Teams
Agents are owned by teams, not individuals. Each team has its own model allowlist, tool extensions, and approval policy.
| Team | Members | Agents | Approval Policy | Identity |
|---|---|---|---|---|
| Customer Operations (team-cust-ops) | 8 | 4 | approval-required | Cognito User Pool · SAML federated (Okta) |
| Claims (team-claims) | 5 | 2 | approval-required | Cognito User Pool · SAML federated (Okta) |
| Marketing Lab (team-marketing) | 3 | 0 | self-service | Cognito User Pool · SAML federated (Okta) |
Roles
- Platform Admin — sets org allowlists (models, tools, skills), manages teams, controls upgrade cadence.
- Team Admin — narrows the team's allowlists, registers team tools, sets approval policy. Cannot exceed org-level permissions.
- Agent Builder — designs and tests agents through interview sessions. Sees only their team's allowlists.
- End User — the human an agent serves at runtime. Identified by an end_user_id issued by the per-team End User Directory. Never logs into the platform.
Approval policy
Approval policy is set per-team and applied to every deployment — first deploy, upgrades, and rollbacks alike. self-service requires only a passing eval scorecard; approval-required additionally requires sign-off from a designated reviewer in the platform UI.
Both modes write a DeploymentApproved audit record to the object-locked S3 bucket — the eval scorecard, the reviewer identity (or self-attestation), and the resulting stamp version.
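The gate described above can be sketched as follows. This is an added example, not the platform's own code: the function name, field names, deployment-kind strings and the designated_reviewers parameter are assumptions, and the write to the object-locked S3 bucket is left out so the sketch runs offline.

```python
from typing import Optional

POLICIES = {"self-service", "approval-required"}
DEPLOY_KINDS = {"first-deploy", "upgrade", "rollback"}  # the policy covers all three


class DeploymentDenied(Exception):
    """Raised when the team's approval policy is not satisfied."""


def approve_deployment(policy: str, kind: str, team_id: str, requester: str,
                       scorecard: dict, stamp_version: str,
                       designated_reviewers: frozenset = frozenset(),
                       reviewer: Optional[str] = None) -> dict:
    """Return a DeploymentApproved record (hypothetical shape) or raise."""
    # Fail closed on anything unrecognized rather than defaulting to self-service.
    if policy not in POLICIES:
        raise DeploymentDenied(f"unknown approval policy {policy!r}")
    if kind not in DEPLOY_KINDS:
        raise DeploymentDenied(f"unknown deployment kind {kind!r}")
    # Both modes require a passing eval scorecard.
    if scorecard.get("passed") is not True:
        raise DeploymentDenied("eval scorecard did not pass")
    if policy == "approval-required":
        # Sign-off must come from a reviewer designated for this team.
        if reviewer is None or reviewer not in designated_reviewers:
            raise DeploymentDenied("sign-off from a designated reviewer is required")
        approver = {"type": "reviewer", "identity": reviewer}
    else:
        approver = {"type": "self-attestation", "identity": requester}
    return {
        "event": "DeploymentApproved",
        "team_id": team_id,
        "deployment_kind": kind,
        "approval_policy": policy,
        "scorecard": scorecard,
        "approver": approver,
        "stamp_version": stamp_version,
    }


if __name__ == "__main__":
    # Constructed sample input; identities and versions are made up.
    card = {"id": "scorecard-example", "passed": True}
    print(approve_deployment("self-service", "rollback", "team-marketing",
                             "builder@example.com", card, "stamp-example-1"))
```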