MYTHOS · Objections & Reframes

arxsec-site / MYTHOS_OBJECTIONS.md

A copy-paste-ready response doc for the founder, AE, or anyone fielding the two objections that come up most often when Arx is pitched as "agent governance."

> Frame, every time. Stop selling governance. Sell a number per call, automated containment when it crosses the line, and a tamper-evident trail. Compliance is the byproduct.

---

Objection #1 — "Governance is overhead. The board doesn't buy overhead."

One-sentence reframe

> *"Agreed — that's why we don't sell governance. We sell measurable risk reduction: a 0–100 score per agent action, automated containment when it crosses your threshold, and bounded permission for your remediation agents to actually fix the underlying issue."*

Three concrete proof points

  1. The risk formula is open and auditable. From governance/risk-scoring.html:

     risk_score = operation_risk + connector_sensitivity + session_frequency + target_sensitivity

     Every input is in the audit row. Anyone — including your auditor or a regulator — can recompute the score and reach the same verdict.

  2. Drift suspension is automatic and deterministic. governance/drift-detection.html:676 — high or critical drift on an agent flips its status to suspended. Subsequent connector calls are denied at the intercept layer with score 100, before policy evaluation runs. Manual reactivation is required, by an admin, after investigation.
  3. Scoped, time-bound write grants are a primitive. Arx Approvals.html:113 — a remediation agent (e.g. Cloud Posture Remediation) can request temporary S3 write to fix a misconfigured bucket, with a 15-minute TTL. Arx grants the permission. The agent does the fix. The grant auto-reverts. The audit row proves both the grant and the fix.
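The loop those three proof points describe, as an added example that is not Arx's code: a toy intercept layer that scores a call from the four formula inputs, denies a suspended agent with score 100 before policy runs, grants a scoped write with a TTL that auto-reverts, writes every event as a hash-chained audit row, and an auditor-side verify_audit that recomputes each score and verdict from the row itself, which is the "recompute and reach the same verdict" claim in point 1. The threshold of 70, the 0-100 clamp, the event and field names, the SHA-256-over-canonical-JSON chain and the constructed inputs are this example's assumptions, not values from the Arx docs.

```python
import hashlib
import json

# Assumptions for this example, not Arx's documented values: the page gives
# only "your threshold" and a 0-100 range. Event and field names are illustrative.
DENY_THRESHOLD = 70
SUSPENDING_DRIFT = {"high", "critical"}   # page: high or critical drift suspends the agent
GENESIS = "0" * 64


def risk_score(operation_risk, connector_sensitivity, session_frequency, target_sensitivity):
    """Additive formula from governance/risk-scoring.html; the 0-100 clamp is an assumption."""
    total = operation_risk + connector_sensitivity + session_frequency + target_sensitivity
    return max(0, min(100, total))


def row_hash(prev_hash, payload):
    """Each row commits to its predecessor's hash; canonical JSON is this example's choice."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode()).hexdigest()


class Intercept:
    """Toy intercept layer: score, deny, suspend, grant, auto-revert, and write the chain."""

    def __init__(self):
        self.suspended = set()
        self.grants = {}   # (agent, scope) -> expiry timestamp (seconds)
        self.audit = []    # hash-chained rows: {prev_hash, payload, hash}

    def _append(self, payload):
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        self.audit.append({"prev_hash": prev, "payload": payload, "hash": row_hash(prev, payload)})

    def record_drift(self, agent, level, ts):
        if level in SUSPENDING_DRIFT:
            self.suspended.add(agent)
        self._append({"event": "drift", "agent": agent, "level": level, "ts": ts,
                      "status": "suspended" if agent in self.suspended else "active"})

    def evaluate(self, agent, operation, inputs, ts):
        """A suspended agent is denied with score 100 before any policy evaluation runs."""
        self.sweep(ts)
        if agent in self.suspended:
            score, verdict = 100, "deny"
        else:
            score = risk_score(**inputs)
            verdict = "deny" if score >= DENY_THRESHOLD else "allow"
        self._append({"event": "call", "agent": agent, "operation": operation,
                      "inputs": inputs, "score": score, "verdict": verdict, "ts": ts})
        return verdict, score

    def grant(self, agent, scope, ttl_seconds, ts, approver):
        expiry = ts + ttl_seconds
        self.grants[(agent, scope)] = expiry
        self._append({"event": "grant", "agent": agent, "scope": scope,
                      "expiry": expiry, "approver": approver, "ts": ts})

    def has_grant(self, agent, scope, ts):
        self.sweep(ts)
        return (agent, scope) in self.grants

    def sweep(self, ts):
        """Auto-revert: drop expired grants and record the revert on the same chain."""
        for (agent, scope), expiry in list(self.grants.items()):
            if ts >= expiry:
                del self.grants[(agent, scope)]
                self._append({"event": "revert", "agent": agent, "scope": scope, "ts": ts})


def verify_audit(rows):
    """Auditor side: re-link the chain and recompute every score and verdict from the row itself."""
    problems, prev, suspended = [], GENESIS, set()
    for i, row in enumerate(rows):
        p = row["payload"]
        if row["prev_hash"] != prev or row_hash(prev, p) != row["hash"]:
            problems.append(f"row {i}: hash chain broken")
        prev = row["hash"]
        if p["event"] == "drift" and p["level"] in SUSPENDING_DRIFT:
            suspended.add(p["agent"])
        if p["event"] == "call":
            if p["agent"] in suspended:
                want = (100, "deny")
            else:
                s = risk_score(**p["inputs"])
                want = (s, "deny" if s >= DENY_THRESHOLD else "allow")
            if (p["score"], p["verdict"]) != want:
                problems.append(f"row {i}: recomputed {want}, row says {(p['score'], p['verdict'])}")
    return problems


def demo():
    """Constructed scenario: benign call, 15-minute S3 write grant that reverts, then a critical drift."""
    ix = Intercept()
    agent = "cloud-posture-remediation"
    low = {"operation_risk": 10, "connector_sensitivity": 20,
           "session_frequency": 5, "target_sensitivity": 15}
    ix.evaluate(agent, "s3:GetBucketPolicy", low, ts=0)                  # allowed, score 50
    ix.grant(agent, "s3:write", ttl_seconds=15 * 60, ts=0, approver="admin")
    in_window = ix.has_grant(agent, "s3:write", ts=600)                   # still valid
    after_ttl = ix.has_grant(agent, "s3:write", ts=900)                   # expired: revert row written
    ix.record_drift(agent, "critical", ts=1000)
    verdict, score = ix.evaluate(agent, "s3:GetBucketPolicy", low, ts=1001)  # deny, 100
    tampered = json.loads(json.dumps(ix.audit))
    tampered[0]["payload"]["score"] = 5                                    # someone edits the stored score
    return in_window, after_ttl, verdict, score, verify_audit(ix.audit), verify_audit(tampered)
```

The tampered copy at the end is the point of the chain: editing one stored score breaks the hash link for that row and also fails the recomputation, so the auditor sees both problems on row 0 and nothing else. The witness signature the compare table mentions is not modelled here; in a real deployment the chain head would also be checked against the witness-signed value before trusting any of the rows.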

Follow-up question (use this to redirect)

> *"What is the dollar exposure of the agents you've already deployed without runtime visibility? If you can't put a number on it today, that is the gap we close."*

---

Objection #2 — "A list of issues is not actionable. We don't need another findings dashboard."

One-sentence reframe

> *"Right — and we don't ship a list. We ship a ranked queue with a quantified score, automated containment for the obvious cases, a scoped permission primitive that lets your remediation agents fix the rest inside a bounded window, and an audit trail that proves the loop closed."*

Live walk-through

  1. Open Arx Approvals.html. The CRITICAL queue is sorted by TTL ascending. Each row carries the risk score, the requesting agent, the operation, and the time-to-decision.
  2. Click into the Cloud Posture Remediation row. Show the scoped grant: S3 write, 15-minute TTL, auto-revert on expiry. Be explicit: *Arx grants the permission; the customer's remediation agent does the fix.*
  3. Switch to Arx Audit.html. Pull the audit hash for the remediation request. Show that the score, the verdict, the approver, the grant scope, and the eventual revert are all on the same hash-chained row.

Compare table — "List of findings" vs. "Arx context graph"

| Dimension | List of findings | Arx context graph |
|---|---|---|
| Quantified | A severity label | A 0–100 score per call, with the formula inputs in the audit row |
| Ranked | By severity, often by alert age | By score, with TTL countdowns on the gray-zone queue |
| Automatically contained | No — every finding is a human task | Yes — deny on threshold, suspend on drift, decline on TTL elapsed |
| Bounded remediation | Out of scope — list it and forget it | Scoped, time-bound write grants to your remediation agents (Arx grants; your agent fixes; the audit row proves both) |
| Traceable | Often, but the list and the trail live in different systems | One hash-chained, witness-signed trail covering score → verdict → grant → revert → drift |

The line that closes it

> *"A list of findings is what you have today. The agents are running anyway. We turn that list into a per-call number, and the number into an automatic decision."*

---

Bonus — Wiz analogy (use if the buyer is familiar with Wiz)

> *"Wiz built the cloud security graph by connecting CSPM, vulnerabilities, identities, and runtime into a single context layer. That graph is what lets a SecOps team prioritize the 0.1% of findings that matter. Arx is the agent security graph: intent → runtime → outcome. The graph is what lets you score every connector call, contain it automatically when the score is high, grant your remediation agents bounded write permission to fix the underlying issue, and verify the whole chain from a witness bucket you control. AI alone doesn't make security faster — context does."*

---

Accuracy guardrail (do not violate in any pitch, page, or doc)

Allowed verbs for what Arx does automatically: *score, deny, suspend, throttle, alert, decline, revert (permission), block, audit.*

For remediation, the precise framing is: *"Arx grants scoped, time-bound write permission to your remediation agents."*

Never claim Arx itself "fixes," "remediates," or "auto-remediates" issues. The remediation agent does the fix; Arx's role is to bound the permission and record what happened.