Enterprise controls
The control plane around runtime proof.
Imladri already records the runtime decision and proof packet. The enterprise layer makes that operational: workspace RBAC, audit-log search, export, retention, and incident review around every agent boundary.
RBAC model
| Role | Expected permissions |
|---|---|
| Owner | Manage workspace, agents, SDK key rotation, policy publish, proof shares, exports, and cleanup. |
| Operator | Run terminal/API proof, launch allowed workflows, sync scanner evidence, and stop provider or sandbox resources. |
| Reviewer | Inspect activity, proof packets, policy diffs, scanner findings, and approve review-required actions. |
| Auditor | Read redacted proof shares and verification metadata without raw secrets or private workspace state. |
Audit record
| Area | What should be searchable |
|---|---|
| Identity | Organization, workspace, account, active agent, authority subject, and delegation depth. |
| Policy | Published version, allowed/review/blocked actions, unknown-action mode, and policy diff context. |
| Decision | Action type, boundary, expected decision, status, HTTP code, latency, source, request id, and event hash. |
| Evidence | Runtime evidence, scanner report, SDK certification, DB branch proof, provider proof, packet digest, and chain root. |
| Export | JSON, Markdown, PDF, public share creation, share access, revocation, redaction mode, and verifier result. |
Implementation status
| Capability | Status |
|---|---|
| Implemented: RBAC | Backend admin roles gate read, mutate, and proof-run surfaces for the current control-plane workspace. |
| Implemented: audit log | Admin login and control-plane mutations write append-only audit events. |
| Implemented: Admin readback | Operators can see workspace health, route coverage, activity counts, proof readiness, and key state without raw key values. |
| Implemented: alert webhook | Worker dead-letter and operator-alert routing can post to the configured webhook and fallback email route. |
| Next: SSO/OIDC/SAML | Enterprise identity federation is the next identity phase; do not position it as complete yet. |
| Next: SCIM | Directory lifecycle sync is planned after SSO/OIDC is in place. |
| Next: SIEM export | Normalized customer-owned SIEM export is planned beyond the current operator-alert webhook. |
| Next: retention controls | Workspace retention policies are planned beyond current redacted-share and export behavior. |
Readiness line
Current pilots prove runtime controls and operator governance; full enterprise identity comes next.
Use the design-partner path for one privileged workflow first, then expand SSO/OIDC, SCIM, customer SIEM export, retention, and approval routing around the same decision timeline and proof packet.