The Access Graph provides a unified organizational view of how access is defined, granted, and enforced across all agentic workflows in the enterprise.
It answers a critical question:
Who or what can access which resources, through which Agents, and why?
By visualizing Identities, Applications, Agents, protection components, and protected Assets in a single connected graph, the Access Graph enables security, platform, and AI governance teams to understand access as an end-to-end system rather than as isolated Policies.
Purpose and Core Use Cases
The Access Graph supports two primary workflows:
- Organizational Visibility.
- Access Investigation.
Organizational Visibility
The graph delivers a continuously updated map of access across the organization, including:
- Identity providers and Dynamic Groups.
- Applications and AI entry points.
- Agent frameworks and individual Agents.
- Protection and enforcement components.
- Protected Assets, such as MCP servers and tools, vector databases, indexes, and data stores.
This view enables teams to evaluate agentic access across systems rather than reviewing Policies in isolation.
Access Investigation
Beyond visibility, the Access Graph enables deep investigation workflows.
Users can start from any object, whether an Identity group, Application, agent framework, individual Agent, or protected Asset, and immediately understand:
- What access exists.
- How access propagates across Applications and Agents.
- Which Policies grant that access.
- Where enforcement occurs at runtime.
This capability supports audits, incident response, and validation of policy intent.
Graph Model
The Access Graph consists of nodes and connections that represent governed objects.
Nodes
Each node represents an object in the system, such as:
- Identity Sources and Dynamic Groups.
- Applications.
- Agent frameworks and individual Agents.
- Protection components.
- Protected Assets, such as MCP servers, tools, databases, indexes, and tables.
Nodes correspond directly to objects managed and governed by the PlainID Authorization Platform.
Connections
Connections between nodes represent:
- Access relationships: Access granted by Policy.
- Structural relationships: Hierarchical or ownership relationships, for example between an MCP server and its tools, displayed as dashed lines.
Together, these relationships provide a complete representation of how access is structured and enforced.
Context Based Exploration
Exploration in the Access Graph is context driven.
Selecting any node adds it to the context bar at the top of the screen. Once added, the graph updates to display only the access paths and permissions relevant to the active context.
Multiple nodes can be added to the context, enabling compound investigations such as:
- What a specific Identity group can access through a specific Application and Agent.
- Which Agents can reach a given Asset from a selected Application.
- How enforcement is applied for a particular access path.
This progressive scoping model enables users to move from a broad organizational view to a precise access investigation without losing clarity.
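The scoping behaviour described above can be modelled as a path filter over access and structural edges. The following is an added illustration, not PlainID code or its API: the node names, policy IDs, and function names are hypothetical. It assumes that multiple context items are combined as an intersection and that a parent object stands for all of its children.

```python
from collections import defaultdict
# Constructed sample graph: every node name and policy ID is hypothetical.
ACCESS = [  # (source, target, policy): access granted by Policy
    ("group:finance", "app:helpdesk", "P-1"),
    ("group:engineering", "app:helpdesk", "P-2"),
    ("app:helpdesk", "agent:triage", "P-3"),
    ("app:helpdesk", "agent:billing", "P-4"),
    ("agent:triage", "tool:search_tickets", "P-5"),
    ("agent:billing", "tool:issue_refund", "P-6"),
    ("agent:billing", "table:invoices", "P-7"),
]
STRUCTURAL = [  # (parent, child): hierarchy, the dashed lines
    ("idp:corp", "group:finance"), ("idp:corp", "group:engineering"),
    ("mcp:support", "tool:search_tickets"), ("mcp:support", "tool:issue_refund"),
]
out_edges, children = defaultdict(list), defaultdict(list)
for src, dst, policy in ACCESS:
    out_edges[src].append((dst, policy))
for parent, child in STRUCTURAL:
    children[parent].append(child)

def expand(node):
    """A parent in the context stands for all of its leaf descendants."""
    if node not in children:
        return {node}
    return set().union(*(expand(c) for c in children[node]))

def access_paths():
    """Every path from an entry node (no inbound access edge) to a sink."""
    targets = {dst for _, dst, _ in ACCESS}
    paths = []
    def walk(node, hops):  # assumes the access edges form no cycle
        if node not in out_edges:
            paths.append(hops)
            return
        for dst, policy in out_edges[node]:
            walk(dst, hops + [(node, dst, policy)])
    for root in [n for n in out_edges if n not in targets]:
        walk(root, [])
    return paths

def scope(context):
    """Keep paths that touch every context item; an empty context keeps all."""
    wanted = [expand(item) for item in context]
    def touched(hops):
        return {hops[0][0]} | {dst for _, dst, _ in hops}
    return [h for h in access_paths() if all(touched(h) & g for g in wanted)]

def policies(paths):  # Policies that grant the access in the scoped view
    return sorted({policy for hops in paths for _, _, policy in hops})
```

Calling `scope(["group:finance", "mcp:support"])` narrows six organization-wide paths to the two that reach tools on that MCP server, and `policies(...)` lists the Policies an auditor would then review.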
Identity View
The Identity view provides visibility into all Identity Sources connected to the PlainID Authorization Platform.
Each identity provider appears as a parent object. Selecting this parent object adds all associated Dynamic Groups to the context, enabling users to understand the full access surface of that Identity Source.
For more precise analysis, users can filter Dynamic Groups using the filter control and select specific groups to add to the context. This enables targeted investigation of how a single team, role, or service Identity propagates through Applications, Agents, and Assets.
Application View
Applications represent entry points into agentic workflows and protected systems.
This view includes all Applications onboarded and governed by the PlainID Authorization Platform. Selecting an Application node adds it to the context and scopes the graph to show:
- Which Identities can access the Application.
- Which Agents are invoked by the Application.
- Which protected Assets may be reached through those Agents.
This perspective clarifies how access originates and flows from an Application standpoint, which is often required for security reviews and onboarding validation.
Agent View
The Agent view reflects how agentic systems are structured and governed in production.
Agent frameworks, such as AgentCore or other orchestration platforms, appear as parent objects. Selecting a framework adds all Agents under that framework to the context.
Users can refine the view by filtering and selecting specific Agents within a framework. This investigation clarifies:
- What access a single Agent has.
- Which Identities can invoke a specific Agent.
- Which Assets an Agent can reach and through which Policies.
This hierarchical filtering model mirrors real-world agent architectures and makes complex environments easier to understand.
Protection and Enforcement View
Protection components represent live integration points between the PlainID Authorization Platform and customer environments.
These components are responsible for discovery, continuous synchronization, and, where applicable, runtime enforcement of access decisions.
Objects that actively enforce access are visually marked, clearly distinguishing where decisions are enforced from where access is defined or discovered. This helps users identify enforcement gaps and understand the operational reality of access control.
Protected Assets View
The protected Assets view represents the resources governed by the PlainID Authorization Platform.
Assets may include:
- MCP servers and individual tools.
- Vector databases and indexes.
- Relational databases and tables.
- Other supported Asset Types.
Assets may appear across multiple hierarchical levels depending on the vendor structure. Selecting a parent Asset reveals its child resources, which can then be added to the context for investigation.
Leaf Assets, the final objects in the hierarchy, are clearly indicated to show that no deeper level exists.
Inspecting Access Relationships
Selecting a connection between two nodes opens a detailed overlay that explains the relationship between them.
This view displays:
- All Policies that define access between the selected objects.
- Highlighted control points for each Policy.
- Clear visibility into how each Policy contributes to effective permissions.
From this overlay, users can navigate directly to the Policy Canvas to inspect, modify, or validate the underlying Policies.
Summary
The Access Graph is an operational model of access across agentic systems.
It enables organizations to:
- Understand complex access relationships at a glance.
- Investigate permissions with precision and confidence.
- Trace access from Identity to enforcement.
- Move seamlessly from insight to action.
By grounding Identities, Applications, Agents, protection components, and Assets in a single explorable graph, the PlainID Authorization Platform makes agentic access control both enforceable and understandable.