Next-Gen

AI Agent IAM Reference Architecture

Layered identity, authorization & enforcement for secure AI agent operations.

Layer 1

User Identity Layer

Establish and enrich human identity and attributes.

User Access Flow

User → Client / UI → IdP / SSO (MFA)

Identity & Attribute Service

User ID
Roles / Groups
Department / BU
Clearance / Level
Entitlements
Risk / Context
Device / Location
Layer 2

User → Agent Authorization Layer

Determines which agents the user is allowed to access.

Authorization Point #1

Can THIS USER use THIS AGENT?

Policy Decision (OPA / Cedar)

Allow / Deny

Agent Catalog (Discoverable Agents)

Finance Analyst Agent
HR Assistant Agent
Legal Research Agent
IT Support Agent
Layer 3

Agent Identity Layer

Agent identity established with capabilities and trust context.

Agent Runtime & Identity

Agent ID
Version
Owner / Team
Capabilities Declared
Trust Level
Credential / Key ID
Environment

Request Context (per Session / Task)

User ID
Agent ID
Session / Correlation ID
Purpose (Why)
Task / Action
Time / Location
Device / IP
Sensitivity Hint
Delegation Token ID (if any)
Layer 4

Agent → Capability Authorization Layer

Determines what this agent is allowed to access and do.

Authorization Point #2

Can THIS AGENT access THIS TOOL / DATA / API?

Policy Decision (OPA / Cedar)

Allow / Deny

Agent Capabilities (Allow List)

Tools / APIs
Data Sources / Collections
Functions / Operations
Allowed Actions
Layer 5

User → Data Authorization Layer

Determines what data the user is entitled to see. (Entitlement Overlay)

Authorization Point #3

User Entitlement Check for THIS DATA?

Policy Decision (OPA / Cedar)

Allow / Deny

Data Entitlements & Classification

Data Classification & Sensitivity
Ownership / Domain
Access Levels (RLS / CLS)
Row / Field Policies & Restrictions
Layer 6

Runtime Intersection Decision Layer

Policy evaluation with context. Evaluates the full intersection and returns a decision and obligations.

Authorization Point #4 — Policy Evaluation (Intersection)

Decision = f(user, agent, action, resource, context)

User Identity & Entitlements
Agent Identity & Capabilities
Action / Operation Intent
Resource / Data (What)
Context (Where / When / How)
Purpose (Why)
Risk Signals (Behavior, Threat, History)

Allow / Deny + Obligations / Controls (What must happen)
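
The Layer 6 intersection as an added Python example, not code from the original page and not OPA or Cedar policy: it combines authorization points 1 to 3 with request context and returns a decision plus obligations. The policy tables, field names, reason codes and obligation names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample policy data (illustrative names, not from the page).
AGENT_USERS = {"finance-analyst": {"finance"}}             # point 1: departments allowed per agent
AGENT_CAPS = {"finance-analyst": {("ledger_db", "read")}}  # point 2: (resource, action) allow list
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass
class Decision:
    allow: bool
    reason: str
    obligations: list = field(default_factory=list)

def decide(user, agent, action, resource, context):
    """Decision = f(user, agent, action, resource, context), default deny."""
    agent_id = agent.get("id")
    # Point 1: can THIS USER use THIS AGENT?
    if user.get("department") not in AGENT_USERS.get(agent_id, set()):
        return Decision(False, "user_not_allowed_agent")
    # Point 2: can THIS AGENT access THIS TOOL / DATA / API?
    if (resource.get("name"), action) not in AGENT_CAPS.get(agent_id, set()):
        return Decision(False, "agent_lacks_capability")
    # Point 3: user entitlement overlay. Unknown labels fail closed:
    # an unknown clearance ranks lowest, an unknown classification highest.
    have = LEVELS.get(user.get("clearance"), -1)
    need = LEVELS.get(resource.get("classification"), max(LEVELS.values()) + 1)
    if have < need:
        return Decision(False, "user_not_entitled_data")
    # Context: purpose (why) is mandatory; high risk signals deny outright.
    if not context.get("purpose"):
        return Decision(False, "missing_purpose")
    risk = context.get("risk", "high")  # an absent risk signal is treated as high
    if risk == "high":
        return Decision(False, "risk_too_high")
    # Obligations: controls the enforcement layer must apply on allow.
    obligations = ["audit_log"]
    if need >= LEVELS["confidential"]:
        obligations.append("mask_pii")
    if risk == "medium":
        obligations.append("step_up_mfa")
    return Decision(True, "all_checks_passed", obligations)
```

An allow is only reached when every check passes, so a user with broad entitlements still cannot reach data through an agent that lacks the capability, and the reverse.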

Cutting-Edge Enhancements (Built into Policy Evaluation)

Enforcement
Layer 7

Enforcement Layer

Decisions are enforced at every execution boundary. (Multiple Boundaries)

Guardrail Pipeline

Input Guardrails

Validate & sanitise user input (PII, jailbreak, etc.)

Retrieval Layer

Enforce collection filters & metadata constraints (classification, ownership, RLS)

Tool / API Gateway

Tool allow list, parameter constraints, rate limits, scopes

Data Access Layer

Query rewriting, RLS/CLS, masking, row/field security, DLP

Model / LLM Guardrails

Model allow list, prompt controls, context limits, policy constraints

Output Guardrails

Redaction, policy checks, toxicity, PII detection, summarization limits

Agent Response

Output to User

Layer 8

Observability & Audit Layer

End-to-end visibility for accountability and improvement.

Runtime Events & Audit Trail (Immutable)

User Login
Agent Invoked
Policy Decisions (1, 2, 3, 4)
Delegation Issued / Revoked
Tool / API Calls
Data Access Queries
Model Invocations & Responses
Outputs Delivered
Alerts / Anomalies

SIEM / Log Platform — Long-term Storage & Correlation

Control Plane

Centralized Governance

Legend

Request / Data Flow
- -→ Policy / Control Flow
Allow
Deny
Policy Decision Point
Enforcement Point
Control Plane Service