AGENT AUTHORIZATION MATRIX (AAM) — TEMPLATE Purpose Define which AI/agent workflows exist, what actions they can take, and the human accountability and controls around them. This is not an “AI strategy” doc. It’s an operating document. 1) Inventory (list every workflow) For each workflow, fill one line: - Workflow name: - Where it runs (GitHub, Slack, Jira, internal service, cloud function, etc.): - Trigger (manual, scheduled, webhook, incident, ticket status change): - Primary output (PR, deploy, config change, customer reply, report): - Systems touched (repos, cloud accounts, databases, CRM, support tooling): 2) Classify autonomy (choose one) - Draft-only (writes suggestions; cannot execute) - Propose + gated execute (executes only after explicit approval) - Autonomous in sandbox (end-to-end, but only non-production) - Autonomous in production with guardrails (direct action allowed) 3) Decision rights and accountability For each workflow: - Business owner (name + role): accountable for outcomes and policy - Technical owner (name + role): accountable for implementation and reliability - Approver(s) for high-risk actions (role, not just a person): - On-call or escalation path: - Who can pause/disable it immediately: 4) Action policy (be concrete) List the exact actions allowed: - Allowed READ actions: - Allowed WRITE actions: - Forbidden actions (explicitly list): - Data prohibited (PII/PHI, secrets, certain repos, customer contracts, etc.): 5) Evidence required for execution Define what must be attached to an action before it can merge/ship: - Linked ticket/incident ID required? (Y/N) - Diff or plan required? (Y/N) - Test evidence required? (unit/integration/e2e; specify): - Human review required? (how many approvals; which team): - Logging required (tool-call logs, prompts, references used): 6) Guardrails and circuit breakers - Automatic downgrade conditions (e.g., repeated failures, missing context, uncertain classification): - Rate limits (qualitative is fine: “low/medium/high”): - Scope limits (only certain directories, services, or customer tiers): 7) Kill switch (must be usable under stress) Write the exact steps: - How to disable (feature flag, revoke IAM role, disable webhook, rotate secrets): - Who can do it without approval: - Where it’s documented (link): 8) Audit and review cadence - Where audit artifacts live (repo, ticketing system, log store): - Sampling plan (who reviews a sample of outputs; weekly or per release): - Postmortem rule: any incident involving the workflow includes agent behavior and control failures. Output When complete, you should be able to answer in one sentence per workflow: “Agent X is allowed to do Y in system Z, with approval A, proof P, and we can shut it off via K.”