AGENT BOUNDARY SHEET — TEMPLATE (copy/paste into your PRD)

Goal: Define authority, approvals, evidence, and rollback for ONE agent workflow. This is the spec that prevents “cool demo, unusable product.”

1) Workflow
- Name:
- Primary user:
- Systems touched (e.g., Gmail, Slack, Jira, Salesforce, GitHub):
- Success condition (observable):

2) Data access (server-enforced; prompts don’t count)
For each system, fill in:
- Connector/auth method (OAuth, service account, etc.):
- Scope: None / Read / Read+Write
- Object boundaries (which projects, repos, folders, orgs):
- Sensitive fields blocked (if any):

3) Actions catalog (be literal)
List every action the agent may propose or execute. For each action:
- Action verb: Create / Update / Delete / Send / Merge / Deploy / Invite / Grant access
- Target object(s):
- Max blast radius: Single / Small batch (define) / Large batch (define)
- Default mode: Propose-only or Execute

4) Approvals (map to risk)
For each action, choose ONE approval requirement:
- None (only for reversible, low-risk actions)
- Click confirm (requires preview UI)
- Typed confirmation phrase
- Step-up auth (SSO re-auth)
- Manager/admin approval (separate approver, never the requesting user)

5) Evidence required BEFORE action
Define what the agent must show in the UI prior to execution:
- Exact payload/diff (before/after)
- Impacted objects list (IDs/names)
- Recipients (for any outbound message)
- Policy checks (DLP label, permission checks, environment checks)
- Cost/time estimate if relevant (qualitative is fine)

6) Rollback plan (no rollback = no autonomy)
For each executable action:
- Rollback type: Undo / Compensating action / None (None means the action stays propose-only)
- How rollback works (specific API call or manual steps):
- Rollback time window (if constrained by the external system):

7) Logging + audit
- Event types logged: Proposed, Approved, Executed, Failed, Rolled back
- Log fields: actor, tool, scope, payload hash, timestamps, trace ID
- Where logs live and who can access them:

8) Guardrails
- Rate limits (per user/per org/per hour):
- Environment restrictions (dev vs prod):
- Allowlist of tools/actions:
- Kill switch (who can disable autonomy instantly):

Definition of done:
- Every executable action has: (a) server-side permissioning, (b) a preview/evidence UI, (c) an approval rule, (d) a rollback or compensating action, (e) audit logs.
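As an added example (not part of the original template), the Python below encodes one filled-in boundary sheet as a server-side gate: the actions catalog is the allowlist, connector scopes are looked up in a grant table the prompt never sees, blast radius and environment are checked before anything else, the before/after diff and recipients are computed as evidence, an action whose rollback type is None can only ever be proposed, admin approval is rejected when the approver is the actor, and every step writes an audit event with actor, tool, scope, payload hash and trace ID. The systems, action rows, actor “alice”, her grants and the `ActionGate`/`ActionSpec`/`Request`/`Decision` names are all constructed for illustration.

```python
from __future__ import annotations
import hashlib
import json
import uuid
from dataclasses import dataclass, field
from enum import Enum

class Approval(Enum):
    NONE = "none"                    # only for reversible, low-risk actions
    CLICK_CONFIRM = "click_confirm"  # requires a preview UI
    TYPED_PHRASE = "typed_phrase"
    STEP_UP = "step_up_auth"         # SSO re-auth
    ADMIN = "admin_approval"         # must come from a separate approver

class Rollback(Enum):
    UNDO = "undo"
    COMPENSATING = "compensating"
    NONE = "none"                    # no rollback = no autonomy (propose-only)

@dataclass(frozen=True)
class ActionSpec:
    """One row of the actions catalog with its approval, rollback and guardrails (hypothetical)."""
    verb: str
    target: str                   # object type exposed by the connector
    scope: str                    # connector scope required: "read" or "write"
    max_batch: int                # blast radius cap
    approval: Approval
    rollback: Rollback
    environments: frozenset[str]  # environments where execution is permitted at all

@dataclass
class Request:
    actor: str
    verb: str
    target: str
    object_ids: list[str]
    payload: dict
    environment: str
    approval_given: Approval = Approval.NONE
    approver: str | None = None

@dataclass
class Decision:
    status: str                   # "denied" | "proposed" | "executed"
    reason: str
    trace_id: str
    evidence: dict = field(default_factory=dict)

SCOPE_RANK = {"none": 0, "read": 1, "write": 2}

class ActionGate:
    def __init__(self, catalog: list[ActionSpec], grants: dict, kill_switch: bool = False):
        self.catalog = {(a.verb, a.target): a for a in catalog}  # the allowlist of actions
        self.grants = grants            # {(actor, target): scope}; enforced here, not in the prompt
        self.kill_switch = kill_switch  # flipping this disables all autonomy instantly
        self.audit_log: list[dict] = []

    def _audit(self, event: str, req: Request, trace_id: str, detail: str = "") -> None:
        payload_hash = hashlib.sha256(json.dumps(req.payload, sort_keys=True).encode()).hexdigest()
        self.audit_log.append({"event": event, "actor": req.actor, "tool": f"{req.verb}:{req.target}",
                               "scope": list(req.object_ids), "payload_hash": payload_hash,
                               "trace_id": trace_id, "detail": detail})

    @staticmethod
    def _evidence(req: Request, before: dict) -> dict:
        """Exact before/after diff, impacted object IDs and recipients, shown prior to execution."""
        diff = {oid: {"before": before.get(oid, {}), "after": {**before.get(oid, {}), **req.payload}}
                for oid in req.object_ids}
        return {"impacted": list(req.object_ids), "diff": diff, "recipients": req.payload.get("to", [])}

    def check(self, req: Request, before: dict) -> Decision:
        trace_id = uuid.uuid4().hex

        def deny(reason: str) -> Decision:
            self._audit("Failed", req, trace_id, reason)
            return Decision("denied", reason, trace_id)

        if self.kill_switch:
            return deny("kill switch engaged: autonomy disabled")
        spec = self.catalog.get((req.verb, req.target))
        if spec is None:
            return deny("action not in allowlist")
        if req.environment not in spec.environments:
            return deny(f"not permitted in environment {req.environment!r}")
        granted = self.grants.get((req.actor, req.target), "none")
        if SCOPE_RANK[granted] < SCOPE_RANK[spec.scope]:
            return deny(f"connector scope {granted!r} below required {spec.scope!r}")
        if len(req.object_ids) > spec.max_batch:
            return deny(f"batch of {len(req.object_ids)} exceeds max blast radius {spec.max_batch}")
        evidence = self._evidence(req, before)
        self._audit("Proposed", req, trace_id)
        if spec.rollback is Rollback.NONE:
            return Decision("proposed", "no rollback: propose-only", trace_id, evidence)
        if spec.approval is not Approval.NONE:
            if req.approval_given is not spec.approval:
                return Decision("proposed", f"awaiting {spec.approval.value}", trace_id, evidence)
            if spec.approval is Approval.ADMIN and req.approver in (None, req.actor):
                return deny("admin approval must come from a separate approver")
            self._audit("Approved", req, trace_id, req.approver or req.actor)
        self._audit("Executed", req, trace_id)
        return Decision("executed", "ok", trace_id, evidence)

def demo_gate() -> ActionGate:
    """Constructed sample sheet: hypothetical systems, actor and grants, not real configuration."""
    catalog = [
        ActionSpec("Update", "jira.issue", "write", 20, Approval.CLICK_CONFIRM, Rollback.UNDO,
                   frozenset({"dev", "prod"})),
        ActionSpec("Send", "gmail.message", "write", 1, Approval.TYPED_PHRASE, Rollback.NONE,
                   frozenset({"prod"})),  # mail cannot be unsent, so it never executes autonomously
        ActionSpec("Delete", "github.repo", "write", 1, Approval.ADMIN, Rollback.COMPENSATING,
                   frozenset({"dev"})),
    ]
    grants = {("alice", "jira.issue"): "write", ("alice", "gmail.message"): "write",
              ("alice", "github.repo"): "read"}
    return ActionGate(catalog, grants)
```

The ordering inside `check` is deliberate: kill switch, allowlist, environment, scope and blast radius are all decided from server-side data before any evidence is rendered or any approval is consulted, so a user clicking “confirm” on a preview can never widen what the connector is allowed to do. A “Rolled back” event would be written by the corresponding undo or compensating call, which this gate does not implement.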