SecurityTraining · Part 30/30

Agentic AI security curriculum · Security overview

Human Operator Security: Admin Controls, Separation of Duties, Break-Glass Access, and External API Hygiene


Hello and welcome to Module 30!

Modules 1–29 secured the technical stack, from supply chain to runtime enforcement, memory integrity, multi-tenancy, disaster recovery, and compliance. But the highest-value target in any system is not the code or the agents. It is the human operator who can modify Panguard rules, define ATR roles, approve skills, and control the WORM audit pipeline.

A single compromised operator account gives an attacker the power to change the rules themselves, not just bypass them. In practice the insider threat is usually a compromised employee (phishing, credential theft, social engineering) rather than a malicious one, so every control in this module assumes that any operator account can be taken over. In this final module we apply the same zero-trust principles we built for agents to the humans who operate the platform: least privilege, continuous verification, separation of duties, and audited emergency access. By the end you will have operator security that matches the rigor of every other layer in the curriculum.


The Human Operator as the Highest-Value Target

An operator with the right permissions has broader access and greater blast radius than any individual agent.

They can:

  • Modify Panguard rules

  • Define or expand ATR roles

  • Approve and deploy skills

  • Control the WORM audit pipeline

Compromise of one operator account lets an attacker modify controls rather than merely circumvent them. Zero trust must therefore apply to humans: the same least-privilege and continuous verification principles that govern agents must govern operators. Phishing and credential theft are the primary attack paths.


Admin Access Controls: Who Can Modify What

We define named, documented admin roles with explicit, mutually exclusive capability boundaries.

  • Panguard rule author: Can write draft rules but cannot deploy them.

  • Panguard rule deployer: Can promote reviewed rules but cannot write drafts.

  • ATR role admin: Can modify ATR role definitions after approval but cannot deploy Panguard rules.

  • Vault admin: Can manage Vault policies but is explicitly prohibited from deploying Panguard rules.

Enforcement is structural:

  • Kyverno admission policy rejects any operator resource that combines prohibited roles.

  • All admin access is granted via short-lived Vault tokens issued from the operator's mTLS certificate (for example through Vault's TLS certificate auth method); no static admin credentials exist.

  • On operator termination, the mTLS certificate is revoked immediately, which stops any new login. Revocation does not touch tokens that were already issued, so the offboarding step also revokes the operator's outstanding tokens explicitly (by accessor); at worst, a missed token expires within one TTL cycle.


Separation of Duties

We enforce SoD at both role and action levels:

  • Skill approver ≠ skill deployer

  • ATR rule author ≠ ATR rule deployer

A monthly automated SoD report flags any individual who performed both halves of a mutually exclusive pair in the same week. The one-week window keeps the report readable, but the control is violated whenever the same person performs both halves on the same artifact, however far apart, so the report should also flag those slower cases.

In small teams where role overlap is unavoidable, mandatory 4-eyes review compensates. SoD violations are reviewed by the security team lead within 5 business days and escalated to the compliance officer if unresolved.
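As an added example (not part of the curriculum's own tooling), here is the core of such a report in Python: it groups audit events by actor and target and flags any actor who performed both halves of an exclusive pair. The event field names, action names and sample events are constructed assumptions; calling it with window=None also catches pairs more than a week apart.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Mutually exclusive action pairs from the SoD policy, using the curriculum's terms.
EXCLUSIVE_PAIRS = {
    frozenset({"skill.approve", "skill.deploy"}),
    frozenset({"atr_rule.author", "atr_rule.deploy"}),
    frozenset({"panguard_rule.author", "panguard_rule.deploy"}),
}

# Constructed sample events; the field names are assumptions, not the platform's schema.
SAMPLE_EVENTS = [
    {"ts": "2025-03-03T09:12:00Z", "actor": "alice", "action": "skill.approve",        "target": "skill/pdf-parser@1.4"},
    {"ts": "2025-03-04T15:40:00Z", "actor": "alice", "action": "skill.deploy",         "target": "skill/pdf-parser@1.4"},
    {"ts": "2025-03-03T10:00:00Z", "actor": "bob",   "action": "atr_rule.author",      "target": "atr/role-billing-reader"},
    {"ts": "2025-03-05T11:00:00Z", "actor": "carol", "action": "atr_rule.deploy",      "target": "atr/role-billing-reader"},
    {"ts": "2025-03-03T08:00:00Z", "actor": "dave",  "action": "panguard_rule.author", "target": "panguard/egress-deny-42"},
    {"ts": "2025-03-20T08:00:00Z", "actor": "dave",  "action": "panguard_rule.deploy", "target": "panguard/egress-deny-42"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def sod_violations(events, window=timedelta(days=7)):
    """Flag an actor who performed both halves of an exclusive pair on the same
    target. window=None ignores time, which is stricter than a fixed-window
    report and is what the control actually requires."""
    grouped = defaultdict(list)
    for e in events:
        grouped[(e["actor"], e["target"])].append(e)
    violations = []
    for (actor, target), evs in grouped.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, first in enumerate(evs):
            for second in evs[i + 1:]:
                pair = frozenset({first["action"], second["action"]})
                if pair not in EXCLUSIVE_PAIRS:
                    continue
                gap = parse_ts(second["ts"]) - parse_ts(first["ts"])
                if window is None or gap <= window:
                    violations.append({"actor": actor, "target": target,
                                       "actions": sorted(pair), "gap_days": gap.days})
    return violations


if __name__ == "__main__":
    for v in sod_violations(SAMPLE_EVENTS, window=None):
        print(v)
```

With the default one-week window only alice is flagged; with window=None dave's author-then-deploy of the same rule seventeen days apart is flagged as well, which is the case the weekly report quietly misses.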


4-Eyes Controls for High-Risk Configuration Changes

High-risk changes require two distinct approvers. High-risk categories include:

  • Vault root token use

  • CA rotation

  • Panguard global rule disable

  • ATR scope expansion for Tier 1 agents

  • WORM retention policy change

  • Cluster admission policy change

  • Multi-tenant isolation policy change

Enforcement:

  • A ValidatingWebhookConfiguration rejects any resource lacking two distinct security-team approver annotations. Because annotations are written by whoever submits the resource, the webhook must check each claimed approver against a record the submitter cannot forge (the review system's own approval record, bound to the exact change being deployed) rather than merely counting annotations.

  • 24-hour approval expiry: a change not deployed within 24 hours of second approval requires re-approval.

  • Both approver identities are permanently recorded in the WORM audit trail as part of the deployment record.
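An added Python example, not the platform's own admission webhook, of the decision the webhook has to make. It assumes (all constructed here) a security-team roster, a set of high-risk kinds, and an approval ledger written by the review system and keyed by a digest of the change's spec, so approvals are bound to the exact content being deployed and cannot be supplied by the submitter.

```python
import hashlib
import json
from datetime import datetime, timedelta

SECURITY_TEAM = {"alice", "bob", "carol"}  # constructed roster
HIGH_RISK_KINDS = {"PanguardGlobalRuleDisable", "WormRetentionPolicy",
                   "ClusterAdmissionPolicy", "MultiTenantIsolationPolicy"}  # assumed kind names
APPROVAL_TTL = timedelta(hours=24)


def spec_digest(spec):
    """Canonical digest of the change body. Approvals are stored under it, so an
    edit made after approval no longer matches any approval."""
    canon = json.dumps(spec, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def admit(change, ledger, now_iso):
    """Admission decision for a high-risk change: two distinct security-team
    approvers other than the author, and the second approval no older than 24h.
    Returns (allowed, reason)."""
    if change["kind"] not in HIGH_RISK_KINDS:
        return True, "not a high-risk kind"
    now = datetime.fromisoformat(now_iso)
    author = change["metadata"]["author"]
    approvals = sorted(ledger.get(spec_digest(change["spec"]), []),
                       key=lambda a: datetime.fromisoformat(a["ts"]))
    counted = []
    second_at = None
    for a in approvals:
        who = a["approver"]
        if who == author or who not in SECURITY_TEAM or who in counted:
            continue  # self-approval, outsider, or repeat approver does not count
        counted.append(who)
        if len(counted) == 2:
            second_at = datetime.fromisoformat(a["ts"])
            break
    if second_at is None:
        return False, f"need two distinct security-team approvers other than {author}; have {counted}"
    if now - second_at > APPROVAL_TTL:
        return False, "second approval older than 24h; re-approval required"
    return True, f"approved by {counted}"


# Constructed change and ledger entries (the ledger is written by the review system,
# never by the submitter).
SAMPLE_CHANGE = {
    "kind": "WormRetentionPolicy",
    "metadata": {"name": "audit-retention", "author": "dave"},
    "spec": {"retentionDays": 2555},
}
SAMPLE_LEDGER = {
    spec_digest(SAMPLE_CHANGE["spec"]): [
        {"approver": "alice", "ts": "2025-03-10T09:00:00+00:00"},
        {"approver": "dave",  "ts": "2025-03-10T09:05:00+00:00"},  # author: ignored
        {"approver": "alice", "ts": "2025-03-10T09:30:00+00:00"},  # repeat: ignored
        {"approver": "bob",   "ts": "2025-03-10T10:00:00+00:00"},  # counts as second approval
    ]
}

if __name__ == "__main__":
    print(admit(SAMPLE_CHANGE, SAMPLE_LEDGER, "2025-03-10T20:00:00+00:00"))
    print(admit(SAMPLE_CHANGE, SAMPLE_LEDGER, "2025-03-11T11:00:00+00:00"))
```

The same change deployed ten hours after bob's approval is admitted; a day later it is rejected for re-approval, and a version whose spec was edited after approval is rejected because no ledger entry matches its digest.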


Break-Glass Emergency Access

For true emergencies we maintain a sealed break-glass credential:

  • Vault token sealed under Shamir secret sharing that requires two physical HSM tokens to be presented simultaneously.

  • Every invocation automatically:

    • Pages the security team lead

    • Writes POLICY: BREAK_GLASS_INVOKED to the WORM trail

    • Opens a mandatory post-incident review ticket (48-hour deadline)

Break-glass provides expedited access to the configuration plane only — it does not disable Panguard enforcement or ATR validation. A full post-incident review is required for every use; failure to complete the review is itself a finding.


Operator Session Auditing and Insider Threat Detection

Every operator action is logged to the WORM audit trail using the same canonical security event schema as agent actions (Module 19).

SIEM correlation rules specifically target insider threats:

  • Operator accessing audit logs or Vault outside business hours

  • Operator reading a different tenant’s audit events

  • Operator modifying a Panguard rule followed by a previously-blocked action succeeding within 60 minutes

  • Operator creating an ATR role and assigning it to an agent they own (SoD violation)

Weekly automated peer-review report of all operator actions is sent to the security team lead.
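The third correlation rule above, written out as an added Python example (not the curriculum's own SIEM content). Event field names and the sample events are constructed; the logic requires the sequence block, then modify, then allow for the same agent, action and rule, with the allow inside 60 minutes of the modification, and attributes the alert to the operator who made the change.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)

# Constructed sample events. Field names are assumptions, not the canonical schema.
SAMPLE_EVENTS = [
    {"ts": "2025-03-12T14:02:00Z", "type": "panguard.decision", "agent": "agent-finance-7",
     "action": "egress:api.partner.example", "rule": "egress-deny-42", "result": "blocked"},
    {"ts": "2025-03-12T14:30:00Z", "type": "panguard.rule.modified", "actor": "dave",
     "rule": "egress-deny-42"},
    {"ts": "2025-03-12T14:41:00Z", "type": "panguard.decision", "agent": "agent-finance-7",
     "action": "egress:api.partner.example", "rule": "egress-deny-42", "result": "allowed"},
    {"ts": "2025-03-12T15:00:00Z", "type": "panguard.decision", "agent": "agent-ops-2",
     "action": "fs:read:/etc/shadow", "rule": "fs-deny-9", "result": "blocked"},
    {"ts": "2025-03-12T16:00:00Z", "type": "panguard.rule.modified", "actor": "erin",
     "rule": "fs-deny-9"},
    {"ts": "2025-03-12T18:30:00Z", "type": "panguard.decision", "agent": "agent-ops-2",
     "action": "fs:read:/etc/shadow", "rule": "fs-deny-9", "result": "allowed"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate_rule_change_then_allow(events, window=WINDOW):
    """Alert when an action that Panguard previously blocked under rule R is
    allowed within `window` of an operator modifying R. Returns alert dicts."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    last_blocked = {}   # (agent, action, rule) -> time of most recent block
    last_modified = {}  # rule -> (operator, time of most recent modification)
    alerts = []
    for e in events:
        t = parse_ts(e["ts"])
        if e["type"] == "panguard.rule.modified":
            last_modified[e["rule"]] = (e["actor"], t)
            continue
        if e["type"] != "panguard.decision":
            continue
        key = (e["agent"], e["action"], e["rule"])
        if e["result"] == "blocked":
            last_blocked[key] = t
        elif e["result"] == "allowed" and key in last_blocked:
            mod = last_modified.get(e["rule"])
            # Required order: block -> modify -> allow, with modify -> allow inside the window.
            if mod and last_blocked[key] < mod[1] <= t and t - mod[1] <= window:
                alerts.append({"operator": mod[0], "rule": e["rule"], "agent": e["agent"],
                               "action": e["action"],
                               "minutes_after_change": int((t - mod[1]).total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for a in correlate_rule_change_then_allow(SAMPLE_EVENTS):
        print(a)
```

On the sample, dave's change to egress-deny-42 followed eleven minutes later by the previously blocked egress succeeding produces one alert; erin's change is not flagged because the matching allow came two and a half hours later, outside the window.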


Emergency Secret Rotation Runbooks

We maintain two offline runbooks tested annually:

Runbook A (agent credential compromised)

  • Identify affected systems

  • Panguard block on compromised token signature

  • Vault revoke → generate replacement → verify all agents on new credential

  • Write full incident record to WORM

Runbook B (Vault root token compromised)

  • Generate a replacement root token with vault operator generate-root (requires an unseal-key quorum) and use it to revoke the compromised root token immediately. Re-keying does not invalidate existing tokens, so this revocation is the step that actually ends the attacker's access.

  • Re-key Vault using the existing unseal keys, on the assumption that whoever held the root token may also have reached unseal material.

  • Rotate all downstream credentials the compromised token could have read or issued.

  • Verify operations → revoke the replacement root token (root tokens have no TTL, so "short-lived" is enforced by revoking it when the runbook ends) → document in WORM.

Both runbooks are stored offline (not only in the production cluster) so they remain available precisely when the cluster is compromised.


External API Security

Many operator tasks involve configuring external integrations. We secure these at the operator layer:

  • Webhook signature validation: All inbound webhooks are validated against an HMAC signature before the payload reaches any agent context. The MAC covers a timestamp as well as the body, the comparison is constant-time, and signatures outside a short replay window are rejected. Unsigned webhooks are rejected at the gateway.

  • SSRF via webhook URL: Kyverno policy rejects ClawQLWebhook resources containing private-network target URLs at configuration time (not runtime). A config-time check only sees the literal URL, so a hostname that later resolves (or rebinds) to an internal address passes it; the outbound gateway therefore repeats the check on the resolved address at connect time.

  • Rate-limit backpressure: Exponential backoff with jitter on 429 responses; alert at 80 % of rate limit consumed; block outbound calls at 95 %.

  • Certificate pinning for critical integrations (payment processors, identity providers): pin the expected certificate chain (in practice the SPKI hash of a key in the chain, with a backup pin, so a routine leaf renewal does not break the integration), alert on mismatch, and include pinned certs in the certificate inventory (Module 26) with 60-day expiry alerts.

External API security is treated as an operator security concern because these integrations are configured by humans, and agent-layer controls cannot validate them.
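An added Python example, not the platform's gateway code, of the first two controls: timestamp-bound HMAC verification with a replay window and a constant-time comparison, and an SSRF check that resolves the webhook host and refuses any non-public address (including a host that returns one public and one private answer). The header names, replay tolerance, shared secret and stand-in DNS table are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit

REPLAY_TOLERANCE_S = 300  # assumed: reject signatures whose timestamp is >5 min from now


def sign_webhook(secret: bytes, timestamp: str, body: bytes) -> str:
    # The timestamp is bound into the MAC so a captured payload cannot be replayed later.
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now: int):
    """Gateway-side check. Returns (accepted, reason); reject before any agent sees the body."""
    ts, sig = headers.get("X-Webhook-Timestamp"), headers.get("X-Webhook-Signature")
    if ts is None or sig is None:
        return False, "unsigned"
    if not ts.isdigit() or abs(now - int(ts)) > REPLAY_TOLERANCE_S:
        return False, "timestamp outside replay window"
    expected = sign_webhook(secret, ts, body)
    if not hmac.compare_digest(expected, sig):  # constant-time compare
        return False, "signature mismatch"
    return True, "ok"


def webhook_url_allowed(url: str, resolve):
    """SSRF check for an outbound webhook target. `resolve` maps hostname -> list of IP
    strings, so the same function runs at config time and again at connect time."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if not parts.hostname:
        return False, "missing host"
    try:
        addresses = [ipaddress.ip_address(parts.hostname)]  # literal IP in the URL
    except ValueError:
        addresses = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    if not addresses:
        return False, "host did not resolve"  # fail closed
    for ip in addresses:  # every answer must be public unicast, not just the first
        if not ip.is_global or ip.is_multicast:
            return False, f"{parts.hostname} -> {ip} is not a public unicast address"
    return True, "ok"


# Constructed resolver standing in for DNS so the example runs offline.
FAKE_DNS = {
    "hooks.partner.example": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.attacker.example": ["93.184.216.34", "10.0.0.5"],  # one public, one private answer
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    secret, body, ts = b"constructed-shared-secret", b'{"event":"skill.published"}', "1741780800"
    headers = {"X-Webhook-Timestamp": ts, "X-Webhook-Signature": sign_webhook(secret, ts, body)}
    print(verify_webhook(secret, headers, body, now=1741780810))
    print(webhook_url_allowed("https://rebind.attacker.example/x", fake_resolve))
```

At connect time the gateway should also connect to the address it just validated rather than re-resolving, otherwise a rebinding host can still swap answers between the check and the connection.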


Key Takeaways (Memorize These!)

  • Human operators have broader access and greater blast radius than any individual agent — the same zero-trust principles that govern agents must govern operators.

  • Mutually exclusive admin roles enforced by admission policy, not convention — convention fails under time pressure.

  • Break-glass provides expedited access, not unconstrained access — Panguard and ATR enforcement remain active during break-glass sessions.

  • Emergency rotation runbooks stored offline: a runbook that only exists in the production cluster is unavailable precisely when it is most needed.

  • External API security (webhook validation, SSRF, rate limiting, certificate pinning) is an operator security concern — these integrations are configured by humans and the agent-layer controls cannot validate them.

You have now completed the full 30-module security curriculum. Every layer — from supply chain to human operators — is secured with defense-in-depth, zero-trust principles, and continuous verification. The platform is ready for production use in the most demanding environments.

Thank you for completing the course. You now possess a complete, production-grade security architecture for agentic AI platforms.