Behavioral step-up

Imagine an agent that has only ever read from one repo for weeks. Today it suddenly tries to write to a different repo it has never touched. Nothing in your static rules forbids that — but it's exactly the kind of first-of-its-kind move you'd want to glance at. Behavioral step-up catches that: the first time an agent does something genuinely new, it pauses for a human, then proceeds normally once you've approved it.

Behavioral step-up routes novel and out-of-pattern agent actions to a human before they run. It is deterministic, opt-in, and escalate-only: it can turn an allow into a step_up, and it can never grant an allow or soften a deny. It is not anomaly detection, machine learning, or a risk score — it answers one exact question: "has this agent executed this before?"

This implements two of Axtary's step-up triggers: an action that is novel for an agent/tool/resource combination, and an action that forms an unusual tool sequence.

When to use it

Turn it on when you want a human in the loop the first time an agent does something new — a tool it has never used, a resource it has never touched, or a tool transition it has never made — without hand-writing a rule for every case. It is most useful for agents whose "normal" behavior you are still learning, or for high-stakes tenants where first-of-its-kind actions deserve a glance.

The two signals

For each action Axtary derives two booleans, scoped to (tenant, agent):

  • First-seen combination — this agent has never executed this tool on this resource before. Emits the reason code behavior_first_seen.
  • Abnormal sequence — the transition from the agent's last executed tool to this one has never happened before. Emits behavior_abnormal_sequence.

Both are exact-match memory, not statistics. The store records only tool and resource identifiers and the agent's last tool — never payloads or secrets.

How an action becomes "known"

This is the most important part of the model:

  1. Before policy, Axtary reads the store (read-only) and derives the signals for the current action.
  2. If a signal fires and the base decision was allow, the action is escalated to step_up.
  3. Only after an action actually executes — an allow, or a step_up that a human approved and that then ran — is it recorded as known.

So a novel action that is denied or left unapproved is never silently marked known. Novelty persists until the action is genuinely approved and executed. The store learns from real, approved behavior — you cannot launder a suspicious action by retrying it.

Step 1 — Enable it in axtary.yml

Behavioral step-up is off by default. Add a behavior block under policy:

policy:
  behavior:
    enabled: true          # opt-in
    firstSeen: true         # escalate never-seen (agent, tool, resource)
    abnormalSequence: true  # escalate never-seen prevTool -> tool transition

Set either sub-flag to false to use only one signal. There is intentionally no deny option and no weighting — the only effect this feature can have is allow → step_up.

Step 2 — Run an agent through the proxy

With the feature on, the first time an agent calls a tool on a resource you'll see the decision escalate:

$ # agent's first read of a new repo
decision: step_up
reasons:  [github_read_inside_policy, behavior_first_seen]

The action is not executed — it waits for approval (see the approvals flow). Approve it once, let it run, and the next identical call no longer escalates on novelty:

$ # same agent, same tool, same resource, after approval
decision: allow

A never-before-seen tool transition escalates the same way:

$ # agent did a read, now does its first write after that read
decision: step_up
reasons:  [github_write_inside_policy, behavior_abnormal_sequence]

Step 3 — See it in the ledger

Every escalation is recorded with its reason codes in the tamper-evident ledger, so you can audit exactly which actions were novel and when they became known. The reason codes behavior_first_seen and behavior_abnormal_sequence appear alongside the base policy reasons on the decision record.

Durability

Novelty memory is persisted (0600, lock-serialized, atomic writes) and shared across proxy / serve handlers, so it survives restarts — a process restart does not reset what an agent has already done. A brand-new agent's very first action is always first-seen.

The hard limits (by design)

  • Escalate-only. It never authorizes and never denies. A behavioral signal can only raise an allow to step_up; a deny stays a deny.
  • Deterministic. No scoring, no ML, no baselining. It is exact first-seen memory, not anomaly detection, and it makes no probabilistic claim.
  • Identifiers only. It records tool/resource identifiers, never payload content or secrets.
  • Per agent/tenant. Signals are scoped to (tenant, agent); there is no global or cross-tenant baseline.

For the exact contract and reason codes, see the behavioral step-up profile.