Policy Model

Policy-as-code for AI authorization

AI IAM evaluates every action dynamically using identity, capability, data entitlement, purpose, context, and risk.

Decision Function

Decision = f(user, agent, capability, action, resource, purpose, context, risk)

Authorization is evaluated at runtime using all dimensions of the request, not just identity or role.

Entity Model

User

Agent

Tool

Data

Model

Policy Evaluation Flow

  1. Authenticate user identity
  2. Validate user → agent access
  3. Validate agent → capability access
  4. Apply user data entitlements
  5. Evaluate purpose, context, and risk
  6. Return allow, deny, or step-up decision
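The six-step flow above, worked through as a small runnable evaluator. This is an added example, not the page's or any product's code: the entitlement tables, the Request fields and the rule that medium risk yields a step-up (the page only states that high risk is refused) are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample entitlements (hypothetical data, not from the page).
USER_AGENTS = {"adam": {"finance-agent"}}                 # user -> agents the user may invoke
AGENT_CAPABILITIES = {"finance-agent": {"read_ledger"}}   # agent -> capabilities it may use
USER_DATA = {"adam": {"ledger:emea"}}                     # user -> data the user is entitled to
ALLOWED_PURPOSES = {"reporting"}                          # purposes the policy permits
AUDIT: list[dict] = []                                    # every decision is recorded here

@dataclass(frozen=True)
class Request:
    user: str
    agent: str
    capability: str
    resource: str         # data the capability acts on
    purpose: str
    risk: str             # "low" | "medium" | "high"
    authenticated: bool = True

def evaluate(req: Request) -> str:
    """Run the six-step flow and return 'allow', 'deny' or 'step-up'."""
    decision, reason = _decide(req)
    AUDIT.append({"request": req, "decision": decision, "reason": reason})  # full auditability
    return decision

def _decide(req: Request) -> tuple[str, str]:
    if not req.authenticated:                                           # 1. authenticate user
        return "deny", "user not authenticated"
    if req.agent not in USER_AGENTS.get(req.user, set()):               # 2. user -> agent
        return "deny", f"{req.user} may not invoke {req.agent}"
    if req.capability not in AGENT_CAPABILITIES.get(req.agent, set()):  # 3. agent -> capability
        return "deny", f"{req.agent} has no capability {req.capability}"
    if req.resource not in USER_DATA.get(req.user, set()):              # 4. user data entitlement
        return "deny", f"{req.user} not entitled to {req.resource}"
    if req.purpose not in ALLOWED_PURPOSES:                             # 5. purpose
        return "deny", f"purpose {req.purpose!r} not permitted"
    if req.risk == "high":                                              # 5. risk (high is refused)
        return "deny", "risk is high"
    if req.risk == "medium":                                            # 6. step-up (assumed threshold)
        return "step-up", "elevated risk: require additional verification"
    return "allow", "all checks passed"                                 # 6. allow

if __name__ == "__main__":
    req = Request("adam", "finance-agent", "read_ledger", "ledger:emea", "reporting", "low")
    print(evaluate(req), "-", AUDIT[-1]["reason"])
```

Because every check is a separate step, the audit record names the first failing dimension, which is what an investigator needs when a denied call is questioned later.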

Example Policy (Cedar-style)

// User "adam" may invoke the finance agent ...
permit(
  principal == User::"adam",
  action == Action::"InvokeAgent",
  resource == Agent::"finance-agent"
)
// ... only for a declared reporting purpose and when the request risk is not high.
when {
  context.purpose == "reporting" &&
  context.risk != "high"
};

Continuous evaluation

Decisions are made at every step of execution.

Least privilege

Agents operate within strictly bounded capabilities.

Full auditability

Every decision and action is logged and traceable.