# Agent Governance

## Overview

Every infrastructure change the agent makes goes through the same governance layer as the rest of Bluebricks. This page covers how approval flows, policies, and permissions work in conversation.

## The approval flow

When you ask the agent to make a change, the conversation follows a consistent cycle:

1. **You describe the change**: "Scale the EKS cluster in staging to 5 nodes"
2. **The agent runs a plan**: it generates the proposed changes and shows the plan output inline, including what will be created, updated, or destroyed
3. **You review**: read the plan directly in the conversation. For changes that open a pull request, see [Reading a Bluebricks PR](/docs/agent/reading-a-bluebricks-pr.md) for how to interpret the output
4. **You approve or reject**: tell the agent to proceed or cancel
5. **The agent applies or stops**: on approval, the changes are applied. On rejection, nothing happens

The agent never auto-approves. Even when no policies require explicit approval, the agent presents the plan and waits for your confirmation before applying.

## How collection policies surface

[Collections](/docs/orchestration/collections.md) and [blueprints](/docs/orchestration/packages/blueprints-overview.md) are part of the Bluebricks [orchestration](/docs/orchestration/orchestration.md) layer: collections group cloud providers with governance rules, and blueprints are the deployable units of infrastructure code. Collection owners and administrators can attach [policies](/docs/orchestration/collections/policies.md) to collections that control what can be deployed and under what conditions.

When the agent plans a change, these policies are evaluated automatically. If a policy blocks or pauses the run, the agent explains what happened directly in the conversation.

### Owner Approval

When a collection requires owner approval, the agent pauses after the plan and tells you that a collection owner must approve before the changes can be applied. If you are an owner, you can approve in the conversation. If not, the agent tells you who can.

### Cost Limit

If the projected cost of a change exceeds the collection's cost limit, the agent shows the estimated cost and explains that the limit was exceeded. The change can still proceed with owner approval.

### Allowed Blueprints

If you request a deployment using a blueprint or version that is not allowed in the target collection, the agent explains which constraints apply and which blueprints are available.

{% hint style="info" %}
For full details on configuring collection policies, see [Policies](/docs/orchestration/collections/policies.md).
{% endhint %}

## RBAC in conversation

The agent inherits your permissions. It cannot do anything you could not do yourself through the Bluebricks app or CLI.

* If you lack permission to approve a run, the agent tells you and identifies who can approve
* If you lack permission to deploy to a collection, the agent explains why the request was blocked
* The agent never escalates privileges or bypasses role restrictions

For details on roles and permission configuration, see [Roles and Permissions](/docs/organization-and-security/roles-and-permissions.md).

## Audit trail

Every approval, rejection, and action taken through the agent is recorded. The task history captures the full conversation, including the plan output, your decision, and the result. This complements the run-level audit trail in the orchestration platform, giving you a complete record across both interfaces.


