Back to Blog

Authorization Coverage

A board-reportable metric for AI agent security. Definition, formula, a sample dashboard, and the trajectory.

June 25, 2026

TL;DR

  • Every CISO this year is being asked the same board-level question: are our AI agents under control? “Yes” isn’t a measurement. “We have policies” isn’t either.
  • Authorization Coverage is the measurement. Define it as the share of consequential agent actions in your environment that are evaluated by an externalized authorization policy. Honest, finite, reportable.
  • The first time you measure it, the number will be small — usually under 10%. That’s not a failure of the program; it’s the baseline. The point of having the metric is to grow it. Customers running this program reach 80–90% in 60 days when they sequence the rollout right.

The Board Is Asking. The Slide Doesn’t Exist Yet.

Encryption has a coverage metric. “What percent of customer data at rest is encrypted with FIPS-validated algorithms?” A board can read that. Auditors can read that. Insurance underwriters can read that. The number can move quarter to quarter and stakeholders know what better looks like.

Agent security has no equivalent. Most quarterly board updates in 2026 are still framed as we’ve been thinking about it, we’re drafting a policy, we’re piloting tooling. That language reads as competent until the first incident; then it reads as the program that didn’t exist. The board needs a number.

Authorization Coverage is the number. It is simple enough to fit on a slide, honest enough to survive an auditor’s pen test, and operational enough that a security team can move it on purpose rather than by accident.

The Definition

We’ll be specific.

Authorization Coverage = consequential agent actions evaluated by external policy total consequential agent actions

Three load-bearing words in the numerator.

Consequential

The action either changes durable state (write, delete, send, transact) or accesses non-public data. A model reasoning out loud about an email doesn’t count. The model actually sending the email does.

Agent

A Non-Person Entity acting under model-driven decisioning — whether that’s Claude Code on a developer’s laptop, a production agent in a backend, or an MCP-connected desktop. Humans typing in a console aren’t agents for this metric.

Evaluated by External Policy

The decision to allow or deny was returned by a policy engine outside the agent runtime, against versioned rules, with a decision logged. An if statement in a tool handler doesn’t count. Hope doesn’t count.

Anything that fails one of those three is in the denominator but not the numerator. That’s the metric working as intended. The whole point is to know how big the gap is.

What the Board Slide Looks Like

One number, one trajectory, one breakdown. The slide a CISO can present in ninety seconds:

Authorization Coverage — AI Agents
FY26 Q2 · trailing 30d
87%
↑ +12 pts vs. Q1
Agents in Scope
142
across 8 business units
Actions / Week
47,300
consequential
DENY Rate
1.8%
of evaluated calls
Uncovered Surface
13%
3 legacy services
Avg Decision Latency
8 ms
P50, in-region
Audit Stream
100%
to SIEM

The five tiles around the headline number do most of the boardroom work. They turn the percentage from a slogan into a story: 142 agents, almost 50,000 actions a week, 1.8% denied, 13% uncovered — and we know exactly which three services that 13% is. The board doesn’t need to know the architecture; they need to know there’s a number, it’s moving in the right direction, and the gap is named.

The 60-Day Trajectory You Can Honestly Promise

The first measurement of Authorization Coverage in a real environment is small. Almost no organization is starting from 50%. Customers running a disciplined rollout follow a predictable curve:

Day 0 0% baseline before the program starts Day 7 8% one high-blast-radius agent fully covered (proof of concept) Day 14 22% pilot team rolled out via MDM, 4-6 agents Day 30 48% most production agents wrapped, policy library mature Day 45 73% long-tail agents picked up via discovery scan Day 60 87% only legacy services remain; named, with retirement dates

The shape matters more than the numbers. Coverage moves in steps, not lines. Each step corresponds to a class of agents going from outside the system to inside — one developer fleet, one production service tier, one orchestrator framework, one MCP surface. Coverage that grows linearly is a sign the program is doing too many things at once; coverage that grows in steps is the sign of a controlled rollout.

By day 60, the remaining gap usually isn’t agents the team forgot about. It’s agents the team has consciously deferred — a legacy service scheduled for retirement, a vendor integration that’s mid-replacement, a research environment with no production traffic. Naming the remaining 13% is the metric’s second most useful property. If the gap can be named with rationale, the program is healthy. If it can’t, the metric is doing its job by surfacing what no one has yet measured.

The Denominator Problem (And How to Handle It)

Every coverage metric has a definitional weakness. For Authorization Coverage, it’s the question every auditor will ask first: how do you know what the total number of consequential agent actions actually is?

Honest answer: you don’t, perfectly. You know what you’ve instrumented. There’s a long tail of shadow agents that nobody has registered, sub-agents spawned at runtime by orchestrators, and one-off scripts a developer wrote last quarter that hit a production API once a week.

Three practices keep the metric honest:

Discover Continuously, Not Quarterly

Run an agent-discovery scan against your environments at least weekly — OAuth grants in Workspace, MDM-registered Claude Code installs, MCP server inventory, service-account tokens with model providers. The denominator grows as discovery finds new agents; that’s the metric working, not breaking.

Surface the Denominator on the Slide

Coverage of 87% over 47,300 actions/week is meaningful. Coverage of 87% with no denominator visible is suspicious. Show the actions/week tile next to the percentage so a reader can see whether the base is growing or shrinking.

Report Coverage With a Confidence Band

For high-rigor environments — federal, financial, healthcare — publish coverage as a range based on best/worst estimates of unregistered agents. “87% known, 78% if estimated shadow agents are included” is more honest than a single point and is the kind of language that survives an external audit.

The metric is not a guarantee of completeness. It’s a structured way of being clear about what is and isn’t under control. Pretending otherwise breaks the metric’s ability to survive scrutiny — which is the only reason boards take it seriously.

Coverage Is Necessary. It Is Not Sufficient.

The most common failure mode of a coverage metric is treating it as the whole program. It isn’t. An agent surface can be 100% covered by external policy and still be insecure if those policies are wrong — too permissive, badly classified, mis-tiered against the resources they protect. Coverage measures whether the decision happens, not whether the decision is correct.

Three companion metrics keep the picture honest:

Policy Test Coverage

Percentage of policy rules with at least one regression test. The policy library has the same software-quality discipline as the application code that consults it.

Decision Latency

P50 / P99 of decision evaluation time. A policy plane that takes 800 ms per call gets routed around. A policy plane that decides in single-digit milliseconds gets used.

Action-Tier Mismatch Rate

Rate at which an agent’s declared action tier disagrees with the actual tier of the call. High mismatch rates surface agents whose self-description is drifting or being spoofed — a signal coverage alone can’t produce.

Coverage on the slide; the supporting metrics on the appendix page. Together they describe a program that doesn’t just exist but works.

How the Board Conversation Actually Goes

With the metric in place, the quarterly board update changes shape. The before:

“We’re continuing to evaluate our exposure to agentic AI risk and have engaged a vendor to help us think through the policy framework. Pilot deployments are underway in the engineering organization.”

The after:

“Agent authorization coverage is at 87%, up 12 points from last quarter. The uncovered 13% is three named legacy services scheduled for migration by year-end. Decision latency is single-digit milliseconds. Our denial-rate trend and a current shadow-agent estimate are in the appendix.”

The first version is a status update. The second is a program. The board can ask follow-up questions of the second; the first leaves them with nothing to challenge or affirm.

See What Your Coverage Number Would Look Like

The fastest way to know your current Authorization Coverage is to run a one-week discovery scan against a production environment. We bring the scan; you bring an environment. The output is the baseline number, the named uncovered surface, and a 60-day plan to move it.

Book a coverage assessment Explore the Platform

Read Next

One number on the slide. A program underneath it.