Agents that can “read everything” eventually read the wrong thing. Data boundaries define what an agent may retrieve, write, or infer—and what always requires a human.
Allow / deny matrix (template)
| Resource | Read | Write | Conditions |
|---|---|---|---|
| CRM (customer tier) | Yes | No | Production account only |
| Ticket system | Yes | Yes (draft note) | No PII export off-platform |
| Email send | No | No | Human sends in v1 |
| Internal wiki approved | Yes | No | Tag filter required |
| HR / payroll | No | No | Always denied |
Policy triggers (examples)
- Export-control or health-related keywords → stop, route to human.
- Request to bulk-delete records → deny tool call.
- Confidence below threshold → no write actions.
Implementation notes
- Enforce boundaries in the integration layer, not only in prompt text.
- Log every tool call with actor, workflow version, and resource ID.
- Review boundaries when you add a model or connector—not only at launch.
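
One way to enforce the matrix and the policy triggers in the integration layer, with every tool call logged. This is an added example, not code from the original page. The resource keys, the `ToolCall` fields, the sample keywords, and the 0.8 threshold are assumptions. It covers the Read/Write columns and the three triggers, and does not model the Conditions column.

```python
import json
import logging
from dataclasses import dataclass

log = logging.getLogger("agent.toolcalls")

# Read/Write columns of the matrix above; resource keys are assumed names.
MATRIX = {
    "crm":     {"read": True,  "write": False},
    "tickets": {"read": True,  "write": True},   # write = draft note only
    "email":   {"read": False, "write": False},
    "wiki":    {"read": True,  "write": False},
    "hr":      {"read": False, "write": False},
}
STOP_KEYWORDS = ("export control", "diagnosis")  # constructed sample keywords
MIN_WRITE_CONFIDENCE = 0.8                       # assumed threshold

@dataclass
class ToolCall:
    actor: str
    workflow_version: str
    resource: str
    resource_id: str
    action: str              # "read", "write" or "bulk_delete"
    text: str = ""           # request text checked against STOP_KEYWORDS
    confidence: float = 1.0

def authorize(call: ToolCall) -> str:
    """Return 'allow', 'deny' or 'human'. Unknown resources and actions are denied."""
    if any(k in call.text.lower() for k in STOP_KEYWORDS):
        decision = "human"   # stop and route to a human
    elif call.action == "bulk_delete":
        decision = "deny"
    elif not MATRIX.get(call.resource, {}).get(call.action, False):
        decision = "deny"    # default-deny: anything not in the matrix
    elif call.action == "write" and call.confidence < MIN_WRITE_CONFIDENCE:
        decision = "deny"    # low confidence: no write actions
    else:
        decision = "allow"
    # Log every decision, including denials, with actor, version and resource ID.
    log.info(json.dumps({
        "actor": call.actor, "workflow_version": call.workflow_version,
        "resource": call.resource, "resource_id": call.resource_id,
        "action": call.action, "decision": decision}))
    return decision
```

The connector code calls `authorize` before executing any tool call and proceeds only on `"allow"`, so the decision does not depend on what the prompt says.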