
Agent authz: authorization for AI agent actions.

BLUF

Agent authz is developer shorthand for runtime agent authorization after identity is known. Authn says the agent, user, or service is valid. Authz decides whether this proposed tool call may execute with these arguments in this context.

Authn vs authz for agents

Platform teams already know the split. Identity is necessary, but it does not authorize dynamic action. An agent with a valid token can still attempt the wrong transfer, tenant export, deploy, or external message.

Layer | Question                 | Common mechanism                                | Agent gap
Authn | Who is acting?           | JWT, API key, OAuth token, SPIFFE ID.           | A valid actor can still attempt unsafe work.
Authz | May this action run now? | Policy, context, risk, approvals, audit logs.   | Must inspect the concrete tool call and arguments.

The enforcement boundary is the tool call

Agent authz belongs where intent turns into side effect. Put the policy enforcement point directly around the function, MCP server, browser action, or API client. Do not trust a prompt, chain step, or planner node to be the final control.

const guardedTools = veto.wrap(tools)

model -> proposed tool call -> PEP -> PDP -> allow | block | approval -> tool

PDP, PEP, and YAML policy-as-code

A clean agent authz design separates enforcement from decisioning. The PEP is close to the tool. The PDP is deterministic and inspectable. Policy lives in code review, not in a prompt string.

Policy enforcement point

The wrapper around tools, MCP servers, browser actions, deployment calls, or financial operations. It blocks execution until policy returns a decision.

Policy decision point

The evaluator that receives tool name, arguments, actor, tenant, environment, risk, and policy context, then returns an enforceable outcome.

YAML rules

Reviewable rules that live with code. They express argument caps, tenant boundaries, environment rules, rate limits, and approval requirements.

rules:
  - tool: transfer_funds
    when:
      args.amount_usd: ">= 5000"
      context.environment: "production"
    outcome: require_approval
  - tool: delete_customer_record
    outcome: block

Keep the outcome contract small

Tool wrappers, agents, humans, logs, and tests should share one contract. Veto reduces the runtime decision to three outcomes: allow, block, or require approval.

Allow

Forward the call to the underlying tool and log the decision context.

Block

Stop the call, return a controlled error to the agent, and record the denial reason.

Require approval

Pause execution until a human approves or denies the action with full context.
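The PDP/PEP split and the three-outcome contract described above, as an added example that is not Veto's own code: a small decision function evaluating rules shaped like the YAML policy, wrapped around a tool map. The rule shape, the `args.*` and `context.*` paths, and the tool names are assumptions taken from the snippet above; a condition whose path is absent from the call is treated as matched, so an incomplete call falls to the rule's outcome rather than slipping through.

```javascript
// Rules as the YAML above parses; the argument and context names are this example's assumptions.
const rules = [
  { tool: "transfer_funds",
    when: { "args.amount_usd": ">= 5000", "context.environment": "production" },
    outcome: "require_approval" },
  { tool: "delete_customer_record", outcome: "block" },
];

// Resolve a dotted path such as "args.amount_usd" against the call record.
function lookup(call, path) {
  return path.split(".").reduce((v, k) => (v == null ? undefined : v[k]), call);
}

// One condition: "<op> <number>" is a numeric comparison, anything else is exact equality.
function matches(actual, expected) {
  const m = /^(>=|<=|>|<|==|!=)\s*(-?\d+(?:\.\d+)?)$/.exec(String(expected));
  if (!m) return actual === expected;
  const n = Number(actual), lim = Number(m[2]);
  if (actual === "" || Number.isNaN(n)) return false; // non-numeric argument never clears a numeric cap
  return { ">=": n >= lim, "<=": n <= lim, ">": n > lim, "<": n < lim, "==": n === lim, "!=": n !== lim }[m[1]];
}

// PDP: the first rule for this tool whose conditions all match decides; a condition that cannot be
// evaluated (path missing from the call) fails closed to the rule's outcome; unmatched calls are allowed.
function decide(call, policy = rules) {
  for (const rule of policy) {
    if (rule.tool !== call.tool) continue;
    const conds = Object.entries(rule.when || {});
    const missing = conds.find(([path]) => lookup(call, path) == null);
    if (missing) return { outcome: rule.outcome, matched: rule, reason: "unevaluable: " + missing[0] };
    if (conds.every(([path, exp]) => matches(lookup(call, path), exp))) {
      return { outcome: rule.outcome, matched: rule, reason: "matched" };
    }
  }
  return { outcome: "allow", matched: null, reason: "no rule" };
}

// PEP: wrap every tool so the decision is taken before any side effect, and record each decision.
function wrap(tools, policy = rules, log = []) {
  const guarded = {};
  for (const [name, fn] of Object.entries(tools)) {
    guarded[name] = (args, context) => {
      const call = { tool: name, args, context };
      const { outcome, matched, reason } = decide(call, policy);
      log.push({ ...call, outcome, reason, matched: matched ? matched.tool : null, at: new Date().toISOString() });
      if (outcome === "allow") return { outcome, result: fn(args, context) };
      if (outcome === "block") return { outcome, error: "blocked by policy: " + name };
      return { outcome, pending: call }; // require_approval: hand off to a human; the tool does not run
    };
  }
  return guarded;
}
```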

Implementation checklist

Pass actor, tenant, project, environment, and request IDs into each check.
Treat money movement, PHI, claims, deploys, deletes, browser writes, and external messages as high-risk by default.
Keep YAML policies in git and require review for production policy changes.
Log tool name, arguments, matched policy, decision, timestamp, and approver when present.


Agent authz FAQ

What does agent authz mean?

Agent authz is developer shorthand for authorization of AI agent actions. In production, it means checking a proposed tool call after identity is known and before the tool executes.

How is authn different from authz for AI agents?

Authn proves the actor is a known user, service, or agent. Authz decides whether that actor may run this specific tool with these arguments in this tenant, environment, and risk context right now.

Where should agent authz run?

Run it at the tool-call boundary. The model proposes a tool call, the policy enforcement point sends the call context to policy evaluation, and the underlying function, MCP server, browser action, or API call runs only after an allow decision.

What outcomes should an agent authz layer return?

Use a small outcome contract: allow, block, or require approval. That keeps agent handling predictable, keeps approval workflows explicit, and gives auditors a clear decision record for every sensitive action.

Is agent authz a product name?

No. It is a shorthand search phrase and engineering term. The product is Veto, a runtime action authorization layer for AI agents.

Design agent authz before the first production tool call.

Bring your tool list and one high-risk workflow.
