Authorization Controls - Continuum/AI

The Authorization domain constrains what authenticated agents can do. Five controls address permission scope, temporal constraints, and delegation.

AZN-01 Least Privilege

Requirement: Agents shall be granted only the minimum permissions required to accomplish their designated functions.

Rationale: Reduces impact of agent compromise or manipulation.

Evidence: Permission inventory with justification for each grant.

Profile: Essential

Requirement: Agent permissions shall be scoped to specific resources rather than broad categories where technically feasible.

Rationale: Contains the blast radius of unauthorized actions.

Evidence: Authorization configuration showing resource-level restrictions.

Profile: Standard

Requirement: Agent sessions shall have defined maximum durations after which reauthentication is required.

Rationale: Limits the duration of exposure from session compromise.

Evidence: Session timeout configuration and enforcement logs.

Profile: Standard

Requirement: Authorization systems shall evaluate individual actions rather than relying solely on initial authentication.

Rationale: Enables fine-grained control over agent behavior within sessions.

Evidence: Per-action authorization logs.

Profile: Elevated

Requirement: When agents operate on behalf of users, the agent shall not possess permissions exceeding those of the delegating user.

Rationale: Prevents privilege escalation through delegation.

Evidence: Delegation configuration and permission comparison records.

Profile: Elevated