Workflow text becomes operational authority.

Runbooks, handoff notes, review sheets, and approval text can be adopted as active authority rather than treated as passive context.

Summarize, review, and handoff tasks can drift into action preparation.

The failure often appears before the final risky tool: the model asks for the exact command, recipient, destination, or missing approval detail needed to continue the malicious workflow.

Containment and compromise are different safety signals.

A runtime can successfully block dangerous execution after unsafe tool intent has already formed. Public reporting has to preserve both signals.

Cartograph organizes the agentic surface into nine threat channels and a public program scope of 246 attack cases across 20 datasets.

Attack generation combines iterative attacker loops, multi-turn escalation, and realistic workflow poisoning cases.

The execution shell separates model behavior from runtime permissioning through layered controls: tool allowlists, approval gates, egress controls, and path restrictions.

Cartograph scores unsafe intent formation separately from final execution and adds intermediate workflow compromise signals such as semantic capture.

Every public claim in this packet is meant to resolve to replay-backed evidence, a bounded transcript, or an explicitly downgraded aggregate result.