AI Agent Access Control and Governance
Security teams managing what data and APIs autonomous AI agents can access and what actions they can take.
Le problème
AI agents operating autonomously need bounded access — they should not be able to request arbitrary data or call any API. Corules's Gate 1 constraint evaluation defines the bounds of what an agent is allowed to propose before it reasons. This means the agent is told 'you may only consider discounts up to 25% for this customer' before generating its response. The agent cannot reason its way around this constraint because it never receives the option. Gate 2 validates the final action before execution.
Comment Corules le résout
Corules's policy runtime evaluates structured context against compiled CEL expressions — returning ALLOW, BLOCK, or ESCALATE with a reason and audit ID.
Exemple de politique
// Gate 1 tells the agent its allowed action space:
GET /v1/constraints?actor=agent_sales_01&use_case=discount_approval
→ {
"max_discount_pct": 0.25,
"allowed_customer_tiers": ["standard", "premium"],
"required_approval_above": 0.20
}
// Agent cannot propose outside these boundsFrequently Asked Questions
How is actor identity established for AI agents?
Agents use signed JWT tokens that carry their role and permissions. Identity is resolved from the token, not from the agent's self-report. This is a critical security property.
Can different agents have different permission sets?
Yes. Constraints are computed per actor × use case. A sales AI and a finance AI operating in the same system receive different constraint bounds.