Risk Scoring¶
ARX computes a dynamic risk score between 0 and 100 for every agent connector call. The score drives policy verdicts: low scores are permitted, moderate scores may trigger escalation, and high scores lead to denial or mandatory human review. Risk scores are recorded in the audit log alongside every action, providing a continuous quantitative measure of agent risk exposure.
Scoring Algorithm¶
The risk score is the sum of four independent factors, capped at 100:
risk_score = min(operation_risk + connector_sensitivity + session_frequency + target_sensitivity, 100)
Each factor is computed from static lookup tables and runtime context. There are no machine-learning components; the algorithm is deterministic and auditable.
Factor 1: Operation Risk¶
The operation string (e.g., host:isolate, ticket:read) is parsed to extract the verb. If the operation uses colon-delimited syntax (noun:verb), the verb is the segment after the last colon. Otherwise, the first segment before an underscore is used.
| Verb | Risk Weight |
|---|---|
read |
10 |
list |
10 |
get |
10 |
search |
15 |
create |
25 |
write |
30 |
update |
30 |
execute |
40 |
isolate |
45 |
contain |
45 |
delete |
50 |
remove |
50 |
quarantine |
50 |
Operations with unrecognized verbs receive a default weight of 20.
The weights reflect the blast radius of each operation type. Read operations are low-risk because they do not alter state. Write and update operations carry moderate risk. Destructive operations (delete, remove, quarantine) and containment actions (isolate, contain) carry the highest weight because they can cause immediate operational impact.
Factor 2: Connector Sensitivity¶
Each connector has a static sensitivity weight reflecting the criticality of the system it interfaces with:
| Connector | Sensitivity Weight |
|---|---|
okta |
35 |
palo_alto |
35 |
crowdstrike |
30 |
sentinel |
25 |
wiz |
20 |
splunk |
15 |
servicenow |
15 |
jira |
10 |
pagerduty |
10 |
slack |
5 |
Connectors not in the table receive a default weight of 15.
Identity providers (Okta) and network security tools (Palo Alto) carry the highest sensitivity because unauthorized changes to these systems can compromise the entire security posture. Collaboration tools (Slack, Jira) carry the lowest sensitivity.
Factor 3: Session Frequency¶
The number of actions the agent has performed in the current session adds incremental risk. This factor detects runaway loops, compromised agents, or unexpected behavioral patterns.
| Session Action Count | Frequency Weight |
|---|---|
| 0-10 | 0 |
| 11-20 | 5 |
| 21-50 | 10 |
| 51+ | 20 |
Session context is passed via the session_context parameter on every intercept call. The SDK tracks the action count for the current execution session and includes it automatically.
Factor 4: Target Sensitivity¶
The sensitivity classification of the target resource adds a context-dependent risk component:
| Sensitivity | Weight |
|---|---|
low |
0 |
medium |
10 |
high |
20 |
critical |
35 |
Target sensitivity is determined by the caller based on the specific resource being accessed. For example, an agent reading a low-sensitivity Jira ticket contributes 0 points, while an agent modifying a critical Okta admin group contributes 35 points.
Unrecognized sensitivity values receive a default weight of 10.
Score-to-Verdict Mapping¶
The policy engine uses the risk score in two ways:
Per-Policy Threshold¶
Each policy rule has a configurable risk_threshold (default: 70). When an allow-type policy rule matches an action and the computed risk score meets or exceeds the threshold, the verdict is upgraded to ESCALATE. This allows administrators to set fine-grained tolerance levels per connector and action pattern.
Default Thresholds¶
When no policy rule matches, the engine applies fixed thresholds:
| Risk Score Range | Default Verdict |
|---|---|
| 0-49 | PERMIT |
| 50-79 | ESCALATE |
| 80-100 | DENY |
These defaults cannot be changed through the API. They serve as a safety net for agents and connectors that have not yet been covered by explicit policy rules.
Worked Examples¶
Example 1: Low-Risk Read¶
An agent reads a Jira ticket with low sensitivity, 5 prior session actions:
| Factor | Value | Weight |
|---|---|---|
Operation (read) |
-- | 10 |
Connector (jira) |
-- | 10 |
| Session frequency (5 actions) | -- | 0 |
Target sensitivity (low) |
-- | 0 |
| Total | 20 |
Verdict (default thresholds): PERMIT.
Example 2: High-Risk Containment¶
An agent isolates a CrowdStrike host with high sensitivity, 25 prior session actions:
| Factor | Value | Weight |
|---|---|---|
Operation (isolate) |
-- | 45 |
Connector (crowdstrike) |
-- | 30 |
| Session frequency (25 actions) | -- | 10 |
Target sensitivity (high) |
-- | 20 |
| Total (capped) | 100 |
Verdict (default thresholds): DENY. Even with an allow policy at risk_threshold: 70, this would escalate.
Example 3: Moderate Write¶
An agent creates a ServiceNow ticket with medium sensitivity, 8 prior session actions:
| Factor | Value | Weight |
|---|---|---|
Operation (create) |
-- | 25 |
Connector (servicenow) |
-- | 15 |
| Session frequency (8 actions) | -- | 0 |
Target sensitivity (medium) |
-- | 10 |
| Total | 50 |
Verdict (default thresholds): ESCALATE. An allow policy with risk_threshold: 60 would permit this action instead.
Example 4: Okta User Deletion¶
An agent deletes an Okta user with critical sensitivity, 3 prior session actions:
| Factor | Value | Weight |
|---|---|---|
Operation (delete) |
-- | 50 |
Connector (okta) |
-- | 35 |
| Session frequency (3 actions) | -- | 0 |
Target sensitivity (critical) |
-- | 35 |
| Total (capped) | 100 |
Verdict: DENY under any threshold configuration.
Tuning Risk Scores¶
Risk scores are not directly tunable -- the operation weights and connector sensitivity tables are compiled into the application. The primary tuning mechanism is the risk_threshold field on policy rules.
To make a connector more permissive, create an allow policy with a high risk_threshold (e.g., 90). To make a connector more restrictive, create an allow policy with a low risk_threshold (e.g., 30) or use an escalate rule to bypass scoring entirely.
If the built-in weights do not match your organization's risk profile, contact your ARX deployment team to discuss custom weight tables.
Audit and Observability¶
Every risk score is recorded in the audit log as part of the connector.called event metadata. The score is available in the metadata.risk_score field. Use the audit log API to query historical risk scores for trend analysis, anomaly detection, or compliance reporting.