Skip to main content
Framework
7 min
March 25, 2026

Designing a Risk Tiering Framework for AI Agent Actions


Not All Actions Are Equal


A file read and a wire transfer are both "agent actions." But treating them the same is either dangerously permissive or uselessly restrictive.


Risk tiering solves this by classifying every agent action into tiers that determine the governance process. Here's a practical framework.


The Three-Tier Model


T0 — Reversible / Low-Stakes

*Auto-approved. No operator intervention.*


Examples:

  • Reading a file or database
  • Checking service status
  • Internal logging or reasoning
  • Querying an API (GET requests)

    • Why auto-approve? These actions are read-only or easily reversible. Requiring approval would create bottlenecks without adding safety. The governance pipeline still records them in the audit trail.


    T1 — Moderate Stakes

    *Requires operator approval. Single-party.*


    Examples:

  • Restarting a service
  • Updating configuration
  • Writing to a database
  • Sending an internal notification
  • Creating a support ticket

    • Why require approval? These actions have real-world effects that could cause disruption if wrong, but a single informed operator can assess the risk.


    T2 — Irreversible / High-Impact

    *Requires multi-party approval. Time-limited warrants.*


    Examples:

  • Production deployments
  • Financial transactions
  • Deleting data
  • Sending external communications (emails, campaigns)
  • Legal filings
  • Infrastructure changes (scaling, region migration)

    • Why multi-party? The blast radius of errors is high and consequences may be irreversible. Multiple reviewers reduce single-point-of-failure in approval.


    Implementing Risk Tiers


    Step 1: Classify your agent actions

    List every action your agents can perform. For each one, ask:

  • Is it read-only or does it change state?
  • Is it reversible?
  • What's the blast radius if it goes wrong?
  • Are there regulatory implications?

    • Step 2: Map actions to tiers

    Use the answers above to assign each action to T0, T1, or T2. When in doubt, tier up — you can always relax later.


    Step 3: Define approval workflows

  • T0: Auto-approve, log only
  • T1: Single operator approval, 15-minute warrant TTL
  • T2: Multi-party approval, 5-minute warrant TTL, mandatory rollback plan

    • Step 4: Monitor and iterate

    Review your tier assignments quarterly. Actions that consistently auto-approve without issues can potentially move down a tier. Actions that cause incidents should move up.


    Common Mistakes


    Over-tiering everything. If every action requires approval, operators get alert fatigue and start rubber-stamping. Be disciplined about what's actually T1/T2.


    Under-tiering financial actions. Money movements should always be T2, regardless of amount. The reputational risk of an unauthorized transfer outweighs the friction cost.


    Ignoring the compound effect. A single T0 action might be safe, but 1,000 T0 actions in rapid succession could be an attack. Consider rate limiting and anomaly detection alongside tiering.


    In Vienna OS


    Vienna OS implements this framework natively. The Policy Engine assigns risk tiers based on configurable rules. The Intent Gateway routes actions through the appropriate approval workflow. And the Verification Engine confirms execution stayed within the warranted scope.



    Set up your risk tiers in under 5 minutes. Read the docs →


    Ready to govern your agents?

    Start with the free tier. No credit card required.

    Get Started Free

    Stay Updated

    Get notified about Vienna OS updates and new governance features.

    Join 200+ developers • No spam • Unsubscribe anytime