AS-301f · Module 2

Change Detection

The attack surface changes every time a model is updated, a new integration is added, a prompt is modified, or a new agent is deployed. Change detection is the practice of identifying surface changes as they happen — not days or weeks later during a scheduled review. Every undetected change is a period where the defense posture is misaligned with the actual surface.

  1. Deployment Pipeline Integration
     Every deployment that adds, modifies, or removes a component triggers a surface map update. The CI/CD pipeline notifies the surface management system of the change, and the map is updated before the deployment completes, so there is no window between deployment and map update.

  2. Configuration Drift Detection
     Continuously compare running configurations against the documented baseline. A prompt change that bypasses the deployment pipeline, a manual API key rotation, or an ad-hoc integration added by a developer all create drift between the map and reality. Drift detection catches the changes the pipeline never saw.

  3. Periodic Full Reconciliation
     Monthly, run a complete rediscovery of the environment and compare the results to the current map. Reconciliation catches everything continuous monitoring missed: services deployed through alternate channels, integrations created outside the standard process, and components that were supposed to be decommissioned but are still running.
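The three mechanisms above share one core operation: comparing a documented surface map against what is actually running and classifying every difference. The following Python is an added illustration written for this module, not code from the course or from any particular surface management product. It assumes a simple map format (component id mapped to a dictionary of attributes) and uses constructed sample data; the component names, prompt text and key labels are invented. Prompts and API keys are stored in the map only as SHA-256 fingerprints, so the comparison never handles the raw secret or the full prompt. The same diff function serves both continuous drift detection (step 2) and the monthly reconciliation (step 3), and `apply_deployment_event` shows how a pipeline notification (step 1) keeps the map current so that a sanctioned change does not register as drift.

```python
"""Change detection for an AI attack-surface map: pipeline updates, drift diff, reconciliation."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def fingerprint(secret_or_prompt: str) -> str:
    """Store prompts and keys as short SHA-256 fingerprints so the map can be diffed safely."""
    return hashlib.sha256(secret_or_prompt.encode("utf-8")).hexdigest()[:16]


@dataclass
class SurfaceDiff:
    added: List[str] = field(default_factory=list)      # running, but absent from the map
    removed: List[str] = field(default_factory=list)    # in the map, but no longer reachable
    modified: Dict[str, Dict[str, Tuple]] = field(default_factory=dict)  # id -> {attr: (documented, observed)}
    zombies: List[str] = field(default_factory=list)    # decommissioned on paper, still running

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified or self.zombies)


def diff_surface(documented: Dict[str, dict], observed: Dict[str, dict]) -> SurfaceDiff:
    """Compare the documented map with an observed (running / rediscovered) snapshot.

    Used unchanged for continuous drift detection and for the periodic full reconciliation;
    only the source of `observed` differs (live config reads vs. a complete rediscovery).
    """
    diff = SurfaceDiff()
    for cid in sorted(set(documented) | set(observed)):
        doc, obs = documented.get(cid), observed.get(cid)
        if doc is None:
            diff.added.append(cid)
        elif obs is None:
            if doc.get("status") != "decommissioned":
                diff.removed.append(cid)
        elif doc.get("status") == "decommissioned":
            diff.zombies.append(cid)
        else:
            # "status" is bookkeeping in the map; observed snapshots do not carry it.
            changes = {k: (doc.get(k), obs.get(k))
                       for k in sorted(set(doc) | set(obs))
                       if k != "status" and doc.get(k) != obs.get(k)}
            if changes:
                diff.modified[cid] = changes
    return diff


def apply_deployment_event(surface_map: Dict[str, dict], event: dict) -> Dict[str, dict]:
    """Step 1: a CI/CD event ("add", "modify" or "remove") updates the map before the deploy finishes."""
    updated = dict(surface_map)
    if event["action"] == "remove":
        updated[event["id"]] = {**updated[event["id"]], "status": "decommissioned"}
    else:
        updated[event["id"]] = {**event["component"], "status": "active"}
    return updated


def report(diff: SurfaceDiff) -> List[str]:
    """Render a diff as one finding per line, suitable for a ticket or an alert body."""
    lines = [f"ADDED (outside pipeline): {c}" for c in diff.added]
    lines += [f"REMOVED (unreachable, still mapped): {c}" for c in diff.removed]
    lines += [f"ZOMBIE (decommissioned but running): {c}" for c in diff.zombies]
    for cid, changes in diff.modified.items():
        for attr, (before, after) in changes.items():
            lines.append(f"MODIFIED {cid}.{attr}: {before!r} -> {after!r}")
    return lines


# Constructed sample data (not from any real environment).
BASELINE = {
    "svc-chat-api": {"type": "model_endpoint", "model": "model-v3", "status": "active"},
    "agent-triage": {"type": "agent", "tools": ["ticket.read"], "status": "active",
                     "prompt_fp": fingerprint("You are a triage assistant. Never call tools without approval.")},
    "int-crm": {"type": "integration", "key_fp": fingerprint("key-2024-01"), "status": "active"},
    "svc-legacy-summarizer": {"type": "model_endpoint", "model": "model-v1", "status": "decommissioned"},
}

# What a drift scan or rediscovery actually found running.
OBSERVED = {
    "svc-chat-api": {"type": "model_endpoint", "model": "model-v3"},
    "agent-triage": {"type": "agent", "tools": ["ticket.read", "ticket.write"],   # tool scope widened
                     "prompt_fp": fingerprint("You are a triage assistant.")},    # guardrail sentence dropped
    "int-crm": {"type": "integration", "key_fp": fingerprint("key-2024-07")},     # manual key rotation
    "svc-legacy-summarizer": {"type": "model_endpoint", "model": "model-v1"},     # never actually shut down
    "int-slack-adhoc": {"type": "integration", "key_fp": fingerprint("key-slack-dev")},  # ad-hoc integration
}

if __name__ == "__main__":
    for line in report(diff_surface(BASELINE, OBSERVED)):
        print(line)
```

Running the script lists one shadow integration, one zombie service and three modified attributes (the trimmed prompt, the widened tool list and the rotated key), which is exactly the class of change each of the three mechanisms is meant to surface. Feeding the ad-hoc integration through `apply_deployment_event` first makes it disappear from the `added` list, which is the point of pipeline integration: sanctioned changes reach the map before anyone has to discover them.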