AiOpsOne

Agentic AI Security Scoping Matrix

Right-size AI-agent security to autonomy. Classify each agent by scope, then apply the control depth that scope demands across six dimensions — with the APRA CPS 234 evidence lens.

Version 1.0  ·  June 2026  ·  aiopsone.com  ·  YouTube @AiOpsOne

How to use this. More autonomy = bigger blast radius when an agent is manipulated. Place each agent in a scope (1–4), then read down the column for the control depth required in every dimension. Re-classify whenever you add a tool or remove an approval step.

SCOPE 1
No Agency
Read-only; recommends. Human executes everything.
SCOPE 2
Prescribed
Proposes changes; every action needs human approval.
SCOPE 3
Supervised
Acts autonomously within set boundaries.
SCOPE 4
Full Agency
Self-initiating; runs continuously, minimal oversight.
— autonomy & required control depth increase →

Six security dimensions × four scopes

DimensionScope 1Scope 2Scope 3Scope 4
Identity ContextUser auth+ agent identityScoped to the acting user (AgentCore)Per-action authz + JIT, no standing access
Data, Memory & StateStatelessRead-only contextProtected, access-controlled memoryMemory integrity + poisoning detection
Audit & LoggingAPI call logs+ decision logReasoning-chain + tool-call logsFull behavioural trace, retained
Agent & LLM ControlsInput/output filteringBedrock Guardrails+ sandboxingContainment + kill switch
Agency PerimetersRead-only scopeMandatory approval gateIAM/policy boundary (outside the prompt)Dynamic, enforced constraints
OrchestrationSingle toolReviewed tool setAuthorization per tool callAgent-to-agent trust controls

The CPS 234 lens

A Scope-3 or Scope-4 agent is a non-human identity with standing permission to act — in control terms, the same risk as a human with standing admin (a CPS 234 ¶21 / Essential Eight "restrict admin" finding), except it takes instructions from untrusted text. For an APRA-regulated entity: classify the agent on this matrix first, apply the column's controls, and keep the classification + the six-dimension evidence (IAM scoping, memory protection, reasoning-chain logs, guardrail config, policy boundary, tool authorization) as part of your control evidence.