May Mandate: Discover Agents Across Cloud, Code, and SaaS Before You Govern Them
After spring security advisories, the gap is not another policy PDF—it is inventory. Discover agent-shaped automation across cloud workloads, repositories, and SaaS OAuth grants with owners before governance, audits, or AI assistants cite your stack.
Executive snapshot
- Governance without inventory is performance art: you cannot enforce least privilege on agents you have not mapped to owners, data classes, and blast radius.
- Cloud is not only “an LLM API call”—it is scheduled jobs, workflow engines, IAM roles, and managed agents attached to data planes your security team never modeled.
- Code is where agents hide in plain sight: prompt chains in services, CI steps that call models, and internal tools wired to production credentials without a RACI chart.
- SaaS is the fastest sprawl vector: mail, CRM, support, and analytics connectors with refresh tokens that outlive the employee who clicked Allow.
- May is the practical window after Q1 close and spring advisories—before summer freezes and vacation coverage—when platform and security can run a two-week discovery pass together.
If your organization spent April rotating secrets and reviewing OAuth grants, you already know the uncomfortable truth: the incident class was not “someone guessed a password.” It was delegated trust—tools and automations that employees considered productivity, not production attack surface. May is when that lesson converts from incident tickets into operating discipline. The first discipline is discovery, not prohibition.
Start with a question executives can understand in one sentence: how many agent-shaped systems can read customer data, send mail, open tickets, or change infrastructure without a human in the loop—and who owns each one? If the answer is a shrug and a spreadsheet someone started in a panic, you are not ready for governance frameworks, no matter how polished the slide deck.
Cloud discovery means more than tagging an OpenAI line item in FinOps. It means inventorying Lambdas and Cloud Functions that call models, Step Functions and workflow products that branch on model output, service accounts with broad storage or database scopes, and “temporary” automations that became load-bearing in Q1 experiments. Match each item to an environment: production, staging, preview, and the shadow project finance does not know about.
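The cloud pass described above reduces to a join: function configuration, attached role policy, and tags. The script below is an added example (not Black Aether's tooling) that runs that join over constructed records shaped like an inventory export; the field names, the environment-variable hints, and the list of "broad" IAM actions are this example's assumptions, not any cloud provider's schema. It keeps only agent-shaped functions, attaches owner and environment from tags, and flags missing ownership and wildcard data-plane access so the output is the owners-first list the section asks for.

```python
"""Triage constructed cloud-function records into an agent-shaped inventory.

Added example, not Black Aether's tooling. Records, tags and policies are
constructed stand-ins for a cloud inventory export; field names are assumptions.
"""
import re
from dataclasses import dataclass, field

# Env-var names or values that suggest the function calls a model or agent
# gateway. Constructed heuristic list, tune it to your own stack.
MODEL_HINTS = re.compile(
    r"(OPENAI|ANTHROPIC|BEDROCK|VERTEX|LLM|MODEL_ENDPOINT|AGENT)", re.IGNORECASE
)
# IAM actions treated as broad data-plane access for blast-radius scoring.
BROAD_ACTIONS = {"s3:*", "dynamodb:*", "rds:*", "secretsmanager:*", "*"}
REQUIRED_TAGS = ("owner", "environment")


@dataclass
class Finding:
    name: str
    environment: str
    owner: str
    reasons: list = field(default_factory=list)
    broad: set = field(default_factory=set)


def is_agent_shaped(func):
    """True when env vars or layer names hint at a model call in the function."""
    env = func.get("environment", {})
    if any(MODEL_HINTS.search(k) or MODEL_HINTS.search(str(v)) for k, v in env.items()):
        return True
    return any(MODEL_HINTS.search(layer) for layer in func.get("layers", []))


def broad_actions(policy):
    """Collect wildcard Allow actions from a policy document's statements."""
    hits = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        hits.update(a for a in actions if a in BROAD_ACTIONS or a.endswith(":*"))
    return hits


def triage(functions, policies):
    """Return one Finding per agent-shaped function, most reasons first."""
    findings = []
    for f in functions:
        if not is_agent_shaped(f):
            continue
        tags = f.get("tags", {})
        fd = Finding(name=f["name"],
                     environment=tags.get("environment", "UNKNOWN"),
                     owner=tags.get("owner", "UNOWNED"))
        for t in REQUIRED_TAGS:
            if t not in tags:
                fd.reasons.append(f"missing tag: {t}")
        fd.broad = broad_actions(policies.get(f["role"], {}))
        if fd.broad:
            fd.reasons.append("broad actions: " + ", ".join(sorted(fd.broad)))
        findings.append(fd)
    findings.sort(key=lambda x: (-len(x.reasons), x.name))
    return findings


# Constructed sample records: one untagged Q1 experiment, one production agent
# with no owner, one clean preview job, and one non-agent report job.
FUNCTIONS = [
    {"name": "support-triage-agent", "role": "role-support",
     "environment": {"OPENAI_API_KEY": "***", "TICKET_DB": "prod"},
     "tags": {"environment": "production"}},
    {"name": "nightly-report", "role": "role-report",
     "environment": {"BUCKET": "reports"},
     "tags": {"owner": "finops", "environment": "production"}},
    {"name": "preview-summarizer", "role": "role-preview",
     "environment": {"MODEL_ENDPOINT": "https://gateway.example.internal"},
     "tags": {"owner": "growth", "environment": "preview"}},
    {"name": "q1-experiment", "role": "role-exp",
     "environment": {"AGENT_MODE": "autonomous"}, "tags": {}},
]
POLICIES = {
    "role-support": {"Statement": [{"Effect": "Allow", "Action": ["dynamodb:*", "ses:SendEmail"], "Resource": "*"}]},
    "role-report": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]},
    "role-preview": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}]},
    "role-exp": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
}

if __name__ == "__main__":
    for fd in triage(FUNCTIONS, POLICIES):
        print(f"{fd.name:24} env={fd.environment:11} owner={fd.owner:10} {'; '.join(fd.reasons) or 'ok'}")
```

The sort puts unowned, wildcard-scoped functions at the top, which is the order a two-week sprint should work them in; the non-agent report job never appears, so the list stays short enough for an executive summary.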
Code discovery is a repo and pipeline exercise, not a survey. Search for model client libraries, agent frameworks, tool-calling wrappers, and environment variables that imply autonomous behavior. Include internal admin panels that “just help support” but can refund, reset passwords, or reissue API keys. Pair engineering leads with security for a read-only pass—blameless, but documented.
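The repo and pipeline pass above is a pattern search, so here is one as an added example (not Black Aether's tooling): it walks a source tree for model client imports, agent frameworks, tool-calling wrappers, autonomy-flavoured environment variables, and calls to privileged actions such as refunds or password resets, then folds the hits into a per-file list that can be handed to an engineering lead for ownership. The patterns, the category names and the sample tree (written to a temporary directory so the script runs offline) are this example's constructed assumptions.

```python
"""Scan a source tree for agent-shaped code and summarise it per file.

Added example, not Black Aether's tooling. Patterns and the sample tree are
constructed; extend PATTERNS with the libraries your own services use.
"""
import os
import tempfile
from pathlib import Path
import re

# Category -> regex. Each line is checked against every category.
PATTERNS = {
    "model_client": re.compile(r"^\s*(from|import)\s+(openai|anthropic|google\.generativeai|cohere)\b"),
    "agent_framework": re.compile(r"^\s*(from|import)\s+(langchain|langgraph|crewai|autogen)\b"),
    "tool_calling": re.compile(r"(?:\btools?=|\bfunction_call\b|\btool_choice\b|@tool\b)"),
    "autonomy_env": re.compile(r"\b(AGENT_[A-Z_]+|AUTO_APPROVE|HUMAN_IN_LOOP|[A-Z_]*(?:OPENAI|ANTHROPIC|LLM)[A-Z_]*)\b"),
    "privileged_action": re.compile(r"\b(refund|reset_password|rotate_key|issue_api_key)\w*\s*\(", re.I),
}
SKIP_DIRS = {".git", "node_modules", "venv", ".venv", "__pycache__"}
SCAN_SUFFIXES = {".py", ".ts", ".js", ".yml", ".yaml"}


def scan_tree(root):
    """Return findings as (relative path, line number, category, snippet)."""
    findings = []
    root = Path(root)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            path = Path(dirpath) / fn
            # Path(".env").suffix is "", so dotenv files need an explicit check.
            if path.suffix not in SCAN_SUFFIXES and fn != ".env":
                continue
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            rel = path.relative_to(root).as_posix()
            for lineno, line in enumerate(text.splitlines(), 1):
                for cat, rx in PATTERNS.items():
                    if rx.search(line):
                        findings.append((rel, lineno, cat, line.strip()))
    return findings


def inventory(findings):
    """Fold findings into {file: sorted categories}; one row per file to own."""
    by_file = {}
    for rel, _, cat, _ in findings:
        by_file.setdefault(rel, set()).add(cat)
    return {rel: sorted(cats) for rel, cats in by_file.items()}


# Constructed sample tree: a support bot with a model client, an agent
# framework, tool calling and a refund call; a CI workflow that injects a
# model key; and a plain utility module that should produce no findings.
SAMPLE_TREE = {
    "services/support_bot.py": (
        "import openai\n"
        "from langchain.agents import initialize_agent\n"
        "\n"
        "def handle(ticket):\n"
        "    resp = client.chat.completions.create(model=MODEL, tools=TOOLS)\n"
        "    refund_order(ticket.id)\n"
    ),
    ".github/workflows/ci.yml": (
        "steps:\n"
        "  - run: python scripts/summarize.py\n"
        "    env:\n"
        "      OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}\n"
    ),
    "app/utils.py": "def slugify(s):\n    return s.lower()\n",
}


def build_sample_tree():
    """Write SAMPLE_TREE into a fresh temp directory and return its path."""
    tmp = tempfile.mkdtemp(prefix="agent-scan-")
    for rel, content in SAMPLE_TREE.items():
        p = Path(tmp) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return tmp


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, cats in sorted(inventory(scan_tree(root)).items()):
        print(f"{rel:32} {', '.join(cats)}")
```

Point it at a real checkout instead of the sample tree and the per-file summary becomes the "read-only pass" artifact: every file that appears needs a named owner, and a file that combines `model_client` or `agent_framework` with `privileged_action` is the internal tool that "just helps support".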
SaaS discovery is where April’s OAuth story lives on. Review third-party applications with mail, drive, directory, or broad API scopes. Distinguish sanctioned copilots from experiments attached to individual mailboxes. The goal is not zero tools—it is a list with owners, renewal dates, and data classes so revocation is a business decision, not a panic click.
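The SaaS review above comes down to a few questions per grant: which scope families it holds, whether the person who clicked Allow still works here, whether it is sanctioned with a team owner or attached to one mailbox, and whether it is still used. The script below is an added example (not Black Aether's tooling) that applies those questions to constructed grant records and ranks them so revocation is a decision with an owner attached. Scope names, user directory, the sanctioned-app list, the reference date and the field names are this example's constructed assumptions, not any vendor's export format.

```python
"""Triage constructed SaaS OAuth grants into a revocation-ready inventory.

Added example, not Black Aether's tooling. Grants, scope vocabulary, users and
dates are constructed; map your own provider's scopes onto the families below.
"""
from datetime import date

# Constructed scope families. The first segment of a scope ("mail.read" ->
# "mail") is treated as its data class; a trailing ".*" means a broad grant.
HIGH_RISK_FAMILIES = {"mail", "drive", "directory"}
STALE_DAYS = 30
ACTION_RANK = {"revoke": 0, "review": 1, "keep": 2}


def scope_families(scopes):
    """Data classes touched by a grant, derived from scope prefixes."""
    return sorted({s.split(".", 1)[0] for s in scopes})


def classify(grant, active_users, sanctioned, today):
    """Decide one grant's owner, risk flags and recommended action."""
    families = scope_families(grant["scopes"])
    high = bool(set(families) & HIGH_RISK_FAMILIES) or any(s.endswith(".*") for s in grant["scopes"])
    orphaned = grant["grantor"] not in active_users          # grantor has left
    stale = (today - date.fromisoformat(grant["last_used"])).days > STALE_DAYS
    is_sanctioned = grant["app"] in sanctioned
    owner = sanctioned.get(grant["app"], grant["grantor"])  # team, else the clicker
    if orphaned or (high and not is_sanctioned and stale):
        action = "revoke"
    elif high:
        action = "review"
    else:
        action = "keep"
    return {"app": grant["app"], "owner": owner, "sanctioned": is_sanctioned,
            "families": families, "high_risk": high, "orphaned": orphaned,
            "stale": stale, "persists": grant["refresh_token"], "action": action}


def triage(grants, active_users, sanctioned, today):
    """Classify every grant and order the list revoke -> review -> keep."""
    rows = [classify(g, active_users, sanctioned, today) for g in grants]
    rows.sort(key=lambda r: (ACTION_RANK[r["action"]], r["app"]))
    return rows


# Constructed inputs: two active users, one sanctioned copilot owned by a team,
# and four grants including one from an offboarded user and one stale experiment.
ACTIVE_USERS = {"ana@example.com", "bo@example.com"}
SANCTIONED = {"mail-copilot": "it-platform"}
GRANTS = [
    {"app": "mail-copilot", "grantor": "ana@example.com",
     "scopes": ["mail.read", "mail.send"], "last_used": "2026-05-01", "refresh_token": True},
    {"app": "notes-summarizer", "grantor": "carl@example.com",
     "scopes": ["mail.read", "drive.readwrite"], "last_used": "2026-03-02", "refresh_token": True},
    {"app": "calendar-sync", "grantor": "bo@example.com",
     "scopes": ["calendar.read"], "last_used": "2026-04-30", "refresh_token": True},
    {"app": "crm-enricher", "grantor": "bo@example.com",
     "scopes": ["directory.read", "crm.*"], "last_used": "2026-04-05", "refresh_token": False},
]
TODAY = date(2026, 5, 12)  # constructed reference date for the staleness check

if __name__ == "__main__":
    for r in triage(GRANTS, ACTIVE_USERS, SANCTIONED, TODAY):
        flags = [k for k in ("high_risk", "orphaned", "stale", "persists") if r[k]]
        print(f"{r['action']:7} {r['app']:18} owner={r['owner']:18} "
              f"classes={','.join(r['families']):16} {' '.join(flags)}")
```

The `persists` flag records whether a refresh token was issued, which is the property that lets a connector outlive a secret rotation; the sanctioned copilot lands in "review" rather than "revoke" because it has a team owner and recent use, which is exactly the distinction between a sanctioned tool and an experiment attached to one mailbox.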
Discovery buys you a May deliverable leadership can use: a single inventory with owners, not a hundred Jira epics. From there, policy means something—human checkpoints on high-risk tools, logging on agent runs, separation of preview and production credentials, and engineering partners who implement controls without freezing product. Black Aether runs this pass beside teams when speed, precision, and security cannot trade off against each other; the point of May is to make the map real before the next headline makes it urgent.
Frequently asked questions
- Why is May 2026 a common month for agent discovery programs?
- Teams finish April rotation and OAuth fire drills by early May, then have a window before summer release freezes and vacation coverage. Finance and security are still aligned from H1 reviews—use that attention for a two-week inventory sprint.
- What is the difference between agent discovery and agent governance?
- Discovery produces a catalog—what exists, where, and who owns it. Governance applies controls—allowlists, logging, approvals, revocation. Governance without discovery is policy attached to imaginary systems.
- Which surface is usually scanned last but matters most for OAuth risk?
- SaaS connectors with mail, drive, and directory scopes. They persist after hosting secrets rotate and are the class implicated in spring 2026 incident reporting on delegated trust paths.
When speed, precision, and security have to land together
Black Aether is the partner teams engage when those three cannot trade off against each other. If agent sprawl, brittle secrets, or a gap between how you ship and how you control OAuth and automation surfaced this spring, we bring product, engineering, and security as one practice—grounded in your telemetry and repositories, not a generic framework. Contact Black Aether when you want the work done beside your team.
© 2026 Black Aether LLC. All rights reserved.