AI AGENT TYPES
Every type of AI agent
operating in your organisation.
Eight categories. Five detection surfaces. One complete picture — what each agent is, what it can access, what the exposure is if nobody's managing it, and how Sunbeam finds and controls it.
01 — DETECT
Sunbeam finds every AI agent
across five surfaces simultaneously.
Network fingerprinting matches 154 known AI services against every device on your /24. Workstation scanning reads browser history, shell history, environment variables, VS Code extensions, and installed apps. Egress analysis catches agents calling home to AI APIs. Cloud scanners cover AWS, Azure, and GCP. SaaS authenticated scanning finds agents invisible to the network — Copilot licences, Agentforce, Now Assist, Slack AI.
155 fingerprints · 7 SaaS platforms · Under 10 minutes
02 — CATALOGUE
Every agent gets a workforce record.
Name. Owner. Risk. Surface.
Every finding is risk-scored HIGH / MEDIUM / LOW with blast radius — what data the agent can access if it acts outside its intended boundary. Every finding is mapped to GDPR, EU AI Act, DORA, ISO 27001, SOC 2, and PCI DSS. The PDF report is signed with Ed25519 — tamper-evident chain of custody ready for your auditor.
Agentic Risk Score 0–100 · 9 compliance frameworks · Ed25519 signed
03 — CONTROL
Three choices for every agent.
Remove it. Restrict it. Authorise it.
Removal findings include the OS user who installed the agent and exact removal commands. For agents you want to keep — the CIM Control Plane lets you define a delegation contract: exactly which domains it can reach, which tools it can invoke, what it can spend, and which actions require human approval. The gateway enforces those boundaries on every action in under 10ms. Fail-closed. Always.
Sub-10ms enforcement · Fail-closed gateway · Tamper-evident audit log
Eight Agent Types
What Sunbeam finds — and what each one can do.
Local Inference Servers
Ollama · LM Studio · LiteLLM · Jan
Self-hosted LLM runtimes running AI models directly on your hardware — no cloud API required.
Local filesystem, network interfaces, and any service reachable from the host machine.
An unmanaged local inference server can process sensitive documents, generate outputs, and serve responses to any client on the network — with no access log and no oversight.
Network fingerprint scanning on port 11434, 1234, 4000, and 8080. Process detection and application log analysis.
CIM delegation contract restricts which clients can reach the server and what prompts it can process.
Workflow Automation Agents
n8n · Flowise · Dify · Make · Zapier AI
Visual workflow engines that chain AI models, APIs, databases, and services into automated multi-step processes.
Any system connected via credential — email, Slack, databases, CRMs, cloud storage, third-party APIs.
A workflow agent with broad credentials can exfiltrate data, send communications, and trigger actions across multiple systems — all without a human in the loop.
Network fingerprint matching on known workflow engine ports. HTTP title and response body analysis.
CIM enforces per-action approval for high-risk steps — database writes, external sends, and new API connections.
IDE & Coding Assistants
GitHub Copilot · Claude Code · Cursor · Cline · Continue AI
AI agents embedded in development environments that read code, suggest completions, and execute terminal commands.
Full repository contents, shell access, environment variables, and any credentials stored in the development environment.
A coding assistant with shell access and repository access can read API keys, access databases, and execute arbitrary commands — often with the same permissions as the developer.
VS Code extension manifest scanning. Shell history pattern matching. Browser history analysis.
Owner identified per machine. CIM restricts shell execution scope and credential access.
SaaS AI Platforms
M365 Copilot · Salesforce Agentforce · ServiceNow Now Assist · Slack AI
AI capabilities embedded directly into enterprise SaaS platforms — operating under existing platform permissions.
All data the platform account can access — emails, documents, customer records, support tickets, channel history.
A SaaS AI agent operates with the permissions of the account that enabled it. 47 M365 Copilot licences means 47 agents with access to your entire SharePoint and Teams history.
Authenticated API scanning across 7 enterprise platforms — licence counts, enabled users, agent configurations.
Findings surface in CIM as pending review. Contract defines which data sources each agent can access.
Cloud AI Services
AWS Bedrock · Azure OpenAI · GCP Vertex AI · SageMaker
Managed AI services deployed in cloud accounts — model endpoints, inference APIs, and AI pipelines.
Any AWS / Azure / GCP resource reachable from the service — S3 buckets, databases, Lambda functions, VPCs.
A Bedrock agent connected to a customer PII database with no governance contract is a compliance gap that appears nowhere on your network.
32 cloud scanners across AWS, Azure, and GCP using account credentials. IAM role analysis and service enumeration.
CIM registers cloud AI endpoints as managed agents with spend caps, rate limits, and data access contracts.
API-Connected Scripts
Python scripts · Node.js apps · Any code calling OpenAI / Anthropic
Custom code that calls AI APIs directly — anything from a one-off script to a production service.
Whatever the script has access to — files, databases, APIs — plus the AI API itself.
A script that called an API once and never stopped. No owner. No cost visibility. No output monitoring. The most common finding on engineering team machines.
Egress analysis matches outbound connections against AI API CIDR ranges. Environment variable scanning finds API keys.
CIM SDK wraps API calls and enforces contracts — rate limits, spend caps, domain restrictions — per script.
Scheduled AI Jobs
Cron jobs · LaunchAgents · systemd · Windows Task Scheduler
AI workloads configured to run automatically on a schedule — without any human trigger.
Whatever the scheduled user account can access at runtime — often with elevated system permissions.
An AI job running every 6 hours with no owner, no output log, and system-level permissions is operating entirely outside any governance boundary.
Scheduler scanning reads crontab, LaunchAgent plists, systemd units, and Windows Task Scheduler entries for AI patterns.
CIM registers scheduled jobs as agents. Contracts define allowed execution windows and output destinations.
RAG & Data Retrieval Agents
LangChain · LlamaIndex · Chroma · Pinecone · Weaviate
Agents that maintain a persistent knowledge base — vectorising documents and retrieving context for AI responses.
Any document loaded into the vector database — often proprietary documents, customer data, or internal knowledge bases.
A 450MB Chroma database on a developer’s machine means someone has loaded proprietary documents into a knowledge base that any AI agent on that machine can query — with no access log.
Vector database path detection. Embedding model file scanning. RAG framework configuration detection.
CIM restricts which agents can query the knowledge base and logs every retrieval operation.
See which of these are running
in your environment right now.
Sunbeam finds all eight categories across five surfaces. Under 10 minutes. No deployment required.
macOS 12+. Signed and notarized. Windows coming soon.