Agentic Entitlement Review Pack
What this is. SecurityRecipes is positioned as The Secure Context Layer for Agentic AI. This pack adds the access-lifecycle layer: which agent identity has which MCP scope right now, when that authority expires, who must review it, and what kills the session.
The product bet
The next enterprise reviewer question is not only “which agent can act?” It is:
Does this agent still have this permission right now?
The Agentic Entitlement Review Pack turns static non-human identity contracts into expiring permission leases. It makes agent authorization operational enough for IAM, AI platform, MCP gateway, SOC, GRC, and procurement teams:
- Identity - the registered agent identity and human owner.
- Scope - the MCP namespace and access mode being requested.
- Lease - the active permission grant, expiry, and lease id.
- Review - current, due, overdue, or suspended access-review state.
- Authorization - MCP authorization, audience, resource, and scope evidence.
- Receipt - run, tenant, correlation, approval, and receipt fields needed to reconstruct the decision.
That is a high-value control surface. The open project can publish the model; a production MCP server can sell hosted lease issuance, continuous access review, step-up approval receipts, revocation webhooks, and IdP/SIEM integrations.
What was added
data/assurance/agentic-entitlement-review-profile.json- source contract for entitlement tiers, review cadences, lease TTLs, standards alignment, reviewer views, and trusted-source path.data/evidence/agentic-entitlement-review-pack.json- generated entitlement pack for MCP clients, CI drift checks, and reviewer diligence.recipes_agentic_entitlement_review_pack- MCP lookup by entitlement, identity, workflow, namespace, risk tier, or access mode.
Evaluate an active scoped branch-write entitlement:
Evaluate an expired lease:
What is inside
| Section | Purpose |
|---|---|
entitlement_review_summary |
Entitlement count, workflow count, identity count, access-mode mix, risk-tier mix, approval-required count, and failure count. |
review_contract |
Default fail-closed state, required runtime fields, evidence sources, and allow / hold / deny / kill decision ladder. |
entitlements |
One lease-ready entitlement per identity, workflow, MCP namespace, and access mode. |
workflow_entitlement_rollups |
Per-workflow access summaries for quarterly reviews and platform intake. |
runtime_policy |
Lease status values, review status values, step-up triggers, and kill indicators. |
source_artifacts |
Hashes and paths for the identity, MCP authorization, connector, handoff, action runtime, telemetry, and receipt packs used to build the model. |
MCP examples
Get the executive summary and workflow rollups:
{}
Find entitlements for one workflow:
{
"workflow_id": "vulnerable-dependency-remediation"
}
Find entitlements for one identity:
{
"identity_id": "sr-agent::vulnerable-dependency-remediation::codex"
}
Evaluate one entitlement use:
{
"identity_id": "sr-agent::vulnerable-dependency-remediation::codex",
"workflow_id": "vulnerable-dependency-remediation",
"agent_class": "codex",
"namespace": "repo.contents",
"requested_access_mode": "write_branch",
"lease_id": "lease-123",
"lease_status": "active",
"lease_expires_at": "2099-01-01T00:00:00Z",
"review_status": "current",
"authorization_decision": "allow_authorized_mcp_request",
"run_id": "run-123",
"tenant_id": "tenant-a",
"correlation_id": "corr-123",
"receipt_id": "receipt-123",
"policy_pack_hash": "sha256:policy"
}
Why it is review-ready
Enterprise agent fleets will not scale on prompt text. They need access lifecycle controls that look familiar to IAM and GRC teams but are adapted for autonomous systems:
- agent permission leases,
- quarterly and event-driven access review,
- MCP scope and audience binding,
- step-up authorization for privileged scopes,
- A2A handoff and Agent Card trust evidence,
- action-runtime and catastrophic-risk linkage,
- revocation and kill-session decisions,
- run receipts and telemetry fields for audit.
That makes the project easier to buy, integrate, and diligence. It also creates a natural hosted-ready surface: hosted entitlement review APIs between agent hosts, IdPs, MCP gateways, approval systems, and SIEMs.
Industry alignment
The pack is anchored in current primary guidance:
- OWASP Top 10 for Agentic Applications 2026 for identity abuse, tool misuse, insecure inter-agent communication, cascading failures, and rogue-agent containment.
- MCP Authorization for protected resource metadata, resource indicators, token audience binding, PKCE, scope challenges, and token handling.
- A2A Protocol Specification for Agent Card discovery, Agent Card signing, authentication, authorization, and extended Agent Card access control.
- Microsoft Agent 365 for the market move toward centralized agent registry, access control, observability, governance, security, analytics, and role-specific oversight.
- OpenAI Safety in Building Agents for structured outputs, tool approvals, guardrails, trace grading, and eval evidence around agent workflows.
- NIST AI RMF Generative AI Profile for governance, monitoring, measurement, incident response, and risk treatment.