Agent Action Firewall Documentation

Core Concepts

This page explains the fundamental concepts you'll encounter when using Agent Action Firewall (AAF).

Actions

An Action is any operation an AI agent wants to perform. Actions have:

  • Tool: The type of operation (e.g., http, database, file)
  • Operation: The specific action (e.g., GET, POST, read, write)
  • Parameters: Data needed to execute the action
  • Context: Metadata about who is performing the action and why

{
  id: "action-123",
  tool: "http_proxy",
  operation: "POST",
  params: {
    url: "https://api.example.com/users",
    body: { name: "John" }
  },
  context: {
    user_id: "user-456",
    session_id: "session-789",
    purpose: "Create new user account"
  }
}

Policies

Policies define the rules that govern what actions are allowed. AAF supports three policy types:

Rego Policies

Written in Rego, OPA's policy language:

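package aaf.policy

# Allow read-only HTTP requests.
decision = "allow" {
  input.action.tool == "http_proxy"
  input.action.operation == "GET"
}

# Require human approval for POSTs to this exact Stripe charges URL.
decision = "require_approval" {
  input.action.tool == "http_proxy"
  input.action.operation == "POST"
  input.action.params.url == "https://api.stripe.com/v1/charges"
}

# No rule here matches any other action, so `decision` is undefined for them.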

Visual Workflows

Build policies using a drag-and-drop interface—no code required.

NLP Policies

Define policies in natural language, powered by LLMs:

Deny any action that sends data to unknown external domains.
Require approval for financial transactions over $1000.

Decisions

Every action receives one of three decisions:

| Decision | Meaning | Action Executed? |
| --- | --- | --- |
| allow | Action is safe, proceed immediately | Yes |
| deny | Action violates policy, block it | No |
| require_approval | Action needs human approval first | Pending |

Approvals

When an action receives require_approval, it enters the approval workflow:

  1. Approvers are notified (email, Slack, dashboard)
  2. Approvers can view action details and context
  3. Approvers approve or deny with optional reason
  4. If approved, action executes; if denied, agent is notified

Approvals have configurable expiration (default: 24 hours).

Agents

An Agent represents an AI system integrated with AAF. Each agent:

  • Has a unique identifier and API key
  • Can be grouped into teams
  • Has its own activity history and risk score
  • Can have agent-specific policies

Organizations

Organizations are the top-level tenant boundary. All data is isolated by organization:

  • Users and teams
  • Agents and policies
  • Audit logs and approvals
  • Billing and usage

Risk Levels

AAF automatically assigns risk levels to actions:

| Level | Description | Example |
| --- | --- | --- |
| low | Read-only, safe operations | GET requests, public API calls |
| medium | Data modification with known scope | POST to approved endpoints |
| high | Sensitive operations or unknown targets | Financial transactions, admin actions |
| critical | Potentially destructive actions | DELETE operations, system changes |

Risk levels influence:

  • Default approval requirements
  • Notification urgency
  • Audit retention

Audit Trail

Every action and decision is logged to the audit trail, which features:

  • Tamper-evidence: Each event is cryptographically linked to the previous
  • Immutability: Events cannot be modified or deleted
  • Completeness: All metadata, decisions, and outcomes recorded
  • Exportability: Download as JSON, CSV, or proof packs

Proof Packs

A Proof Pack is an exportable bundle containing:

  • The original action request
  • The policy that was evaluated
  • The evaluation decision and reasoning
  • Any approval records
  • The complete audit trail with hash chain

Proof packs are used for compliance audits and incident investigation.
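
The hash chain described under Audit Trail and Proof Packs can be checked offline. The following is an added example, not AAF's own code or export format: it verifies such a chain and shows that a truncated log still verifies unless its head hash is compared with a copy kept elsewhere. The event layout (`prev_hash`, `body`, `hash`), the all-zero genesis value and SHA-256 over canonical JSON are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first event


def event_hash(prev_hash: str, body: dict) -> str:
    """SHA-256 over the previous hash plus the canonical JSON of the body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + canonical).encode()).hexdigest()


def build_chain(bodies: list) -> list:
    """Link each event to its predecessor, as a logger would on write."""
    chain, prev = [], GENESIS
    for body in bodies:
        chain.append({"prev_hash": prev, "body": body, "hash": event_hash(prev, body)})
        prev = chain[-1]["hash"]
    return chain


def verify_chain(chain: list, trusted_head: str = "") -> str:
    """Return "ok", or a description of the first inconsistency found."""
    prev = GENESIS
    for i, event in enumerate(chain):
        if event["prev_hash"] != prev:
            return f"event {i}: broken link"
        if event_hash(prev, event["body"]) != event["hash"]:
            return f"event {i}: body altered"
        prev = event["hash"]
    # A cut-off tail is self-consistent; only an external head hash reveals it.
    if trusted_head and prev != trusted_head:
        return "head mismatch"
    return "ok"


def scenarios() -> dict:
    steps = ("require_approval", "approved", "executed")  # constructed sample
    chain = build_chain([{"action_id": "action-123", "event": s} for s in steps])
    head = chain[-1]["hash"]
    edited = json.loads(json.dumps(chain))  # deep copy
    edited[1]["body"]["event"] = "denied"  # approval record altered afterwards
    return {
        "intact": verify_chain(chain, head),
        "edited": verify_chain(edited, head),
        "deleted": verify_chain(chain[:1] + chain[2:], head),
        "truncated": verify_chain(chain[:2]),
        "truncated_anchored": verify_chain(chain[:2], head),
    }
```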

Tool Connectors

Connectors enable the firewall to execute approved actions:

| Connector | Purpose |
| --- | --- |
| HTTP Proxy | Execute HTTP requests with SSRF protection |
| Jira | Create/update Jira tickets |
| ServiceNow | Manage ServiceNow incidents |
| Slack | Send messages to Slack channels |
| Custom | Implement your own connector |

Data Loss Prevention (DLP)

AAF automatically scans action payloads for sensitive data:

  • Social Security Numbers (SSN)
  • Credit card numbers
  • API keys and secrets
  • Email addresses
  • Custom patterns you define

Sensitive data can be:

  • Masked before execution
  • Blocked entirely
  • Flagged for review

Anomaly Detection

AAF monitors agent behavior and alerts on anomalies:

  • Unusual action volume
  • Access to new/unexpected resources
  • Actions outside normal hours
  • Deviation from learned patterns
