Permission and access maps
What may the agent, workflow, field, account, or tool call reach?
Artifact examples
- access matrix
- workflow boundary map
- permission lease
- capability shelf
- secret courier policy
- text-field action map
AI workflow artifacts
When an AI workflow touches customers, records, code, money, public facts, or another agent, the next step should not be a vague policy discussion. Choose the matrix, packet, receipt, ledger, contract, source map, or rollout plan that makes the decision visible.
Chooser shelf
Start with the operational question the meeting is really asking. Each shelf points to concrete worksheets, posts, and a contact path that keeps the request artifact-specific.
What may the agent, workflow, field, account, or tool call reach?
Artifact examples
What does a human need before approving the action?
Artifact examples
Can the team reconstruct what the workflow saw, decided, changed, and still needs?
Artifact examples
What keeps agent-built work reviewable before it merges, runs, or migrates production systems?
Artifact examples
Which source, field, credential, query, package, or handoff could become the incident?
Artifact examples
What keeps the pilot from expanding before the team has evidence, rollback, and ownership?
Artifact examples
What public facts, sources, crawler rules, documents, or customer promises will assistants read and repeat?
Artifact examples
Quick chooser by symptom
| If the team says... | Point them to... | Why |
|---|---|---|
| “We do not know what the agent can touch.” | Permission and access maps | The first artifact should name reach before behavior expands. |
| “The reviewer is guessing.” | Review and approval packets | The work needs source evidence, proposed action, risk flags, owner, and rollback hint before approval. |
| “Nobody can tell what happened last time.” | Receipts, ledgers, and source-of-truth records | The system needs a reconstructable record, not a longer transcript. |
| “The agent can write code or run scripts.” | Build, release, and sandbox controls | Execution needs a sandbox contract, receipt, tests, and rollback before merge or run permission expands. |
| “This could expose data or credentials.” | Security and data-boundary drills | The risk sits in sources, fields, queries, credentials, packages, and handoffs. |
| “The pilot worked once; can we expand it?” | Operational rollout and resilience plans | Expansion needs shadow evidence, pause rules, rollback, and ownership. |
| “Assistants may read or repeat the wrong public fact.” | Public web and AI-search artifacts | The source trail needs a stable owned path and machine-readable terms. |
Recent posts by artifact family
This first map covers more than twenty recent posts. It shows where a future CTA or related link can point without sending every reader to the same broad page.
Future supporting target: Compare boundary artifacts.
Future supporting target: Copy the access matrix.
Future supporting target: Map the text-field action boundary.
Future supporting target: Compare permission leases.
Future supporting target: Map the broader access boundary.
Future supporting target: Choose the approval-packet fields.
Future supporting target: Route the review queue.
Future supporting target: Tune the threshold lane.
Future supporting target: Map the storefront approval path.
Future supporting target: Set the spend circuit breaker.
Future supporting target: Copy the model facts register.
Future supporting target: Copy the metric source register.
Future supporting target: Map a failure population ledger.
Future supporting target: Keep the field fact receipt.
Future supporting target: Add the dispatch ledger.
Future supporting target: Review the agent state map.
Future supporting target: Draft the sandbox contract.
Future supporting target: Use the PR harness.
Future supporting target: Pair with the migration bench.
Future supporting target: Use the fleet contract.
Future supporting target: Write the no-fly list.
Future supporting target: Build the vulnerability desk.
Future supporting target: Track query spill.
Future supporting target: Bench risky skills.
Future supporting target: Map prompt-bearing fields.
Future supporting target: Build the agent BOM.
Future supporting target: Plan the shadow week.
Future supporting target: Write the rollback plan.
Future supporting target: Use the pause note.
Future supporting target: Build the portability packet.
Future supporting target: Map the AI-search source trail.
Future supporting target: Set machine visitor terms.
Future supporting target: Draft the AI-readable briefing page.
Future supporting target: Inventory customer promises.
Future supporting target: Hand off generated documents.
How this fits the controls guide
Use this page when the reader remembers the artifact noun but not the path. Use the controls guide when the team is ready to walk one workflow through boundary, data, policy, shadow week, queue, receipts, tests, observability, and rollback.
If the team can name the workflow but not the work product, bring the question. BaristaLabs can help choose the access map, review packet, receipt, ledger, contract, source map, or rollback plan that should come first.
Choose the first artifact together