Decoupling Authorization Policies from Application Logic in AI Agents

By Pietro Valfrè

February 19, 2025

This post is for anyone struggling with the problems of building AI Agents.

We know you are facing hundreds of problems right now, and one class of them can be called Agent Authorizations.

Agent Authorizations may range from limiting access to specific documents during RAG, to determining the need for human confirmation before proceeding with an action or pausing the agentic loop when a potential prompt injection is detected.

Most developers find it hard to distinguish between what we call Agent Authorizations and what they call Agent Logic. That feeling of authorization being too deeply entangled with the application logic was common well before AI Agents came into play.

Keeping all authorization checks inside the application logic makes perfect sense while the application is simple. As soon as complexity grows, however, the benefits of decoupling authorization policies from the core application logic become evident: the policy layer can pull the attributes it needs from multiple services, policy changes are made consistently in one central place, and fine-grained, dynamic control becomes possible without rewriting application code.

If that was already the case for deterministic software, imagine how the number of cases explodes with LLM-powered applications. You may want to require human authorization only for the riskier actions the AI Agent performs. You may also want an additional human-in-the-loop step whenever the request comes from an untrusted IP address. The variety of such cases is so high that editing the application logic every time the security team comes up with a new requirement becomes practically impossible.

This is how we see the future of AI Agent architectures. The purple box is us.

Agent Architecture

As the image illustrates, we believe the application logic (the yellow box) should be dedicated solely to the raw capability and performance of the Agent. That is the area on which evals and optimization iterations should focus.

Everything else, the constraints on what the Agent is allowed to do, should be handled through policy enforcement.
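The following is an added example, not code from the original post or from the product it describes, sketching what this separation looks like in practice: a small policy decision point (PDP) sits between the agent's tool calls and their execution, and the three cases mentioned above (human confirmation for risky tools, extra confirmation for untrusted source IPs, halting the loop on a suspected prompt injection) are expressed as data-driven rules rather than branches in the agent loop. The rule names, tool names, trusted networks and the `injection_detected` signal are all constructed for illustration; in a real deployment the injection signal would come from a separate classifier and the network list from configuration.

```python
"""Added example: a minimal policy decision point (PDP) between an AI agent's
tool calls and their execution. Policies are data, not code, so adding a rule
does not touch the agent loop. All names, tools and IP ranges are constructed."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Callable


class Decision(str, Enum):
    ALLOW = "allow"
    REQUIRE_HUMAN = "require_human"
    DENY = "deny"


@dataclass(frozen=True)
class Request:
    """Everything the PDP needs: who, what, from where, plus signals the
    pipeline already computed (here a constructed injection-detector flag)."""
    principal: str
    tool: str
    args: dict
    source_ip: str
    injection_detected: bool = False


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Request], bool]
    decision: Decision


# Precedence when several rules match: DENY beats REQUIRE_HUMAN beats ALLOW.
_SEVERITY = {Decision.ALLOW: 0, Decision.REQUIRE_HUMAN: 1, Decision.DENY: 2}

TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # constructed
RISKY_TOOLS = {"send_email", "delete_file", "transfer_funds"}            # constructed


def from_trusted_network(req: Request) -> bool:
    """Attribute lookup the policy layer does on the agent's behalf."""
    return any(ip_address(req.source_ip) in net for net in TRUSTED_NETS)


# The security team edits this list; the agent code below never changes.
POLICIES = [
    Rule("pause-on-injection", lambda r: r.injection_detected, Decision.DENY),
    Rule("confirm-risky-tools", lambda r: r.tool in RISKY_TOOLS, Decision.REQUIRE_HUMAN),
    Rule("confirm-untrusted-ip", lambda r: not from_trusted_network(r), Decision.REQUIRE_HUMAN),
]


def evaluate(req: Request, policies=POLICIES) -> tuple[Decision, list[str]]:
    """Evaluate every rule; the most severe decision wins.
    Also returns the names of matched rules for the audit log."""
    decision = Decision.ALLOW
    matched: list[str] = []
    for rule in policies:
        if rule.matches(req):
            matched.append(rule.name)
            if _SEVERITY[rule.decision] > _SEVERITY[decision]:
                decision = rule.decision
    return decision, matched


# --- Agent side: knows only the three outcomes, nothing about the rules. ---
TOOLS = {
    "search_docs": lambda args: f"results for {args['q']}",
    "send_email": lambda args: f"email sent to {args['to']}",
}


def run_tool(req: Request, confirm: Callable[[Request], bool]) -> str:
    """Policy enforcement point wrapping tool execution. `confirm` is the
    human-in-the-loop hook (UI prompt, ticket, etc.); here it is injected."""
    decision, matched = evaluate(req)
    if decision is Decision.DENY:
        return f"blocked by {matched}"
    if decision is Decision.REQUIRE_HUMAN and not confirm(req):
        return f"awaiting human approval ({matched})"
    return TOOLS[req.tool](req.args)


if __name__ == "__main__":
    trusted = Request("alice", "search_docs", {"q": "roadmap"}, "10.1.2.3")
    risky = Request("alice", "send_email", {"to": "bob@example.com"}, "10.1.2.3")
    injected = Request("alice", "send_email", {"to": "x"}, "203.0.113.5", injection_detected=True)
    for r in (trusted, risky, injected):
        print(r.tool, "->", run_tool(r, confirm=lambda _: False))
```

Adding a new constraint, say denying a tool outside business hours, means appending one `Rule` to `POLICIES`; `run_tool` and the tools themselves are untouched, which is the point of moving authorization out of the agent loop.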

We've created a Discord server to discuss these topics with developers interested in applying authorization as a service to their agentic architectures.

You can join it here.

Feel free to jump in and shoot us any questions!