Glossary entry

What is runtime authorization?

Runtime authorization is the practice of deciding whether an action is allowed at the moment it is attempted, using live context such as arguments, identity, prior actions, and time of day rather than relying on a permission grant set days or months earlier. For AI agents, it is the policy check that runs between the model's decision to call a tool and the tool running.

Key facts

  • Decisions are made at action time, with request context, not at deploy time.
  • Fits production AI agents that take real-world actions: payments, refunds, writes to databases, outbound emails.
  • Without it, agents inherit broad permissions and act on jailbroken or hallucinated instructions with no second check.
  • Veto runs an in-process policy decision on each governed tool call, evaluating YAML rules against the live arguments and identity.

In plain English

Static authorization is what most apps already have. A user signs in, the system loads their role, and from then on the role decides what they can do. The check happens once, often before the request arrives. That model breaks when the actor is an AI agent that can chain hundreds of actions per minute on behalf of many users, sometimes acting on instructions that did not come from any of them.

Runtime authorization treats each governed action as its own decision. Same agent, different arguments, different answer. An agent calling refund(order_id, amount) with a $50 amount and a $50,000 amount triggers the same code path but two different decisions. The authorization engine sees the arguments, checks them against policy, and returns allow, deny, or route to a human approver.

How it works

The pattern follows the policy decision point and policy enforcement point split familiar from XACML. The enforcement point sits on the tool path. It pauses the action, sends the request to the decision point, and waits for the verdict. The decision point evaluates a set of declarative rules against the request and returns one of three outcomes: allow, block, or require_approval.

With Veto, the rules live in YAML in your repo. They reference the tool name, the arguments, the agent identity, and anything in the request context. The SDK runs the decision in-process, returns locally before execution, and logs the verdict with the decision context.

# YAML policy: runtime authorization for refunds
- name: refunds_must_be_small_or_approved
  match:
    tool: refund_order
  rules:
    - if: args.amount_cents > 50000
      then: require_approval
    - if: args.amount_cents <= 50000
      then: allow

Operational consequence

The public failure pattern is specific: an agent with a valid session runs a destructive operation during a freeze, then the team has to reconstruct what happened from logs. Authentication was fine. What was missing was a check that asked: should this specific action, with these arguments, against this environment, be allowed right now? A runtime authorization policy that blocks destructive operations on production tables during freeze windows stops the call before it runs.

The same pattern shows up in compliance. The EU AI Act requires human oversight for high-risk systems. SOC 2 reviewers expect access-control and activity-review evidence. HIPAA requires ePHI access controls. None of them say "runtime authorization" by name, but they often require the kind of contextual, logged, human-overridable decision that runtime authorization provides.

Related terms

Agent Authorization

Deciding what an agent identity is allowed to do, separate from its operator.

Tool-Call Authorization

The specific mechanism: intercepting and judging governed tool invocations.

Runtime agent authorization

Veto's product page for the runtime authorization path.

Policy as Code for AI

How runtime authorization rules are expressed and version-controlled.

FAQ

How is runtime authorization different from access control lists?

An ACL is set at configuration time and grants a fixed set of permissions. Runtime authorization decides on each request, using arguments, time, prior actions, and signals the ACL never saw. An ACL can say 'this agent may issue refunds.' Runtime authorization can say 'this agent may issue refunds under $500, on its own merchant, after a fraud check passed within the last 60 seconds.'

Is runtime authorization the same as a guardrail?

Guardrails is the umbrella term: input filtering, output validation, and runtime authorization are all types of guardrail. Runtime authorization is specifically about answering allow or block on a concrete action with concrete arguments. Content filters and prompt-injection detectors protect the model itself.

Why not enforce authorization inside the LLM prompt?

Prompts are not authorization. They are suggestions to a probabilistic system. A model that can be jailbroken can be tricked into ignoring the rule it was told to follow. Runtime authorization runs outside the model in deterministic code, where the answer does not change based on how the request was phrased.

Does runtime authorization slow down agents?

A well-built policy decision runs locally before execution. The authorization check sits after tool selection and before side effects, where it pays for itself the first time it stops a destructive action.

Turn your agent permissions into runtime policy.

Sign upInstall the SDK