Overview
Validate → policy-check → SoD → risk-score → provision or escalate: turns an access request into a safe, policy-grounded outcome.
Least privilege by default: it grants only the standard, low-risk access a role clearly warrants, and nothing more.
Separation-of-duties aware: it blocks grants that would create a toxic combination (e.g. create-vendor + approve-payment).
Defensive: never auto-grants privileged/production/sensitive access, prefers time-bound grants, and escalates exceptions with a full audit trail.
AgentAz™ specification
A lightweight, design-time governance spec for security review. It documents what this agent is authorized to do — and why — and pairs with whatever policy engine you already run. It does not enforce anything at runtime.
Machine-readable contract (agentaz.json), validated against the open AgentAz™ JSON Schema — bundled for offline use and published at a permanent URL:
{
"$schema": "./agentaz.schema.json",
"version": "2.0.0",
"last_reviewed": "2026-06-24",
"agent_id": "access-request-agent",
"trust_level": "A3",
"dna_pattern": "Planning",
"worst_case_action": "Prepares an incorrect access change for human approval. Cannot grant or revoke access.",
"authority_boundary": "Prepares access changes against policy for approval; provisioning tools absent.",
"tags": [
"security",
"iam",
"access-request",
"human-approval"
],
"tool_boundary": {
"allowed_tools": [
"read_request",
"check_policy",
"prepare_change",
"summarize"
],
"execution_tools_absent": true
},
"output_boundary": {
"format": "structured_json",
"never_emits": [
"grant_access",
"revoke_access",
"provisioning_write"
]
},
"cost_boundary": {
"max_usd_per_trace_loop": 0.25,
"alert_threshold_usd": 0.16
},
"loop_boundary": {
"max_reasoning_turns": 8
},
"human_handoff": {
"triggers": [
"sensitive_resource",
"policy_ambiguous",
"low_confidence"
],
"destination": "access_owner"
},
"audit": {
"append_only": true,
"logs": [
"request",
"policy_check",
"prepared_change",
"approvals"
]
}
}New to this? Read the AgentAz specification guide — Trust Levels, DNA patterns, and how it complements your runtime.
This is a flagship reference blueprint for AgentAz v1.0.0. AgentAz™ is open source under Apache-2.0 (spec text under CC‑BY‑4.0) — schema and source on GitHub.
Governance matrix
A scannable summary of this blueprint's governance coverage, derived from its AgentAz™ specification. It documents the boundaries that already ship — not new functionality.
| Agent goal | Bounded by the authority spec above |
|---|---|
| Trust Level | A3 — Human-Approved |
| Tool access | Least privilege — execution tools absent (read-only) |
| Context handling | Grounded in provided inputs; cites or flags rather than guessing |
| Memory strategy | Task-scoped; no persistent cross-session memory |
| Human approval | Required on sensitive resource, policy ambiguous, low confidence → access owner |
| Audit trail | Append-only log (request, policy check, prepared change, approvals) |
| Cost & loop bounds | ≤ $0.25 per loop · ≤ 8 reasoning turns |
| Recovery / escalation | Escalates to access owner |
Agent component mapping
A framework-neutral view of how this blueprint maps to standard agent-architecture components (the vocabulary common to ADK-style frameworks). It describes structure for clarity — not an official integration or certified compatibility.
| Agent | Primary reasoner — Human-Approved authority (A3) |
|---|---|
| Tools | read request, check policy, prepare change, summarize — execution tools absent (read-only) |
| Memory | Task-scoped working context; no persistent cross-session memory |
| Guardrails | Worst-case classified (A3); no execution tools; ≤ $0.25/loop · ≤ 8 turns |
| Evaluator | Confidence and authority-boundary checks; low-confidence or out-of-bounds results are flagged, not actioned |
| Handoff | Escalates to access owner on sensitive resource, policy ambiguous, low confidence |
Failure modes
Specific ways this blueprint can fail, and how it is designed to detect, contain, and recover from each — the boundaries that make it safe to run, stated plainly.
Prepares an over-privileged grant — more access than the request needs.
- Detection
- The request is compared to a role baseline; privilege escalation is flagged.
- Mitigation
- The agent prepares only; a human approves, with a least-privilege check.
- Recovery
- The approver rejects it and a right-sized grant is prepared.
Decides against a stale policy.
- Detection
- The policy version is checked at decision time.
- Mitigation
- Access is never granted autonomously.
- Recovery
- The request is re-evaluated against the current policy.
A segregation-of-duties conflict slips through.
- Detection
- A segregation-of-duties ruleset is checked and conflicts are flagged.
- Mitigation
- Conflicts are flagged for a human and never auto-approved.
- Recovery
- The case is routed to the access owner; it is denied or the exception is logged.
Evaluation
Least-privilege correctness matters most — whether the prepared grant matches the minimal access the request warrants — because over-provisioning is the silent risk.
| Decision agreement | Agreement of the prepared grant or deny with an access owner's decision. |
|---|---|
| Least-privilege accuracy | Share where the proposed scope matches the minimal necessary, with no over-provisioning. |
| SoD-conflict recall | Of segregation-of-duties conflicts present, the share it flags. |
| Escalation rate | How often it correctly routes exceptions to a human. |
| Latency | Time to a prepared decision. |
Recommended approach. Replay historical access requests with known correct outcomes and role baselines; measure agreement, over-provisioning rate, and SoD-conflict recall. Approvals always remain human during evaluation.
When to use
Use it when
- Your IT/helpdesk queue is full of routine access requests that follow role-based policy.
- You have an entitlement/role policy and identity data (role, department, manager) the agent can check against.
- You want consistent least-privilege provisioning with separation-of-duties enforcement and a clean audit trail.
- You want to auto-handle standard low-risk grants while routing privileged and sensitive ones to humans.
Avoid it when
- You expect it to grant admin, production, or sensitive-data access autonomously — it must not.
- You have no role/entitlement policy for it to ground decisions in.
- You can't integrate approval verification, so it would have to assume approvals.
- You can't keep human review on privileged and exception requests.
System prompt
You are an Access Request & Provisioning Agent in an IT/security workflow. You process ONE access request: validate it, check policy, enforce least privilege and separation-of-duties, and either provision standard low-risk access or escalate. You are judged on safe, correct, least-privilege provisioning and on never granting access that should have gone to a human.
== CORE PRINCIPLES ==
1. Least privilege by default. Grant the minimum access the person's role clearly warrants for the stated need — never more. Prefer time-bound / just-in-time grants over standing access.
2. Policy-grounded. Base every decision on the entitlement/role policy and verified identity data (role, department, manager). Cite the policy basis. Do not invent entitlements.
3. Verify, don't assume. Confirm the required approvals and justification actually exist. Never fabricate or presume an approval.
== HARD RULES (NON-NEGOTIABLE) ==
- NEVER AUTO-GRANT HIGH-RISK ACCESS: Admin/privileged roles, production system access, sensitive/regulated data, security tooling, or anything outside the requester's standard role MUST be escalated for human approval — never auto-provisioned.
- SEPARATION OF DUTIES: Block any grant that creates a toxic combination (e.g. create-vendor + approve-payment, develop + deploy-to-prod, request + approve). Flag the conflict and escalate.
- APPROVAL REQUIRED WHERE POLICY SAYS: If policy requires manager and/or resource-owner approval, verify it's present before provisioning. Missing approval = escalate, not grant.
- AUDIT EVERYTHING: Every decision (grant or deny) is logged with the policy basis, approvals, and risk rationale.
- NO FABRICATION: Never invent an entitlement, role, approval, or justification. If data is missing, request it or escalate.
== METHOD ==
- Validate the request and resolve the requester's identity (role, dept, manager).
- Look up the entitlement policy for the requested access; determine if it's standard for the role.
- Run a separation-of-duties check against the requester's existing access.
- Score access risk (privilege level, data sensitivity, production scope, blast radius).
- Verify required approvals. Then decide.
== DECISION POLICY (calibrated confidence 0.0-1.0) ==
- AUTO_PROVISION: standard, low-risk, role-appropriate access; no SoD conflict; required approvals present; confidence >= 0.85. Grant least-privilege (time-bound if supported).
- REQUEST_INFO: missing justification or approval — state exactly what's needed; do not grant.
- ESCALATE: privileged/production/sensitive access, SoD conflict, out-of-role request, or any uncertainty. Route to security/owner with the findings.
== COST CONTROL ==
Look up only the policy and identity data this request needs; reuse what's loaded. Cap tool calls; if exceeded, escalate with current findings.
== OUTPUT FORMAT (return ONE JSON object) ==
{
"request_id": "<id>",
"requester_role": "<role/dept>",
"requested_access": "<resource + level>",
"risk": "low|moderate|high",
"policy_basis": "<entitlement rule cited>",
"sod_conflict": "<conflict description, or 'none'>",
"approvals": "<present/required/missing>",
"decision": "AUTO_PROVISION|REQUEST_INFO|ESCALATE",
"grant": { "access": "<least-privilege grant>", "time_bound": "<expiry, or 'standing'>", "applied": <bool> },
"actions": [ { "tool": "<tool>", "args": { ... }, "requires_approval": <bool> } ],
"requester_note": "<clear status message>",
"escalation": { "needed": <bool>, "to": "security|resource_owner|manager|none", "reason": "<why, or empty>" }
}
If access is privileged/production/sensitive, or any SoD conflict exists, decision must be ESCALATE — never AUTO_PROVISION.Simulate run
Try the agent with a sample task. This is a frontend-only preview that shows how the kit would plan and execute — no API calls, nothing leaves your browser.
Frontend preview only — no data leaves your browser. Tip: press ⌘/Ctrl + Enter to run.
Setup guide
Install and connect IAM/ITSM
Install the agent and connect it to your identity provider and ticketing.
pipx install access-request-agent access-request-agent connect --idp okta --itsm servicenow access-request-agent doctor # verifies least-privilege provisioning scope
Configure guardrails
What may auto-provision. Privileged/sensitive/production access never can. Enforced outside the model.
cp .env.example .env
ANTHROPIC_API_KEY=sk-ant-...
AUTO_PROVISION_ONLY: { risk: "low", role_standard: true, approvals: "present" }
NEVER_AUTO: ["admin", "production", "sensitive_data", "security_tooling"]
PREFER_TIME_BOUND=trueLoad entitlement policy & SoD rules
Define standard role entitlements and the toxic combinations to block.
# access.yml
roles:
engineer: { standard: ["repo:read", "ci:read", "dev-db:read"] }
sod_conflicts:
- ["vendor:create", "payment:approve"]
- ["code:develop", "prod:deploy"]
privileged: ["*:admin", "prod:*", "pii:*"]Dry-run on past requests
Replay historical requests to confirm it never auto-grants privileged access or SoD conflicts.
access-request-agent backtest --range 60d --explain # reports auto-provision/escalate decisions; privileged auto-grants must be 0
Wire into the request flow
Route access requests to the agent; privileged/sensitive/SoD requests auto-route to security.
# access request ticket -> POST https://your-host/access/handle (HMAC) # decision=ESCALATE auto-assigns to the security queue
Architecture
Tools required
Workflow
1. Validate the request
Capture the requester, resource, level, and justification, and resolve identity (role, dept, manager).
2. Check entitlement policy
Look up the role-based policy for the requested access and determine whether it's standard or an exception.
3. Run separation-of-duties
Compare against existing access for toxic combinations; a conflict blocks auto-provisioning.
4. Score access risk
Rate privilege, data sensitivity, production scope, and blast radius to choose the path.
5. Verify approvals
Confirm required approvals and justification exist; missing approval means request-info or escalate, never grant.
6. Provision or escalate
Auto-provision only standard, low-risk, role-appropriate access (least-privilege, time-bound if possible); escalate privileged/sensitive/SoD cases.
7. Audit
Log every decision with the policy basis, approvals, and risk rationale for review and access certification.
Examples
Standard role-based access, approved → auto-provision (least privilege)
An engineer requests read access to a dev tool their role normally has, with manager approval. Low risk, in-policy.
Input
Request REQ-5512: engineer requests read access to the staging dashboard. Role policy lists staging:read as standard for engineers. Manager approval present.
Output
{
"request_id": "REQ-5512",
"requester_role": "Engineer / Platform",
"requested_access": "staging-dashboard:read",
"risk": "low",
"policy_basis": "entitlement: 'staging:read' is standard for the Engineer role",
"sod_conflict": "none",
"approvals": "present (manager approved)",
"decision": "AUTO_PROVISION",
"grant": { "access": "staging-dashboard:read", "time_bound": "standing", "applied": true },
"actions": [ { "tool": "provision_access", "args": { "user": "REQ-5512.requester", "access": "staging-dashboard:read" }, "requires_approval": false } ],
"requester_note": "Your request for read access to the staging dashboard has been provisioned. It matches your role's standard access and your manager approved it.",
"escalation": { "needed": false, "to": "none", "reason": "" }
}Note: The routine grant the kit clears instantly: read-only, standard for the role, manager-approved, no SoD conflict. It provisions exactly the least-privilege access requested (read, not write) and cites the policy basis. This is the volume that should never need a human.
Production/admin access requested → never auto-grant, escalate
A developer requests admin access to a production database. Regardless of approval, the high-risk rule forces escalation.
Input
Request REQ-5570: developer requests admin (write) access to the production payments database, justification 'need to debug an issue'.
Output
{
"request_id": "REQ-5570",
"requester_role": "Engineer / Payments",
"requested_access": "prod-payments-db:admin (write)",
"risk": "high",
"policy_basis": "prod:* and *:admin are privileged — not standard for the Engineer role",
"sod_conflict": "none",
"approvals": "manager approval present; resource-owner approval NOT present",
"decision": "ESCALATE",
"grant": { "access": "", "time_bound": "", "applied": false },
"actions": [ { "tool": "escalate_to_security", "args": { "to": "security+db_owner", "priority": "high" }, "requires_approval": false } ],
"requester_note": "Your request for admin access to the production payments database needs security review — production and admin access can't be auto-granted. In the meantime, consider whether time-bound read access or a break-glass procedure would address the debugging need.",
"escalation": { "needed": true, "to": "security", "reason": "Privileged admin access to a production payments database — high risk, requires security + resource-owner approval; suggest least-privilege/time-bound alternative." }
}Note: Even with manager approval and a plausible reason, production + admin access is privileged and high-risk, so it's never auto-granted. The agent escalates to security and the DB owner and proactively suggests a least-privilege alternative (time-bound read, break-glass) — pushing toward minimal access rather than just relaying the request.
Separation-of-duties conflict → block and escalate
Someone who can already create vendors requests payment-approval access. Granting it would create a fraud-enabling toxic combination.
Input
Request REQ-5604: a finance ops user with existing 'vendor:create' access requests 'payment:approve' access.
Output
{
"request_id": "REQ-5604",
"requester_role": "Finance Ops",
"requested_access": "payment:approve",
"risk": "high",
"policy_basis": "payment:approve is grantable to the role, BUT SoD policy forbids it combined with existing access",
"sod_conflict": "Requester already holds 'vendor:create'; combining with 'payment:approve' violates SoD (one person could create a vendor and approve its payments)",
"approvals": "manager approval present",
"decision": "ESCALATE",
"grant": { "access": "", "time_bound": "", "applied": false },
"actions": [ { "tool": "escalate_to_security", "args": { "to": "security+finance_controls", "conflict": "vendor:create + payment:approve" }, "requires_approval": false } ],
"requester_note": "This request can't be auto-approved: combining payment-approval with your existing vendor-creation access would violate separation-of-duties controls. Finance controls/security will review options (e.g. removing one entitlement or adding a second approver).",
"escalation": { "needed": true, "to": "security", "reason": "Separation-of-duties conflict: vendor:create + payment:approve on one identity enables fraud; needs controls review." }
}Note: The defining control: 'payment:approve' is grantable on its own and the manager approved it — but the requester already holds 'vendor:create', and that combination is a classic fraud-enabling toxic pair. The SoD check catches what a naive entitlement lookup would miss, blocks the grant, and escalates to finance controls with the exact conflict named.
Implementation notes
- Default to least privilege and time-bound/just-in-time grants; standing privileged access is the thing this agent exists to avoid handing out.
- Enforce the 'never auto-grant privileged/production/sensitive' rule and the SoD check in a deterministic gate — these are security controls, not model preferences.
- Run separation-of-duties against the requester's existing access, not just the new request; toxic combinations are invisible if you only look at one entitlement.
- Verify approvals actually exist before provisioning; a missing resource-owner approval is an escalation, never an assumption.
- Log every decision with policy basis, approvals, and risk for access certification and audit — this is also what makes the agent defensible to security review.
- Have the agent suggest least-privilege alternatives (time-bound read, break-glass) when escalating high-risk requests, rather than just relaying them.
- Spend the strong model on risk and SoD judgment — a cheaper model can resolve identity and look up policy.
Variations
Basic
Request triage assistant
Validates the request, checks policy and separation-of-duties, scores risk, and recommends grant/escalate for an IT analyst. No autonomous provisioning.
Advanced
Guarded auto-provisioning
Auto-provisions standard low-risk, role-appropriate access (least-privilege, time-bound) with approval verification, and escalates privileged/sensitive/SoD-conflict requests.
Enterprise
Governed access automation
Adds IGA/IAM integration, role-mining and entitlement catalogs, JIT access, full audit and access-certification support, and policy tuning — privileged access always human-approved.
Download the Agent Blueprint
Export
This flagship blueprint and the AgentAz™ specification live in the central AgentKits registry — open source under Apache-2.0 (code & schema) and CC‑BY‑4.0 (text).
Frequently asked questions
Never. Privileged roles, production access, sensitive/regulated data, and security tooling are always escalated for human approval. It only auto-provisions standard, low-risk, role-appropriate access.
It grants the minimum access the role clearly warrants for the stated need — read instead of write where that suffices — and prefers time-bound/just-in-time grants over standing access, citing the policy basis each time.
Before granting, it compares the request against the requester's existing access to catch toxic combinations (like create-vendor + approve-payment, or develop + deploy-to-prod). Any conflict blocks auto-provisioning and is escalated.
No. It verifies that required manager/resource-owner approvals and justification actually exist. Missing approval means it requests it or escalates — it never fabricates or presumes an approval.
Yes. Every grant or denial is logged with the policy basis, the approvals, and the risk rationale, which supports access certification and security review.
Start in advise mode where it recommends, backtest on past requests to confirm it never auto-grants privileged access or SoD conflicts, then enable auto-provisioning for standard low-risk requests.