Introduction

What is aws2?

aws2 is the Agentic Workspace Security Standard. It is a working-draft profile model for business workflows where AI agents can reach files, tools, apps, repositories, shells, documents, memory, connectors, or communication channels.

The simple version

An AI chatbot answers questions. An AI agent can help do work.

That difference matters. Once an agent can read a folder, call a tool, open a repository, use a connector, run a command, draft a message, or update a business record, the risk is no longer only whether the answer sounds right. The risk is what the agent could touch, what it could change, whose authority it used, and what record remains afterward.

aws2 gives teams a way to draw that boundary for one workflow.

Why a separate profile is useful

Most organizations already have useful buckets: identity controls, endpoint security, application security, AI governance, logging, legal review, vendor review, and internal policies.

Agentic work crosses those buckets. One workflow can involve a user's account, a runtime policy, local files, a SaaS connector, a source repository, retrieved context, memory, approval gates, logs, and governance decisions. Usually, no single existing bucket explains the whole path.

aws2 is meant to sit around that combined workflow. It asks for the connective evidence:

  • what is in scope and what is excluded
  • what the agent can observe, invoke, change, send, retain, or prove
  • whose authority the workflow uses
  • which high-impact actions must pause for approval
  • which skills, tools, connectors, and context sources can steer the agent
  • how secrets and sensitive data are handled
  • which logs, receipts, findings, exceptions, and claim limits exist

Who it is for

Executives and managers can use aws2 to ask whether an AI workflow is visible enough to approve, narrow, or stop.

DevOps and platform teams can use it to identify the runtime, workspace, connector, shell, repository, and deployment boundaries that matter.

Security operations and reviewers can use it to look for receipts, approval records, validation findings, source trust, sensitive-data controls, and exception ownership.

Developers and implementation teams can use it to understand which controls and evidence are expected before a workflow gets stronger claims.

The review unit

The review unit is a scoped agentic workspace system.

That means one named workflow and its actual reachable environment. It is broader than a prompt or model. It is narrower than every AI use in the company.

For example, a release-assistant workflow might include one AI runtime, selected repositories, a documentation folder, a ticket project, a shell command policy, a draft-message path, human approval for external messages, and a set of logs or receipts. Other AI tools in the company are outside the scope unless the profile includes them.

What good looks like

A useful aws2 profile should help a reviewer answer seven questions:

  1. What workflow is being reviewed?
  2. What can the agent reach?
  3. What can it change, send, execute, or trigger?
  4. Whose authority does it use?
  5. What must stop for approval?
  6. What evidence can reconstruct important actions?
  7. What gaps, exclusions, or exceptions block stronger claims?

The point is not to slow every AI workflow down. The point is to stop invisible AI work from becoming normal business process before anyone can explain its boundary.

Current status

The current aws2 text is a working draft. It can structure review and evidence planning, but it does not create certification, legal compliance, external endorsement, or public conformance by itself.
