Governance
RBAC, the audit log, lineage tracking, and how to demonstrate agentic workflow governance to a COO or auditor.
Last updated: 2026-04-30
Agentic automation introduces a new governance challenge: automated systems make decisions and take actions. Those decisions and actions must be auditable, attributable, and reversible where possible. This page covers the governance primitives Flexor provides and how to use them.
The audit log
Every agent run produces an audit log entry. The entry records:
| Field | Value |
|---|---|
| run_id | Unique identifier for this agent run |
| agent_name | Name of the agent |
| trigger_type | schedule, event, webhook, or manual |
| trigger_at | UTC timestamp when the trigger fired |
| tasks_executed | Ordered list of skills invoked |
| outputs | Summary of agent outputs (configurable redaction for PII) |
| decisions | Conditional branches taken and the values that drove each decision |
| duration_ms | Total execution time |
| status | success, partial, failed |
| errors | Array of errors encountered (if any) |
Querying the audit log:
```bash
# Last 50 runs for an agent
flexor audit --agent feed-monitor --limit 50

# All runs between two dates
flexor audit --from 2026-04-01 --to 2026-04-30

# Failed runs only
flexor audit --status failed

# Export to CSV for reporting
flexor audit --from 2026-04-01 --to 2026-04-30 --format csv > audit-april.csv
```
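An exported audit log is only useful to an auditor if it can be checked, not just read. The following is an added example, not Flexor code: it parses a constructed export in which each run entry is one JSON object with the fields listed above (the page shows only a CSV export; the JSON-lines shape and the value formats are assumptions), runs a few integrity checks (duplicate run_id, unknown status or trigger, a failed run with no recorded error) and builds the per-run decision trail that answers "what did this system decide and why".

```python
import json
from collections import Counter

# Constructed sample export: one JSON object per line using the audit fields
# from the table above. Field value formats and the JSON-lines layout are
# assumptions for this example. The repeated run_id on the last line is
# deliberate so the integrity check has something to report.
SAMPLE_AUDIT_JSONL = """
{"run_id": "a1b2c3", "agent_name": "feed-monitor", "trigger_type": "schedule", "trigger_at": "2026-04-30T14:00:00Z", "tasks_executed": ["fetch-feed", "compare-prices"], "outputs": {"summary": "12 prices updated"}, "decisions": [{"branch": "price_delta_gt_threshold", "value": 0.07, "taken": true}], "duration_ms": 2310, "status": "success", "errors": []}
{"run_id": "d4e5f6", "agent_name": "weekly-nav-report", "trigger_type": "schedule", "trigger_at": "2026-04-28T08:05:00Z", "tasks_executed": ["load-prices", "compute-nav"], "outputs": {"summary": "NAV computed"}, "decisions": [{"branch": "stale_price_found", "value": false, "taken": false}], "duration_ms": 5400, "status": "success", "errors": []}
{"run_id": "x9y8z7", "agent_name": "feed-monitor", "trigger_type": "webhook", "trigger_at": "2026-04-30T15:30:00Z", "tasks_executed": ["fetch-feed"], "outputs": {}, "decisions": [], "duration_ms": 800, "status": "failed", "errors": ["upstream timeout"]}
{"run_id": "x9y8z7", "agent_name": "feed-monitor", "trigger_type": "manual", "trigger_at": "2026-04-30T15:45:00Z", "tasks_executed": ["fetch-feed"], "outputs": {}, "decisions": [], "duration_ms": 700, "status": "partial", "errors": []}
"""

REQUIRED_FIELDS = {"run_id", "agent_name", "trigger_type", "trigger_at", "tasks_executed",
                   "outputs", "decisions", "duration_ms", "status", "errors"}
VALID_TRIGGERS = {"schedule", "event", "webhook", "manual"}
VALID_STATUSES = {"success", "partial", "failed"}


def parse_audit_jsonl(text):
    """Parse a JSON-lines export into a list of entries, rejecting entries missing fields."""
    entries = []
    for lineno, line in enumerate(text.strip().splitlines(), start=1):
        if not line.strip():
            continue
        entry = json.loads(line)
        missing = REQUIRED_FIELDS - entry.keys()
        if missing:
            raise ValueError(f"line {lineno}: missing fields {sorted(missing)}")
        entries.append(entry)
    return entries


def integrity_findings(entries):
    """Return human-readable findings that an auditor would expect to be explained."""
    findings = []
    counts = Counter(e["run_id"] for e in entries)
    for run_id, n in counts.items():
        if n > 1:
            findings.append(f"run_id {run_id} appears {n} times; run ids must be unique")
    for e in entries:
        if e["trigger_type"] not in VALID_TRIGGERS:
            findings.append(f"run {e['run_id']}: unknown trigger_type {e['trigger_type']!r}")
        if e["status"] not in VALID_STATUSES:
            findings.append(f"run {e['run_id']}: unknown status {e['status']!r}")
        if e["status"] == "failed" and not e["errors"]:
            findings.append(f"run {e['run_id']}: failed with no recorded errors")
    return findings


def summarize(entries):
    """Counts plus the per-run decision trail: which branches were taken and on what values."""
    decisions = {}
    for e in entries:
        decisions[e["run_id"]] = [
            f"{d['branch']}={d['value']!r} taken={d['taken']}" for d in e["decisions"]
        ]
    return {
        "runs": len(entries),
        "by_status": dict(Counter(e["status"] for e in entries)),
        "by_agent": dict(Counter(e["agent_name"] for e in entries)),
        "failed_run_ids": [e["run_id"] for e in entries if e["status"] == "failed"],
        "decisions": decisions,
    }


if __name__ == "__main__":
    entries = parse_audit_jsonl(SAMPLE_AUDIT_JSONL)
    print(json.dumps(summarize(entries), indent=2))
    for finding in integrity_findings(entries):
        print("FINDING:", finding)
```

The integrity pass is the part worth keeping: a duplicate run_id or a failed run with an empty errors array is exactly the kind of gap an auditor will ask about, and it is cheaper to find it yourself before the review.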
RBAC - role-based access control
Flexor uses four built-in roles:
| Role | Can view agents | Can deploy agents | Can edit L2 vault | Can manage API keys |
|---|---|---|---|---|
| viewer | Yes | No | No | No |
| operator | Yes | Sandbox only | No | No |
| admin | Yes | Yes (all envs) | Yes | No |
| owner | Yes | Yes | Yes | Yes |
Assigning roles:
```bash
flexor access grant --user alice@fund.com --role operator --vault company
flexor access grant --user bob@fund.com --role viewer
```
Roles are scoped to a vault. A user can be an operator on the company vault and a viewer on a project vault simultaneously.
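To reason about what the role table and vault scoping actually permit, it helps to model them as a default-deny authorization check. This is an added example, not Flexor's own implementation: it transcribes the matrix above, treats "all envs" as the two environment names the page uses (sandbox and production, an assumption), stores grants per (user, vault) the way the grant command above does, and adds a `who_can` query that lists who is authorized for a given action, the question an auditor asks about production deploys. The grant for bob is assumed to be on the company vault, and carol is a constructed extra user.

```python
# Permission matrix transcribed from the role table above. "All envs" is
# modelled as ALL_ENVS; the environment names are an assumption for this example.
ALL_ENVS = frozenset({"sandbox", "production"})

ROLE_PERMISSIONS = {
    "viewer":   {"view": True, "deploy": frozenset(),            "edit_vault": False, "manage_keys": False},
    "operator": {"view": True, "deploy": frozenset({"sandbox"}), "edit_vault": False, "manage_keys": False},
    "admin":    {"view": True, "deploy": ALL_ENVS,               "edit_vault": True,  "manage_keys": False},
    "owner":    {"view": True, "deploy": ALL_ENVS,               "edit_vault": True,  "manage_keys": True},
}


class Grants:
    """In-memory model of `flexor access grant` results: one role per (user, vault)."""

    def __init__(self):
        self._roles = {}

    def grant(self, user, role, vault):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._roles[(user, vault)] = role

    def role_of(self, user, vault):
        return self._roles.get((user, vault))

    def is_allowed(self, user, action, vault, env=None):
        """Default deny: a grant on one vault gives no rights on any other vault."""
        role = self.role_of(user, vault)
        if role is None:
            return False
        perms = ROLE_PERMISSIONS[role]
        if action == "deploy":
            if env is None:
                raise ValueError("deploy checks need an env")
            return env in perms["deploy"]
        if action not in perms:
            raise ValueError(f"unknown action {action!r}")
        return perms[action]

    def who_can(self, action, vault, env=None):
        """Answer the auditor's 'who is authorized to do this' question for one vault/env."""
        users = {u for (u, v) in self._roles if v == vault}
        return sorted(u for u in users if self.is_allowed(u, action, vault, env))


def example_grants():
    """The two grants shown above, plus a second grant for alice on a project vault
    and a constructed admin (carol) so that production deploys have an authorized user."""
    g = Grants()
    g.grant("alice@fund.com", "operator", "company")
    g.grant("bob@fund.com", "viewer", "company")    # assumption: bob's grant is on the company vault
    g.grant("alice@fund.com", "viewer", "project-x")  # alice is viewer-only here, operator on company
    g.grant("carol@fund.com", "admin", "company")     # constructed extra user
    return g


if __name__ == "__main__":
    g = example_grants()
    print("production deployers on company:", g.who_can("deploy", "company", env="production"))
    print("sandbox deployers on company:", g.who_can("deploy", "company", env="sandbox"))
    print("alice deploy to project-x sandbox:", g.is_allowed("alice@fund.com", "deploy", "project-x", env="sandbox"))
```

Two checks matter for least privilege here: an operator's sandbox right on the company vault does not carry over to the project vault, and the `who_can` list for production should be short and should match what the deployment log shows.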
Data lineage
Flexor records lineage for every data access: which agent, which skill, which data source, and which record was read or written.
Query lineage for a specific data record:
```bash
flexor lineage --record "plexifact://prod/catalog/equity-prices/2026-04-30"
```
Output:
```text
Record: equity-prices / 2026-04-30
├── Read by: feed-monitor [run: a1b2c3] at 2026-04-30 14:00 UTC
├── Read by: weekly-nav-report [run: d4e5f6] at 2026-04-28 08:05 UTC
└── Included in: recon-summary [run: g7h8i9] at 2026-04-28 08:10 UTC
```
Lineage is retained for the period defined in vault.json (audit.retention_days). For compliance-sensitive environments, set this to at least 365.
Demonstrating governance to an auditor
The three questions an auditor or COO typically asks about automated workflows:
1. “What decisions did this system make and why?”
Answer with the audit log. Each run entry includes the decisions field - a record of every conditional branch taken and the input values that triggered it.
2. “Who authorized this automation to run?”
Answer with the deployment log. Every flexor deploy command is attributed to the authenticated user who ran it, with timestamp. Access to deploy production agents is controlled by RBAC and requires the admin or owner role.
3. “Can this be stopped if something goes wrong?”
Answer with the pause/kill controls. Pausing an agent prevents future triggers without removing its configuration:
```bash
flexor agents pause --agent feed-monitor --env production
```
Stopping a running agent immediately:
```bash
flexor agents kill --run <run_id>
```
Compliance configuration
For regulated environments, enable enhanced logging in vault.json:
```json
{
  "audit": {
    "enabled": true,
    "retention_days": 365,
    "include_inputs": true,
    "include_outputs": true,
    "pii_redaction": true,
    "destination": "vault://audit-log/",
    "secondary_destination": "s3://your-compliance-bucket/flexor-audit/"
  }
}
```
pii_redaction: true applies the configured PII patterns to audit log entries before writing. Configure patterns under vault.json > audit.pii_patterns.
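Two things go wrong in practice with a configuration like the one above: the audit block drifts below the compliance floor (retention shortened, inputs switched off), and `pii_redaction` is turned on without any patterns, so nothing is actually redacted. The following is an added example, not Flexor code: a checklist over the `audit` block of vault.json, and a redaction pass that applies the configured patterns to the free-text fields of an entry before it is written. The page does not show the shape of `audit.pii_patterns`; this example assumes a list of `{"name", "regex"}` objects, and both configurations and the sample entry are constructed.

```python
import re

MIN_RETENTION_DAYS = 365  # the floor this page recommends for compliance-sensitive environments

# Constructed vault.json content matching the reference configuration above.
# audit.pii_patterns shape is an assumption: a list of {"name", "regex"} objects.
COMPLIANT_CONFIG = {
    "audit": {
        "enabled": True,
        "retention_days": 365,
        "include_inputs": True,
        "include_outputs": True,
        "pii_redaction": True,
        "destination": "vault://audit-log/",
        "secondary_destination": "s3://your-compliance-bucket/flexor-audit/",
        "pii_patterns": [
            {"name": "email", "regex": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"},
            {"name": "ssn", "regex": r"\b\d{3}-\d{2}-\d{4}\b"},
        ],
    }
}

# Constructed weak configuration: short retention, inputs not logged,
# redaction flag set but no patterns, no second copy of the log.
WEAK_CONFIG = {
    "audit": {"enabled": True, "retention_days": 90, "include_outputs": True,
              "pii_redaction": True, "destination": "vault://audit-log/"}
}


def check_audit_config(cfg):
    """Return a list of findings; an empty list means the audit block passes this checklist."""
    a = cfg.get("audit", {})
    findings = []
    if a.get("enabled") is not True:
        findings.append("audit.enabled is not true")
    if a.get("retention_days", 0) < MIN_RETENTION_DAYS:
        findings.append(f"audit.retention_days is below {MIN_RETENTION_DAYS}")
    for key in ("include_inputs", "include_outputs"):
        if a.get(key) is not True:
            findings.append(f"audit.{key} is not true")
    if a.get("pii_redaction") is not True:
        findings.append("audit.pii_redaction is not true")
    elif not a.get("pii_patterns"):
        findings.append("audit.pii_redaction is true but audit.pii_patterns is empty; nothing is redacted")
    if not a.get("secondary_destination"):
        findings.append("no audit.secondary_destination; the audit log exists in a single copy")
    return findings


def compile_patterns(audit_cfg):
    return [(p["name"], re.compile(p["regex"])) for p in audit_cfg.get("pii_patterns", [])]


def redact(value, patterns):
    """Recursively replace pattern matches in strings with [name]; other values pass through."""
    if isinstance(value, str):
        for name, rx in patterns:
            value = rx.sub(f"[{name}]", value)
        return value
    if isinstance(value, dict):
        return {k: redact(v, patterns) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v, patterns) for v in value]
    return value


def redact_entry(entry, audit_cfg):
    """Apply redaction to the free-text fields of an audit entry before it is written.
    Returns a new entry; the input is left unchanged."""
    if audit_cfg.get("pii_redaction") is not True:
        return entry
    patterns = compile_patterns(audit_cfg)
    out = dict(entry)
    for field in ("inputs", "outputs", "decisions", "errors"):
        if field in out:
            out[field] = redact(out[field], patterns)
    return out


SAMPLE_ENTRY = {  # constructed entry with PII in the summary and an error message
    "run_id": "a1b2c3",
    "outputs": {"summary": "Notified alice@fund.com about holder SSN 123-45-6789"},
    "errors": ["mail to bob@fund.com bounced"],
}

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, check_audit_config(cfg) or "OK")
    print(redact_entry(SAMPLE_ENTRY, COMPLIANT_CONFIG["audit"]))
```

Run the checklist as part of deployment review rather than once: the retention and redaction settings are the ones most likely to be loosened during troubleshooting and never restored.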