Intent-Goal Policy Examples
Authorization patterns specifically designed for AI agent ecosystems.
Basic Intent Policies
Allow Specific Intents
permit(
principal is Agent,
action == Action::"read",
resource is Document
) when {
context.intent in [
"summarize_document",
"extract_key_points",
"analyze_content"
]
};
Intent Prefix Patterns
permit(
principal is Agent,
action == Action::"query",
resource is Database
) when {
context.intent.startsWith("analyze_") ||
context.intent.startsWith("report_") ||
context.intent.startsWith("aggregate_")
};
forbid(
principal is Agent,
action == Action::"query",
resource is Database
) when {
context.intent.startsWith("delete_") ||
context.intent.startsWith("drop_") ||
context.intent.startsWith("truncate_")
};
Intent Validation
// Require non-empty intent
forbid(
principal is Agent,
action,
resource
) when {
!context.has("intent") ||
context.intent == ""
};
Goal-Based Policies
Allow Specific Goals
permit(
principal is Agent,
action == Action::"access",
resource is CustomerData
) when {
context.goal in [
"customer_support",
"order_fulfillment",
"billing_inquiry"
]
};
Goal Hierarchy
permit(
principal is Agent,
action == Action::"read",
resource is FinancialDocument
) when {
// Allow reporting goals
context.goal.startsWith("reporting/") ||
// Allow audit goals
context.goal.startsWith("audit/") ||
// Allow specific compliance goals
context.goal in ["compliance/sox", "compliance/gdpr"]
};
Resource-Goal Mapping
permit(
principal is Agent,
action,
resource is Tool
) when {
// Tool defines which goals can use it
context.goal in resource.approved_goals
};
Intent + Goal Combined
Strict Intent-Goal Matching
permit(
principal is Agent,
action == Action::"execute",
resource is Tool
) when {
// Must have both valid intent and goal
context.intent != "" &&
context.goal != "" &&
// Intent must be appropriate for the goal
(
(context.goal == "customer_support" &&
context.intent in ["lookup_customer", "check_order", "create_ticket"]) ||
(context.goal == "research" &&
context.intent in ["search_web", "analyze_document", "summarize"])
)
};
Intent-Goal Consistency
forbid(
principal is Agent,
action,
resource
) when {
// Block inconsistent intent/goal combinations
(context.goal == "read_only_analysis" &&
context.intent.contains("write")) ||
(context.goal == "internal_use" &&
context.intent.contains("external"))
};
Tool Execution Policies
Tool Risk Levels
// Low-risk tools: any agent
permit(
principal is Agent,
action == Action::"execute",
resource is Tool
) when {
resource.risk_level == 1
};
// Medium-risk tools: require valid goal
permit(
principal is Agent,
action == Action::"execute",
resource is Tool
) when {
resource.risk_level == 2 &&
context.goal in resource.approved_goals
};
// High-risk tools: require specific delegation
permit(
principal is Agent,
action == Action::"execute",
resource is Tool
) when {
resource.risk_level == 3 &&
context.goal in resource.approved_goals &&
context.delegation_chain[0].from in resource.authorized_delegators
};
Tool Categories
// Read-only tools
permit(
principal is Agent,
action == Action::"execute",
resource is Tool
) when {
resource.category == "read_only" &&
context.intent.startsWith("get_") ||
context.intent.startsWith("list_") ||
context.intent.startsWith("search_")
};
// Data modification tools
permit(
principal is Agent,
action == Action::"execute",
resource is Tool
) when {
resource.category == "write" &&
context.has_human_approval == true
};
Delegation Chain Policies
Require Human Origin
permit(
principal is Agent,
action,
resource
) when {
// First delegator must be a user
context.delegation_chain.length > 0 &&
context.delegation_chain[0].from.startsWith("User::")
};
Delegation Depth Limits
forbid(
principal is Agent,
action,
resource is SensitiveData
) when {
// Direct human delegation only for sensitive data
context.delegation_chain.length > 1
};
permit(
principal is Agent,
action,
resource
) when {
// General limit of 3 delegation levels
context.delegation_chain.length <= 3
};
Delegation Scope Verification
permit(
principal is Agent,
action,
resource
) when {
// Verify action is within delegated scope
action in context.delegation_chain[-1].scope
};
Multi-Agent Workflows
Coordinator Agents
// Coordinators can delegate to sub-agents
permit(
principal is Agent,
action == Action::"delegate",
resource is Agent
) when {
principal.role == "coordinator" &&
resource.role == "worker" &&
context.goal == principal.assigned_goal
};
Worker Agent Restrictions
// Worker agents cannot delegate further
forbid(
principal is Agent,
action == Action::"delegate",
resource is Agent
) when {
principal.role == "worker"
};
// Workers limited to their assigned tools
permit(
principal is Agent,
action == Action::"execute",
resource is Tool
) when {
principal.role == "worker" &&
resource in principal.assigned_tools
};
Cross-Agent Communication
permit(
principal is Agent,
action == Action::"message",
resource is Agent
) when {
// Same goal allows communication
context.goal == resource.current_goal ||
// Or explicit communication permission
resource in principal.allowed_contacts
};
Safety Policies
Prevent Data Exfiltration
forbid(
principal is Agent,
action == Action::"execute",
resource is Tool
) when {
// Block external communication with sensitive data
resource.capability == "external_api" &&
context.has_sensitive_data == true
};
Rate Limiting
forbid(
principal is Agent,
action == Action::"execute",
resource is Tool
) when {
// Too many executions
context.tool_executions_this_minute > 10
};
Human-in-the-Loop
forbid(
principal is Agent,
action,
resource
) when {
// Require human approval for high-impact actions
resource.impact_level == "high" &&
!context.has_human_approval
};
Example: Customer Support Agent
// Base permissions for support agents
permit(
principal is Agent,
action == Action::"read",
resource is CustomerRecord
) when {
principal.type == "support_agent" &&
context.goal == "customer_support" &&
context.intent in [
"lookup_customer",
"view_order_history",
"check_account_status"
]
};
// Allow ticket creation
permit(
principal is Agent,
action == Action::"execute",
resource == Tool::"create_ticket"
) when {
principal.type == "support_agent" &&
context.goal == "customer_support" &&
context.intent == "create_support_ticket"
};
// Block sensitive data access
forbid(
principal is Agent,
action,
resource is PaymentInfo
) when {
principal.type == "support_agent"
};
// Require human for refunds
forbid(
principal is Agent,
action == Action::"execute",
resource == Tool::"process_refund"
) when {
!context.has_human_approval
};
Example: Research Agent
// Research agents can search and read
permit(
principal is Agent,
action in [Action::"search", Action::"read"],
resource
) when {
principal.type == "research_agent" &&
context.goal.startsWith("research/") &&
context.intent in [
"search_documents",
"analyze_content",
"summarize_findings"
]
};
// Can use web search tool
permit(
principal is Agent,
action == Action::"execute",
resource == Tool::"web_search"
) when {
principal.type == "research_agent" &&
context.intent == "search_web"
};
// Cannot modify data
forbid(
principal is Agent,
action in [Action::"write", Action::"delete"],
resource
) when {
principal.type == "research_agent"
};
Testing Intent-Goal Policies
# Test customer support agent
curl -X POST http://localhost:8081/authorize \
-H "Content-Type: application/json" \
-d '{
"principal": "Agent::\"support-bot\"",
"action": "Action::\"read\"",
"resource": "CustomerRecord::\"cust-12345\"",
"context": {
"intent": "lookup_customer",
"goal": "customer_support",
"delegation_chain": [
{
"from": "User::\"support-rep\"",
"to": "Agent::\"support-bot\"",
"scope": ["read", "execute"]
}
]
}
}'
Next Steps
- Delegation Chains - Deep dive on delegation
- SDK Integration - Implement in your agents