. Almost no organization is starting from 50%. Customers running a disciplined rollout follow a predictable curve:
The shape matters more than the numbers. Coverage moves in steps, not lines. Each step corresponds to a class of agents going from outside the system to inside — one developer fleet, one production service tier, one orchestrator framework, one MCP surface. Coverage that grows linearly is a sign the program is doing too many things at once; coverage that grows in steps is the sign of a controlled rollout.
By day 60, the remaining gap usually isn’t agents the team forgot about. It’s agents the team has consciously deferred — a legacy service scheduled for retirement, a vendor integration that’s mid-replacement, a research environment with no production traffic. Naming the remaining 13% is the metric’s second most useful property. If the gap can be named with rationale, the program is healthy. If it can’t, the metric is doing its job by surfacing what no one has yet measured.
The Denominator Problem (And How to Handle It)
Every coverage metric has a definitional weakness. For Authorization Coverage, it’s the question every auditor will ask first: how do you know what the total number of consequential agent actions actually is?
Honest answer: you don’t, perfectly. You know what you’ve instrumented. There’s a long tail of shadow agents that nobody has registered, sub-agents spawned at runtime by orchestrators, and one-off scripts a developer wrote last quarter that hit a production API once a week.
Three practices keep the metric honest:
Discover Continuously, Not Quarterly
Run an agent-discovery scan against your environments at least weekly — OAuth grants in Workspace, MDM-registered Claude Code installs, MCP server inventory, service-account tokens with model providers. The denominator grows as discovery finds new agents; that’s the metric working, not breaking.
Surface the Denominator on the Slide
Coverage of 87% over 47,300 actions/week is meaningful. Coverage of 87% with no denominator visible is suspicious. Show the actions/week tile next to the percentage so a reader can see whether the base is growing or shrinking.
Report Coverage With a Confidence Band
For high-rigor environments — federal, financial, healthcare — publish coverage as a range based on best/worst estimates of unregistered agents. “87% known, 78% if estimated shadow agents are included” is more honest than a single point and is the kind of language that survives an external audit.
The metric is not a guarantee of completeness. It’s a structured way of being clear about what is and isn’t under control. Pretending otherwise breaks the metric’s ability to survive scrutiny — which is the only reason boards take it seriously.
Coverage Is Necessary. It Is Not Sufficient.
The most common failure mode of a coverage metric is treating it as the whole program. It isn’t. An agent surface can be 100% covered by external policy and still be insecure if those policies are wrong — too permissive, badly classified, mis-tiered against the resources they protect. Coverage measures whether the decision happens, not whether the decision is correct.
Three companion metrics keep the picture honest:
Policy Test Coverage
Percentage of policy rules with at least one regression test. The policy library has the same software-quality discipline as the application code that consults it.
Decision Latency
P50 / P99 of decision evaluation time. A policy plane that takes 800 ms per call gets routed around. A policy plane that decides in single-digit milliseconds gets used.
Action-Tier Mismatch Rate
Rate at which an agent’s declared action tier disagrees with the actual tier of the call. High mismatch rates surface agents whose self-description is drifting or being spoofed — a signal coverage alone can’t produce.
Coverage on the slide; the supporting metrics on the appendix page. Together they describe a program that doesn’t just exist but works.
How the Board Conversation Actually Goes
With the metric in place, the quarterly board update changes shape. The before:
“We’re continuing to evaluate our exposure to agentic AI risk and have engaged a vendor to help us think through the policy framework. Pilot deployments are underway in the engineering organization.”
The after:
“Agent authorization coverage is at 87%, up 12 points from last quarter. The uncovered 13% is three named legacy services scheduled for migration by year-end. Decision latency is single-digit milliseconds. Our denial-rate trend and a current shadow-agent estimate are in the appendix.”
The first version is a status update. The second is a program. The board can ask follow-up questions of the second; the first leaves them with nothing to challenge or affirm.
See What Your Coverage Number Would Look Like
The fastest way to know your current Authorization Coverage is to run a one-week discovery scan against a production environment. We bring the scan; you bring an environment. The output is the baseline number, the named uncovered surface, and a 60-day plan to move it.
Read Next
- Stratium, “Stratium in 90 Seconds: Compound Decisions for AI Agent Authorization” — the decision plane that produces the numerator.
- Stratium, “Confidentiality Is Not Agent Security” — where the “authorization coverage” term first appeared as a stake in the ground.
- Stratium, “Defense in Depth Needs a Floor” — why a shared decision plane is the substrate the metric measures.
- Stratium, “Agents Are Showing Up in Places You Can’t Roll Back” — the case for raising coverage before the next incident, not after.