SAIL 2.0

/

AI Policy & Safe experimentation (Plan)

/

No Action-Authorization Policy Defined

1.12

.

No Action-Authorization Policy Defined

sail
1.12
Risk

No Action-Authorization Policy Defined

Description

Policy articulates session-level access control for agents but doesn't define per-action authorization requirements โ€” leaving the runtime layer without policy backing for action-level enforcement.

Example

An agent passes session authentication once and then chains 200 tool invocations across 30 minutes, none of which are individually authorized or policy-checked.

Assets Affected

AI Policy

AI Agent

Tool

Agent Communication Protocol (ACP)

Mitigation
  • Define a baseline allow/deny/HITL list of high-risk actions that are always blocked or always require approval and rely on harness auto-mode for routine actions rather than authorizing each call manually. Reserve finer-grained, context-aware authorization for the specific workflows that warrant it..
Standards Mapping
  • ISO: A.9.4, A.6.2.5
  • OWASP agentic: ASI02, ASI03
  • OWASP LLM: LLM06:2025
  • EU AI Act: Art. 14, Art. 15(5)
  • DASF: Agents-Core 13.2, Model Serving 9.13
  • AIUC-1: B006, D003