AWS2-RUN: Runtime Policy, Approvals, And Action Control

Working draft

This page renders the current aws2 working draft. It is not a released standard, certification program, compliance framework, legal analysis, endorsement, or public conformance claim.

Objective:

The scoped agentic workspace system should mediate agent actions before execution, apply policy to tool and connector use, require approval for high-impact action classes, and produce reviewable records of allowed, denied, and approved actions.

Primary layer: runtime platform.

Typical owner: runtime platform.

Applicability:

Applies when a runtime can invoke tools, connectors, scripts, shell commands, applications, workflows, sub-agents, or external services.

Level 1 Candidate Requirements

AWS2-RUN-L1-001: The scoped agentic workspace system MUST identify high-impact action classes that agents can request or perform, including tool calls, connector actions, shell or code execution, workflow invocations, external communications, data-export actions, access-control changes, and sub-agent delegation where applicable.

AWS2-RUN-L1-002: The scoped agentic workspace system MUST define which high-impact action classes require human approval, runtime policy approval, denial by default, step-up authorization, budget limits, circuit breakers, or a combination of these controls.

AWS2-RUN-L1-003: The scoped agentic workspace system MUST identify whether the runtime can allow, deny, pause, request approval for, interrupt, roll back, or record tool and connector actions before and after execution.

Level 2 Candidate Requirements

AWS2-RUN-L2-001: The scoped agentic workspace system MUST require an approval gate before an agent performs a high-impact action that writes to production systems, executes shell commands with broad filesystem or operational impact, sends external communications, changes access controls, exports sensitive data, or commits irreversible or difficult-to-reverse changes.

AWS2-RUN-L2-002: The scoped agentic workspace system MUST record policy outcomes for high-impact action requests, including allowed, denied, approval required, approved, rejected, expired, canceled, interrupted, rolled back, or rate-limited outcomes where applicable.

AWS2-RUN-L2-003: The scoped agentic workspace system SHOULD support emergency stop, session-cancel, rollback, or containment procedures for agent activity that deviates from approved scope, exceeds action budgets, violates allowlists, or matches known tool-abuse patterns.

Level 3 Candidate Requirements

AWS2-RUN-L3-001: The scoped agentic workspace system MUST enforce runtime mediation before high-impact actions execute, including policy checks for tool, connector, shell, workflow, external-service, and sub-agent actions where applicable, rather than relying only on after-the-fact log review.

AWS2-RUN-L3-002: The scoped agentic workspace system MUST test approval gates, denied-action paths, allowlists, budget limits, circuit breakers, emergency stops, rollback procedures, and critical policy decisions on a recurring or release-driven basis.

AWS2-RUN-L3-003: The scoped agentic workspace system SHOULD provide tamper-evident, independently retained, or separation-controlled records for high-impact runtime decisions.
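
An added illustration, not part of the aws2 draft: a minimal pre-execution mediator that applies default-deny, an approval gate, and a per-class budget before an action runs, and writes each outcome to a hash-chained record, in the spirit of AWS2-RUN-L2-001, L2-002, L3-001, and L3-003. The action class names, the budget value, the record fields, and passing the approver as a parameter are assumptions made for the example.

```python
import hashlib, json

# Constructed policy: action class -> control. Class names are illustrative assumptions.
POLICY = {"read_file": "allow", "shell_exec": "approval_required",
          "external_message": "approval_required", "access_control_change": "deny"}
BUDGET = {"shell_exec": 2}  # assumed cap on approved executions per session

class Mediator:
    def __init__(self):
        self.records = []   # hash-chained decision log
        self.used = {}      # per-class budget counters

    def _record(self, action, outcome, approver=None):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = {"seq": len(self.records), "action": action, "outcome": outcome,
                "approver": approver, "prev": prev}
        body["hash"] = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.records.append(body)
        return outcome

    def request(self, action, approver=None):
        """Decide before execution; the caller runs the tool only on allowed/approved."""
        rule = POLICY.get(action["class"], "deny")  # unknown classes are denied by default
        if rule == "deny":
            return self._record(action, "denied")
        if rule == "allow":
            return self._record(action, "allowed")
        if approver is None:
            return self._record(action, "approval_required")
        limit = BUDGET.get(action["class"])
        used = self.used.get(action["class"], 0)
        if limit is not None and used >= limit:
            return self._record(action, "rate_limited", approver)
        self.used[action["class"]] = used + 1
        return self._record(action, "approved", approver)

def verify_chain(records):
    """True if no record was edited, reordered, or deleted mid-chain."""
    prev = "0" * 64
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if rec["prev"] != prev or rec["seq"] != i or digest != rec["hash"]:
            return False
        prev = rec["hash"]
    return True
```

Truncation of the newest records is not detectable from the chain alone; the latest hash has to be retained somewhere the runtime cannot rewrite.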

Minimum evidence examples:

  • runtime action policy
  • high-impact action taxonomy
  • tool or connector allowlist
  • budget or circuit-breaker policy
  • pre-execution hook or mediation configuration
  • approval workflow configuration
  • sampled approval receipts
  • denied-action and policy-trigger logs
  • emergency-stop or rollback test record
  • tool-call abuse or blocked-action test record

Mapping notes:

  • The completed crosswalk treats AWS2-RUN as a candidate-control family shaped by CSA AARM interception, authorization, step-up approval, and action receipt signals; OWASP AISVS budgets, circuit breakers, action gates, and MCP-control signals; AIUC-1 allowlist and pre-execution-hook signals; Five Eyes least-privilege, JIT, central-policy, and human-approval guidance; and MITRE ATLAS tool-invocation abuse scenarios.

Claim limits:

  • Runtime policy evidence supports selected runtime-action controls. It does not imply AARM conformance, AISVS conformance, AIUC-1 certificate equivalence, legal sufficiency, or aws2 certification.