ConsultingWorkbench-backed AI security engagements — map, attack, defend, and prove your AI systems.

Agent Tool Permission Matrix

A structured matrix showing exactly what each AI agent can read, suggest, draft, queue, approve, execute, log, and change across tools and workflows.

Publication overview: public sample, 12-24 pages, 3 offers, 3 personas, 2 CTAs, 1/1 data sources, 2026-05-25

Synthetic sample permission matrix for an AI copilot with retrieval, case-management, customer messaging, CRM, billing, and notification tool access.

System: Northstar Support Cloud / Customer Support Copilot
Environment: Production pilot
Primary owner: AI Platform Engineering
Security owner: Product Security

# Agent Tool Permission Matrix
Sample Deliverable

## Executive Summary

This matrix turns agent authority into a reviewable control model. It separates what the AI system can read, suggest, draft, queue, approve, and execute across each connected tool. The key point is simple: agent security is not one permission. It is a set of bounded authorities, each with a risk level, owner, approval requirement, and audit trail.

Decision · conditional

Recommended agentic risk decision

agent-tool-permission-review

Continue read and draft capabilities under the gateway, but block customer-visible execution, billing changes, CRM writes, and external webhooks until action classes, approval bundles, and trace evidence are fully implemented.

## Metrics

Permission Matrix Snapshot

agent-tool-permission-review

Tools reviewed: 6
Critical actions: 4
Blocked actions: 3
Conditional actions: 3
Human-only approvals: 3

The real risk is authority, not chat

A chatbot answers. An agent acts. The moment an AI system can call tools, update records, send messages, issue credits, or trigger workflows, the security question becomes one of authority.
## Authority model

Action classes

agent-tool-permission-review

| Action class | Meaning | Default approval | Risk |
|---|---|---|---|
| Read | Retrieve allowed context without changing state | not required | medium |
| Suggest | Propose a next action without executable payload | not required | medium |
| Draft | Prepare customer-facing or system-facing content | required before send | high |
| Queue | Create a pending action object | required before execute | high |
| Approve | Authorize an action | human-only | critical |
| Execute | Perform a state-changing action | restricted | critical |

Agent permission matrix

Agent Tool Permission Matrix

The matrix shows which capabilities are approved, conditional, blocked, or denied for each connected tool.

Data source: content/deliverables/data/agent-tool-permission-matrix.json

Principle: Separate reading, suggesting, drafting, queuing, approving, and executing. Do not treat all tool access as one permission.
Default posture: deny-by-default
Approval model: Human approval required for customer-visible, billing-impacting, destructive, privileged, or cross-tenant actions.

| Agent | Tool | Action | Scope | Approval | Risk | Owner |
|---|---|---|---|---|---|---|
| Support Copilot | Case Management API | read | tenant-scoped support cases visible to the authenticated user | no | medium | Support Platform |
| Support Copilot | Customer Messaging | draft | draft response text for the active case only | yes, before send | high | Product Operations |
| Support Copilot | Customer Messaging | execute | send customer-visible response | yes, human-only approval | critical | Product Operations |
| Support Copilot | Case Management API | queue | priority, category, routing tags, summary fields | yes for priority and routing changes | high | Support Platform |
| Support Copilot | CRM | read | account profile and entitlement fields needed for support context | no | medium | Revenue Operations |
| Support Copilot | CRM | execute | update account fields | yes, restricted to human operators | critical | Revenue Operations |
| Support Copilot | Billing System | read | plan, invoice status, entitlement flags | no for entitlement lookups | high | Finance Systems |
| Support Copilot | Billing System | execute | issue credits, refunds, plan changes | human-only approval and finance policy gate | critical | Finance Systems |
| Support Copilot | Notification Service | queue | internal team notification for escalation only | no for internal escalation templates | medium | Product Operations |
| Support Copilot | External Webhook | execute | third-party workflow triggers | yes, security-reviewed allowlist only | critical | Integration Platform |

## Findings

Permission Findings

Finding · critical

Action classes are not consistently enforced

Evidence: agent-tool-permission-review

The product separates some draft and execute paths, but the permission model is not yet enforced uniformly across all tools.


Why this matters

A broad tool token is not an agent permission model. The control has to live at the action-class level.
Finding · high

Approval context is too thin for sensitive actions

Evidence: approval-context-review

Approvers need evidence, target, rationale, blast radius, and rollback details. Current approval screens do not always show enough context.

Finding · critical

Third-party webhook execution should remain blocked

Evidence: external-webhook-review

External webhooks create hard-to-bound blast radius and should remain blocked until allowlists, payload schemas, approval bundles, and trace evidence are complete.

## Tool policy

Tool policy by risk

agent-tool-permission-review

| Tool surface | Allowed now | Conditional | Blocked |
|---|---|---|---|
| Case Management API | read cases | queue metadata updates | direct destructive changes |
| Customer Messaging | draft responses | send with approval | auto-send |
| CRM | read entitlement context | none | write account fields |
| Billing System | read entitlement flags | none | credits, refunds, plan changes |
| Notification Service | internal escalation notifications | external notifications | broad broadcast |
| External Webhooks | none | allowlisted draft payloads | direct execution |

Decision · conditional

Approval bundle decision

approval-context-review

Do not approve sensitive actions from a generic confirmation modal. Require an approval context bundle with target, diff, evidence, rationale, blast radius, rollback path, reviewer identity, and immutable trace reference.
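As an added example (not code from the original deliverable or from the Northstar Support Cloud product), the following Python check enforces the approval bundle decision above together with the human-only rule for the Approve action class: it rejects a generic confirmation modal that carries only a target and a reviewer, and it rejects the agent approving its own call. The bundle field names, the `human:` identity prefix for reviewers and the `trace:` prefix for immutable trace references are assumptions made for this example.

```python
"""Approval-context bundle check for sensitive agent actions.

Added example: not code from the original deliverable or from the Northstar
Support Cloud product. It assumes a bundle is a plain dict with the field
names below, that human reviewers carry a constructed "human:" identity
prefix, and that immutable trace references start with "trace:"; all three
are assumptions made for this example.
"""
from dataclasses import dataclass, field

# Fields the approval bundle decision requires before a sensitive action may be approved.
REQUIRED_FIELDS = (
    "target", "diff", "evidence", "rationale",
    "blast_radius", "rollback_path", "reviewer_identity", "trace_ref",
)


@dataclass
class ApprovalCheck:
    approved: bool
    reasons: list = field(default_factory=list)


def check_approval_bundle(bundle: dict, requesting_agent: str) -> ApprovalCheck:
    """Approve only when every required field is present and non-empty, the
    reviewer is a human principal other than the requesting agent, and the
    bundle points at an immutable trace record."""
    reasons = []
    for name in REQUIRED_FIELDS:
        value = bundle.get(name)
        if value is None or (isinstance(value, str) and not value.strip()):
            reasons.append(f"missing or empty field: {name}")
    reviewer = str(bundle.get("reviewer_identity", ""))
    # "Approve" is a human-only action class: the agent cannot approve its own call.
    if reviewer == requesting_agent:
        reasons.append("reviewer identity equals the requesting agent")
    elif reviewer and not reviewer.startswith("human:"):
        reasons.append(f"reviewer is not a human principal: {reviewer}")
    trace = str(bundle.get("trace_ref", ""))
    if trace and not trace.startswith("trace:"):
        reasons.append(f"trace reference is not an immutable trace id: {trace}")
    return ApprovalCheck(approved=not reasons, reasons=reasons)


AGENT = "agent:support-copilot"  # constructed service identity of the copilot

# Constructed: a complete bundle for a proposed billing credit.
FULL_BUNDLE = {
    "target": "billing:account-1042",
    "diff": {"credit": {"from": 0, "to": 25.00, "currency": "USD"}},
    "evidence": ["case c-9001 transcript", "invoice inv-7781 shows a duplicate charge"],
    "rationale": "Duplicate charge confirmed on invoice inv-7781",
    "blast_radius": "one account, one invoice",
    "rollback_path": "reverse the credit memo within 30 days",
    "reviewer_identity": "human:finance.lead",
    "trace_ref": "trace:9f2c1a",
}

# Constructed: all a generic confirmation modal gives the approver.
GENERIC_MODAL = {"target": "billing:account-1042", "reviewer_identity": "human:finance.lead"}

# Constructed: the agent trying to approve its own action.
SELF_APPROVED = {**FULL_BUNDLE, "reviewer_identity": AGENT}

if __name__ == "__main__":
    for label, bundle in (("full", FULL_BUNDLE), ("modal", GENERIC_MODAL), ("self", SELF_APPROVED)):
        result = check_approval_bundle(bundle, AGENT)
        print(label, "approved" if result.approved else result.reasons)
```

The check is deliberately strict about presence rather than content: a gateway cannot judge whether a rationale is good, but it can refuse to let an approval proceed when the approver was never shown the diff, the blast radius or the rollback path.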

## Required implementation controls

Controls required before expanding agent authority

- Enforce action classes in the AI gateway.
- Bind tool calls to tenant, user, case, and policy context.
- Require human-only approval for critical actions.
- Show evidence and blast radius in the approval UI.
- Log proposed action, approval, reviewer identity, and execution result.
- Deny third-party webhooks until allowlists and payload schemas are reviewed.
- Add abuse tests for tool misuse and approval bypass.
- Reconcile production tool calls against the permission matrix.
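The following Python sketch is an added example, not code from the original deliverable or from the Northstar Support Cloud product. It serves two passages: the agent permission matrix above, encoded as a deny-by-default gateway rule that checks the action class and binds every call to the authenticated tenant, user and case (with the three actions the tool-policy table blocks treated as denied regardless of approval), and the last control in this list, implemented by replaying constructed production tool-call records through that same rule to surface calls that executed without the authority the matrix grants. The record format, the identifiers and the `human:` reviewer prefix are assumptions.

```python
"""Gateway check and log reconciliation against the agent tool permission matrix.

Added example: not code from the original deliverable or from the Northstar
Support Cloud product. The MATRIX rows are transcribed from the sample matrix
and tool-policy table; the "human:" principal prefix, log records and
identifiers below are constructed for this example.
"""
from dataclasses import dataclass, fields
from typing import Optional

# Action classes from the authority model; anything else is denied outright.
ACTION_CLASSES = ("read", "suggest", "draft", "queue", "approve", "execute")

# (agent, tool, action) -> approval rule, derived from the sample matrix.
#   "none"        no approval needed
#   "required"    approval needed before send/execute
#   "human_only"  approval needed and the reviewer must be a human principal
#   "blocked"     denied today regardless of approval (decision and tool-policy table)
MATRIX = {
    ("Support Copilot", "Case Management API", "read"): "none",
    ("Support Copilot", "Case Management API", "queue"): "required",
    ("Support Copilot", "Customer Messaging", "draft"): "required",
    ("Support Copilot", "Customer Messaging", "execute"): "human_only",
    ("Support Copilot", "CRM", "read"): "none",
    ("Support Copilot", "CRM", "execute"): "blocked",
    ("Support Copilot", "Billing System", "read"): "none",
    ("Support Copilot", "Billing System", "execute"): "blocked",
    ("Support Copilot", "Notification Service", "queue"): "none",
    ("Support Copilot", "External Webhook", "execute"): "blocked",
}


@dataclass(frozen=True)
class CallContext:
    """Tenant, user and case the gateway has authenticated for this session."""
    tenant: str
    user: str
    case_id: str


@dataclass(frozen=True)
class ToolCall:
    agent: str
    tool: str
    action: str
    tenant: str
    user: str
    case_id: str
    approved_by: Optional[str] = None  # reviewer identity when an approval exists


def evaluate(call: ToolCall, ctx: CallContext) -> str:
    """Return "allow", "needs_approval" or "deny"; unknown tuples are denied."""
    if call.action not in ACTION_CLASSES:
        return "deny"
    # Bind the call to the session: cross-tenant or wrong-user calls never proceed.
    if (call.tenant, call.user, call.case_id) != (ctx.tenant, ctx.user, ctx.case_id):
        return "deny"
    rule = MATRIX.get((call.agent, call.tool, call.action), "blocked")
    if rule == "blocked":
        return "deny"
    if rule == "none":
        return "allow"
    if call.approved_by is None:
        return "needs_approval"
    if rule == "human_only" and not call.approved_by.startswith("human:"):
        return "deny"  # a service account may not stand in for a human approver
    return "allow"


def reconcile(log: list, ctx: CallContext) -> list:
    """Replay production tool-call records through the gateway rule and return
    (record id, decision) for every call that executed but should not have."""
    names = {f.name for f in fields(ToolCall)}
    findings = []
    for entry in log:
        call = ToolCall(**{k: v for k, v in entry.items() if k in names})
        decision = evaluate(call, ctx)
        if entry["outcome"] == "executed" and decision != "allow":
            findings.append((entry["id"], decision))
    return findings


# Constructed sample of production tool-call records for one support session.
SESSION = CallContext(tenant="t-acme", user="u-17", case_id="c-9001")
_BASE = {"agent": "Support Copilot", "tenant": "t-acme", "user": "u-17", "case_id": "c-9001"}
SAMPLE_LOG = [
    {**_BASE, "id": "evt-1", "tool": "Case Management API", "action": "read", "outcome": "executed"},
    # customer-visible send with no approval recorded
    {**_BASE, "id": "evt-2", "tool": "Customer Messaging", "action": "execute", "outcome": "executed"},
    # billing change executed although the class is blocked, even with a human approver
    {**_BASE, "id": "evt-3", "tool": "Billing System", "action": "execute",
     "approved_by": "human:finance.lead", "outcome": "executed"},
    # read against a different tenant than the authenticated session
    {**_BASE, "id": "evt-4", "tool": "CRM", "action": "read", "tenant": "t-other", "outcome": "executed"},
    {**_BASE, "id": "evt-5", "tool": "Customer Messaging", "action": "execute",
     "approved_by": "human:ops.reviewer", "outcome": "executed"},
]

if __name__ == "__main__":
    for record_id, decision in reconcile(SAMPLE_LOG, SESSION):
        print(f"{record_id}: executed, but the gateway decision is {decision}")
```

Running the reconciliation over the constructed records flags three of the five: the send with no approval, the billing change that ran despite being a blocked class, and the cross-tenant read. The same `evaluate` function is what the gateway would call inline before any tool invocation, so the reconciliation detects drift between the matrix and what production actually executed rather than maintaining a second copy of the policy.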

Procurement value

This matrix gives enterprise reviewers a concrete answer to a hard question: what can the AI system actually do?
Related artifact: AI Trust Boundary Map (/deliverables/ai-trust-boundary-map)

The trust boundary map shows where authority changes. This matrix defines which authority is allowed at each tool boundary.

## Appendix: review questions

Questions to ask for every agent tool

- What system does the tool access?
- What data can the tool read?
- What state can the tool change?
- What action class does each tool call belong to?
- What tenant and user context is bound to the call?
- What approval is required?
- What evidence is shown to the approver?
- What is logged before and after execution?
- What rollback path exists?