Invoked: For CISOs
Chief Information Security Officer · Information Security · Risk & Compliance

You govern every attack surface your engineers touch. Except the one writing the code.

Agent skills are the new attack surface. Unreviewed, unaudited, unrevocable. Every skill running in your engineering org is infrastructure code with production-level reach — and most of it has never seen a security review.

Get my free exposure report
Read-only. No source code access. No commitment.

The exposure

The exposure that's already there

Your CISO office spent five years hardening the software delivery pipeline. Code review gates. Static analysis. Dependency scanning. Secrets detection. You built the controls. Then engineering adopted AI agents with production-level permissions — shell access, GitHub write, cloud credentials — and none of those controls extended to the skills the agents run.

A skill is a file. An engineer drops it in a local folder. The AI loads it on the next run. The skill can contain instructions to call APIs, write files, run shell commands, access databases, or interact with production systems. It can embed prompt injection. It can have hardcoded credentials. It can declare capabilities it doesn't actually need. None of it goes through your pipeline.

The difference between unreviewed code running in production and an unreviewed skill running in an agent is narrowing. Both execute against production systems. Both have an attack surface. Only one of them gets reviewed.

The incident this creates isn't hypothetical. A shared skill with a prompt injection flaw. Adopted by 40 engineers. 500 invocations a day. Running for six months before anyone in security finds it. That's not a future scenario. That's the steady-state risk profile of an engineering org with AI agents and no governance layer.


The blind spot

The inventory you don't have

Ask your security team how many agent skills are running across your engineering org right now. They can't answer. Ask which ones have been reviewed. They can't answer. Ask which engineers are using which skills and what those skills instruct the AI to do. They can't answer.

Skills are proliferating faster than any SaaS adoption your team has managed. Engineers build them, share them over Slack, copy them from GitHub, adapt them from public registries. The result is a skill estate that grows every day, is invisible to security, and has no off switch.

You can't audit what you can't inventory. You can't revoke what you can't find. The current approach to agent skills is to not have one — and that's the risk you're inheriting.


Requirements

Three properties. In order.

Not all at once. In order.

Inventory

Know what skills exist, what they declare, who wrote them, where they're running. Without inventory, there's no posture. This is the starting point. Most security teams don't have it.

Approval

Skills that touch sensitive systems — auth, billing, PII, production infrastructure — enter an approval queue. Security signs off before any agent can invoke them. Skills that touch lower-risk surfaces move faster, but every one has a known owner and a review state.

Revocation

When a flawed skill is identified, it's removed across every machine in the fleet immediately. Not “send an email asking engineers to delete it.” Removed. This is the property your security team can't get any other way.


How it works

What Invoked does for your security posture

Invoked operates as the governance layer between your engineers and their agents. Three enforcement layers.

Authoring

Skills enter through an authoring path your team controls. Every skill has an owner, a scope, and a declared capability surface before it can reach approval. Prompt injection patterns are flagged at authorship.

Governance

Three enforcement layers before any skill reaches your engineers' machines: structural (well-formed, parseable, metadata complete), evaluative (security checks pass, capabilities match declarations), organizational (security sign-off for skills touching auth, billing, or PII — not optional).

Audit trail

Every skill invocation logs the full thinking trajectory: which skill, which version, which agent, which user, which approver chain, what tool calls were produced, what they touched. When the question comes from an auditor or an incident review, the chain of custody is already there.

An owner who can be paged.
A version that can be rolled back.
A security review that’s on record.
A declared scope that limits what it can touch.
An audit trail that names every invocation.

Revocation at fleet speed

When a flawed skill is identified, Invoked revokes it across every agent in the fleet in one action. The skill stops loading on the next run — immediately, everywhere. You don't send a Slack message and wait for engineers to manually delete it. You don't wait for endpoint scan cycles. This is the difference between discovering a problem and containing one.


Start here

Start with a free exposure scan

Before you can govern it, you need to see it. Invoked reads the skill paths your agents discover from — read-only, no source code access, no repo permissions, no installation. You get a map of every skill running across your engineering org: what it declares, who built it, whether it's been reviewed, what privileged capabilities it exposes.

Most security teams are surprised by what they find. Skills with credentials in plain text. Skills copied from public registries with no review. Skills that haven't been updated in twelve months but still load into every engineer's agent on every run. The scan is your starting inventory.


What comes after the scan

The scan is the first step of the design partner path. If what we find together is material, we run a 90-day paid pilot with one team — typically the one carrying the most agent risk. Approval workflow. Full invocation audit trail. Continuous monitoring. The pilot output is a defensible governance posture for agent skills in your organization — the kind that satisfies an auditor.
