Concepts & the decision pipeline
How Provenant turns your configuration into a deterministic, explainable allow / hold / deny on every action.
The intersection model: mandate ∩ policies ∩ budgets ∩ connector scope
Every action must pass all applicable layers — the effective permission is their intersection, never a single gate. Each layer answers a different question and is owned by a different concern, so narrowing one never requires touching the others:
| Layer | Question it answers | Configured on | On violation |
|---|---|---|---|
| Mandate | What is THIS AGENT allowed to do, anywhere? | the agent (its attached mandate) | deny (scope/cap) or hold (threshold/hours) |
| Policies | What org-wide rules apply to everyone? | the organization (Policies page) | deny / hold, per the rule |
| Budgets | Is there money left in the applicable windows? | org, agent, or tag (Budgets page) | deny or hold, per budget behavior |
| Connector scope | What can EVER be done through this channel, by any agent? | the connector (optional — blank = any) | deny (connector.scope) |
Mandate vs. connector scope — not duplicates
email.send through a payments connector, and a broadly-scoped connector never widens a narrow mandate. Connector scope is optional — leave it blank and the mandate, policies, and budgets remain the only gates. Every deny/hold names its layer in the decision trail and the Activity list, so you always know where to fix it.Evaluation order (within the intersection)
For each action the engine evaluates, in order:
- agent status (active?)
- mandate action scope
- mandate resource scope (deny-list beats allow-list)
- mandate value cap
- permitted hours
- rate limit
- budgets
- mandate approval threshold
- behavioral risk gate
- org policies (with staged rollout + rich match)
- connector scope + egress (gateway/broker calls: is this channel permitted to serve it?)
- plan gates (action allowance, downgrade agent cap — when enforcement is on)
The final effect is the most restrictive across all of them; the headline reason comes from the worst failing check. The full trail is returned to the caller and written to the audit ledger.
Behavioral risk
Each agent carries a 0–100 risk score derived from its own baseline and the fleet. When the score crosses the org's risk-approval threshold, the action is held for approval rather than auto-allowed — anomalous behavior gets a human in the loop automatically.
Cooperative vs. enforced execution
In cooperative mode your code holds the credential and asks Provenant first, then acts. In enforced mode the agent acts through Provenant's gateway: Provenant holds the downstream credential and performs the call itself, only after an allow, so policy cannot be bypassed. For high-value one-shots the credential broker can instead mint a scoped, short-lived credential bound to the authorized action. See Connect the agent.