
Further reading (external)

Curated third-party writing on policy enforcement, authorization, and agent runtimes, complementary to the PGAR Blueprint series.

HOW TO USE THIS PAGE

Start with Policy engines & PEP/PDP, then jump to the section matching what you are building.

Policy engines & PEP/PDP

| Resource | Why read it |
| --- | --- |
| Open Policy Agent (OPA) | Rego policies, decoupled PDP, JSON decision API |
| Amazon Cedar | Authorization policy language, entity-based access |
| Auth0 FGA / Zanzibar models | Relationship-based access for fine-grained entitlements |
| NIST ABAC guide (SP 800-162) | Attribute-based access control vocabulary |

Identity & token boundaries

| Resource | Why read it |
| --- | --- |
| OAuth 2.0 (RFC 6749) | Token flows, client vs. resource owner |
| OpenID Connect Core | ID tokens, claims, session binding |
| RFC 8693 Token Exchange | Delegation patterns for an agent acting on behalf of a user |

Agents & tool authorization

| Resource | Why read it |
| --- | --- |
| Model Context Protocol spec | Tool surface conventions (a PEP is still needed for side effects) |
| OWASP LLM Top 10 | Injection, excessive agency, supply chain |
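The two tables above share one design point: a tool runtime that exposes side-effecting tools (MCP or otherwise) still needs a policy enforcement point that asks a decoupled decision point before anything runs. The following is an added example, not code from the PGAR series, OPA, or the MCP project. It stands in a local `pdp_decide` function for an OPA instance so it runs offline; the function returns the same `{"result": ...}` shape that OPA's decision API returns for `POST /v1/data/<path>` with an `{"input": ...}` body, so in a real deployment the PEP would POST the input document to OPA instead. The tool names, scopes, the `act` delegation claim value (the claim itself is from RFC 8693), and the step-up threshold are constructed sample data.

```python
"""PEP in front of agent tool calls, asking a decoupled PDP for a decision.

Added example, not code from the PGAR series or from OPA. The PDP here is a
local function that returns the same JSON shape as OPA's decision API
(POST /v1/data/<path> with {"input": ...} -> {"result": ...}); in a real
deployment the PEP would POST the input document to OPA instead. Tool names,
scopes, claim values and the threshold are constructed sample data.
"""
import json

# Tools whose effects reach outside the agent sandbox (constructed list).
SIDE_EFFECT_TOOLS = {"send_email", "delete_file", "transfer_funds"}
STEP_UP_AMOUNT = 1000  # constructed threshold above which recent MFA is required


def pdp_decide(input_doc: dict) -> dict:
    """Stand-in PDP. Deny by default; each branch plays the role of one
    `allow` rule in a Rego module. Returns {"result": {...}} like OPA."""
    subject = input_doc["subject"]
    tool = input_doc["tool"]
    args = input_doc.get("args", {})
    result = {"allow": False, "require_step_up": False, "reason": "no rule matched"}

    if tool not in SIDE_EFFECT_TOOLS:
        # Read-only tools: any authenticated subject may call them.
        if subject.get("authenticated"):
            result.update(allow=True, reason="read-only tool")
        return {"result": result}

    # Side-effecting tools need an explicit per-tool scope and a delegation
    # chain: the RFC 8693 "act" claim must name the agent making the call.
    scopes = set(subject.get("scopes", []))
    acting_agent = subject.get("act", {}).get("sub")
    if f"tool:{tool}" not in scopes or acting_agent != input_doc["agent_id"]:
        result["reason"] = "missing tool scope or delegation chain"
        return {"result": result}

    # Step-up: large transfers are refused until the user re-authenticates.
    if (tool == "transfer_funds" and args.get("amount", 0) > STEP_UP_AMOUNT
            and not subject.get("mfa_recent", False)):
        result.update(require_step_up=True,
                      reason="amount over step-up threshold without recent MFA")
        return {"result": result}

    result.update(allow=True, reason="scoped, delegated side effect")
    return {"result": result}


class ToolPEP:
    """Policy enforcement point: every tool call goes through the PDP first,
    and every decision (allow or deny) is appended to an audit log."""

    def __init__(self, tools: dict, decide=pdp_decide):
        self.tools = tools
        self.decide = decide
        self.audit = []  # list of {"input": ..., "decision": ...} records

    def build_input(self, agent_id, subject, tool, args):
        # The OPA-style input document: everything the policy may reference.
        return {"agent_id": agent_id, "subject": subject, "tool": tool, "args": args}

    def call_tool(self, agent_id, subject, tool, args):
        input_doc = self.build_input(agent_id, subject, tool, args)
        decision = self.decide(input_doc)["result"]
        self.audit.append({"input": input_doc, "decision": decision})
        if not decision["allow"]:
            raise PermissionError(json.dumps(decision))
        return self.tools[tool](**args)


# Constructed sample tools and subjects.
def search_docs(query):
    return f"results for {query!r}"


def transfer_funds(amount, to):
    return f"moved {amount} to {to}"


TOOLS = {"search_docs": search_docs, "transfer_funds": transfer_funds}

# A user token exchanged under RFC 8693 so that agent-42 acts on alice's behalf.
DELEGATED_USER = {"sub": "alice", "authenticated": True, "mfa_recent": False,
                  "scopes": ["tool:transfer_funds"], "act": {"sub": "agent-42"}}
# A plain user token with no tool scopes and no delegation chain.
PLAIN_USER = {"sub": "bob", "authenticated": True, "scopes": []}

if __name__ == "__main__":
    pep = ToolPEP(TOOLS)
    print(pep.call_tool("agent-42", DELEGATED_USER, "search_docs", {"query": "refund policy"}))
    print(pep.call_tool("agent-42", DELEGATED_USER, "transfer_funds", {"amount": 500, "to": "acct-9"}))
    try:
        pep.call_tool("agent-42", DELEGATED_USER, "transfer_funds", {"amount": 5000, "to": "acct-9"})
    except PermissionError as e:
        print("denied:", e)
    print(json.dumps(pep.audit[-1]["decision"]))
```

The point to notice is what the PEP does not do: it never interprets the policy itself. It only builds the input document, records the decision, and refuses to invoke the tool unless `allow` is true, so swapping the local function for a real OPA or Cedar endpoint changes no enforcement logic. The `require_step_up` field is how the PDP tells the runtime to bounce the user through re-authentication rather than silently denying.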

On this site

| Topic | Page |
| --- | --- |
| Executive PGAR | Policy-Governed Agent Runtime |
| PGAR + RAG | PGAR with RAG |
| Eval Action plane | Eval plane Action |
| Agent principles | G.A.I.N Agents |

Series map

| Playbook | External anchor |
| --- | --- |
| Policy contracts | OPA input JSON shape |
| PEP enforcement | XACML PEP/PDP separation |
| PDP surfaces | Cedar / Rego policy modules |
| Step-up | OAuth step-up / MFA patterns |
| Audit & replay | Immutable audit log design |
| Domain: RAG | RAG Is Not a Database |
