Your AI agent can act. It needs boundaries before production.
Agent Passports
Every AI agent needs a Passport before it acts.
Owner, tool boundaries, data scope, approval gates, egress, trace logging, and expiry — defined before agents reach production.
Agent Boundary Map
passport: active
Research Agent
Owner: J. Moreau · Expiry: 30 Sep 2026
Allowed tools
Blocked
Agents are different from chatbots.
A chatbot answers questions. An AI agent calls tools, sends requests, writes to systems, and generates side effects — often without a human seeing the individual actions. That is a different risk category. That requires a Passport.
When to issue an Agent Passport
Six actions that require a Passport before production.
Agent can send email
Requires human approval gate before outbound
Agent writes to CRM
CISO sign-off required. Read-only by default.
Agent accesses HR data
DPO review required. Art. 9 data flag.
Agent calls external API
Egress policy required. Allowlist enforced.
Agent uses credentials
Credential scope declared at issuance.
Agent retrieves documents
RAG boundary and retrieval receipt required.
The problem
Agents operating without a Passport.
Agent with no named owner.
Every Agent Passport requires an accountable owner who can approve, restrict, and revoke access instantly.
Agent with no tool boundary.
Allowed tools are declared at issuance. Any call outside the declared list is logged as an anomaly and flagged.
Agent with no audit trail.
Runtime trace is required. Every tool call is logged with timestamp, input context, and action taken.
Agent running indefinitely with no expiry or renewal.
Hard expiry on every Passport. Tide Monitor sweeps hourly and alerts before lapse — no silent renewals.
Passport structure
10 fields define the full boundary.
Agent name & owner
Who is accountable for this agent's actions?
Purpose & intended scope
What is the agent authorised to do?
Allowed tools
Which tools can the agent call? (web_search, pdf_reader, email_draft…)
Allowed data categories
Which data can the agent access?
Allowed systems
Which internal endpoints can the agent reach?
Credential scope
Which read/write permissions are granted?
Egress policy
What can leave the internal perimeter?
Human approval rules
Which actions require a human in the loop?
MCP & runtime trace
Is MCP enabled? Is runtime execution logged?
Expiry date
When does the authorisation lapse?
Human-in-the-loop
Some actions require a human before the agent can proceed.
Agent Passports define which actions require human approval before execution. The agent pauses, a reviewer sees the proposed action and approves or blocks it, and the decision is logged with actor and timestamp.
Signal Receipts
Every tool call generates a receipt.
Runtime Signal Receipts log every tool call the agent makes — with timestamp, input context, output, and whether human approval was granted. Receipts are signed and immutable.
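How a passport check and a signed receipt can fit together, as an added example that is not AffectLog's code or schema: a constructed passport (tools, approval rule, expiry, revocation) is evaluated for each proposed tool call, and the decision is written to a receipt. The field names, the `deny`/`pending`/`allow` decisions, and the use of HMAC-SHA256 with a gateway-held key for signing are assumptions of this sketch.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

# Constructed sample passport; field names are illustrative, not a product schema.
PASSPORT = {
    "agent": "Research Agent",
    "owner": "J. Moreau",
    "allowed_tools": {"web_search", "pdf_reader", "email_draft"},
    "approval_required": {"email_draft"},  # human-in-the-loop actions
    "expiry": datetime(2026, 9, 30, tzinfo=timezone.utc),
    "revoked": False,
}
RECEIPT_KEY = b"demo-key-not-for-production"  # assumption: held by the gateway, never the agent


def decide(passport, tool, now, approved_by=None):
    """Return (decision, reason) for one proposed tool call."""
    if passport["revoked"]:
        return "deny", "passport revoked"
    if now >= passport["expiry"]:
        return "deny", "passport expired"
    if tool not in passport["allowed_tools"]:
        # This sketch denies as well as records the out-of-boundary call.
        return "deny", "tool outside declared boundary"
    if tool in passport["approval_required"] and not approved_by:
        return "pending", "human approval required"
    return "allow", "within passport"


def issue_receipt(passport, tool, context, now, prev_sig="", approved_by=None):
    """Evaluate the call and return a signed receipt chained to the previous one."""
    decision, reason = decide(passport, tool, now, approved_by)
    body = {
        "agent": passport["agent"], "tool": tool, "context": context,
        "timestamp": now.isoformat(), "decision": decision, "reason": reason,
        "approved_by": approved_by, "prev": prev_sig,
    }
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(RECEIPT_KEY, payload, hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


def verify_receipt(receipt):
    """Recompute the HMAC over every field except the signature itself."""
    body = {k: v for k, v in receipt.items() if k != "sig"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(RECEIPT_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["sig"])
```

Because each receipt carries the previous signature in `prev`, editing or deleting one entry breaks verification of the chain from that point on.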
Lifecycle
Issue. Approve. Monitor. Revoke.
Issue
Agent owner fills Passport: tools, data, scope, human approval rules, expiry.
Approve
CISO or DPO reviews in Compass. Approves, restricts, or blocks.
Monitor
Runtime trace logs every tool call. Tide sweeps for anomalies and expiry.
Revoke
One click revokes the Passport. Agent access stops immediately. Action logged.
The difference
Agents in production — with and without a Passport.
Without an Agent Passport
- No named owner — accountability unclear
- No declared tool boundary — agent calls what it chooses
- No audit trail of tool calls or decisions
- Agent runs indefinitely — no expiry
- CISO and DPO unaware of agent's data access
- No revocation path without code changes
With an Agent Passport
- Named owner with instant revoke authority
- Tool allowlist declared — anomalies flagged automatically
- Full runtime trace: tool, timestamp, context, approval
- Hard expiry with Tide Monitor alerting before lapse
- CISO and DPO reviewed and approved before production
- One-click revocation — access stops immediately
Common questions
Agent governance — addressed.
“Our agent is internal — not a vendor product.”
Internal agents often have more access than vendor AI tools — credentials, production systems, employee data. Agent Passports bring the same accountability whether the agent is internal or external.
“We monitor agents with LangSmith / our observability stack.”
Observability records what agents did. Agent Passports define what agents are authorised to do — and enforce expiry and revocation when authorisation changes.
“The agent is experimental — governance can come later.”
Experimental agents that access internal systems, APIs, or data are already creating exposure. Governance defined at the start costs minutes. Governance retrofitted after an incident costs significantly more.
Get started
Issue your first Agent Passport before the agent acts.
Define tools, data, approval gates, and expiry. Every agent needs an owner, a boundary, and a signed receipt trail before it operates on company systems.
AffectLog provides technical and operational evidence to support AI access decisions. Not legal advice, certification, or regulatory approval.