aws2Agentic Workspace Security Standard
Agentic workspace profile

aws2 | Agentic Workspace Security Standard

A workspace security profile for AI agents that can touch the business.

AI risk changes when an agent leaves the chat window and starts reading files, calling tools, using connectors, running commands, and preparing business actions. aws2 gives leaders and technical teams one practical review unit: what the workflow can reach, what it can do, what must pause, and what evidence remains.

See the risk modelRead the primerSee an applied example

Workflow-scoped

One inspectable system

Reach-aware

Files, apps, tools

Action-gated

Pause risky steps

Evidence-ready

Reviewable trail

Why this exists

An AI agent is no longer just a chat answer.

Once an AI system can read shared work, call tools, draft messages, update records, or run commands, the business is no longer reviewing only model output. It is reviewing a workflow with authority, access, side effects, and evidence gaps.

Executive question

If this workflow goes wrong, can the business explain what the agent was allowed to see, what it was allowed to do, who approved important actions, and what record was left behind?

Reach is unclear

The agent may see files, repositories, tickets, apps, browser sessions, or customer data beyond the workflow leaders had in mind.

Authority is ambiguous

Actions can run through a user account, connector, service account, or workflow identity without a clear approval owner.

Actions happen too early

External messages, record changes, data exports, shell commands, and production paths need policy gates before business impact.

Context steers the work

Retrieved documents, memory, tool descriptions, old notes, and generated handoffs can influence the agent like instructions.

Evidence creates a new leak

Logs and review packets can copy secrets, private records, source code, or customer material unless evidence is minimized.

What aws2 helps teams do

Make one agentic workflow visible before it becomes normal business process.

aws2 is a workspace security profile for the operating layer around AI agents. It connects model security, identity, endpoint, privacy, legal, and governance teams around one real workflow boundary they can inspect together.

Name the scoped system

Start with one bounded agentic workflow, its owners, allowed resources, excluded systems, and review period.

Classify business actions

Separate read-only work from actions that change, send, export, trigger, delete, or affect production systems.

Preserve useful evidence

Keep reviewable receipts for decisions, approvals, source state, validation, and exceptions without raw sensitive payloads.

Generated illustration of an agentic workspace boundary with policy, identity, tools, files, and evidence nodes

Why existing buckets are not enough

aws2 sits in the overlap where real agent work crosses several control domains.

Existing standards and programs are useful. The gap is the review unit. An agentic workflow crosses model behavior, workspace permissions, connectors, shell access, identity, logging, sensitive data, and governance in one action path.

AI governance

Policy, accountability, risk management, and oversight.

AppSec and model security

Prompts, tools, model behavior, testing, and abuse paths.

Endpoint, identity, and logs

Accounts, devices, shells, SaaS actions, telemetry, and retention.

Privacy, legal, and assurance

Data handling, obligations, evidence use, and executive review.

aws2

Workspace security profile

A scoped, evidence-backed layer around agentic workflows.

Familiar reference points

Built for the gap between AI standards and real agent workspaces.

If your team already works with AI governance, AppSec, risk, audit, or legal frameworks, aws2 gives that conversation a concrete target: one scoped agentic workflow, its reach, its actions, and its evidence trail.

OWASP AISVSOWASP LLM Top 10CSA AARMCSA MAESTRONIST AI RMFNIST AI 600-1ISO/IEC 42001ISO/IEC 23894EU AI ActMITRE ATLASAIUC-1Five Eyes guidance

What makes aws2 different

aws2 starts where broad AI standards usually stop: the live workflow.

Most AI standards look at model behavior, governance policy, application security, privacy, or broad organizational controls. aws2 focuses on the messy operating layer where agents create business risk: reach, authority, tools, approvals, memory, evidence, and handoffs inside one scoped workspace system.

Workflow-first

Review one real agentic workflow instead of starting with an abstract enterprise AI program.

Workspace-aware

Include files, apps, repositories, shells, tools, connectors, memory, and communication paths.

Action-focused

Separate reading and drafting from actions that send, change, export, delete, trigger, or affect production.

Evidence-ready

Leave a profile that leaders, DevOps, security, and engineering can inspect and improve.

That is the gap aws2 fills: a practical security profile for AI agents already operating inside the business.

Scoped agentic workspace system

The profile model is simple: scope, control, evidence, decision.

Start narrow enough to inspect. A short, honest profile for one workflow is more useful than a broad AI policy nobody can apply to the real tools and data in use.

01

Scope

What workflow, resources, identities, tools, and data are in or out?

02

Control

What can the agent read, change, send, trigger, or run, and what must pause?

03

Evidence

Which receipts, logs, validations, owners, and exceptions remain after the work?

04

Decision

What should move forward, pause, narrow, or go through a stronger review path?

Applied example

See how aws2 turns one AI workflow into something leaders can review.

The docs walk through a release-assistant agent because it is concrete: real files, real tools, draft communications, approval points, and evidence that can be reviewed without exposing every private detail.

View the full example

01

Release assistant

One agent helps prepare release notes and internal change summaries for a bounded engineering workflow.

02

Named reach

It reads selected tickets, pull requests, changelog fragments, test results, and release-planning documents.

03

Action gates

It can draft updates, but customer-facing text pauses for human approval and external sending stays out of scope.

04

Useful record

The profile keeps scope, policies, approvals, denied actions, validation findings, and exceptions reviewable.

aws2 families

Ten families, each tied to a question a reviewer can ask.

The families are intentionally practical. They help managers understand ownership and help security, DevOps, and engineering teams know which evidence to collect.

AWS2-SCP

Scope, inventory, ownership

What is the workflow boundary and who owns it?

AWS2-DEL

Delegation and authority

Whose account, role, or approval lets the agent act?

AWS2-WSB

Workspace boundaries

Which files, apps, shells, systems, and data are reachable?

AWS2-RUN

Runtime action control

Which actions are allowed, denied, paused, or approved?

AWS2-SRC

Source and tool trust

Can you trust the skills, tools, connectors, and updates?

AWS2-CTX

Context and memory

Which instructions, retrieval sources, and memories can steer work?

AWS2-SEC

Secrets and sensitive data

What must not be exposed, stored, exported, or copied?

AWS2-LOG

Receipts and traceability

Can reviewers reconstruct the important action path?

AWS2-VAL

Validation and review

Which controls, denials, and evidence paths were tested?

AWS2-GOV

Governance and change

Who accepts exceptions and when does the profile need rework?

Adoption path

Levels make the next step obvious.

Use levels to see where a workflow is today: unmapped, mapped, controlled, or evidence-backed. They help leaders decide what can move forward, what needs gating, and where technical teams should focus.

Level 0

Unclear boundary

The team cannot yet explain what the workflow can reach, do, prove, or exclude.

Level 1

Mapped workflow

Scope, owners, resources, authority, action classes, and exclusions are visible.

Level 2

Controlled slices

Selected high-impact actions have policy gates, receipts, and named evidence.

Level 3

Evidence-backed profile

The workflow has tested controls, retest triggers, exception handling, and owner review.

Build the standard with us

Agentic work is becoming infrastructure. Its security profile should be shaped in the open.

aws2 is for the teams already asking the hard questions: what can this agent touch, what can it change, who approves the risky steps, and what record is left behind? If you are integrating AI into business workflows, your edge cases are exactly what can make the standard useful.

Read docsBrowse family guidesRead the standard
  • Start with the plain-language primer if you are deciding whether this problem applies to your business.
  • Use the applied example to see how one scoped AI workflow becomes reviewable.
  • Browse family guides when a specific control area needs more operational detail.
  • Read the formal standard when you need scope, terms, levels, evidence, and governance language.
Generated illustration of redaction-safe evidence packets and approval receipts

Make agent reach, authority, and side effects visible before access expands.

It complements existing buckets by defining the agentic workspace profile around them.

Start with one workflow, one evidence packet, and a decision the business can understand.