Secure operators, not loose chatbots

Agent Operations

Agents should operate like controlled users of the system: dedicated machine identity, authenticated API calls, bounded permissions, visible actions, and reviewable logs.

The agent is not the product by itself. The operating environment is the product.
A dedicated machine identity is useful when it is paired with API scopes, permissions, secrets management, and audit trails.
Generated apps make agent work visible because humans can inspect the same workflows, tasks, approvals, and results.

Machine identity

A dedicated machine gives the agent a concrete operating identity: known device, network context, local runtime, stored credentials, and controllable environment.

Dedicated workstation, Device identity, Network presence, Runtime control

Authenticated API calls

The agent should act through approved API routes with role-bound permissions instead of unrestricted access to every system.

Scoped tokens, Service routes, Role policy, Action limits

Visible workflows

Agent work should appear inside dashboards, queues, approvals, drafts, holds, and event logs that people can inspect.

Task queues, Approval states, Draft review, Operational logs

Human control

People need clear ways to pause, review, redirect, approve, revoke, or escalate agent activity.

Pause, Review, Escalate, Revoke
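
An added example, not code from this page or from any product it describes: a minimal Python gate that combines the scoped tokens, route policy and action limits from "Authenticated API calls" with the pause, approval and revoke controls from "Human control", and logs every decision for review. The routes, scope names, limits and the AgentToken and Gate classes are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy: (method, route) -> (required scope, needs approval, max actions)
POLICY = {
    ("GET", "/tickets"): ("tickets:read", False, 100),
    ("POST", "/tickets/draft"): ("tickets:draft", False, 2),
    ("POST", "/refunds"): ("refunds:write", True, 5),
}

@dataclass
class AgentToken:
    agent_id: str                 # dedicated machine identity
    scopes: frozenset             # scopes granted to this identity
    revoked: bool = False         # flipped by a human operator

@dataclass
class Gate:
    paused: set = field(default_factory=set)    # agent_ids paused by a human
    used: dict = field(default_factory=dict)    # (agent_id, method, route) -> allowed count
    audit: list = field(default_factory=list)   # reviewable decision log

    def _decide(self, token, method, route, approved_by):
        rule = POLICY.get((method, route))
        if rule is None:
            return "deny:unknown_route"         # default deny: only listed routes exist
        scope, needs_approval, limit = rule
        if token.revoked:
            return "deny:revoked"
        if scope not in token.scopes:
            return "deny:missing_scope"
        if token.agent_id in self.paused:
            return "hold:paused"                # held, not dropped, so work can resume
        if self.used.get((token.agent_id, method, route), 0) >= limit:
            return "deny:action_limit"
        if needs_approval and approved_by is None:
            return "hold:needs_approval"
        return "allow"

    def authorize(self, token, method, route, approved_by=None):
        decision = self._decide(token, method, route, approved_by)
        if decision == "allow":
            key = (token.agent_id, method, route)
            self.used[key] = self.used.get(key, 0) + 1
        # Every decision is logged, including denials and holds.
        self.audit.append({"agent": token.agent_id, "method": method, "route": route,
                           "approved_by": approved_by, "decision": decision})
        return decision
```

The action limit here is a simple per-route counter; a deployed gate would normally reset it on a time window and verify the token cryptographically before trusting its scopes.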

Agents need an operating system around them.

The dashboards page shows examples of the kinds of app surfaces people and agents can share.
