
Core concepts

The read/write access map

How Olivares AI models agent access as a typed read/write graph, diffs permitted against observed, and stays honest about coverage and attribution.

The read/write access map is the data structure everything else hangs off. If you understand it, you understand the product.

Nodes and typed edges

The map is a graph. Agents are nodes. The resources they can reach — databases, object stores, MCP servers, APIs, queues — are nodes. Every edge is a typed access relationship: R (the agent can read the resource) or RW (the agent can read and write it).

Typing each edge read-vs-write is deliberate. Least-privilege cleanup and the integrity side of incident blast-radius are both driven by write access, not mere connectivity. A reporting agent that can only read a warehouse and a deployment agent that can rewrite it are not the same risk, and a flat “has access” list hides exactly that. Read-only edges still stay on the map: they carry confidentiality and exfiltration risk, just not the ability to alter what other agents depend on.

Permitted vs Observed

The map carries two layers and continuously diffs them:

  • Permitted — what the agent is allowed to do, derived from grants and policy.
  • Observed — what it has actually been seen doing, derived from telemetry and native audit trails.

The diff is where the value is:

  • Unexpected access — an edge that was observed but not permitted, including a write seen on a read-only grant. This is the finding a security team actually wants surfaced.
  • Unused grants — an edge that is permitted but never exercised. This is your concrete least-privilege cleanup list, not a vague “review your IAM” nag.

The live product tour shows this overlay on a real capture.

Fidelity is tiered — and shown

The map is only as good as what a source can prove, and it says so rather than bluffing. Two independent axes are surfaced per edge:

  • Coverage of read-vs-write:
    • clean — native audit makes R/RW unambiguous (PostgreSQL via pgAudit, object storage via CloudTrail with data events enabled, warehouses and lakes).
    • lossy — partial signal, e.g. some document and vector stores.
    • opaque — cannot be reconstructed passively (Redis, SQLite, D1). The edge is marked unknown rather than guessed.
  • Attribution:
    • firm — the source carries per-agent identity.
    • approximate — a shared service account hides which agent acted.

Because both axes travel with the edge, a confidently-known relationship and a barely-seen one are never rendered as if they were equally certain.
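The layering, diff and per-edge fidelity described above, as an added Python example. This is not Olivares AI's own code: the source names, agents, resources, grants and audit events are constructed, and the merge and diff rules (a confirmed write outranks a read, an opaque source yields "unknown" rather than a guess, one sighting through a shared account marks the whole edge approximate, and an unused write half is only claimed when coverage is clean and attribution firm) are one reasonable reading of the text.

```python
"""Added example, not Olivares AI's own code: a typed read/write access map with a
Permitted layer, an Observed layer, the diff between them, and the coverage and
attribution tiers that travel with every observed edge. All names and events are
constructed for illustration."""
from dataclasses import dataclass, replace

CLEAN, LOSSY, OPAQUE = "clean", "lossy", "opaque"     # can the source prove R vs RW?
FIRM, APPROXIMATE = "firm", "approximate"              # does it carry per-agent identity?
RANK = {"R": 0, "unknown": 1, "RW": 2}                 # merge rule: never round an edge down

# Constructed: coverage tier per telemetry source, mirroring the tiers in the text.
SOURCE_COVERAGE = {"pgaudit": CLEAN, "cloudtrail": CLEAN, "vectordb": LOSSY, "redis": OPAQUE}
# Constructed: a shared service account used by two agents hides which one acted.
SHARED_ACCOUNTS = {"svc-shared": {"reporting-agent", "deploy-agent"}}


@dataclass(frozen=True)
class Edge:
    agent: str
    resource: str
    mode: str           # "R", "RW", or "unknown" when the source is opaque
    coverage: str
    attribution: str


def permitted_layer(grants):
    """Permitted layer: {(agent, resource): mode} from grants/policy; RW wins over R."""
    out = {}
    for agent, resource, mode in grants:
        key = (agent, resource)
        if RANK[mode] > RANK.get(out.get(key), -1):
            out[key] = mode
    return out


def observed_layer(events):
    """Observed layer from audit events: {(agent, resource): Edge}.
    Each event carries principal, resource, source and op ("read" | "write")."""
    out = {}
    for ev in events:
        coverage = SOURCE_COVERAGE[ev["source"]]
        # An opaque source cannot prove read-vs-write: record unknown, never a guess.
        mode = "unknown" if coverage == OPAQUE else ("RW" if ev["op"] == "write" else "R")
        if ev["principal"] in SHARED_ACCOUNTS:
            agents, attribution = sorted(SHARED_ACCOUNTS[ev["principal"]]), APPROXIMATE
        else:
            agents, attribution = [ev["principal"]], FIRM
        for agent in agents:
            key = (agent, ev["resource"])
            prev = out.get(key)
            if prev is None or RANK[mode] > RANK[prev.mode]:
                prev = Edge(agent, ev["resource"], mode, coverage, attribution)
            if attribution == APPROXIMATE:   # one shared-account sighting taints the edge
                prev = replace(prev, attribution=APPROXIMATE)
            out[key] = prev
    return out


def diff_layers(permitted, observed):
    """Diff Permitted against Observed. Returns (unexpected, unverifiable, unused):
    unexpected   - observed with no grant, or a confirmed write on a read-only grant
    unverifiable - read-only grant seen through an opaque source: a write is neither
                   confirmed nor ruled out, so it is reported as unknown, not guessed
    unused       - grant never exercised, or an RW grant whose write half was never
                   used (claimed only with clean coverage and firm attribution)"""
    unexpected, unverifiable, unused = [], [], []
    for key, edge in observed.items():
        grant = permitted.get(key)
        if grant is None:
            unexpected.append((edge, "no grant"))
        elif grant == "R" and edge.mode == "RW":
            unexpected.append((edge, "write on read-only grant"))
        elif grant == "R" and edge.mode == "unknown":
            unverifiable.append((edge, "opaque source; write cannot be ruled out"))
        elif (grant == "RW" and edge.mode == "R"
              and edge.coverage == CLEAN and edge.attribution == FIRM):
            unused.append((key, "write grant never exercised"))
    for key in permitted:
        if key not in observed:
            unused.append((key, "grant never exercised"))
    return unexpected, unverifiable, sorted(unused)


# Constructed sample grants and audit events.
GRANTS = [
    ("reporting-agent", "warehouse", "R"),
    ("deploy-agent", "warehouse", "RW"),
    ("deploy-agent", "s3://artifacts", "RW"),
    ("deploy-agent", "queue:jobs", "RW"),
    ("reporting-agent", "redis-cache", "R"),
]
EVENTS = [
    {"principal": "reporting-agent", "resource": "warehouse", "source": "pgaudit", "op": "read"},
    {"principal": "reporting-agent", "resource": "warehouse", "source": "pgaudit", "op": "write"},
    {"principal": "deploy-agent", "resource": "warehouse", "source": "pgaudit", "op": "write"},
    {"principal": "deploy-agent", "resource": "s3://artifacts", "source": "cloudtrail", "op": "read"},
    {"principal": "svc-shared", "resource": "vectordb:docs", "source": "vectordb", "op": "read"},
    {"principal": "reporting-agent", "resource": "redis-cache", "source": "redis", "op": "read"},
]


def demo():
    """Build both layers from the sample data and return the three diff buckets."""
    return diff_layers(permitted_layer(GRANTS), observed_layer(EVENTS))


if __name__ == "__main__":
    for name, bucket in zip(("unexpected", "unverifiable", "unused"), demo()):
        print(name)
        for item, why in bucket:
            print("  ", item, "-", why)
```

The three buckets are deliberately separate: the write on the read-only warehouse grant is a firm, clean finding; the two vector-store edges are findings too, but each is flagged lossy and approximate because the shared account cannot say which agent acted; and the Redis edge lands in neither list, because an opaque source cannot prove or disprove a write. The unused list is the least-privilege cleanup queue, and it only claims a never-used write half where the telemetry is good enough to prove the absence.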

Read-first by design

Building this map is an observation activity, not an interception one. Olivares AI does not sit in the request path between an agent and its resources; it ingests telemetry and native audit out of band. Viewing the map is itself a privileged, tenant-scoped and fully audited action. The product observes and governs first; where it can act, it does so fail-closed, denying by default, never as a blanket executor.