Agent Scope and Task Boundaries
Define and enforce the boundaries of what an AI agent is permitted to do, preventing it from expanding its activity beyond its intended purpose.
Objective
Prevent scope creep in autonomous agent workflows by establishing explicit task boundaries and detecting deviations at runtime.
Maturity Levels
Initial
Agent scope is informally described in natural language with no enforced boundaries.
Developing
Scope limitations exist in the system prompt but are not enforced structurally and can be overridden by model reasoning.
Defined
Agent scope is enforced through a combination of system prompt constraints, permission restrictions, and output validation.
Managed
Scope deviations are detected and alerted in production; patterns are reviewed to identify systematic boundary weaknesses.
Optimizing
Scope enforcement is continuously tightened based on observed deviation patterns and new threat intelligence.
Evidence Requirements
What an auditor or assessor would expect to see for this control.
- Scope definition document for each agent, version-controlled and signed by AI Platform Lead and CISO at each release
- Permission configuration records confirming scope is enforced at the permission layer, not solely via system prompt
- Scope violation alert logs showing deviations detected, blocked, and responded to within defined SLA
- Adversarial scope expansion test results: attempts to instruct agent beyond its defined boundaries, with pass/fail outcome
- Scope change records showing formal review whenever agent capabilities were modified or extended
Implementation Notes
Key steps
- Define task boundaries structurally, not just verbally — if an agent should only read emails (not send), enforce this at the permission level, not solely through instructions.
- Implement output monitoring to detect actions that are syntactically valid but semantically out of scope for the agent's defined task.
- Run adversarial tests specifically targeting scope expansion: attempt to instruct the agent to act beyond its boundaries and verify that boundaries hold.
- Review scope definitions when agent tasks evolve — scope creep often happens incrementally through small capability additions.
Example Implementation
Enterprise deploying an AI agent for Tier 1 customer support ticket triage and response
Scope Definition — Customer Support Triage Agent
Permitted actions:
- Read open tickets assigned to support queue
- Classify ticket by issue type and priority
- Draft a response (stored as draft, not sent)
- Add internal notes to a ticket
- Escalate ticket to a named human agent
Explicitly prohibited actions (enforced at permission layer, not prompt):
- Send any communication to a customer (all drafts require human approval)
- Access tickets outside the designated support queue
- Modify ticket ownership or SLA settings
- Access billing, account management, or CRM systems
- Invoke any tool not on the above permitted list
Scope deviation monitoring: Any tool call to a resource outside the permitted list is logged as a scope violation, blocked at the framework layer, and triggers an alert to the AI Platform team within 15 minutes
Scope review: Scope definition reviewed and re-signed by AI Platform Lead and CISO at each quarterly agent version release
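The following is an added example, not code from the original page or from any specific agent framework, showing how the key steps above and the triage-agent scope definition can be enforced at the tool-dispatch layer rather than in the prompt. The gate sits between the model's chosen tool call and the tool implementations: a call to a tool that is not on the permitted list is blocked outright, and a call to a permitted tool whose arguments reference a ticket outside the designated queue (syntactically valid, semantically out of scope) is also blocked. Every block is recorded for alerting, and a replay of model-chosen calls, including scope-expansion attempts, acts as the adversarial test. Tool names, the queue name `tier1-support`, the ticket data, and the call sequence are all constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Callable

SUPPORT_QUEUE = "tier1-support"  # assumed name of the agent's designated queue

# Constructed ticket store: only tickets in SUPPORT_QUEUE are within scope.
TICKETS: dict[str, dict[str, Any]] = {
    "T-1001": {"queue": SUPPORT_QUEUE, "subject": "Cannot log in", "notes": [], "draft": None},
    "T-1002": {"queue": SUPPORT_QUEUE, "subject": "App crashes on start", "notes": [], "draft": None},
    "T-9001": {"queue": "billing", "subject": "Refund request", "notes": [], "draft": None},
}


class ScopeViolation(Exception):
    """Raised when a tool call falls outside the agent's defined scope."""


def _in_support_queue(args: dict[str, Any]) -> str | None:
    """Argument-level check: the referenced ticket must live in the designated queue."""
    ticket = TICKETS.get(args.get("ticket_id", ""))
    if ticket is None:
        return "unknown ticket"
    if ticket["queue"] != SUPPORT_QUEUE:
        return f"ticket is in queue {ticket['queue']!r}, outside {SUPPORT_QUEUE!r}"
    return None


@dataclass(frozen=True)
class ScopePolicy:
    """Permitted tools plus per-tool argument checks; any tool not listed is prohibited."""
    allowed_tools: frozenset[str]
    arg_checks: dict[str, Callable[[dict[str, Any]], str | None]]


PERMITTED = ("read_ticket", "classify_ticket", "draft_response", "add_internal_note", "escalate_ticket")
TRIAGE_POLICY = ScopePolicy(
    allowed_tools=frozenset(PERMITTED),
    arg_checks={name: _in_support_queue for name in PERMITTED},
)


# Tool implementations (hypothetical). There is deliberately no send tool: drafts stay drafts.
def read_ticket(ticket_id: str) -> dict[str, Any]:
    return dict(TICKETS[ticket_id])

def classify_ticket(ticket_id: str, issue_type: str, priority: str) -> str:
    TICKETS[ticket_id].update(issue_type=issue_type, priority=priority)
    return f"{ticket_id}: {issue_type}/{priority}"

def draft_response(ticket_id: str, body: str) -> str:
    TICKETS[ticket_id]["draft"] = body  # stored for human approval, never sent
    return "draft stored"

def add_internal_note(ticket_id: str, note: str) -> str:
    TICKETS[ticket_id]["notes"].append(note)
    return "note added"

def escalate_ticket(ticket_id: str, to_agent: str) -> str:
    TICKETS[ticket_id]["escalated_to"] = to_agent
    return f"escalated to {to_agent}"

TOOL_REGISTRY: dict[str, Callable[..., Any]] = {
    "read_ticket": read_ticket, "classify_ticket": classify_ticket, "draft_response": draft_response,
    "add_internal_note": add_internal_note, "escalate_ticket": escalate_ticket,
}


@dataclass
class ScopeGate:
    """Dispatch layer between the model's tool choice and the tool registry."""
    policy: ScopePolicy
    violations: list[dict[str, Any]] = field(default_factory=list)

    def check(self, tool: str, args: dict[str, Any]) -> str | None:
        """Return None if the call is in scope, otherwise the reason it is not."""
        if tool not in self.policy.allowed_tools:
            return f"tool {tool!r} is not on the permitted list"
        arg_check = self.policy.arg_checks.get(tool)
        return arg_check(args) if arg_check else None

    def invoke(self, tool: str, args: dict[str, Any]) -> Any:
        reason = self.check(tool, args)
        if reason is not None:
            # Record first (this list is the alerting hook), then block by refusing to dispatch.
            self.violations.append({"tool": tool, "args": args, "reason": reason})
            raise ScopeViolation(reason)
        return TOOL_REGISTRY[tool](**args)


def run_adversarial_suite() -> dict[str, str]:
    """Replay a constructed sequence of model-chosen calls: two in scope, three scope-expansion attempts."""
    gate = ScopeGate(TRIAGE_POLICY)
    calls = [
        ("classify_ticket", {"ticket_id": "T-1001", "issue_type": "auth", "priority": "P2"}),
        ("draft_response", {"ticket_id": "T-1001", "body": "Please reset your password from the login page."}),
        ("send_email", {"to": "customer@example.com", "body": "Your issue is resolved."}),  # tool not permitted
        ("read_ticket", {"ticket_id": "T-9001"}),  # permitted tool, ticket outside the designated queue
        ("set_sla", {"ticket_id": "T-1001", "hours": 72}),  # tool not permitted
    ]
    outcome: dict[str, str] = {}
    for tool, args in calls:
        try:
            gate.invoke(tool, args)
            outcome[tool] = "allowed"
        except ScopeViolation as exc:
            outcome[tool] = f"blocked: {exc}"
    return outcome
```

The policy object, not the system prompt, is the artifact an assessor would review against the scope definition: adding a capability means adding a tool name and an argument check here, which is what makes scope changes visible in version control. The `violations` list is where a production deployment would hand off to its alerting pipeline.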
Control Details
- Control ID
- AGT-007
- Domain
- Agentic AI
- Typical owner
- AI Engineering / AI Governance Team
- Implementation effort
- Medium effort
- Agent-relevant
- Yes
