Separation of Duties for AI Agents: Who Proposes, Who Authorizes, Who Is Accountable
A CISO's framework for applying separation of duties to AI agents: why the proposing agent can never authorize its own change, and who stays accountable.
Three roles the agent era keeps collapsing
SoD is usually taught as two roles, maker and checker, the "four-eyes" principle. Agent systems force a third role into the open, because automation makes it easy to lose track of who is answerable when something goes wrong. The clean model has three distinct seats:
- Who proposes. The actor that initiates and constructs a change: writes the code, generates the test, drafts the remediation, assembles the evidence. This is the maker. In a modern stack it is increasingly an agent.
- Who authorizes. The actor that decides the proposal may proceed into a protected environment. This is the checker, and it holds the authority the proposer does not. The authority is delegated and bounded by policy.
- Who is accountable. The named human or role who answers for the outcome to an examiner, a board, or a regulator. Accountability does not move just because execution was automated.
The failure mode is collapsing any two of these into one actor. The most dangerous collapse is proposer-equals-authorizer: an agent that applies its own change. The quietest and most common collapse is authorizer-equals-accountable disappearing entirely, where automation runs and no human can say who owns the result. For an insurer, where a mispriced endorsement or a broken claims rule has direct policyholder and solvency consequences, the accountable seat can never be vacant or assigned to a system.
The accountability seat: encode it, don't assume it
Authorization decides whether a change proceeds. Accountability decides who answers for it afterward. Insurers learn the hard way that these are not the same when an examiner asks who approved a rule that underpaid a class of claims, and the honest answer is "an automation pushed it and no one is named."
Accountability has to be encoded as policy, not left to org-chart inference:
- Every protected change carries a named authorizer by role, and that role is provably distinct from whatever proposed the change. The proposer cannot appear in the approver set.
- The accountable owner is recorded at decision time, bound to the proposal, the evidence, and the System Graph context the decision rested on, one linked, immutable artifact rather than a reconstruction.
- The trail proves the negative. An auditor's real test is not "do you have logs," it is "can you prove this specific change was authorized by someone permitted to authorize it, on evidence that existed before approval, and that the control was not bypassed."
That last point is where most programs fail. Roughly 80% of developers admit to bypassing policy or guardrails when they add friction. A separation of duties that lives in a wiki or a change-advisory meeting gets routed around at exactly the moment it matters. The control has to be a property of the system, where it cannot be skipped, with the audit trail as a byproduct of how the pipeline runs.
For workloads that cannot leave your perimeter, and in insurance, policyholder and claims data rarely can, the authority model has to hold inside your boundary. Edge Runners execute as signed capsules inside a secure enclave and emit audit-ready evidence outward, so residency and separation of duties stop being a tradeoff. The data stays; the proof leaves.
A note on the hardest case: remediation. Letting agents fix code unsupervised is reckless precisely because it is the step where proposing and authorizing are most tempting to merge. Governed Remediation Fleets stage the fix and the evidence but never self-authorize a change to a regulated or revenue-critical path.
What to do Monday morning
You do not need a platform rebuild to restore separation. Start with mapping, then enforcement.
- Find every place an agent can write to a protected environment today. This is your unsegregated-duty inventory. It is usually larger than expected.
- Build a three-seat RACI for changes. For each sensitive path, name who proposes, who authorizes, and who is accountable, and confirm no actor holds two seats.
- Set agents to propose-only by default, and require an explicit, role-checked human authorization for any reachable, regulated, or revenue-critical change.
- Make the authorizer read independent evidence, graph-derived blast radius and change-aware validation, never the proposer's own attestations.
- Bind the accountable owner into the record so a future exam answers in minutes, not weeks.
The bottom line
Guides associés
Produit associé
Continuer la lecture
Agents Propose, Humans Authorize: A Reference Architecture for Governed Autonomy
A reference architecture for letting agents act on production safely: the four control surfaces, policy, approval, evidence, attribution, and how they wire into the loop.
More Models Won't Save You: Why AI-Generated Code Needs a Control Layer, Not Smarter Autocomplete
Better code generation can't validate its own output. Why AI-written code needs a governed control layer that maps, tests, and proves every change.
Code Without Provenance: The Real Risk When 41% of Your Codebase Has No Author
When 41% of your codebase has no author, the real risk isn't bugs, it's lost intent. How a System Graph restores the provenance AI-generated code strips away.
