Identities and Agents


In this section, we introduce the first two Policy building blocks: Identities and Agents. Together, they define who is allowed to initiate AI interactions in your Application.


Defining Identities

Identities answer a fundamental question:

Who is allowed to start this interaction?

Identities represent the entities that initiate an interaction with the AI system. These may include:

  • Human users, such as employees or partners.
  • Non-human Identities (NHIs), such as service accounts or system Identities.

In practice, Identities are defined using Dynamic Groups (DGs) sourced from your Identity providers. For more information, see Managing Dynamic Groups.


Prerequisites

To use Dynamic Groups in a Policy, they must already exist in the PlainID Authorization Platform. This can be achieved by:

  • Integrating with an external Identity Provider (IdP), such as Okta.
  • Defining Dynamic Groups manually in the custom Identity Workspace.

Once available, these groups can be referenced directly within Policies.


Adding Identities to a Policy

You can add Identities through the Policy Canvas or by using the AI assistant.

To add Identities using the Policy Canvas:

  1. In the Policies section, choose the relevant Workspace.
  2. Open an existing Policy or create a new one by clicking the plus (+) button.
  3. In the Policy Canvas, click the plus (+) icon under Identities.
  4. Select an Identity Provider (IdP) from the dropdown list.
  5. In the side panel, review the available Dynamic Groups under the selected IdP.
  6. Select one or more groups by checking the corresponding boxes. Use the search field to locate specific groups.
  7. Confirm your selection. The selected groups appear under the corresponding IdP widget in the Identities section.

To include groups from another Identity Provider (IdP):

  1. Click the plus (+) icon under Identities again.
  2. Select a different IdP.
  3. Choose additional Dynamic Groups.

All selected groups are displayed under their respective IdP widgets.


Defining Agents

After defining Identities, the next step is selecting which Agents they are permitted to access.

Agents represent the AI execution layer, including models, runtimes, or agent instances running on supported frameworks. Identities do not access data or tools directly. All access is mediated through Agents.

Together, Identities and Agents define who can invoke specific AI capabilities and establish the foundation for downstream access to tools, databases, and other organizational Assets.


Adding Agents to a Policy

Adding Agents follows a similar flow to adding Identities and supports both visual and AI-assisted interaction.

To add an Agent:

  1. In the Policies section, choose the relevant Workspace.
  2. In the Policy Canvas, click the plus (+) icon under Agents.
  3. Select an agent framework from the list of integrated frameworks, such as AWS AgentCore or Google Vertex.
  4. In the side panel, review the available Agents under the selected framework. Use the search field to locate specific Agents or select them directly from the list.
  5. Confirm your selection. The selected Agents appear under the corresponding framework widget in the Agents section.

To include Agents from another framework:

  1. Click the plus (+) icon under Agents again.
  2. Select a different agent framework.
  3. Choose the relevant Agents.

At this stage, you have defined who can initiate an interaction and which Agents they are authorized to access.
Next, proceed to Controls and Guardrails, where you define what data, tools, and constraints apply to those interactions.