2.7 KiB
Scene 4 — DENY: Dangerous Tool Unconditionally Blocked
Policy rule: Block rule (db.executeScript is blocked regardless of scopes or arguments)
Expected result: DENY
Presentation Rule
Language: All AI narration and communication during scenes must be in English.
The AI must narrate every interaction with the gateway in detail. Before calling the gateway, explain what it is about to do, which endpoint it will call, what payload it will send, and what it expects to happen. After receiving the response, explain what the gateway returned, what the decision means, and why it matters. The goal is to make the audience understand exactly what is happening between the AI and the gateway at every step.
Communication Flow
sequenceDiagram
participant AI as AI Agent
participant GW as Gateway
participant PE as Policy Engine
participant DB as Database Service
AI->>GW: POST /api/gateway/execute<br/>{tool: db.executeScript, action: execute,<br/>arguments: {script: "DROP TABLE users#59;"}}
GW->>GW: Validate JWT + extract scopes
GW->>PE: Evaluate policy rules
PE->>PE: Block rule: db.executeScript ✗<br/>Unconditionally blocked
PE-->>GW: Decision: DENY
Note over GW,DB: Request never reaches Database
GW->>GW: Write audit entry
GW-->>AI: 200 OK {decision: DENY,<br/>reason: "db.executeScript is blocked by policy"}
Demo Script
Presenter says: "Some operations are so dangerous that no AI agent should ever execute them.
db.executeScriptruns arbitrary SQL — DROP TABLE, DELETE FROM, anything. The policy blocks it unconditionally."
Action
Example request:
"Execute this SQL script on the database: DROP TABLE users;"
Send a gateway request for db.executeScript with script=DROP TABLE users;.
Expected Response
{
"request_id": "req-...",
"decision": "deny",
"reason": "db.executeScript is blocked by policy",
"matched_rule": "deny-db-execute-script"
}
What This Proves
- Hard blocks exist — some tools are denied regardless of token, scope, or arguments
- This is the "nuclear option" in policy: a
blockrule that cannot be overridden - The default policy makes this tool unusable even if the caller has a matching scope
- Defense-in-depth: even if someone adds
db.executescope to a token, the policy still blocks it
Key Message
"We can't stop the AI from asking. But we can stop the request from succeeding. This is the same as having a firewall rule that blocks port 22 — you don't rely on clients not trying."
Transition to Next Scene
"OK, hard blocks work. But what about softer controls — like preventing the AI from overwhelming a service?"