Concepts & the decision pipeline

How Provenant turns your configuration into a deterministic, explainable allow / hold / deny on every action.

The intersection model: mandate ∩ policies ∩ budgets ∩ connector scope

Every action must pass all applicable layers — the effective permission is their intersection, never a single gate. Each layer answers a different question and is owned by a different concern, so narrowing one never requires touching the others:

LayerQuestion it answersConfigured onOn violation
MandateWhat is THIS AGENT allowed to do, anywhere?the agent (its attached mandate)deny (scope/cap) or hold (threshold/hours)
PoliciesWhat org-wide rules apply to everyone?the organization (Policies page)deny / hold, per the rule
BudgetsIs there money left in the applicable windows?org, agent, or tag (Budgets page)deny or hold, per budget behavior
Connector scopeWhat can EVER be done through this channel, by any agent?the connector (optional — blank = any)deny (connector.scope)

Mandate vs. connector scope — not duplicates

The mandate is subject-side authority (what the agent may do); connector scope is an object-side clamp (what any agent can do through that channel). A broadly-mandated agent still can't push email.send through a payments connector, and a broadly-scoped connector never widens a narrow mandate. Connector scope is optional — leave it blank and the mandate, policies, and budgets remain the only gates. Every deny/hold names its layer in the decision trail and the Activity list, so you always know where to fix it.

Evaluation order (within the intersection)

For each action the engine evaluates, in order:

  1. agent status (active?)
  2. mandate action scope
  3. mandate resource scope (deny-list beats allow-list)
  4. mandate value cap
  5. permitted hours
  6. rate limit
  7. budgets
  8. mandate approval threshold
  9. behavioral risk gate
  10. org policies (with staged rollout + rich match)
  11. connector scope + egress (gateway/broker calls: is this channel permitted to serve it?)
  12. plan gates (action allowance, downgrade agent cap — when enforcement is on)

The final effect is the most restrictive across all of them; the headline reason comes from the worst failing check. The full trail is returned to the caller and written to the audit ledger.

Behavioral risk

Each agent carries a 0–100 risk score derived from its own baseline and the fleet. When the score crosses the org's risk-approval threshold, the action is held for approval rather than auto-allowed — anomalous behavior gets a human in the loop automatically.

Cooperative vs. enforced execution

In cooperative mode your code holds the credential and asks Provenant first, then acts. In enforced mode the agent acts through Provenant's gateway: Provenant holds the downstream credential and performs the call itself, only after an allow, so policy cannot be bypassed. For high-value one-shots the credential broker can instead mint a scoped, short-lived credential bound to the authorized action. See Connect the agent.