Decision Rights for AI Agents
The documented authority of an AI agent to take a class of action without further human approval — specifying who approved that authority, for what scope, under what justification, and for how long. The formulation comes from Knostic’s framing in AI Coding Agent Governance (Knostic, 2025–2026): “Governance refers to defining who has the authority to act and under what justification.”
Decision rights are the governance counterpart to least privilege. Where least privilege answers “what can the agent access?”, decision rights answer “what can the agent decide on its own — and on whose authority?”
Why it’s distinct from access scoping
Access scoping (D3 of Agentic AI Security Capability Maturity Model — A 2026 Practical Proposal) controls reach: which repos, which APIs, which environments. Decision rights control authority delegation within that reach: among the actions the agent can take, which can it take autonomously, which require notification, which require approval, which are prohibited?
| Concept | Question it answers | CMM domain |
|---|---|---|
| Least privilege | What can the agent access? | D2 + D3 |
| Least agency (Least Agency Principle) | How autonomous is it? | D3 |
| Decision rights | On whose authority + under what justification? | D1 (governance) + D3 (control) |
| Auditability | Was the decision reversible and attributable? | D7 + D9 |
Without decision rights, an agent operates with apparent authority — the user delegating to it has implicitly granted it the authority to act in their name, but the delegation chain is undocumented. This is the failure mode that turns helpful agents into risk multipliers.
A decision-rights matrix (sample)
A decision-rights matrix per agent type / agent-role pair is the artifact that operationalizes this concept. Sample rows:
| Agent type | Action class | Decision right | Approver | Justification | Time bound |
|---|---|---|---|---|---|
| code-review-agent | comment on PR | autonomous | n/a | task-defined | always |
| code-review-agent | merge approval | requires approval | named human reviewer | risk-tier=med | per-PR |
| deployment-agent | deploy to staging | autonomous | n/a | CI green | maintenance window only |
| deployment-agent | deploy to production | requires approval | release manager + on-call | change ticket | per-deploy |
| deployment-agent | force-push or branch deletion | prohibited | — | — | — |
A row is not optional for any action class an agent can take. “We didn’t write a row for this” defaults to prohibited.
Relation to OWASP Least Agency tiers
Decision rights map directly to the OWASP four-tier least-agency model documented in Least Agency Principle:
| OWASP tier | Decision-right wording |
|---|---|
| auto | autonomous |
| notify | autonomous-with-notification |
| confirm | requires approval |
| block | prohibited |
The OWASP tiering is the mechanism; decision rights are the justification record — who approved the tier assignment, under what risk analysis, with what review cadence.
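The sample matrix and the tier mapping above, enforced as a runtime check on each tool call. This is an added example, not code from the original page, Knostic or OWASP. The names `Row`, `MATRIX` and `decide` are hypothetical; it assumes the Justification column is an evidence string the caller must present and that every listed approver must sign off, and it does not evaluate the Time bound column.

```python
from dataclasses import dataclass

# Decision-right wording -> OWASP least-agency tier (mapping table on this page).
TIER = {"autonomous": "auto", "autonomous-with-notification": "notify",
        "requires approval": "confirm", "prohibited": "block"}

@dataclass(frozen=True)
class Row:
    right: str                          # decision-right wording
    approvers: frozenset = frozenset()  # assumption: ALL of these must approve
    justification: str = ""             # assumption: evidence string the caller presents

# Constructed matrix mirroring the sample rows on this page.
MATRIX = {
    ("code-review-agent", "comment on PR"): Row("autonomous", justification="task-defined"),
    ("code-review-agent", "merge approval"): Row(
        "requires approval", frozenset({"named human reviewer"}), "risk-tier=med"),
    ("deployment-agent", "deploy to staging"): Row("autonomous", justification="CI green"),
    ("deployment-agent", "deploy to production"): Row(
        "requires approval", frozenset({"release manager", "on-call"}), "change ticket"),
    ("deployment-agent", "force-push or branch deletion"): Row("prohibited"),
}

def decide(agent_type, action_class, evidence=(), approvals=()):
    """Return (allowed, tier, reason) for one tool call."""
    row = MATRIX.get((agent_type, action_class))
    if row is None:
        # "We didn't write a row for this" defaults to prohibited.
        return (False, "block", "no matrix row: default prohibited")
    tier = TIER[row.right]
    if tier == "block":
        return (False, tier, "prohibited by matrix")
    if row.justification and row.justification not in evidence:
        return (False, tier, f"missing justification: {row.justification}")
    missing = row.approvers - set(approvals)
    if tier == "confirm" and missing:
        # Name the absent approvers so the denial is attributable in the audit log.
        return (False, tier, "missing approval: " + ", ".join(sorted(missing)))
    return (True, tier, "allowed")
```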
Place in the CMM
- D1 L3 evidence: documented decision-rights matrix per registered agent type (sharpening from the Knostic ingest).
- D3 L3+ evidence: the matrix is operationalized in the PDP (Cedar / OPA policies) — every tool call is mediated by the matrix at runtime.
- D9 L4 evidence: HITL approval-rate metrics per matrix row (rubber-stamp detection).
Halt-authority is also a decision right
Distributed Kill Switch — the practice of putting halt-authority in the hands of every team member in the loop — is itself a decision right that must appear in the matrix. Sample rows:
| Agent type | Action class | Decision right | Approver | Justification | Time bound |
|---|---|---|---|---|---|
| any-agent | halt current run | autonomous (any in-loop human) | n/a | safety; logged-not-punished | always |
| any-agent | halt workflow / use case | autonomous (workflow owner) | n/a | safety + outcome | per-use-case |
| any-agent | halt project / line of business | requires approval | Council (Legal + COO seats) | escalation | per-project |
Without explicit halt rows, the practice has no audit trail and quietly degrades to “the CIO holds the kill switch alone” — the failure mode the talk explicitly warns against.
Relations
- Foundation: AI Coding Agent Governance (Knostic, 2025–2026) introduced the framing.
- Mechanism: Least Agency Principle (OWASP four-tier) — decision rights are the justification record for tier assignments.
- Halt-authority: Distributed Kill Switch — halt is itself a decision right.
- Cross-functional body: AI Agent Layered Council — the cross-functional body that approves portfolio-level decision-right assignments.
- Containment: Shadow Automation — without decision rights, agent inventory is not governance.
- IAM context: Non-Human Identity (NHI) — decision rights bind to NHI, not to the human delegating.