Right-size AI-agent security to autonomy. Classify each agent by scope, then apply the control depth that scope demands across six dimensions — with the APRA CPS 234 evidence lens.
How to use this. More autonomy = bigger blast radius when an agent is manipulated. Place each agent in a scope (1–4), then read down the column for the control depth required in every dimension. Re-classify whenever you add a tool or remove an approval step.
| Dimension | Scope 1 | Scope 2 | Scope 3 | Scope 4 |
|---|---|---|---|---|
| Identity Context | User auth | + agent identity | Scoped to the acting user (AgentCore) | Per-action authz + JIT, no standing access |
| Data, Memory & State | Stateless | Read-only context | Protected, access-controlled memory | Memory integrity + poisoning detection |
| Audit & Logging | API call logs | + decision log | Reasoning-chain + tool-call logs | Full behavioural trace, retained |
| Agent & LLM Controls | Input/output filtering | Bedrock Guardrails | + sandboxing | Containment + kill switch |
| Agency Perimeters | Read-only scope | Mandatory approval gate | IAM/policy boundary (outside the prompt) | Dynamic, enforced constraints |
| Orchestration | Single tool | Reviewed tool set | Authorization per tool call | Agent-to-agent trust controls |