⚠️ Demo dossier — synthetic runtime data. These audits are published for demonstration purposes. Runtime traces were synthetically generated to illustrate the behavioral audit methodology. Systems are anonymised. Full production dossiers with live execution evidence are available under NDA — contact@factnotebook.com

⚠️ Risk Control Matrix — Control Gap Analysis

agents-for-openbb · 50 sessions analysed · 7 risks from register

⚠️ Reading note — Control Gap Rate ≠ Risk Realization
This report measures the inability to verify expected mitigation controls within the observed sessions. A Control Gap Rate of 100% means the expected controls could not be verified in 100% of observed sessions — it does not mean the risk materialized, nor that the control is necessarily absent (it may be out of scope, not instrumented, or not observable in the traces).
Three distinct states: VERIFIED (control observed operating) · NOT VERIFIED (no usable evidence) · FAILED (control evaluated and requirement not met). The Exposure Drivers below show which specific control creates the gap.
Control Gap CRITICAL: 6
Control Gap ELEVATED: 0
Unverifiable: 0
Runtime sessions: 50
Legend:
✗ VIOLATED: FAILED — control evaluated, requirement not met (negative evidence)
N/O: NOT VERIFIED — no usable evidence (absence of evidence ≠ evidence of absence)
✓ VERIFIED — control observed operating in this session
| Control Gap Severity | Risk ID | Risk description | Declared severity | Expected controls | Control Gap Rate | Failed | N/O | Verified |
|---|---|---|---|---|---|---|---|---|
| CRITICAL | RISK-FIN-001 | The LLM agent may produce factually incorrect financial data… | CRITICAL | Audit Trail, Confidence-Based Human Routing, Decision Record Structure, Human-in-the-Loop Mechanism, Escalation to Human, Human Validation (mapped) | 100.0% | 50 | 0 | 0 |
| CRITICAL | RISK-FIN-002 | Agent responses are streamed directly to users without any h… | HIGH | Audit Trail, Decision Record Structure, Human-in-the-Loop Mechanism, Escalation to Human, Human Validation (mapped) | 100.0% | 50 | 0 | 0 |
| CRITICAL | RISK-FIN-003 | The agent uses widget data to answer questions but does not … | HIGH | Audit Trail, Decision Record Structure, Human Validation (mapped) | 100.0% | 50 | 0 | 0 |
| CRITICAL | RISK-FIN-005 | Training data bias may cause systematic over-bullishness on … | MEDIUM | Audit Trail, Decision Record Structure, Human Validation (mapped) | 100.0% | 50 | 0 | 0 |
| CRITICAL | RISK-FIN-006 | When no widget data is provided, the agent answers from LLM … | HIGH | Audit Trail (mapped) | 100.0% | 50 | 0 | 0 |
| CRITICAL | RISK-FIN-007 | Widget data retrieved from OpenBB Terminal Pro could contain… | HIGH | Audit Trail, Data Cleansing & Anonymisation (mapped) | 100.0% | 50 | 0 | 0 |
| MODERATE | RISK-FIN-004 | Advanced agents can make unlimited tool calls in a single se… | MEDIUM | Execution Limits (Guardrails) (mapped) | 2.0% | 1 | 0 | 49 |

RISK-FIN-001
- Audit Trail ✗ 50/50 sessions where the expected control could not be verified (100%) — control not verified within observed evidence; does not imply the risk materialized
- Human Validation ✗ 50/50 sessions where the expected control could not be verified (100%) — control not verified within observed evidence; does not imply the risk materialized
- Confidence-Based Human Routing ✗ 10/50 sessions where the expected control could not be verified (20%) — control not verified within observed evidence; does not imply the risk materialized
- Decision Record Structure ✓ 0/50 sessions where the expected control could not be verified — control not verified within observed evidence; does not imply the risk materialized
- Human-in-the-Loop Mechanism ✓ 0/50 sessions where the expected control could not be verified — control not verified within observed evidence; does not imply the risk materialized
- Escalation to Human ✓ 0/50 sessions where the expected control could not be verified — control not verified within observed evidence; does not imply the risk materialized

RISK-FIN-002
- Audit Trail ✗ 50/50 sessions where the expected control could not be verified (100%) — control not verified within observed evidence; does not imply the risk materialized
- Human Validation ✗ 50/50 sessions where the expected control could not be verified (100%) — control not verified within observed evidence; does not imply the risk materialized
- Decision Record Structure ✓ 0/50 sessions where the expected control could not be verified — control not verified within observed evidence; does not imply the risk materialized
- Human-in-the-Loop Mechanism ✓ 0/50 sessions where the expected control could not be verified — control not verified within observed evidence; does not imply the risk materialized
- Escalation to Human ✓ 0/50 sessions where the expected control could not be verified — control not verified within observed evidence; does not imply the risk materialized

RISK-FIN-003
- Audit Trail ✗ 50/50 sessions where the expected control could not be verified (100%) — control not verified within observed evidence; does not imply the risk materialized
- Human Validation ✗ 50/50 sessions where the expected control could not be verified (100%) — control not verified within observed evidence; does not imply the risk materialized
- Decision Record Structure ✓ 0/50 sessions where the expected control could not be verified — control not verified within observed evidence; does not imply the risk materialized

RISK-FIN-005
- Audit Trail ✗ 50/50 sessions where the expected control could not be verified (100%) — control not verified within observed evidence; does not imply the risk materialized
- Human Validation ✗ 50/50 sessions where the expected control could not be verified (100%) — control not verified within observed evidence; does not imply the risk materialized
- Decision Record Structure ✓ 0/50 sessions where the expected control could not be verified — control not verified within observed evidence; does not imply the risk materialized

RISK-FIN-006
- Audit Trail ✗ 50/50 sessions where the expected control could not be verified (100%) — control not verified within observed evidence; does not imply the risk materialized

RISK-FIN-007
- Audit Trail ✗ 50/50 sessions where the expected control could not be verified (100%) — control not verified within observed evidence; does not imply the risk materialized
- Data Cleansing & Anonymisation ✓ 0/50 sessions where the expected control could not be verified — control not verified within observed evidence; does not imply the risk materialized

RISK-FIN-004
- Execution Limits (Guardrails) ✗ 1/50 sessions where the expected control could not be verified (2%) — control not verified within observed evidence; does not imply the risk materialized

Control Gap Rate = percentage of observed sessions where the expected mitigation control was evaluated and the requirement was not met (FAILED). This metric measures the inability to positively verify expected controls within the observed evidence set. It does not indicate that the risk materialized.
Control mapping: field_map["risk_checkpoint_mapping"] > built-in > LLM fallback. UNVERIFIABLE = no matching control found for this risk.
Generated by CAMSVA WorkflowMiner — FACTNOTEBOOK_RISK_CONTROL_MATRIX
