Security & Governance

Learn about Kubiya's security features, access controls, and governance capabilities

Kubiya provides comprehensive security and governance features to ensure your agents operate within defined boundaries and comply with your organization's security policies.

Security Architecture

Kubiya's security architecture is designed with multiple layers of protection:

flowchart TD
  User([Users]) --- |Authentication| Auth[Authentication Layer]
  Auth --- |Identity Verification| RBAC[Role-Based Access Control]
  Auth --- |API Keys| API[API Access]
  Auth --- |SSO/OIDC| SSO[Identity Providers]
  
  RBAC --- |Permission Check| Resources[Resource Access]
  API --- |Token Validation| Resources
  SSO --- |Identity Federation| RBAC
  
  Resources --- |Tool Access| Tools[Tool Execution]
  Resources --- |Agent Access| Agents[Agent Operations]
  Resources --- |Data Access| Data[Knowledge Sources]
  
  Tools --- |Approval Required?| Approval{Approval Workflow}
  Approval --- |Yes| ApproverCheck[Approver Validation]
  Approval --- |No| Execution[Direct Execution]
  ApproverCheck --- |Approved| Execution
  
  Execution --- |Containerized| Sandbox[Isolated Environment]
  Sandbox --- |Monitoring| Audit[Audit & Logging]
  
  subgraph "Security Controls"
    Audit
    Encryption[Data Encryption]
    Monitoring[Activity Monitoring]
  end
  
  Data --- |Encryption| Encryption
  Agents --- |Activity| Monitoring
  Monitoring --- |Records| Audit
  
  classDef user fill:#f9f9f9,stroke:#333,stroke-width:2px
  classDef auth fill:#e6f7ff,stroke:#1890ff,stroke-width:2px
  classDef resource fill:#f6ffed,stroke:#52c41a,stroke-width:2px
  classDef execution fill:#fff7e6,stroke:#fa8c16,stroke-width:2px
  classDef security fill:#f9f0ff,stroke:#722ed1,stroke-width:2px
  
  class User user
  class Auth,RBAC,API,SSO auth
  class Resources,Tools,Agents,Data resource
  class Approval,ApproverCheck,Execution,Sandbox execution
  class Audit,Encryption,Monitoring security

Authentication & Identity

Kubiya supports various authentication methods to secure agent access:

  • Single Sign-On (SSO): Integration with common identity providers (Okta, Azure AD, Google)
  • OAuth/OIDC: Standard authentication protocols for secure access
  • API Keys: Secure programmatic access
  • MFA Support: Additional security layer for sensitive operations

Agents inherit the permissions of the authenticated user, ensuring actions are tied to user identity.

Authorization & Access Control

Fine-grained authorization controls determine what actions users and agents can perform:

Role-Based Access Control

  • Administrator: Full platform management
  • Developer: Create and modify agents and tools
  • Operator: Use agents and view results
  • Viewer: View-only access to specific resources

Resource-Level Permissions

  • Control which users can access specific agents
  • Restrict tool availability to certain agents
  • Limit knowledge source access to authorized agents
  • Enforce department or team-based separation

Approval Workflows

For sensitive operations, Kubiya provides built-in approval mechanisms:

approval_policy:
  name: production-infrastructure-changes
  description: "Controls changes to production infrastructure"
  triggers:
    - tool: aws-resource-manager
      operations: ["delete", "stop", "modify"]
      resource_filters: ["env=production"]
  approvers:
    - group: infrastructure-admins
      required_count: 1
    - user: ops-manager@company.com
  timeout: 24h
  auto_reject_on_timeout: true
  notification:
    channels: ["#ops-approvals", "email"]
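The decision flow this policy implies, sketched as an added example (not Kubiya's own code or API): a request that matches a trigger runs only after the listed approvers have approved and before the timeout. The dict layout, the function names, the rule that every approver entry must be satisfied, and the exclusion of self-approval are assumptions of this example; the sample users and group membership are constructed.

```python
from datetime import datetime, timedelta

# The page's policy as a dict; "24h" is written as timeout_hours (constructed form).
POLICY = {
    "triggers": [{"tool": "aws-resource-manager",
                  "operations": ["delete", "stop", "modify"],
                  "resource_filters": ["env=production"]}],
    "approvers": [{"group": "infrastructure-admins", "required_count": 1},
                  {"user": "ops-manager@company.com"}],
    "timeout_hours": 24,
    "auto_reject_on_timeout": True,
}

def requires_approval(policy, request):
    """True when a trigger matches the tool, the operation and every filter."""
    for trig in policy["triggers"]:
        filters = dict(f.split("=", 1) for f in trig.get("resource_filters", []))
        if (trig["tool"] == request["tool"]
                and request["operation"] in trig["operations"]
                and all(request["tags"].get(k) == v for k, v in filters.items())):
            return True
    return False

def decide(policy, request, approvals, groups, now):
    """Return 'execute', 'pending' or 'rejected' (assumed semantics: every
    approver entry must hold; the requester's own approval never counts)."""
    if not requires_approval(policy, request):
        return "execute"
    deadline = request["requested_at"] + timedelta(hours=policy["timeout_hours"])
    if now > deadline:
        # Fail closed: an expired request never runs, whatever approvals exist.
        return "rejected" if policy["auto_reject_on_timeout"] else "pending"
    valid = approvals - {request["requester"]}
    for entry in policy["approvers"]:
        if "group" in entry:
            members = groups.get(entry["group"], set())
            if len(valid & members) < entry.get("required_count", 1):
                return "pending"
        elif entry["user"] not in valid:
            return "pending"
    return "execute"

# Constructed sample data for the example.
GROUPS = {"infrastructure-admins": {"alice@company.com", "bob@company.com"}}
REQUEST = {"tool": "aws-resource-manager", "operation": "delete",
           "tags": {"env": "production"}, "requester": "alice@company.com",
           "requested_at": datetime(2024, 1, 1, 9, 0)}
```

With this sample data, the requester's own approval plus the ops manager's leaves the request pending, because no other member of infrastructure-admins has approved.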

Secure Tool Execution

Tools operate with strict security controls:

  • Isolated Execution: Containerized environments separate tool operations
  • Least Privilege: Tools use the minimum permissions required
  • Secret Management: Secure handling of credentials and tokens
  • Network Controls: Restricted network access based on need

Audit & Compliance

Comprehensive tracking of all agent and user activities:

  • Detailed Audit Logs: Record all actions, changes, and approvals
  • Usage Analytics: Track agent usage patterns and request types
  • Conversation Logging: Option to retain full conversation history
  • Compliance Reports: Export logs for regulatory requirements

Data Protection

Kubiya implements several data protection measures:

  • Data Encryption: Encryption for data at rest and in transit
  • Data Retention: Configurable retention policies for conversations and logs
  • PII Handling: Tools for identifying and protecting personal information
  • Data Sovereignty: Options for regional data processing and storage

Security Best Practices

When setting up and using Kubiya:

  1. Follow the principle of least privilege: Grant minimal permissions needed
  2. Implement approval flows for destructive or sensitive operations
  3. Regularly review access rights and remove unused accounts
  4. Audit tool actions periodically to verify proper usage
  5. Test security controls as part of agent deployment

Always verify tools handle sensitive information appropriately, especially when integrating with critical systems.

Governance Features

Beyond basic security, Kubiya provides governance capabilities:

Usage Quotas

  • Limit API calls per user or team
  • Control resource consumption
  • Prevent abuse or runaway processes

Content Policies

  • Filter sensitive information in responses
  • Prevent sharing of confidential data
  • Enforce appropriate language and tone

Operational Control

  • Centrally manage agent deployments
  • Standardize tool configurations
  • Control agent model versions

Enterprise Security Features

For enterprise environments, Kubiya offers additional security capabilities:

  • SAML Integration: Enterprise identity provider support
  • Private Deployments: Fully isolated Kubiya environments
  • Custom Security Modules: Integration with existing security tools
  • VPC Connectivity: Secure connection to private networks
  • Compliance Certifications: Documentation for common compliance frameworks

Security Response

Kubiya's approach to security incidents includes:

  • Automated detection of unusual patterns
  • Immediate notification of security concerns
  • Ability to revoke access or disable components
  • Regular security updates and patches
