What is runtime authorization for AI agents?

Service accounts, OAuth scopes, and human SSO answer "who is this principal?" They do not fully answer "may this specific action run now on this surface with this payload and escalation state?" Agents compose tools across sessions; identity alone cannot bind each commit to policy without a dedicated authorization step.

Prompt filters and classifiers reduce unsafe text; observability records what already happened. Neither retracts a wire transfer, a production config change, or a data export that cleared the gateway. If the last hop before side effects has no mandatory permit check, the system remains fail-open under pressure.

Production integrations pass a bounded frame, for example: agent identity and session, tool or connector, action verb and parameters, data classification or fields required by policy, destination surface or tenant, and policy context such as maintenance mode, geography, or break-glass. The evaluator returns a single outcome suitable for binding to a receipt.

TG-01-style evaluation is finite-state: PERMIT, DENY, or SILENCE (no authorization issued). Same inputs and policy version should yield the same decision so teams can replay incidents and prove what was allowed. Semantics: Decision model and deterministic authorization.

Receipts record decisions; runtimes record enforcement (for example executed vs blocked). The one-line contract: decisions deny; systems block. Keeping the axes separate prevents dashboards from silently collapsing policy truth. See Decision vs enforcement.

Signed receipts bind request context, policy version, and outcome so verifiers do not have to trust a single log stream or UI. They are how you answer supervisory questions after the fact without asking the vendor to vouch in real time. Structure: Protocol receipts; practice: Verify.

Teams often have strong identity, network segmentation, and observability, yet still lack a choke point that binds policy to each commit. The failure mode is predictable: automation inherits broad roles, tools become a graph of implicit capabilities, and the first irreversible step wins the race. Incidents are not "the model was wrong once"; they are unauthorized commits that cleared because nothing required a discrete permit for that frame at that time.

Closing the gap means placing evaluation on the hot path in front of those surfaces, with explicit outcomes and receipts. That is the same boundary described for pre-execution authorization and fail-closed defaults. The execution trace page walks the end-to-end sequence once, without demo theater.

TrigGuard places evaluation in front of execution surfaces: Gate for interception, Arbiter for policy lifecycle, Verify for receipt checks, SDK for embedding the contract. The TG-01 reference specification is the shared artifact between security, platform, and compliance teams.

Review the system model, read the spec, exercise verification, align on pricing, then talk to engineering.

• Architecture (same content: /protocol/architecture)
• Reference specification
• Verify receipts
• Pricing

Request a demo Contact engineering