Discovery is not permission
A caller may be allowed to know an agent exists without being allowed to invoke it, stream from it, or ask it to change a record.
Multi-agent access field packet
Before one agent discovers, calls, streams from, or authenticates with another, give the path a row: owner, caller list, scopes, operations, streaming rule, rate limit, credential source, log destination, disable owner, and review trigger.
Two or more agents discover, call, stream to, write to, authenticate with, or escalate to one another.
A new agent registry, A2A gateway, shared tool shelf, or orchestration layer is about to make agents easier to find.
A workflow crosses business boundaries such as support to billing, procurement to compliance, or sales to finance.
Streaming responses, delegated credentials, or automated escalation could expose context before review.
The owner cannot answer which agent may call which other agent, under which scope, and who can turn it off.
The current caller list still says any authenticated agent instead of naming allowed paths.
How to use it
A caller may be allowed to know an agent exists without being allowed to invoke it, stream from it, or ask it to change a record.
Allowed callers is the row that turns a broad agent graph into specific production access. Wildcards should block approval until owners narrow them.
Reading policy, opening an exception, streaming partial context, and administering rules are different permissions even when they target the same agent.
The access path should produce denials and audit records, but it also needs a person who can close the path immediately during an incident.
Copy the table into a planning document or spreadsheet. Keep the first pass narrow: one production workload or five recurring questions before creating a broad catalog.
| Field | What to write | Why it matters |
|---|---|---|
| Workflow name and owner | The workflow this access matrix governs, plus the person accountable for the outcome. | Agent permissions should be reviewed in the context of real work, not as disconnected infrastructure. |
| Agent ID | The stable name that appears in routing, policies, logs, and incident review. | A nickname cannot anchor access control or audits. |
| Business owner | The person or team accountable for this agent's behavior. | Every callable agent needs an owner before it becomes a dependency. |
| Runtime / endpoint | Where the agent runs and what path a client calls. | Routing should be visible before it becomes hidden infrastructure. |
| Capability / agent-card summary | What the agent claims it can do and what callers may discover. | Discovery metadata should not silently become permission. |
| Allowed callers | The agents, clients, workflows, or human consoles allowed to reach this agent. | This is where a wild-card graph becomes a governed graph. |
| Required scopes / claims | The JWT scopes, policy claims, or role grants required for access. | Authentication says who the caller is. Authorization says what path exists. |
| Allowed operations | Read, write, search, summarize, escalate, stream, administer, or a narrower verb list. | Calling an agent and asking it to change something are separate risks. |
| Streaming rule | Whether partial responses may stream back, to whom, and which content is excluded. | A live stream can leak reasoning or sensitive context before final review. |
| Rate limit | The ceiling per caller, per user, per workflow, or per minute. | Retry storms and runaway loops should fail closed before they become incidents. |
| Credential source | Where backend credentials, OAuth clients, or tokens are stored and rotated. | Point-to-point secrets are where invisible coupling starts. |
| Log / audit destination | Where calls, denials, streams, admin changes, and disables are recorded. | The path should be reconstructable after the fact. |
| Emergency disable owner | Who can close the path immediately and through what mechanism. | Incident response starts with knowing who can shut the gate. |
| Review date / trigger | When this row must be re-approved, retired, or changed. | Agent permissions age like production access. |
| Open question | The decision that still blocks approval. | A visible open question is safer than a quiet assumption. |
Copy block
The register is intentionally portable. It should survive a meeting, a pull request, a wiki page, or a spreadsheet before it becomes a polished internal tool.
Agent Access Matrix Workflow name: Workflow owner: Review date: Reviewer: | Agent ID | Business owner | Runtime / endpoint | Capability summary | Allowed callers | Required scopes / claims | Allowed operations | Streaming rule | Rate limit | Credential source | Log / audit destination | Emergency disable owner | Review trigger | Open question | | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | | | | | | | | | | | | | | | | If a caller is not listed, the call should: If streaming is disallowed, the fallback response mode is: If rate limit is exceeded, the workflow should: If the path must be disabled, the owner and mechanism are: What must be reviewed before the next agent is added:
Example row
Next step
BaristaLabs can help turn one live or proposed multi-agent workflow into caller lists, scopes, streaming rules, rate limits, credential sources, log destinations, disable owners, and review triggers before the access graph grows by exception.
Review one agent access graphSource notes
Related resources
Read the A2A gateway context behind this worksheet and the 20-agent connection-sprawl problem it addresses.
Open resourceConnect caller paths to approval policy, receipts, rollback, observability, and review queues.
Open resourceMap source systems, credentials, exclusions, approvals, retention, and unresolved questions before access expands.
Open resourceRecord calls, denials, source evidence, reviewer decisions, final actions, and correction paths for agent runs.
Open resourceSeparate which tools one agent may use from which agents may reach one another.
Open resourceUse the matrix when automating handoffs where multiple agents or workflows may exchange context.
Open resource