SAIL 2.0

/

Build - AI Security Posture Management

/

Missing Per-Action Authorization Policy at Build

3.16

.

Missing Per-Action Authorization Policy at Build

sail
3.16
Risk

Missing Per-Action Authorization Policy at Build

Description

No policy framework is defined at posture-set time for action-level authorization, leaving the runtime layer with only session-level controls.

Example

An agent is approved at session start, then chains 50 tool calls β€” including ones that access HR data β€” none of which is individually authorized against policy.

Assets Affected

AI Policy

AI Agent

Tool

Agent Communication Protocol (ACP)

Mitigation
  • Define per-action authorization requirements at build time
  • classify tools and actions by sensitivity
  • specify which actions require secondary auth, human approval, or are auto-denied
  • align build-time policy with runtime enforcement.
Standards Mapping
  • ISO: A.9.4, A.6.2.5
  • OWASP agentic: ASI02, ASI03
  • OWASP LLM: LLM06:2025
  • EU AI Act: Art. 14, Art. 15(5)
  • DASF: Agents-Core 13.2, Model Serving 9.13
  • AIUC-1: B006, D003