Agent Operations Design Notes (6/9) — Where to Draw the Line Between Allow, Ask, and Deny

The moment an agent can read files, edit them, run commands, and send something outside the system, quality and safety stop being separate concerns. Many teams still treat permission design as a simple choice between blocking and allowing. In practice, the more useful question is different: what should be allowed by default, what should stop for human approval, and what should be structurally forbidden?

ํ•ต์‹ฌ ์š”์•ฝ

  • The core of permission design is not merely having three buckets called allow, ask, and deny. It is having a consistent rule for which actions belong in which bucket.
  • The same broad label of tool use hides very different risks. Reading, editing, executing, externally sending, and publishing should not live in one policy bucket.
  • Anthropic's Claude Code permission model and the OpenAI Agents SDK guardrail model use different surfaces, but both treat permissions as structure, not wording.
  • Permission design is not only a security problem. If it is cut poorly, the agent stalls too often. If it is too loose, the blast radius becomes too large. So permissions are also a quality design problem.

1. Why permission design is also an agent quality problem

Permissions are often discussed only in security language. That is reasonable, but incomplete.

In real operations:

  • if too much is allowed, one bad action can travel too far
  • if too much asks for approval, the workflow keeps breaking
  • if too much is denied, the agent spends more effort on workaround behavior than on useful work

So permission design is not only about how safe is the system. It is also about how reliably can the system keep working from start to finish.

That is why modern agent platforms increasingly discuss tool access, sandboxing, approvals, and hooks as one combined surface rather than as isolated toggles.

2. The base frame: allow, ask, and deny are three kinds of responsibility

Many teams read the three buckets too literally:

  • allow: just let it happen
  • ask: ask a human first
  • deny: block it

Operationally, those are not just three buttons. They imply different ownership models.

Bucket Meaning Operational responsibility
allow safe enough to proceed automatically can logs and post-checks handle failure
ask needs human judgment in the middle who approves, with what context, and how often
deny should be structurally blocked what counts as an exception and how it is recorded

The key idea is simple:

Ask does not merely mean dangerous. It means the organization does not want the current automation layer making that decision alone.

If that distinction is blurry, ask starts to spread everywhere. Once that happens, approval quality usually collapses.

3. First rule: do not put read, edit, execute, send, and publish in one bucket

Permission models usually become vague when superficially similar actions are grouped together.

All of these can look like tool use:

Action Surface appearance Real risk
reading local docs lookup relatively low
editing a draft file write medium
running tests in a shell execution medium to high
calling an external API network action possible data leakage
publishing a blog post transmission / publication hard to undo
touching credential files read very high

That is why a practical system should usually separate at least:

  1. read
  2. local edit
  3. code or command execution
  4. external sending
  5. publication or deployment
  6. credential or protected asset access

Without that separation, allow becomes too broad, ask becomes noisy, and deny arrives too late.

4. Second rule: use ask only where human judgment adds real value

Many systems quietly fail because ask becomes the lazy default. If something looks risky, the system asks a human and pushes the cost into operations.

But ask is not free:

  • it introduces waiting
  • it breaks momentum
  • it creates inconsistency between reviewers
  • it makes important approvals harder to notice if used too often

So ask should be reserved for boundaries where human review is genuinely useful, such as:

  • sending content outside the organization
  • hard-to-revert writes
  • expensive or far-reaching execution
  • expanding data access scope
  • any action that raises privileges

Low-blast-radius work such as reading docs or editing a narrow draft file usually should not stop the flow.

5. Third rule: deny should be explainable, not merely absolute

Deny looks simple, but it is the strongest policy surface in the system. That is why it is not enough to know what is blocked. It must also be clear why it is blocked.

Typical deny candidates include:

  • direct credential access
  • external publication without approval
  • edits outside the allowed workspace
  • outbound network transmission without policy clearance
  • direct modification of protected deploy or publish paths

Good deny rules usually have these properties:

  • their scope is explicit
  • any exception path is separately defined
  • violations are logged
  • the human conditions for opening an exception are documented

So deny is less like an arbitrary wall and more like an organization's irreversible boundary.

6. What Claude Code and the OpenAI Agents SDK have in common

Anthropic and OpenAI implement permission surfaces differently, but the operating lesson is similar.

Claude Code describes permissions through several layers such as hooks, ask rules, deny rules, allow rules, and tool permission callbacks. That makes one point very clear: permissions are not a single boolean setting.

The OpenAI Agents SDK discusses guardrails at multiple surfaces too, including input/output guardrails and tool-level controls. As workflows become more complex, permission logic has to move closer to the actual action surface.

The shared lesson is this:

  • permissions live outside the model
  • permissions cannot be separated cleanly from tool design
  • permissions usually get more granular as workflows become more operational

7. Five practical questions for cutting a permission model

Abstract principles help, but the most practical questions are usually these:

  1. If this action fails, is recovery easy?
  2. Does this action leave an external trace?
  3. Does it touch protected assets or wide scope?
  4. Can a human meaningfully make a better judgment here?
  5. Is a log enough, or does this need prevention before execution?

These questions often lead to a structure like this:

Result Default suggestion
small blast radius, easy recovery allow
human judgment adds real value ask
irreversible or protected-asset action deny or strong ask

This does not replace local policy, but it does reduce the common failure mode of using ask everywhere.

8. Three common failure patterns

8.1 Treating all writes as ask

That may look safe at first, but it creates human bottlenecks quickly. Low-risk draft edits do not deserve the same treatment as production-affecting changes.

8.2 Treating external send and local execution as the same risk

They can both look like execution, but undo cost is very different. External send usually leaves a harder-to-reverse trail.

8.3 Adding deny only after incidents happen

Teams often start wide open and tighten later. For credential access or unapproved publication, that is usually backwards. Those boundaries are better designed up front.

9. A quick health check for your permission model

If two or three of these are true, the model is probably blurring:

  • approval prompts appear so often that humans mostly auto-approve them
  • the same kind of action is handled differently depending on the day
  • external sending and local editing share the same policy rule
  • after a policy failure, it is hard to explain why the system allowed it
  • the agent's biggest blocker is not model weakness but permission ambiguity

A strong model does not cripple the agent. It creates broad low-risk allow lanes, sharp high-value ask lanes, and explicit irreversible deny boundaries.

10. Conclusion: allow, ask, and deny are not just settings, but operating philosophy

Permission design is not only a safety-team problem. In real agent systems, the permission model becomes part of the quality model.

The deeper questions are:

  • how small should failure radius be
  • where should human approval be spent
  • which boundaries should never be crossed automatically

So allow / ask / deny is not just three configuration values. It is a way for an organization to express how much autonomy and how much responsibility boundary it wants to grant an agent.

Related Internal Links

References

Series overview: Series index

๋Œ“๊ธ€

๋Œ“๊ธ€ ์“ฐ๊ธฐ

์ด ๋ธ”๋กœ๊ทธ์˜ ์ธ๊ธฐ ๊ฒŒ์‹œ๋ฌผ

Agent Memory Engine (2/10) — Building an AI Agent Memory System with SQLite Alone

← 1/10 SQLite Memory Engine f… ๐Ÿ“š Series Index 3/10 memcore Completed → A memory engine that runs without daemons, without dependencies, anywhere ํ•ต์‹ฌ ์š”์•ฝ This post covers how to design an AI agent memory engine (memcore) on a single-file SQLite backend. - Structure: 25 modules, ~6,464 lines, 22 DB tables - Principles: no daemon, single-file portability, no required external dependencies, host-agnostic - Core techniques: 4-layer hybrid search (topic · vector · FTS5 · LIKE), U-tag dialectic-based confidence evolution, ingestion-layer bias rejection rules What This Post Covers One approach to building AI agent memory without a server or cloud vector DB. Specifically: (1) the limitations of text-file-based memory, (2) vector DB alternatives compared and selection criteria, (3) how to layer search tiers, (4) how to evolve confidence scores over time, and (5) how to block biased memory accumulation at the ingestion stage. Design Principles: Why Single-File SQLite Text-file-based ...
Read more »

"ML Foundations (9/9) — PyTorch vs TensorFlow, and the Road to Local LLMs"

์ด๋ฏธ์ง€
← 8/9 Deep Learning Architec… ๐Ÿ“š Series Index (series end) The final part. So far we've focused on models. Now we focus on the tools that actually run them . We'll lay out the philosophical difference between PyTorch and TensorFlow, and trace how Hugging Face transformers , llama.cpp , MLX , and Ollama built the bridge to running large language models on your own machine. By the end you should have the full mental model of "download a pretrained LLM and serve it locally." 0. Learning Objectives Explain the eager-vs-graph difference between PyTorch and TensorFlow. Explain, in graph terms, how autograd automates the backward pass. Use Hugging Face transformers ' AutoModel , AutoTokenizer , and pipeline abstractions. Describe llama.cpp's GGUF quantization, INT4 inference, and CPU-first flow. Describe Apple MLX's use of unified memory and how it differs from PyTorch. Run a local LLM with Ollama and call it through an OpenAI-compatible API. ...
Read more »

"RAG Core Study (14/26) — Evaluation Sets with RAGAS & DeepEval"

์ด๋ฏธ์ง€
Series overview: Series index ๐Ÿ“š Series Index Without an evaluation set, every RAG improvement is a story, not evidence. RAG systems fail in more than one place: retrieval, context selection, answer generation, and grounding. That means "looks better" is not a metric. Part 14 explains how to build a golden dataset , how RAGAS and DeepEval fit into the workflow, and why teams must separate retrieval quality from answer quality if they want tuning decisions to hold up. 0. Prerequisites Part 13 reranking — system quality now depends on multi-stage ranking. Part 1 grounding — a correct-looking answer is not enough. Part 12 Hybrid — multiple retrieval settings need comparison on fixed data. 1. Learning Objectives Build a small but useful golden dataset for RAG. Distinguish retrieval metrics from answer metrics . Use RAGAS and DeepEval in the right roles. Avoid the common traps in judge-model-based evaluation. 2. ํ•ต์‹ฌ ์š”์•ฝ An evaluation set for RAG is ...
Read more »

"ML Foundations (8/9) — Deep Learning Architectures: CNN, RNN, Attention"

์ด๋ฏธ์ง€
← 7/9 Deep Learning Training ๐Ÿ“š Series Index 9/9 PyTorch vs TensorFlow → What did we keep adding on top of an MLP? Vision went CNN, sequences went RNN/LSTM, and eventually both converged on Attention and the Transformer. Each architecture is easier to remember if you read it as what it gave up to gain something else . This part is the one-line summary of the decisive inflection points: LeNet → AlexNet → ResNet → LSTM → Attention → Transformer. 0. Learning Objectives Explain why CNN's convolution, pooling, and weight sharing match images so well. Trace what got unblocked from LeNet → AlexNet → VGG → ResNet as depth grew. State BPTT for RNNs and the vanishing/exploding gradient problem. Write the LSTM gate equations (forget, input, output) with intuition. Write the attention formula in query/key/value form and the scaled dot-product variant. State the precise reasons Transformers replaced RNNs (parallelism + long-range dependencies). 1. ํ•ต์‹ฌ ์š”์•ฝ CNN : weight sharin...
Read more »

"ML Foundations (7/9) — Deep Learning Training: Optimizers, Regularization, Initialization"

← 6/9 Neural Networks ๐Ÿ“š Series Index 8/9 Deep Learning Architec… → Building an MLP, as we did in Part 6, is not the same as getting it to train well . The right optimizer, regularization, initialization, and learning rate — when these line up, deep networks converge. When they don't, the network refuses to learn at all. This part is the catalog of those crafts, with formulas, paper citations, and code in one place. 0. Learning Objectives Compare and write the update rules for SGD, Momentum, Nesterov, and Adam. Explain how Dropout, BatchNorm, and LayerNorm work and where they belong in a model. Derive the variance formulas for Xavier and He initialization and match them to activations. Implement step, cosine, and warmup learning-rate schedules in PyTorch. Explain why gradient clipping is effectively required for RNNs and Transformers. Diagnose the most common training failures (NaN, plateau, overfitting) and apply first-line fixes. 1. ํ•ต์‹ฌ ์š”์•ฝ SGD : \(w \leftarro...
Read more »

OpenClaw to Hermes Migration (2/13) — What to Preserve, Partially Port, or Discard

← 1/13 Current Structure Inve… ๐Ÿ“š Series Index 3/13 What Moves to Hermes → A code review record classifying operational scripts into three tiers: preserve, partial-preserve, and discard. What This Post Covers An asset classification framework (preserve / partial-preserve / discard) for migrating a legacy agent system to a successor A concrete case applying the Strangler Fig + Subset Migration strategy to a memory pipeline Classification results evaluated across LOC, external dependencies, and replaceability axes A method for slimming down a bloated single file (1,310 LOC) using the migration as a natural entry point Problem Definition: Port Everything or Cut Deep? The OpenClaw inventory comprises multiple agents, multiple scheduler/daemon processes, and multiple operational scripts. When moving to the successor system, Hermes, the choice is not binary. A full port carries accumulated technical debt along with it; a minimal port discards hard-won domain logic. Code-revie...
Read more »

AI Agents I Built (5/7) — Building an Automated Blogger API Publishing System

← 4/7 My Life Organizer Agent ๐Ÿ“š Series Index 6/7 Dual → Designing a Markdown-Based Auto-Publish Pipeline with Blogger API v3 + OAuth 2.0 Key Summary Blogger API v3 + OAuth 2.0 enables a pipeline that converts Markdown files into publishable HTML posts blogger_publish.py handles the full flow — frontmatter parsing → body cleanup → HTML conversion → CSS injection → API post — in a single script For bulk publishing, quota management (delay, retry, TOC suppression) is the critical design concern Platform Selection Criteria API access is mandatory for AI agent-driven content publishing. A comparison of platforms: Platform API Cost AdSense Decision WordPress.com REST API Paid plan required Paid only Cost overhead Ghost REST API Self-hosted or paid Manual setup Ops overhead Blogger v3 API Free Native integration Adopted Blogger is free, exposes a REST API, and integrates natively with AdSense. For personal blog automation, this combination i...
Read more »