Agentic Workflow Hard-Permissions Checklist (2026)

Use this to turn “AI assistant” work into a shippable, supportable product feature.

1) Define the workflow boundary
- Name the workflow in business terms (e.g., “AP bill intake,” “support triage,” “access review”).
- List the systems touched (ticketing, email, CRM, repo, database, ERP).
- Identify irreversible actions (send, merge, delete, approve, grant access).

2) Convert actions into domain tools
- Avoid “super tools” (run_sql, admin_api, execute_script).
- Create narrow tool methods aligned to domain objects (create_draft_bill, propose_ticket_tags, open_pr_branch).
- Make each tool validate inputs; fail closed.

3) Implement a 3-tier permission model
- Read: fetch/search/summarize. Log everything.
- Write draft: create artifacts in a reversible state (drafts, branches, suggestion mode).
- Commit: external side effects. Require explicit approval or an existing approval workflow.

4) Bind identity and scopes
- Every tool call runs as a real principal: user or service account.
- Use your existing auth model (OAuth scopes, RBAC roles, service identities).
- Never allow the model to “act as admin” by default.

5) Ship an approval and review surface
- Show a plan before execution (structured steps tied to tool calls).
- Present diffs for changes (field-level diffs, patches, PRs).
- Batch approvals for high-volume workflows.

6) Build receipts (auditability)
- Log: user identity, model/version, prompt/context references, tool calls, outputs, artifact IDs, approvals.
- Make it searchable by object and by actor.
- Ensure logs don’t leak secrets to end users.

7) Add rollback and containment
- Provide undo for reversible actions.
- For irreversible actions, default to drafts/queues.
- Add a “safe mode” kill switch to disable commit actions while keeping read/draft.

8) Plan for failure modes
- Timeouts: agent should leave partial artifacts in a reviewable state.
- Hallucinations: require citations/links for any claimed source in the workflow.
- Data access: prevent cross-tenant data exposure; isolate retrieval per tenant.

9) Decide what you will not automate
- Write it down: which actions are always human-only.
- Encode that rule outside the model (tool denies), not only in prompts.

10) Acceptance test before launch
- Run the workflow with a test account that has minimal permissions.
- Confirm: the agent can propose and draft, but cannot commit without an approval record.
- Confirm: you can answer “who changed what, when, and through which tool call” using logs alone.
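
An added example (not part of the original checklist): a minimal Python tool gate that enforces items 3, 7 and 9 outside the model and writes a receipt for every decision (item 6). The tool names search_bills and approve_bill, the scope strings, and the choice of grant_access as a human-only action are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field

READ, DRAFT, COMMIT = "read", "write_draft", "commit"

# Hypothetical registry: tool name -> (tier, required scope). Unlisted tools are denied.
TOOLS = {
    "search_bills": (READ, "bills:read"),
    "create_draft_bill": (DRAFT, "bills:draft"),
    "approve_bill": (COMMIT, "bills:commit"),
}
HUMAN_ONLY = {"grant_access"}  # assumed human-only action; denied whatever the prompt says


@dataclass
class Gate:
    safe_mode: bool = False                        # kill switch: blocks the commit tier only
    approvals: dict = field(default_factory=dict)  # (tool, object_id) -> approver
    receipts: list = field(default_factory=list)   # append-only audit log

    def approve(self, approver, tool, object_id):
        self.approvals[(tool, object_id)] = approver

    def call(self, principal, scopes, tool, object_id):
        """Return (allowed, reason); allow and deny decisions are both logged."""
        allowed, reason, approver = self._decide(scopes, tool, object_id)
        self.receipts.append({"ts": time.time(), "actor": principal, "tool": tool,
                              "object": object_id, "allowed": allowed,
                              "reason": reason, "approved_by": approver})
        return allowed, reason

    def _decide(self, scopes, tool, object_id):
        if tool in HUMAN_ONLY:
            return False, "human_only", None
        if tool not in TOOLS:
            return False, "unknown_tool", None       # fail closed
        tier, scope = TOOLS[tool]
        if scope not in scopes:
            return False, "missing_scope", None
        if tier != COMMIT:
            return True, "ok", None
        if self.safe_mode:
            return False, "safe_mode", None           # approval is kept, not consumed
        approver = self.approvals.pop((tool, object_id), None)  # single-use approval
        if approver is None:
            return False, "no_approval_record", None
        return True, "ok", approver
```

The same gate doubles as the item 10 acceptance test: run it with a minimal-scope principal and confirm that commit calls are denied until an approval record exists.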