Notifications
Clear all
Topic starter
06/06/2026 11:30 am
TL;DR: Excalidraw skills let Claude Code and similar agents generate structured diagrams of their own skills, connectors, and routing, turning agent configuration into a visual system map instead of stale documentation, according to WorkOS. The governance gap is not visibility alone but whether teams can still verify access, dependencies, and change impact as agentic systems grow more complex.
NHIMG editorial — based on content published by WorkOS: Use Excalidraw Skills so your agents can describe themselves
Questions worth separating out
Q: How should security teams govern agents that can describe their own architecture?
A: Security teams should treat self-generated architecture diagrams as review evidence, not as proof of safety.
Q: What breaks when agentic systems outgrow manual documentation?
A: Manual documentation breaks because it cannot keep pace with connector changes, tool additions, and routing updates.
Q: How do you know whether an agent’s self-map is actually useful?
A: A self-map is useful only if it is regenerated after meaningful changes and can be reconciled with the source configuration.
Practitioner guidance
- Use generated diagrams as change evidence Require a fresh Excalidraw snapshot after any connector, skill, or permission change, then compare it to the approved architecture before release.
- Review transitive access in every agent map Look beyond the obvious tools and trace every arrow, cluster, and dependency line to identify hidden reach created by chained skills or connectors.
- Tie self-documentation to authoritative config Store the diagram output alongside the source configuration and treat mismatches as a control failure rather than a documentation issue.
What's in the full article
WorkOS's full article covers the implementation detail this post intentionally leaves for the source:
- Step-by-step guidance for installing an Excalidraw skill in a Claude Code environment
- Examples of agent self-diagrams for skills, connectors, and routing paths
- Practical prompts used to generate a current system map from the agent itself
- Browser-based rendering and export options for sharing the resulting .excalidraw file
👉 Read WorkOS's article on Excalidraw skills for agent self-diagrams →
Agent self-diagrams with Excalidraw skills: are controls keeping up?
Explore further
06/06/2026 12:20 pm
Self-documenting agents create a new governance object, not just a better diagram. When an agent can generate its own architecture map, teams gain a runtime artefact that can support review, onboarding, and change validation. The value is real, but it also changes the governance surface because the map becomes part of how access is understood and challenged. For identity teams, the question is whether this artefact is tied to authoritative configuration or merely reflects what the agent says about itself. Practitioner conclusion: self-description is useful only when it is anchored to the controls that actually govern the agent.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: When should organisations review an agent’s blast radius?
A: Organisations should review blast radius whenever an agent gains a new tool, crosses a new trust boundary, or begins chaining skills across systems. The key question is not whether each permission looks reasonable in isolation, but whether the combined reach is still defensible for the task. That is a governance check, not a design preference.
👉 Read our full editorial: Excalidraw skills turn agent self-maps into a governance control
