Policy-bound autonomy

Supports: Verbatim description of the runtime policy-evaluation model this control instantiates. The decoupling of decision-making from enforcement is exactly the seam at which policy-bound autonomy inserts the OPA (or Cedar) call before tool execution. "Policies and data" maps directly to the declarative Rego ruleset that defines the agent's autonomy envelope.

Does not prove: OPA documentation is general-purpose and does not mention AI agents or autonomy envelopes specifically. The agentic application layer — wiring the tool-execution seam to OPA — is Helmwart's design pattern, not OPA's own framing.

Supports: Establishes policy-driven, per-request access decisions as a foundational ZTA tenet. The phrase "dynamic policy" applied to each resource request is the conceptual ancestor of runtime autonomy-envelope evaluation. The MDX content cites this section explicitly.

Does not prove: Does not mention AI agents, language models, or agentic systems. The "subject" in ZTA is a human user or device, not an AI agent. Helmwart extends the ZTA model to the agent action layer.

Supports: The PE/PEP split maps directly to OPA's architecture: the policy engine (PE) evaluates the Rego policy; the tool-execution seam acts as the PEP, allowing or blocking the action based on the engine's decision. Confirms the architectural model the MDX describes.

Does not prove: NIST defines PE/PEP for network and resource access, not for AI tool calls. Helmwart analogises the pattern; the document does not describe agentic action spaces.

Supports: Verbatim call for a "centralized policy engine" to re-verify each privileged step — the closest upstream wording match for the runtime policy-evaluation pattern this control implements. "Per-action" matches the tool-execution-seam placement described in the MDX.

Does not prove: ASI03's framing is about privilege escalation and identity abuse, not about declarative autonomy envelopes. Helmwart generalises the "per-action policy engine" pattern beyond privilege-escalation scenarios to all out-of-envelope actions.

Supports: Names "restricted execution environments … with API scopes based on least privilege" as a rogue-agent countermeasure. The API-scope restriction is an implementation-level expression of the autonomy envelope this control formalises into a declarative policy.

Does not prove: ASI10's primary focus is containment of behaviorally-deviant agents after divergence begins; policy-bound autonomy is a proactive prevention layer applied before execution. The two controls are complementary, not identical.

Supports: Verbatim pairing of "strict tool access control policies" with "granular RBAC & ABAC" as the proactive layer for containing tool misuse and privilege compromise (T2, T3). Both bullets describe exactly the policy-engine-enforced action-space restriction this control implements.

Does not prove: Playbook 3 describes the control class (RBAC/ABAC policies); it does not specify OPA or Cedar as the engine, nor does it describe the autonomy-envelope abstraction or the Rego policy-authoring investment required.

Supports: Concise upstream statement of the principle: the model's action and data-access space should be minimised. This is the principle that the autonomy-envelope policy operationalises into a machine-evaluable ruleset.

Does not prove: The AI Exchange control is principle-level guidance; it does not prescribe a runtime policy engine, OPA/Cedar, or the tool-execution seam as the enforcement point. Implementation specifics are Helmwart's.