What Are Roles?

A role defines how much authority an agent has when it detects something. Every agent is assigned exactly one role, and that role governs what the agent can do in response to its findings.

The Two Roles

The Observer role watches and records. When an agent operating as an Observer detects a risk, it logs the finding but takes no further action. Your team can review these logs at any time.

Best for:
  • Initial rollout when you want to understand your risk landscape
  • Low-risk workspaces where visibility is sufficient
  • Gathering data before deciding on stricter enforcement
What happens: Every finding is logged and visible in your dashboard. No notifications are sent. No traces are interrupted.

The Enforcer role gives you the highest level of control. It can block traces outright and hold escalated traces until a human reviews and approves them.

Best for:
  • High-risk workspaces handling sensitive data
  • Regulated industries with strict compliance requirements
  • Scenarios where a compliance violation must be prevented
What happens: Blocked traces are stopped immediately. Escalated traces are held in a review queue and cannot proceed until a team member resolves them.

What Are Intents?

An intent is the agent’s evaluation of a specific trace. After analysing a trace against its rules, the agent produces one of three intents.
Intent | Meaning
Allow | The trace is compliant and can proceed normally.
Block | The trace poses a risk and should be stopped.
Escalate | The trace needs human review before a decision is made.
An intent represents what the agent thinks should happen. The agent’s role determines what actually happens.

Action Resolution

The combination of an agent’s role and its intent determines the final action. Use this matrix as your reference.
Role | Allow | Block | Escalate
Observer | Log | Log | Log
Enforcer | Log | Block | Review Task (blocks until resolved)
Key takeaways from this matrix:
  • An Observer always logs, regardless of intent. It never interrupts anything.
  • Only an Enforcer can block a trace or create a review task that holds it pending human approval.

Choosing the Right Role

1. Start with Observer

Deploy agents in Observer mode first. This gives you a clear picture of what your agents are detecting without any disruption to your team. Run in this mode for at least one to two weeks.

2. Review your findings

Examine the logs to understand your risk profile. Look at what would have been blocked or escalated. Identify which agents are surfacing the most relevant findings.

3. Promote to Enforcer where needed

For high-risk areas where violations must be prevented, promote agents to Enforcer mode. Reserve this for workspaces and agents where the cost of a violation outweighs the cost of occasional interruption.
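The review in step 2 can be run as a dry-run replay of Observer findings through the Enforcer row of the action matrix. This is an added example, not the product's own code or API: the finding fields (`agent`, `trace`, `intent`), the agent names and the sample records are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Action matrix from the "Action Resolution" section: (role, intent) -> action.
ACTIONS = {
    ("observer", "allow"): "log",
    ("observer", "block"): "log",
    ("observer", "escalate"): "log",
    ("enforcer", "allow"): "log",
    ("enforcer", "block"): "block",
    ("enforcer", "escalate"): "review_task",
}

def resolve(role, intent):
    """Return the final action; reject anything outside the matrix."""
    try:
        return ACTIONS[(role.lower(), intent.lower())]
    except KeyError:
        raise ValueError(f"unknown role/intent: {role!r}/{intent!r}") from None

def promotion_report(findings):
    """For each agent, count what Enforcer would have done with the
    intents that agent logged while running as an Observer."""
    report = defaultdict(Counter)
    for finding in findings:
        action = resolve("enforcer", finding["intent"])
        report[finding["agent"]][action] += 1
    return {agent: dict(counts) for agent, counts in report.items()}

def interruption_rate(counts):
    """Share of an agent's traces that Enforcer would stop or hold."""
    total = sum(counts.values())
    held = counts.get("block", 0) + counts.get("review_task", 0)
    return held / total if total else 0.0

# Constructed sample findings; field names and agent names are hypothetical.
SAMPLE = [
    {"agent": "pii-agent", "trace": "t1", "intent": "Allow"},
    {"agent": "pii-agent", "trace": "t2", "intent": "Block"},
    {"agent": "pii-agent", "trace": "t3", "intent": "Escalate"},
    {"agent": "pii-agent", "trace": "t4", "intent": "Allow"},
    {"agent": "policy-agent", "trace": "t5", "intent": "Allow"},
    {"agent": "policy-agent", "trace": "t6", "intent": "Allow"},
]

if __name__ == "__main__":
    for agent, counts in promotion_report(SAMPLE).items():
        print(agent, counts, f"{interruption_rate(counts):.0%}")
```

A high interruption rate marks an agent whose promotion would hold many traces in the review queue, which is the cost step 3 asks you to weigh against the cost of a violation.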

Next Steps

Configuring Agents

Set up roles at the organisation and workspace level.

Understanding Agents

Review the available agents and what each one covers.