Enterprise Tool Access Model
Three independent layers must agree before the agent can act:
1. Network reach (allowlist). Destination is reachable from the workspace boundary.
2. Per-service authentication. The service’s own credentials are valid and scoped.
3. Action class (per blueprint). The agent is permitted to perform this category of action against this service.
Where credentials live. Held by the credential proxy in the runtime layer. The agent receives capabilities; the proxy executes the call on its behalf; raw secrets never enter the agent process.
Where authority comes from. Across systems of record and messaging channels, the agent operates with a policy-defined subset of the end-user’s permissions — defined by the per-engagement delegation record — never a separate authority.
Read, search, summarize, and draft are typically allowed without review when inputs are trusted and outputs are consumed by a human. Untrusted data, write actions, or output consumed by another agent without HITL must always trigger human review.
Table 5: Service Category Recommended Baseline
| Service Category | Recommended Baseline |
|---|---|
| Source control | Search, read, branch, draft patch; review before merge or protected-branch write |
| Systems of record (ticketing, wikis, databases, etc.) | Search, read, draft update; review before state change, assignment, or closure |
| Instant messaging, email | Search, read, summarize, draft message; review before send |
| Package repositories | Approved mirrors and package sources only; no install from arbitrary upstreams |
| Model endpoints | Approved endpoints via routed inference; per-blueprint policy on which models see which data |
| External internet | Explicit allowlist only; no generic outbound |
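
The three-layer check and the review triggers described above can be sketched as a single decision function. This is an added example, not code from the original page; the hosts, service keys, action names, and the `Request` and `decide` names are assumptions, with two rows of Table 5 encoded as a constructed blueprint.

```python
from dataclasses import dataclass

# Constructed policy data (hosts, service keys and action names are assumptions).
ALLOWLIST = {"git.example.internal", "tickets.example.internal"}
BLUEPRINT = {  # service -> (actions allowed at baseline, actions that need review)
    "source_control": ({"search", "read", "branch", "draft_patch"},
                       {"merge", "protected_branch_write"}),
    "ticketing": ({"search", "read", "draft_update"},
                  {"state_change", "assignment", "closure"}),
}

@dataclass(frozen=True)
class Request:
    service: str
    host: str
    action: str
    cred_valid: bool            # reported by the credential proxy, which holds the secret
    cred_scope: frozenset       # actions the service credential itself permits
    inputs_trusted: bool = True
    consumer: str = "human"     # "human" or "agent"
    downstream_hitl: bool = False

def decide(req: Request) -> tuple:
    """Return (verdict, reason); verdict is 'deny', 'review' or 'allow'."""
    # Layer 1: network reach. The destination must be on the allowlist.
    if req.host not in ALLOWLIST:
        return ("deny", "network")
    # Layer 2: per-service authentication. Credential must be valid and scoped.
    if not req.cred_valid or req.action not in req.cred_scope:
        return ("deny", "auth")
    # Layer 3: action class per blueprint. Unknown services and actions are denied.
    baseline, reviewed = BLUEPRINT.get(req.service, (set(), set()))
    if req.action not in baseline | reviewed:
        return ("deny", "action_class")
    # Review triggers: write actions, untrusted inputs, agent consumer without HITL.
    if req.action in reviewed:
        return ("review", "write_action")
    if not req.inputs_trusted:
        return ("review", "untrusted_input")
    if req.consumer == "agent" and not req.downstream_hitl:
        return ("review", "agent_consumer_without_hitl")
    return ("allow", "baseline")
```

Because the layers are evaluated independently, a credential whose scope includes an action does not make that action permitted: the blueprint still has to list it, and a listed write action still goes to review.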