This policy establishes access control requirements for AI agents operating within organizational systems. It defines the minimum standards for authentication, authorization, and privilege management for autonomous and semi-autonomous AI systems.
1.0 Policy Statement
AI agents, including autonomous software systems that act on behalf of users or the organization, must be subject to the same identity and access management (IAM) controls applied to human users and traditional software systems. All AI agent access to organizational resources shall follow the principle of least privilege, be time-bounded where feasible, and be fully auditable.
An AI agent is not a trusted insider by default. It is a software principal with defined permissions, an auditable identity, and revocable access. Treat AI agent credentials with the same rigor as privileged human accounts.
2.0 Scope
This policy applies to all AI agents deployed by or on behalf of the organization, including but not limited to:
- LLM-based agents with access to internal APIs, databases, or communication systems
- Robotic process automation (RPA) bots executing on behalf of users or business processes
- Agentic AI tools capable of browsing, file operations, code execution, or external API calls
- AI systems with delegated authority to act on a user's behalf (e.g., scheduling, email drafting, procurement)
- Third-party AI products integrated into internal systems via OAuth, API keys, or SSO
This policy does not apply to read-only AI assistants with no system access, or to AI tools operating entirely outside organizational networks and data environments.
3.0 AI Agent Access Tiers
All AI agents operating within organizational systems must be classified at the time of intake using the following access tier framework. Classification determines the required controls, review frequency, and oversight requirements.
| Tier | Classification | Permitted Access | Prohibited | Oversight |
|---|---|---|---|---|
| Tier 0 | Read-only / No system access | Public data, user-supplied input | Any internal system access | No formal review required |
| Tier 1 | Low Privilege | Internal read-only APIs, approved data lakes, user calendar with explicit consent | Write access to production systems | Annual review, IT approval |
| Tier 2 | Elevated Privilege | Write access to non-critical systems, API calls with rate limits, delegated email with logging | Financial transactions, HR data, infrastructure changes without human approval | Quarterly review, CISO + AI Lead |
| Tier 3 | High Privilege / Restricted | Permitted only under explicit human-in-the-loop authorization for each action sequence | Unsupervised autonomous action in critical systems | Continuous monitoring, board notification required |
4.0 Required Access Controls
All AI agents classified at Tier 1 or above must implement the following controls prior to production deployment. Controls must be documented in the AI agent's system record.
4.1 Identity and Authentication
- Each AI agent must be issued a unique, non-shared identity (service account, OAuth client, or API key)
- Credentials must be stored in an approved secrets management system; hardcoded credentials are prohibited
- Credentials must expire and rotate on a schedule not to exceed 90 days for Tier 2 and above
- AI agent identities must be distinguishable from human user identities in all access logs
4.2 Authorization and Least Privilege
- AI agents must be granted only the minimum permissions required to complete their defined function
- Permissions must be explicitly approved; deny-by-default applies to all unlisted resource access
- Broad resource scopes (e.g., full read/write to a shared drive) require documented business justification and CISO approval
- Delegated user permissions (acting on behalf of a human) must require explicit user consent and be revocable at any time
4.3 Audit and Logging
- All AI agent actions on organizational systems must generate audit log entries including: timestamp, agent identity, resource accessed, action taken, and outcome
- Logs must be retained for a minimum of 12 months and be tamper-evident
- Anomalous access patterns must trigger automated alerts to the security operations team
AI agent sessions must time out after a defined inactivity period. Tier 2 agents: 4 hours. Tier 3 agents: 1 hour or per-task, whichever is shorter.
AI agents may not request additional permissions at runtime. Any permission expansion requires a new access request and approval cycle.
A defined process must exist to revoke all AI agent credentials within 15 minutes of an incident declaration, without requiring access to the agent itself.
Vendor AI tools requesting OAuth or API access must pass vendor risk assessment before credentials are issued. Access must be scoped to the minimum required by the product.
5.0 Prohibited Configurations
The following configurations are prohibited for all AI agents regardless of tier, business justification, or vendor claims:
- Shared credentials between an AI agent and any human user account
- AI agent access to production databases without a read-only replica or abstraction layer
- AI agents with the ability to create or modify their own access permissions
- AI agents with write access to audit or security log systems
- AI agents operating without an assigned human owner accountable for their actions
- AI agents that can invoke other AI agents or tools without explicit organizational approval of the agentic chain
6.0 Policy Exceptions
Exceptions to this policy must be submitted to the AI Governance Lead and CISO for joint review. All approved exceptions must include: a documented risk acceptance statement, a defined remediation timeline, and compensating controls. Exceptions are valid for a maximum of 90 days and may not be renewed more than once without executive escalation.