Skip to main content
Question

Where should deterministic authorization live before an AI agent executes a transaction?

  • July 16, 2026
  • 1 reply
  • 13 views

Founderbyled
Forum|alt.badge.img

Google Cloud’s agentic architecture provides strong controls for identity, isolation, prompt protection, observability, and tool access.

However, once an AI agent is allowed to trigger a consequential operation — such as approving a financial condition, changing an account state, executing a transaction, or closing a security alert — observability alone is not authorization.

We are currently testing the following separation of responsibilities for a regulated financial workflow:

1. **The AI interprets**
   - Understands the user’s intent.
   - Retrieves permitted context.
   - Selects a potential action and its parameters.
   - Produces a proposal, not an authorization.

2. **A deterministic policy service authorizes**
   - Evaluates the end-user identity, agent identity, tenant, purpose, consent, policy version, transaction parameters, authority limits, and risk constraints.
   - Returns either a denial or a short-lived, single-use authorization artifact.
   - Operates fail-closed.

3. **The transactional system executes**
   - Does not trust the model’s output as authorization.
   - Independently validates the authorization artifact.
   - Verifies that the identity, parameters, policy decision, and requested operation are still the same.
   - Prevents replay and time-of-check/time-of-use substitution.

4. **An evidence layer proves**
   - Generates a unique Decision ID and a tamper-evident receipt.
   - Binds the policy version, identities, action, result, and timestamps.
   - Avoids retaining the raw prompt or model output when the payload contains regulated or personal data.

Conceptually:

User / Channel
→ Agent Runtime
→ Deterministic Policy Decision Point
→ Tool or MCP invocation
→ Transactional backend
→ Verifiable decision receipt

The unresolved question is where the definitive enforcement boundary should live in Google Cloud’s current agentic stack.

The candidate patterns we are evaluating are:

- Agent Gateway as the policy enforcement point before every tool call;
- a dedicated Cloud Run policy decision service;
- an MCP proxy wrapping each consequential capability;
- enforcement directly inside each transactional backend;
- or a combination in which the gateway evaluates policy, but the backend independently verifies a signed authorization artifact.

The design must preserve the following invariants:

- the model cannot grant authority to itself;
- the human and agent identities remain attributable end-to-end;
- authorization is bound to one exact action and parameter set;
- authorization cannot be replayed or substituted;
- policy changes invalidate stale authorizations;
- failures and timeouts deny execution;
- tenant and jurisdiction boundaries remain isolated;
- audit evidence can be independently verified;
- sensitive prompts and outputs do not need to be retained;
- the additional latency remains suitable for synchronous transactions.

I would value the community’s perspective on five specific questions:

1. Is Agent Gateway intended to become the definitive authorization boundary for consequential tool execution, or primarily a routing, visibility, and security-policy layer?

2. What is the recommended Google Cloud pattern for binding a policy decision to exactly one downstream tool invocation, so that the backend can independently verify the decision?

3. Should the final enforcement decision occur at Agent Gateway, at the MCP server, or inside the transactional system itself?

4. Is there a Google-native reference pattern for producing signed, append-only, independently verifiable decision receipts without retaining the underlying prompt and response?

5. How should a single correlation or Decision ID propagate across Agent Runtime, Agent Gateway, MCP, Cloud Run, and the transactional backend without placing regulated data in logs or traces?

Our current architectural position is:

**The AI interprets.  
The institution authorizes.  
The system executes.  
The evidence proves.**

This pattern is being implemented and adversarially tested in a bounded financial-services workflow on Google Cloud. I can share a sanitized architecture diagram and the associated security invariants if that would help the discussion.

1 reply

whathehack81
Forum|alt.badge.img+5

I would treat the transactional backend as the definitive policy enforcement point, with Agent Gateway and the MCP layer providing earlier, defense-in-depth enforcement.

The model should only produce a proposed operation. A deterministic PDP can evaluate that proposal and issue a short-lived, audience-bound, single-use authorization artifact, but the backend must independently verify it against the exact operation, canonicalized parameter hash, resource identity/version, tenant, user identity, agent identity, purpose, policy version, and current policy epoch.

One important distinction is that a self-contained signed artifact does not by itself satisfy the requirement that policy changes invalidate stale authorizations. That requires either online introspection, a backend-validated policy/revocation epoch, or a very short-lived grant backed by a one-time authorization registry.

For replay protection, I would bind the grant to a unique jti or nonce and consume it atomically with the transaction. The artifact should also include a narrow audience identifying the specific backend capability, not merely the agent or MCP server.

My preferred enforcement sequence would therefore be:

Agent Gateway validates identity and constrains the call
→ MCP proxy normalizes the capability request
→ deterministic PDP authorizes the exact canonical request
→ transactional backend independently validates and atomically consumes the grant
→ evidence service records the Decision ID and signed result receipt

For the evidence layer, the receipt can contain hashes and identifiers rather than prompts or model output: Decision ID, identity references, canonical action hash, policy version, authorization result, execution result, and timestamps. That preserves independent verification without retaining regulated conversational content.

So I would describe Agent Gateway as an important policy enforcement layer, but not as the sole or definitive authorization boundary for consequential transactions. The system that owns the protected state must retain final authority over whether that state changes.