AI Risk Engine
Tool execution guardrails, approval history, and analytics
Guardrail Tier Matrix
Auto-Execute (Read-Only)
Read-only operations that execute automatically without any approval or logging overhead.
Auto-Execute + Audit
Low-risk mutations that execute automatically but are logged to the audit trail.
Manage Alerts (Acknowledge) — Acknowledge alerts
Manage Alerts (Resolve) — Resolve alerts
Manage Alerts (Suppress) — Suppress alerts temporarily
Manage Notification Channels (Test) — Test notification channel
Manage Services (List) — List services on device
Acknowledge Network Device — Acknowledge network device
Configure Network Baseline — Configure network baseline
Manage Dns Policy — DNS policy management
Take Screenshot — Capture device screenshot
Analyze Screen — Analyze captured screenshot
Set Device Context — Set brain device context
Resolve Device Context — Resolve brain device context
Detect Log Correlations — Log correlation detection
Set Agent Log Level — Set agent log level
Apply Configuration Policy — Assign config policy
Remove Configuration Policy Assignment — Remove config assignment
Manage Configuration Policy (Activate/Deactivate) — Toggle policy status
Test Webhook — Test webhook delivery
Manage Tags (Add/Remove) — Add or remove device tags
Manage Saved Filters (Create/Delete) — Create or delete saved filters
Manage Deployments (Pause/Resume) — Pause or resume deployments
Manage Patches (Approve/Decline/Defer) — Patch approval decisions
Manage Groups (Add/Remove Devices) — Manage group membership
Manage Maintenance Windows (Create/Update) — Create or update maintenance windows
Manage Automations (Enable/Disable) — Toggle automation status
Manage Alert Rules (Create/Update) — Create or update alert rules
Generate Report (Create/Update/Delete/Generate) — Report management
Requires Approval
Destructive or mutating operations that require explicit user approval before execution.
Manage Services (Start/Stop/Restart) — Mutate device services
Manage Processes (Kill) — Terminate a running process
Manage Startup Items (Enable/Disable) — Manage startup items
Manage Scheduled Tasks (Run/Disable/Enable/Delete) — Mutate scheduled tasks
Execute Command — Execute system commands on device
Run Script — Run scripts on up to 10 devices
Computer Control — Send input actions to device
Create Remote Session — Create remote terminal or file session
Security Scan (Quarantine/Remove/Restore) — Threat management actions
Manage Software Policy — Software policy management
Remediate Software Violation — Remediate software violations
File Operations (Write/Delete/Mkdir/Rename) — Mutate files on device
Disk Cleanup (Execute) — Execute disk cleanup
Registry Operations (Set/Create/Delete) — Modify Windows registry
Network Discovery — Network discovery scan
Execute Playbook — Execute self-healing playbook
Trigger Backup — Initiate on-demand backup
Restore Snapshot — Restore a backup snapshot
Manage Monitors (Create/Update/Delete) — Create, update, or delete monitors
Trigger Agent Upgrade — Queue agent upgrade
Manage Configuration Policy (Create/Update/Delete) — Create, update, or delete config policies
Manage Deployments (Create/Start/Cancel) — Create, start, or cancel deployments
Manage Patches (Scan/Install/Rollback) — Scan, install, or roll back patches
Manage Groups (Create/Update/Delete) — Create, update, or delete device groups
Manage Maintenance Windows (Delete) — Delete maintenance windows
Manage Automations (Create/Update/Delete/Run) — Manage automation lifecycle
Manage Alert Rules (Delete) — Delete alert rules
Blocked
Operations that are never allowed, such as cross-organization data access or unknown tools.
Cross-Org Access — Any operation targeting resources outside the current organization
Unknown Tools — Any unregistered tool invocation is blocked