System scope

Start with workflow surfaces. Scan AI providers inside them.

The buyer does not need a broad governance platform on day one. They need to know whether a specific automation can leak data, skip approvals, write to the wrong system, or leave no useful audit trail.

Primary surface

Zapier

Good for agencies, RevOps, and support ops teams with fast-moving automations. Native controls validate demand, but customers still need independent evidence and remediation.

  • Inputs: screenshots, step list, run history, owner map
  • Risks: weak approvals, external sends, broad app permissions, AI step data exposure

Primary surface

Make

Strong first surface because scenario blueprints and visual routing make manual-backed review practical before direct integration.

  • Inputs: blueprint, scenario screenshots, module list
  • Risks: branching drift, error route gaps, hidden high-impact modules

Primary surface

n8n

Useful for technical operators and small SaaS teams. Exports can be reviewed, but credentials and secret references need careful sanitization.

  • Inputs: sanitized workflow JSON, screenshots, test execution notes
  • Risks: self-hosting exposure, credential handling, custom code nodes, weak rollback
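
One way to sanitize an n8n workflow export before it is shared for review, as an added example (not the scan's own tooling). It assumes the export is a JSON object with a nodes list whose entries carry type, parameters, and credentials fields; the sample workflow and the secret-name pattern are constructed for illustration.

```python
import json
import re

SECRET_KEY = re.compile(r"api[-_]?key|token|secret|password|authorization", re.I)
# Node types that run operator-written code (type names as used by n8n).
CODE_NODE_TYPES = {"n8n-nodes-base.code", "n8n-nodes-base.function"}

def _scrub(value, key=""):
    """Redact values whose key, or sibling "name" field, looks like a secret."""
    if isinstance(value, dict):
        if "value" in value and SECRET_KEY.search(str(value.get("name", ""))):
            return {**value, "value": "<REDACTED>"}
        return {k: _scrub(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [_scrub(v, key) for v in value]
    if isinstance(value, str) and SECRET_KEY.search(key):
        return "<REDACTED>"
    return value

def sanitize_workflow(workflow):
    """Return (sanitized deep copy, findings) for an exported workflow dict."""
    clean = json.loads(json.dumps(workflow))
    findings = []
    for i, node in enumerate(clean.get("nodes", [])):
        label = node.get("name", f"node-{i}")
        # Assumed layout: credentials maps a credential type to {"id", "name"}.
        for cred_type in list(node.get("credentials", {})):
            node["credentials"][cred_type] = {"id": "<REDACTED>", "name": "<REDACTED>"}
            findings.append((label, "credential-reference", cred_type))
        before = node.get("parameters", {})
        node["parameters"] = _scrub(before)
        if node["parameters"] != before:
            findings.append((label, "inline-secret", "parameters"))
        # Code is kept for review, so it still needs a manual read for secrets.
        if node.get("type") in CODE_NODE_TYPES:
            findings.append((label, "custom-code", node["type"]))
    return clean, findings

SAMPLE = {  # constructed sample, not a real export
    "name": "Lead intake",
    "nodes": [
        {"name": "Post to CRM", "type": "n8n-nodes-base.httpRequest",
         "credentials": {"httpHeaderAuth": {"id": "17", "name": "Acme prod CRM"}},
         "parameters": {"url": "https://crm.example.com/leads", "headerParameters": {
             "parameters": [{"name": "X-Api-Key", "value": "sk-constructed-123"}]}}},
        {"name": "Score lead", "type": "n8n-nodes-base.code",
         "parameters": {"jsCode": "return items;"}},
    ],
}
```

The findings list doubles as a first pass over two of the risks above: credential handling and custom code nodes.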

Provider layers

OpenAI, Anthropic, and Microsoft belong in the scan, not as separate v1 products.

Provider-only audits become a higher-trust security review. The sharper wedge is to inspect provider settings when a workflow already depends on them.

Provider layer

OpenAI

  • Project and API key scoping
  • Prompt, output, and tool-call logging posture
  • Model selection, approval gates, and injection exposure

Provider layer

Anthropic

  • Workspace roles and API access
  • Retention and data-use posture
  • Tool-use boundaries and sensitive-context handling

Provider layer

Microsoft

  • Azure OpenAI and Power Platform controls when used
  • DLP policy, environment, and audit log posture
  • Copilot Studio or AI Builder exposure by request

Expansion rule

Power Automate is next when Microsoft-heavy buyers pay.

Power Automate has a real governance story, including DLP and audit surfaces. It should become a first-class workflow surface after paid scans show recurring demand from Microsoft 365 teams.

Why not broad Microsoft first?

It would pull the offer toward enterprise governance, licensing questions, and platform administration before the smaller workflow-risk buying motion is proven.

When to expand

Add first-class Power Automate scanning when at least three paid scans ask for Microsoft workflow review, repeat scanning, or change monitoring.