Skip to content

Team & Collaboration

AI agent security is not a solo activity. The security lead identifies vulnerabilities. Developers fix them. Compliance officers verify the fixes. Humanbound provides the structure to coordinate this workflow โ€” from discovery through resolution.

Team Roles

Every organization member has a role that determines what they can see and do:

Role What they can do
Owner Full control โ€” projects, members, billing, all operations
Admin Manage projects, members, run tests, view results (no billing)
Developer Create projects, run tests, view results, manage providers
Expert View projects and results, annotate findings โ€” no write access to projects or tests

The Expert role is designed for external security consultants or auditors who need to review findings and provide feedback without the ability to modify projects or run tests.

Managing Members

# List members
hb members list

# Invite with role
hb members invite security@company.com --role admin
hb members invite dev@company.com --role developer
hb members invite auditor@external.com --role expert

# Remove
hb members remove <member-id>

Finding Delegation

When a security test identifies vulnerabilities, the findings need to be triaged, assigned, and resolved. Finding delegation tracks this workflow with clear ownership and status at every stage.

The Workflow

Test identifies vulnerability
        โ”‚
        โ–ผ
  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
  โ”‚ Unassigned   โ”‚  Finding exists, nobody owns it
  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”˜
         โ”‚  Security lead assigns to developer
         โ–ผ
  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
  โ”‚ Assigned     โ”‚  Developer is responsible, timestamp recorded
  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”˜
         โ”‚  Developer starts working on fix
         โ–ผ
  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
  โ”‚ In Progress  โ”‚  Fix is being implemented
  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”˜
         โ”‚  Next test cycle confirms fix works
         โ–ผ
  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
  โ”‚ Verified     โ”‚  Resolution confirmed
  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

Why It Matters

Without delegation: - Critical findings sit in a list with no owner - Multiple developers may work on the same issue unknowingly - There's no visibility into which vulnerabilities are being actively addressed - Fixed findings aren't verified โ€” they may reappear silently

With delegation: - Every critical finding has an owner and a deadline - The security lead sees at a glance: what's unassigned, what's in progress, what's verified - Webhook notifications keep the team informed without manual status meetings - The next test cycle automatically validates whether the fix worked โ€” if the finding reappears, it transitions to regressed

CLI Usage

# Assign a finding to a team member (delegation status auto-set to "assigned")
hb findings assign <finding-id> --assignee <member-id>

# Update delegation progress
hb findings assign <finding-id> --delegation-status in_progress    # developer is working on it
hb findings assign <finding-id> --delegation-status verified       # fix confirmed

# View findings with their assignment and delegation status
hb findings
hb findings --status open          # filter by finding status (open/fixed/stale/regressed)
hb findings --severity critical    # filter by severity

Webhook Notifications

Delegation events trigger webhooks โ€” route them to Slack, email, or your ticketing system:

Event When
finding.assigned Finding assigned to a team member
finding.acknowledged Assignee acknowledged the assignment
finding.resolution_verified Security lead verified the fix 
hb webhooks create --url https://slack.example.com/webhook \
  --events finding.assigned,finding.resolution_verified

Integration with Continuous Monitoring

Delegation connects to the monitoring lifecycle:

  1. ASCAM cycle runs โ†’ new findings detected or existing findings regressed
  2. Security lead reviews โ†’ assigns critical/high findings to developers
  3. Developer fixes โ†’ marks as in_progress
  4. Next ASCAM cycle โ†’ finding not reproduced โ†’ status transitions to fixed
  5. Security lead verifies โ†’ marks as verified

If a fixed finding reappears in a later cycle, it automatically transitions to regressed with elevated posture penalty (1.2x vs 1.0x for open) โ€” the team is immediately alerted that a previous fix was lost.

Organization Structure

Humanbound follows a simple hierarchy:

Organization
โ”œโ”€โ”€ Members (with roles)
โ”œโ”€โ”€ Projects (one per AI agent)
โ”‚   โ”œโ”€โ”€ Experiments (test runs)
โ”‚   โ”œโ”€โ”€ Findings (persistent, cross-experiment)
โ”‚   โ”œโ”€โ”€ Posture (score + history)
โ”‚   โ””โ”€โ”€ Monitoring (ASCAM campaigns)
โ”œโ”€โ”€ Providers (LLM configurations)
โ”œโ”€โ”€ API Keys
โ””โ”€โ”€ Webhooks
  • One organization per company or team
  • One project per AI agent
  • Members have org-wide roles but can access all projects in the org
  • Findings are scoped to a project but assigned to org members
# Organization management
hb orgs list
hb orgs current
hb switch <org-id>

Platform feature

Team management and finding delegation require a Humanbound account. Local testing is single-user โ€” no team features needed.