Authority Rules (SDS-031)
RBAC, RACI, and Separation of Duties for agent governance.
RBAC Roles
| Role ID | Name | Scope | Description |
|---------|------|-------|-------------|
| R-DS | Domain Steward | Bounded Context | Semantic owner of domain |
| R-AG | Architecture Governor | System-wide | CALM compliance |
| R-LC | Ledger Custodian | IFL Cluster | Key custody, node management |
| R-SO | Security Officer | System-wide | Break-glass approval |
| R-RM | Release Manager | Pipeline | Deployment authority |
| R-DEV | Developer | Feature/PR | Implementation |
| R-AA | Automated Agent | Task | Recommends, executes |
Role Constraints
| ID | Rule | Rationale |
|----|------|-----------|
| C-01 | R-DS ≠ R-AG for same context | Prevent conflict of interest |
| C-02 | R-LC ≠ R-SO | Separate operational/security |
| C-03 | R-DEV cannot self-approve in production | Four-eyes principle |
| C-04 | R-AA requires R-* sponsor | Human accountability |
RACI Matrix
R = Responsible, A = Accountable, C = Consulted, I = Informed
Semantic Governance
| Decision | R-DS | R-AG | R-SO | R-RM | R-DEV | R-AA |
|----------|------|------|------|------|-------|------|
| Propose Change | R | C | I | I | R | R |
| Approve (Non-Breaking) | A | C | I | I | - | - |
| Approve (Breaking) | R | A | C | C | - | - |
| Accept Debt | A | C | C | I | R | - |
| Break-glass | R | C | A | C | R | - |
Agent Operations
| Decision | R-DS | R-AG | R-SO | R-RM | R-DEV | R-AA |
|----------|------|------|------|------|-------|------|
| Configure Agent | C | C | I | I | R | - |
| Deploy Agent | I | C | I | A | I | R |
| Invoke Agent | I | I | I | I | R | A |
| Approve Mutation | A | C | C | I | R | - |
Separation of Duties (SoD)
| ID | Actor 1 | Actor 2 | Transaction |
|----|---------|---------|-------------|
| SOD-01 | Proposer | Approver | SemanticChangeProposal |
| SOD-02 | Debt Requester | Debt Acceptor | SemanticDebt.accept |
| SOD-03 | Break-glass Requester | Approver | BreakGlass.activate |
| SOD-04 | Key Generator | Key Approver | KeyRotation.execute |
| SOD-05 | Minter | Semantic Owner | Mint.execute |
Enforcement
```
Policy SeparationOfDutiesEnforcement:
  when:
    - environment == "production"
    - action.requires_approval == true
  then:
    - REQUIRE action.approver != action.proposer
    - REQUIRE action.approver.role IN [R-DS, R-AG, R-SO, R-RM]
    - EMIT AuditEvent(type: "sod.enforced")
  else:
    - REJECT "SoD Violation: Self-approval not permitted"
```
Agent Authority (R-AA)
Automated Agents CAN:
- Recommend actions
- Execute approved automation
- Monitor and report
Automated Agents CANNOT:
- Approve their own recommendations
- Execute privileged actions without sponsor
- Bypass governance controls
```yaml
agent:
  id: pm-agent-001
  role: R-AA
  sponsor:
    principalId: jane.doe
    role: R-DS
  constraints:
    - all_mutations_require_hitl
    - audit_all_actions
```
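The following Python sketch is an added example, not the project's own enforcement code. It evaluates an action against the SeparationOfDutiesEnforcement policy and constraint C-04, using the agent configuration above as sample data. The `Principal` and `Action` types, the `evaluate` function, the `sod.rejected` event type and the "approval missing" message are assumptions made for illustration; it also assumes the policy does not apply (and the action proceeds) when the `when` conditions are not met.

```python
from dataclasses import dataclass
from typing import Optional

# Roles the policy allows as approvers. R-DEV and R-AA are absent, so an
# agent can never approve anything, including its own recommendations.
APPROVER_ROLES = {"R-DS", "R-AG", "R-SO", "R-RM"}

@dataclass(frozen=True)
class Principal:                      # hypothetical type
    id: str
    role: str
    sponsor: Optional["Principal"] = None   # C-04: required for R-AA

@dataclass(frozen=True)
class Action:                         # hypothetical type
    environment: str
    requires_approval: bool
    proposer: Principal
    approver: Optional[Principal]

def _deny(audit: list, reason: str) -> tuple[bool, str]:
    # "sod.rejected" is an assumed event type; the page only names "sod.enforced".
    audit.append({"type": "sod.rejected", "reason": reason})
    return False, reason

def evaluate(action: Action, audit: list) -> tuple[bool, str]:
    """Return (allowed, reason) and record the decision in the audit list."""
    p, a = action.proposer, action.approver
    # C-04: an automated agent must act under a sponsor.
    if p.role == "R-AA" and p.sponsor is None:
        return _deny(audit, "C-04: R-AA requires R-* sponsor")
    # The policy's `when` clause: production actions that require approval.
    if action.environment != "production" or not action.requires_approval:
        return True, "policy not applicable"
    if a is None:
        return _deny(audit, "SoD Violation: approval missing")
    # Compare stable principal ids, not display names or object identity.
    if a.id == p.id:
        return _deny(audit, "SoD Violation: Self-approval not permitted")
    if a.role not in APPROVER_ROLES:
        return _deny(audit, f"SoD Violation: role {a.role} cannot approve")
    audit.append({"type": "sod.enforced", "proposer": p.id, "approver": a.id})
    return True, "approved"
```
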
Non-Delegable Decisions
| Decision | Why |
|----------|-----|
| Key rotation approval | Security critical |
| CALM compliance | Architectural integrity |
| Semantic meaning | Domain ownership |
| Production promotion | Release control |
Last Updated: January 2026