Get your AI & Cloud Leakage Score

Tirion Agent Permission Model

Agent Permission Model

A permission model for AI agents that use tools, read data or trigger actions without receiving uncontrolled privileges.

Tirion Agent Permission Model

Framework overview

An AI agent should not be treated like a human user with broad rights. The Agent Permission Model separates purpose, identity, tool inventory, scopes, data classes, action tiers, human approval, audit and kill switch.

Architecture model

The Rights And Control Model

The framework treats agents as operating risks of their own: they have purpose boundaries, identities, tools, data access and action impact that must be documented and approved separately.

01Purpose Bound

The agent has a narrow purpose and cannot use tools outside that purpose.

02Permission Stack

User, service and business identity, OAuth/Graph scopes and data classes are separated.

03Action Control

Actions are tiered by impact, validated, logged, approved and disabled when needed.

Scorecard logic

Each dimension is scored from 0 to 3. The most critical issues are write access, global admin rights, untrusted content and missing audit.

30 to 36 points

Production-ready for the defined scope.

23 to 29 points

Pilot-ready with controlled actions.

16 to 22 points

Demo or read-only only.

0 to 15 points

Do not deploy.

Readiness dimensions0-3
Purpose Bound

Is the agent purpose clear and narrow enough?

0-3
Identity

Is it clear which user, service and business identity acts?

0-3
Tool Inventory

Are all tools documented with owner, purpose and side effects?

0-3
Scope Minimality

Are API, Graph and OAuth scopes minimal and justified?

0-3
Data Boundary

Are data classes, tenant boundaries and sensitivity defined?

0-3
Action Tiering

Is every action assigned to P0 through P5?

0-3
Human Approval

Does approval match the impact of the action?

0-3
Prompt Injection Defense

Are untrusted contents separated from instructions?

0-3
Tool Guardrails

Is validation performed before and after tool execution?

0-3
Auditability

Are tool calls, arguments, approvals and outputs traceable?

0-3
Rollback

Are correction or reversal processes defined for write actions?

0-3
Kill Switch

Can the agent or tool be disabled immediately?

0-3

Hard stop criteria

Hard stop criteria

  • Write access without tool and approval policy.
  • Global admin, mailbox, drive or Graph rights without justification.
  • Untrusted content plus tool execution without isolation.
  • No audit for external or mutating actions.
  • No accountable owner.

Short checklist

Short checklist

  • Agent identity and owner defined.
  • Tool list and tool manifests available.
  • Scopes are minimal and separated by task.
  • P0-P5 action tier defined for each tool.
  • Human approval configured before P4/P5 actions.
  • Traces, rollback and kill switch available.

Where to use this framework

Where to use this framework

Review a tool agent before production

Classify every tool by purpose, side effects, approval and audit.

Limit M365 or Graph permissions

Prevent agents from receiving global or unnecessarily broad scopes.

Cut human approval cleanly

Define which actions are autonomous, review-required or forbidden.

Executive FAQ

Executive FAQ

Author: TirionReviewed by: Tirion Agent Governance Framework

Why does an agent need its own permission model?

Because agents combine tools, interpret content and trigger actions. Classic user permissions are not enough as a control model.

What is a hard stop criterion?

Any setup where an agent can write, communicate externally or read broad data without owner, approval, audit and kill switch.

Is read-only always safe?

No. Read-only still needs data classification, permission hygiene and prompt-injection defense, but it is often the better pilot start.

Start now

Need this translated into a real decision?

Use the score to identify the strongest AI, cloud or governance leakage before choosing a next step.