The Three Layers of AI Permissions
Prakash Rengarajan
19 Jun, 2026
The hard question with an AI agent is not what it can do. It is what it must never be able to do, even when the prompt is clever, the model is confident, and the situation is one nobody planned for. Prompt guardrails live in the model's head, which is exactly the wrong place to keep a hard rule. Ontoz keeps the rules in the platform's hands, enforced through three permission layers that stack, where the narrowest layer always wins.
Layer one: construct-level flags
The first layer is set on the data and the operations themselves. Fields carry aiReadable and aiWritable flags; Actions and automated activities carry aiInvocable. Set them once, and they govern every AI that ever touches that construct. If a field is not aiReadable, no copilot, no agent, no future binding can read it. The rule is attached to the thing being protected, not to the agent asking.
Layer two: tool catalog defaults
The second layer sits on the shared tools an agent can call. Every tool in the catalog carries system-wide caps that hold no matter who invokes it. A code-execution tool, for example, has a hard wall-clock ceiling. These defaults are the platform's floor: a guarantee that applies across every copilot and agentic task at once.
Layer three: per-binding allow-list
The third layer is the configurator's narrowing for one specific copilot or agentic task. Two agents can share the same tool definition and still have completely different blast radii, because each binding declares its own allow-list. This is where you say "this agent, in this workflow, may only do these things."
Narrowest wins
A capability is permitted only when all three layers allow it. A binding can never widen what the construct flags or the catalog defaults deny. That ordering is the whole point: a configurator setting up a new agent cannot accidentally grant access that the data owner already closed off, because layer three can only subtract from what layers one and two allow.
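The narrowest-wins rule as a Python sketch, added here as an illustration; it is not Ontoz code. Only the aiReadable, aiWritable and aiInvocable flag names come from the article. The class shapes, the max_wall_clock_s field, and the tool, agent and field names are assumptions.

```python
from dataclasses import dataclass

# Layer one: flags carried by the field or Action itself (flag names from the article).
@dataclass(frozen=True)
class Construct:
    name: str
    aiReadable: bool = False
    aiWritable: bool = False
    aiInvocable: bool = False

# Layer two: system-wide cap on a shared tool (field name is an assumption).
@dataclass(frozen=True)
class CatalogTool:
    name: str
    max_wall_clock_s: int

# Layer three: allow-list for one copilot or agentic task (shape is an assumption).
@dataclass(frozen=True)
class Binding:
    agent: str
    allow: frozenset  # of (tool name, construct name, operation)

FLAG = {"read": "aiReadable", "write": "aiWritable", "invoke": "aiInvocable"}

def authorize(binding, tool, construct, op, seconds):
    """Deny by default; return (allowed, reason naming the layer that decided)."""
    flag = FLAG.get(op)
    if flag is None or not getattr(construct, flag):
        return False, "layer 1: construct flag"
    if seconds > tool.max_wall_clock_s:
        return False, "layer 2: catalog cap"
    if (tool.name, construct.name, op) not in binding.allow:
        return False, "layer 3: binding allow-list"
    return True, "all layers allow"

# Constructed sample data: two agents share one tool definition.
SALARY = Construct("employee.salary")  # closed to AI by the data owner
NOTES = Construct("ticket.notes", aiReadable=True, aiWritable=True)
QUERY = CatalogTool("record_query", max_wall_clock_s=30)
TRIAGE = Binding("triage-copilot", frozenset({("record_query", "ticket.notes", "read")}))
# Misconfigured binding: it lists a field whose flags forbid AI reads.
PAYROLL = Binding("payroll-agent", frozenset({
    ("record_query", "employee.salary", "read"),
    ("record_query", "ticket.notes", "write")}))

if __name__ == "__main__":
    for case in [(TRIAGE, QUERY, NOTES, "read", 5), (TRIAGE, QUERY, NOTES, "write", 5),
                 (PAYROLL, QUERY, SALARY, "read", 5), (PAYROLL, QUERY, NOTES, "write", 120)]:
        print(case[0].agent, case[3], case[2].name, authorize(*case))
```

The payroll binding names employee.salary in its allow-list, yet the read is still refused at layer one, which is the property the paragraph above describes: a binding can only subtract.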
This is what action-level governance looks like in practice. When determinism is no longer a given, security cannot sit at the edge of the system as a role-based resource grant. It has to move down to the level of individual actions, permissioned for people, AI agents, and reviewers alike. Three stacked layers, narrowest wins, is how an agent stays inside its lane on the day the prompt tries to take it somewhere new.
