Permissions & Access Controls

Permissions, enforced at
runtime.

Your existing access model - already in Active Directory, Workday, and your source systems.
Leena AI enforces it on every AI Colleague, on every step, before the action lands.

What it is

The control layer for what
an AI Colleague can
know and do.

Permissions mirror your org. Roles, directories, app access - all of it. If a person can't do it, neither can their agent. Leena AI calls your system of record. We don't rebuild it.

Observability shows what the agent did. This is the layer that kept it inside the lines in the first place.

How it works

Six layers. All enforced
before the agent acts.

The surface view. Each layer goes deeper — we'll walk you through it in a demo.

Source permissions, inherited

200+ enterprise integrations carry their access models with them. Permissions stay in the source system - no second table to manage, no second table to drift.

RBAC that mirrors your organisation

Directory sync from Active Directory and your HRIS. Role-based controls at the AI Colleague level, the AOP level, and the individual skill level.

Four-layer guardrails at runtime

Enforced at the model, the AI Colleague, the execution path, and the prompt. Out-of-policy actions are blocked — not flagged after the fact.

Deterministic tools, not improv

Every tool knows its target system and validated fields. High-risk actions sit behind explicit approvals — record updates, provisioning, money movement.

Tenant isolation by design

Public cloud, single-tenant, or private VPC. 14+ deployment regions. Pick the model that fits your risk profile and data residency requirements.

Encrypted, certified, evidenced

AES-256-GCM at rest. TLS 1.2+ in transit. SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, ISO 27701, HIPAA, GDPR. Pentest reports and compliance artifacts in the Trust Center.

Why it matters

Read-only chat leaks an answer. An autonomous worker moves money.

AI Colleagues act. That changes the math.

Records get updated. Access gets granted. Money moves — at machine speed, across systems, without a human in the loop on every step. This is the layer that lets a CISO say yes to scaling AI Colleagues across HR, IT, Finance, and Procurement without multiplying the attack surface. Every action is attributable to the user it was taken for. Every guardrail fires before the call lands, not after.

When AI takes action, bad permissioning isn't a UX problem. It's an audit finding.

What's different

Permissions in the architecture,
not in the SKU.

Inherited, not duplicated

200+ enterprise integrations carry their access models with them. There's no second permissions table to maintain — and no second table to fall out of sync with the source.

Built for restricted data from day one

The platform was designed for PII and PHI workloads, not retrofitted. Healthcare and financial services customers run on the same architecture you'll deploy.

Enforced at runtime, not reviewed retroactively

Guardrails fire before the AI Colleague acts. Continuous enforcement, not a quarterly access review that finds the problem three months late.

Defense in depth, not a single checkpoint

Five enforcement surfaces stacked: RBAC, tenant isolation, source-system inheritance, four-layer runtime guardrails, and a full trace log. Failing one doesn't compromise the others.

Fast to deploy, still fully governed

Pre-indexed knowledge, pre-built connectors, security groups intact from the source. Live in days, governed from the first run.

Breakdown

Inside the Agentic AI architecture

Touchpoints

Your people work in Teams, Slack, email, voice, browsers, portals. AI Colleagues show up there. Not somewhere else.

8+ channels. Zero context switching.

Same agent, same memory, every surface

Talks back. Reaches out. Doesn't wait to be asked.

Orchestrator

The brain. Reads the request, builds the plan, calls the right AI Colleague, routes between models on the fly. Model-agnostic by design - runs on Claude Opus 4.8, WorkLM™️, GPT 5.5, Llama 4, or Gemini 3.5.

Plans are built, not pre-coded

Breaks complex asks into doable subtasks

Hands off cleanly between agents over A2A

AI Colleagues

Level 3 digital workers, each grounded by Agent Operating Protocols (AOPs), equipped with Tools to act in enterprise apps, powered by Context Graph and Memory, and managed via a Workbench.

Always on. 24/7. No human trigger.

Gets smarter with every interaction via the Context Graph

Handle exceptions like a person would. No "I didn't understand."

Studios

Three no-code studios that let business users design, assemble, and ground AI Colleagues in plain English. AOP Studio writes the process. Workflow Studio wires in the tools. Knowledge Studio connects the truth.

Kickoff to live in days, not months

Business users own and iterate without engineering

1000+ pre-built tools across 200+ enterprise systems

Permissions and Access Controls

AI Colleagues only see and do what their role allows - across every system you connect. Permissions stay tied to your existing tools.

Inherits from your IdP. No re-mapping.

Every action audit-logged and identity-bound

Safe for multi-team, multi-tenant deployments

Integrations

200+ pre-built enterprise connectors across ServiceNow, Workday, SAP, Oracle, Salesforce, UKG, SharePoint, Snowflake, and more — via APIs, MCP, A2A, and browser/RPA.

200+ live on day one

Connect in minutes, no custom code

API + RPA + browser fallback. Nothing's "we can't integrate."

Observability and Governance

Responsible AI layer, built into every AI Colleague. See every step, govern every action. Dashboards for execs, ops, and risk.

Full trace: what the agent did, why, what it read

Guardrails at every layer - enforced before execution

Eval Suite catches regressions. Quality trends up, not sideways

Trust and Security

Agentic AI security built into the architecture, not bolted on. SOC 2, ISO 27001, HIPAA, AES-256-GCM.

AES-256 at rest, TLS 1.2+ in transit, AWS KMS-managed keys

Shared, single-tenant, or private VPC across 14+ regions

SSO, MFA, and RBAC for staff and customer admins

Pick your next stop

Hand-picked next reads — short on filler, long on what matters.

Agentic AI Architecture

The platform Fortune 500s use to build, govern, and run enterprise AI Colleagues.

8 Years of Integrations

One integration layer, 200+ systems of record, battle-tested in 500+ enterprises over 8 years.

Avoid Vendor Lock-In

No OEM money. No vested interest. No vendor lock-in. We connect to all of them.

Leena AI Documentation

Your reference for configuring, deploying, and managing AI Colleagues at scale.

Frequently asked questions

How does Leena AI handle permissions for AI Colleagues?

Leena AI inherits your existing access model from 200+ source systems — Active Directory, Workday, SAP, ServiceNow, Salesforce, and the rest. Permissions are pulled live, not copied into a second table. If a person can't access something, neither can their AI Colleague.

What's the difference between AI observability and AI access controls?

Observability shows you what the agent did. Access controls decide what it's allowed to do. One reports. The other prevents. You need both — but only access controls stop a bad action before it happens.

Are Leena AI's AI Colleagues safe for handling PII and PHI?

Yes. The platform was built for restricted data from day one — not retrofitted. SOC 2 Type II, ISO 27001/27017/27018/27701, HIPAA, and GDPR. AES-256-GCM encryption at rest, TLS 1.2+ in transit. Pentest reports and compliance artifacts are available in the Trust Center.

Are guardrails enforced at runtime, or after the fact?

Pre-execution, at every layer. Out-of-policy actions get blocked before they touch a downstream system — not flagged in next quarter's audit.

Can Leena AI be deployed in a private VPC?

Yes. Public cloud (multi-tenant), single-tenant, or private VPC. 14+ deployment regions across North America, Europe, APAC, and the Middle East — pick the residency that fits your compliance requirements.

Will an AI agent ever take an action my employees can't?

No. RBAC syncs live from Active Directory or your HRIS. The agent acts as a delegate of the user behind it — never as an exception to the policy. If the user can't approve a $50K invoice, the agent can't either.

How long does it take to deploy AI Colleagues with proper access controls?

Days, not quarters. Pre-configured connectors for 200+ systems, pre-indexed knowledge, and guardrails enabled by default. Most enterprise deployments are live within a week, fully governed from the first run.

What approvals are required for high-risk AI agent actions?

Record updates, access provisioning, financial transactions, and script execution sit behind explicit approvals — either a manager-only audience or a human-in-the-loop step. The Colleague never improvises a high-risk action.

What happens if a user's permissions change in the source system?

The change propagates automatically. When a user is promoted, deprovisioned, or moves teams in Active Directory or the HRIS, the AI Colleague's effective permissions update on the next run. No manual reconciliation.

How does Leena AI handle service accounts and non-human triggers?

Workflows triggered by schedules, MCP, or A2A calls run under named service accounts with explicit scopes. Every action is attributable, and the same RBAC and guardrails apply — non-human triggers don't get a permissions bypass.

Is the audit log immutable?

Yes. Trace logs are write-once and tamper-evident. Compliance teams can query them through the Transparency Dashboard or export them for SIEM ingestion.

Permissions, enforced at runtime.

The control layer for what an AI Colleague can know and do.

Six layers. All enforcedbefore the agent acts.