Behavioral step-up
Imagine an agent that has only ever read from one repo for weeks. Today it suddenly tries to write to a different repo it has never touched. Nothing in your static rules forbids that — but it's exactly the kind of first-of-its-kind move you'd want to glance at. Behavioral step-up catches that: the first time an agent does something genuinely new, it pauses for a human, then proceeds normally once you've approved it.
Behavioral step-up routes novel and out-of-pattern agent actions to a
human before they run. It is deterministic, opt-in, and escalate-only: it
can turn an allow into a step_up, and it can never grant an allow or
soften a deny. It is not anomaly detection, machine learning, or a risk score
— it answers one exact question: "has this agent executed this before?"
This implements two of Axtary's step-up triggers: an action that is novel for an agent/tool/resource combination, and an action that forms an unusual tool sequence.
When to use it
Turn it on when you want a human in the loop the first time an agent does something new — a tool it has never used, a resource it has never touched, or a tool transition it has never made — without hand-writing a rule for every case. It is most useful for agents whose "normal" behavior you are still learning, or for high-stakes tenants where first-of-its-kind actions deserve a glance.
The two signals
For each action Axtary derives two booleans, scoped to (tenant, agent):
- First-seen combination — this agent has never executed this
toolon thisresourcebefore. Emits the reason codebehavior_first_seen. - Abnormal sequence — the transition from the agent's last executed tool
to this one has never happened before. Emits
behavior_abnormal_sequence.
Both are exact-match memory, not statistics. The store records only tool and resource identifiers and the agent's last tool — never payloads or secrets.
How an action becomes "known"
This is the most important part of the model:
- Before policy, Axtary reads the store (read-only) and derives the signals for the current action.
- If a signal fires and the base decision was
allow, the action is escalated tostep_up. - Only after an action actually executes — an
allow, or astep_upthat a human approved and that then ran — is it recorded as known.
So a novel action that is denied or left unapproved is never silently marked known. Novelty persists until the action is genuinely approved and executed. The store learns from real, approved behavior — you cannot launder a suspicious action by retrying it.
Step 1 — Enable it in axtary.yml
Behavioral step-up is off by default. Add a behavior block under policy:
policy:
behavior:
enabled: true # opt-in
firstSeen: true # escalate never-seen (agent, tool, resource)
abnormalSequence: true # escalate never-seen prevTool -> tool transition
Set either sub-flag to false to use only one signal. There is intentionally
no deny option and no weighting — the only effect this feature can have is
allow → step_up.
Step 2 — Run an agent through the proxy
With the feature on, the first time an agent calls a tool on a resource you'll see the decision escalate:
$ # agent's first read of a new repo
decision: step_up
reasons: [github_read_inside_policy, behavior_first_seen]
The action is not executed — it waits for approval (see the approvals flow). Approve it once, let it run, and the next identical call no longer escalates on novelty:
$ # same agent, same tool, same resource, after approval
decision: allow
A never-before-seen tool transition escalates the same way:
$ # agent did a read, now does its first write after that read
decision: step_up
reasons: [github_write_inside_policy, behavior_abnormal_sequence]
Step 3 — See it in the ledger
Every escalation is recorded with its reason codes in the tamper-evident
ledger, so you can audit exactly which actions were novel and when they became
known. The reason codes behavior_first_seen and behavior_abnormal_sequence
appear alongside the base policy reasons on the decision record.
Durability
Novelty memory is persisted (0600, lock-serialized, atomic writes) and shared
across proxy / serve handlers, so it survives restarts — a process
restart does not reset what an agent has already done. A brand-new agent's very
first action is always first-seen.
The hard limits (by design)
- Escalate-only. It never authorizes and never denies. A behavioral signal
can only raise an
allowtostep_up; adenystays adeny. - Deterministic. No scoring, no ML, no baselining. It is exact first-seen memory, not anomaly detection, and it makes no probabilistic claim.
- Identifiers only. It records tool/resource identifiers, never payload content or secrets.
- Per agent/tenant. Signals are scoped to
(tenant, agent); there is no global or cross-tenant baseline.
For the exact contract and reason codes, see the behavioral step-up profile.