Discovery Questions
The Ownership Gap

Every question in this issue is a variation of the same one: who owns the agent?
You'll ask it differently depending on the room. A CISO hears it as a risk question. An IT director hears it as an operational one. A program officer hears it as "who authorized that chatbot to touch our data?" But the underlying problem is identical. A Cloud Security Alliance survey of 285 IT and security professionals found that only 28% of organizations can trace AI agent actions back to a human sponsor across all environments. Three out of four agencies deploying autonomous AI have no reliable chain from what the agent did to who approved it. That is the gap your conversations are designed to find.
Discovery Questions — CISO / Deputy CISO

Your CISO approved the AI roadmap. The identity infrastructure underneath it was built for a world where every credential had a human behind it. That's an audit exposure most CISOs haven't been asked about directly — and your first question tells you whether they know it, own it, or have pushed it somewhere else in the org. Three questions calibrated for the CISO's desk, with specific response patterns that tell apart a live opportunity, a polite deflection, and a wrong-door conversation you should exit early.

They Just Mentioned Bots — Discovery Questions for the IT Director Conversation

Halfway through a routine check-in, the IT Director mentions a couple of bots running in procurement. The comment is offhand. They're already on the next slide. That throwaway line is the most valuable thing they've said in the meeting. Survey data consistently shows the majority of enterprises have AI agents running that nobody formally inventoried — and the IT Director who just mentioned bots is telling you they feel the edge of that problem. This piece gives you the questions to ask next, organized across four discovery domains, and how to read what you hear back. The questions are straightforward. Reading the answers, and knowing when to press, is where the call gets made.

Objection and Outsider

Two Conversations You're Avoiding, and What to Ask When You Stop
Your buyer says agent governance is handled. They're probably right about the agents they built inside their primary platform. The problem is the agent environment almost certainly extends beyond what any single platform governs automatically. Microsoft's own docs confirm Entra Agent ID doesn't cover legacy agents or those built outside Copilot Studio. CyberArk covers the privileged-access layer; the identity layer underneath sits outside its scope. Three questions surface the gap without arguing about vendors.

The Mission Owner Who Doesn't Buy Identity
The Program Officer deploying AI against a federal mission buys mission outcomes. Identity infrastructure is someone else's line item. But OMB's M-25-21 compliance deadline passed six weeks ago, and the AI tool they own creates governance obligations whether they budgeted for them or not. Open with access management vocabulary and this conversation dies. Three questions connect agent access to mission risk in language this stakeholder already uses.
Product Availability Reference

GA date was April 30, 2026. The platform organizes around three questions buyers already care about: Where are my agents? What can they connect to? What can they do?
What shipped: discovery of AI tools connecting to your buyer's environment without approval, audit trails logging every agent action to existing security tooling, and agent registration that ties each non-human identity back to a named human owner. These are real, generally available capabilities you can reference with confidence.
Cross App Access remains Early Access. Do not promise it to buyers, period.
