Agentless Discovery
Ascend's Agentless Discovery (F1) automatically scans your AWS environment to find AI agents and MCP servers that are operating outside the governance perimeter, without requiring any agent installation or code changes.
Overview
Many enterprises have AI agents deployed across Lambda functions, ECS containers, API Gateway endpoints, and CloudWatch log groups that were never registered with Ascend. Agentless Discovery finds them.
How It Works
- Configure Scan Source — Provide an IAM role ARN with read-only access to your AWS account
- Start Scan — Ascend assumes the role and scans CloudWatch logs, Lambda functions, ECS tasks, and API Gateway endpoints
- AI Classification — Each discovered service is analyzed for AI agent indicators (LLM API calls, framework imports, MCP protocol usage)
- Risk Assessment — Unregistered agents are classified by risk: low, medium, high, or critical
- Register or Dismiss — Promote discovered agents to the Agent Registry or dismiss them as reviewed
Scan Types
| Scan Type | What It Finds | Indicators |
|---|---|---|
| CloudWatch | Agents logging to CloudWatch | LLM API calls, framework log patterns |
| Lambda | Serverless AI functions | LangChain/LlamaIndex imports, OpenAI SDK usage |
| ECS | Containerized agents | Container image labels, environment variables |
| API Gateway | MCP server endpoints | MCP protocol headers, tool registration patterns |
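The table gives the indicator families per scan type but not the matching rules. The following is an added example, not Ascend's classifier: it shows how a rule-based classifier of this shape turns scan artifacts (Lambda source, CloudWatch log lines, API Gateway access-log text) into a framework label and a 0-100 confidence score. The regex patterns, weights, and sample inputs are all constructed assumptions; the risk level the page mentions is not derived here because the page does not state how it is computed.

```python
"""Indicator-based AI-agent classification over scan artifacts (added example)."""
import re
from dataclasses import dataclass, field

# Assumed indicator rules: (scan type, regex, framework label, weight).
# Weights are illustrative; a match on several rules accumulates, capped at 100.
RULES = [
    ("lambda",     r"^\s*(from|import)\s+langchain",        "LangChain",  40),
    ("lambda",     r"^\s*(from|import)\s+llama_index",      "LlamaIndex", 40),
    ("lambda",     r"^\s*(from|import)\s+openai\b",         "custom",     30),
    ("cloudwatch", r"api\.openai\.com|api\.anthropic\.com", "custom",     30),
    ("cloudwatch", r"\[chain/start\]|LangSmith",            "LangChain",  35),
    ("apigateway", r'"method"\s*:\s*"tools/(list|call)"',   "MCP server", 50),
    ("apigateway", r"Mcp-Session-Id",                       "MCP server", 20),
]


@dataclass
class Finding:
    resource: str
    source_type: str
    framework: str     # framework with the highest accumulated weight
    confidence: int    # 0-100, sum of matched rule weights
    matched: list = field(default_factory=list)


def classify(resource, source_type, text):
    """Return a Finding for an artifact that shows AI-agent indicators, else None."""
    score, per_framework, matched = 0, {}, []
    for rule_type, pattern, label, weight in RULES:
        if rule_type != source_type:
            continue
        if re.search(pattern, text, re.MULTILINE | re.IGNORECASE):
            score += weight
            per_framework[label] = per_framework.get(label, 0) + weight
            matched.append(pattern)
    if not matched:
        return None
    framework = max(per_framework, key=per_framework.get)
    return Finding(resource, source_type, framework, min(score, 100), matched)


# Constructed sample artifacts (not real scan output).
LAMBDA_SRC = (
    "import json\n"
    "from langchain.chains import LLMChain\n"
    "import openai\n"
    "def handler(event, context):\n"
    "    return LLMChain(...).run(event['q'])\n"
)
PLAIN_SRC = (
    "import boto3\n"
    "def handler(event, context):\n"
    "    return boto3.client('s3').list_buckets()\n"
)
CW_LOGS = "\n".join([
    "2024-05-01T10:00:00Z INFO POST https://api.openai.com/v1/chat/completions 200",
    "2024-05-01T10:00:01Z INFO [chain/start] [1:chain:LLMChain] Entering Chain run",
])
APIGW_LOG = '{"jsonrpc":"2.0","id":1,"method":"tools/list"} Mcp-Session-Id: sess-123'


def run_samples():
    """Classify the constructed inventory; unmatched resources are dropped."""
    inventory = [
        ("fn-support-bot", "lambda", LAMBDA_SRC),
        ("fn-s3-report", "lambda", PLAIN_SRC),
        ("/aws/lambda/chat", "cloudwatch", CW_LOGS),
        ("tools-api", "apigateway", APIGW_LOG),
    ]
    findings = [classify(*item) for item in inventory]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in run_samples():
        print(f"{f.resource:20} {f.source_type:11} {f.framework:11} {f.confidence:3}%")
```

The Lambda rules key on import statements, which is why a function that only calls `boto3` produces no finding; the API Gateway rules key on the JSON-RPC method names MCP uses for tool discovery and invocation, so an endpoint serving them is reported as an MCP server.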
Setup
1. Create IAM Role
Create a cross-account IAM role with the following trust policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::110948415588:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<provided-by-ascend>"
        }
      }
    }
  ]
}
```
Attach the ReadOnlyAccess managed policy or a custom policy scoped to the scan types you need.
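Two things a practitioner will want to check before handing over the role: that the trust policy really pins the principal and requires the external ID (the control that prevents another Ascend tenant, or any third party, from assuming the role), and that the permission policy is no wider than the enabled scan types. The following is an added example, not Ascend tooling: `trust_policy_problems` checks a trust-policy document against the template above, and `build_scan_policy` produces a custom read-only policy from a list of scan types. The page does not list which IAM actions each scan type needs, so the `SCAN_ACTIONS` mapping is an assumption built from the standard list/describe/get actions of each service; the external ID `abc-123` and both trust documents are constructed samples.

```python
"""Least-privilege helpers for the Ascend cross-account scan role (added example)."""
import json

ASCEND_PRINCIPAL = "arn:aws:iam::110948415588:root"  # principal from the page's trust policy

# Assumed read-only actions per scan type; adjust to what your scans actually need.
SCAN_ACTIONS = {
    "cloudwatch": ["logs:DescribeLogGroups", "logs:DescribeLogStreams",
                   "logs:FilterLogEvents"],
    "lambda":     ["lambda:ListFunctions", "lambda:GetFunction",
                   "lambda:GetFunctionConfiguration"],
    "ecs":        ["ecs:ListClusters", "ecs:ListServices", "ecs:DescribeServices",
                   "ecs:ListTasks", "ecs:DescribeTasks", "ecs:DescribeTaskDefinition"],
    "apigateway": ["apigateway:GET"],
}


def build_scan_policy(scan_types):
    """Return an IAM policy document allowing only the actions for the given scan types."""
    unknown = set(scan_types) - set(SCAN_ACTIONS)
    if unknown:
        raise ValueError(f"unknown scan types: {sorted(unknown)}")
    actions = sorted({a for t in scan_types for a in SCAN_ACTIONS[t]})
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_problems(policy, expected_external_id):
    """List deviations from the expected trust policy; an empty list means it is OK."""
    problems = []
    assume_stmts = [
        s for s in policy.get("Statement", [])
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))
    ]
    if not assume_stmts:
        return ["no Allow statement for sts:AssumeRole"]
    for stmt in assume_stmts:
        principal = stmt.get("Principal", {}).get("AWS")
        if principal != ASCEND_PRINCIPAL:
            problems.append(f"principal is {principal!r}, expected {ASCEND_PRINCIPAL!r}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != expected_external_id:
            problems.append("sts:ExternalId condition missing or wrong (confused-deputy risk)")
    return problems


# Constructed sample trust documents.
GOOD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ASCEND_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "abc-123"}},
    }],
}
BAD_TRUST = {  # wildcard principal and no external ID: anyone who knows the ARN can assume it
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    print(json.dumps(build_scan_policy(["lambda", "cloudwatch"]), indent=2))
    print("good:", trust_policy_problems(GOOD_TRUST, "abc-123"))
    print("bad: ", trust_policy_problems(BAD_TRUST, "abc-123"))
```

Run the trust check with the external ID shown in the Ascend UI after the source is created (step 2); the generated permission policy can replace the `ReadOnlyAccess` managed policy when you want the role limited to the scan types you enabled.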
2. Configure Scan Source
Navigate to Agentless Discovery in the sidebar and click Add Source.
Provide:
- Display Name — friendly name for the AWS account
- Role ARN — the IAM role ARN created in step 1
- Regions — AWS regions to scan
- Scan Scope — which scan types to enable
The External ID is generated automatically and displayed after creation.
3. Run Scans
Click Start Scan to begin. Scans typically complete in 1-3 minutes depending on the size of your environment.
4. Review Results
Discovered agents appear in the Discovered Agents tab with:
- Agent name and framework (LangChain, LlamaIndex, custom)
- Risk indicator (low/medium/high/critical)
- Confidence score (0-100%)
- Source type (Lambda, ECS, CloudWatch, API Gateway)
5. Register or Dismiss
- Register — promotes the agent to the Agent Registry with full governance controls
- Dismiss — marks the agent as reviewed (hidden from future scans)
Security
- All AWS API calls use STS AssumeRole with external ID verification
- No credentials are stored — temporary session tokens only
- Scan results are tenant-isolated by organization_id
- IAM role requires minimum read-only permissions
Quick API Access
All endpoints verified live. Authentication: API key or JWT session token.
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/v1/discovery/agents | API key | List all discovered agents |
| GET | /api/v1/discovery/sources | API key | List discovery sources |
| GET | /api/v1/discovery/mcp/results | API key | MCP discovery scan results |
| POST | /api/v1/discovery/scan/start | Admin | Trigger a discovery scan |
Example:
```bash
curl -H "X-API-Key: your_api_key" \
  https://pilot.owkai.app/api/v1/discovery/agents
```
For the complete endpoint reference see the Discovery API page.
API Reference
See Discovery API for the full endpoint reference.
Compliance
| Standard | Control | Implementation |
|---|---|---|
| SOC 2 CC6.1 | Logical Access | Role-based scan source management |
| NIST AC-2 | Account Management | Discovery of unmanaged AI accounts |
| NIST SI-4 | System Monitoring | Continuous scanning for shadow agents |
| NIST AI RMF MAP-1 | Context Mapping | Enumerate all AI systems in scope |