In 90 seconds
- Stratium is an ABAC policy decision plane for AI agents, exposed over gRPC and a Python SDK. Every consequential agent action goes through it; the engine evaluates the user, the agent, and every hop in the delegation chain in a single call.
- You get back a compound decision: not just ALLOW or DENY, but who decided, at which hop in the chain, and why.
denied_at_depthtells you where the chain failed;denied_principaltells you whether it was the user’s policy, an agent’s scope, or a delegation that ran out of authority. - Stratium does not replace your IdP, your model, your orchestrator, or your tool runtime. It sits beside them and answers one question every consequential call should clear: is this user, acting through this agent chain, allowed to take this action against this resource right now?
Where Stratium Sits in Your Stack
Stratium is a set of gRPC services that run alongside your existing stack. The platform service evaluates decisions; the agent gateway brokers delegation tokens and forwards authorized calls; a key-access service ties authorization to ZTDF encryption when you need data-centric protection. Your agent runtime (Claude Code, Codex, an MCP host, your own orchestrator) calls the gateway before every consequential action.
Three integration shapes you’ll actually use:
Hook the Agent Runtime
Claude Code & Codex PreToolUse hooks (@stratium/claude-hooks) intercept every tool call without any code change in your projects. The hook calls ExecuteAction on the gateway, allows or blocks based on the response.
Wire the SDK
The Python SDK (stratium_sdk) wraps the platform and gateway gRPC calls. StratiumAgentClient.create_delegation() mints a delegation; execute_action() consults policy on every call.
Direct gRPC
PlatformService.GetDecision for direct policy evaluation, AgentGatewayService.ExecuteAction for the agent-mediated path. Use from any language with protobuf support.
The Authorization Model in One Diagram
Three first-class objects participate in every agent decision: the human user, the agent (or chain of agents), and the delegation that bounds what the agent is allowed to do on the user’s behalf. Stratium evaluates all three together and returns a compound decision.
Subject (User)
Standard ABAC attributes: sub, role, clearance, classification, department. Comes from your IdP (Keycloak or any OIDC provider).
Agent
agent_id, provider (anthropic / openai / custom), model_identifier, trust_tier (UNVERIFIED → REGISTERED → CERTIFIED → PLATFORM_TRUSTED), allowed_tools, allowed_actions. Registered in Stratium’s own agent registry.
Delegation
delegation_id, purpose, max_action_tier, classification_caps per hierarchy, resource_constraints, TTL. Minted by the gateway against a user OIDC token + an agent credential. Carries chain context (parent_delegation_id, depth) for sub-agents.
The first useful idea: the agent is not the user. Stratium evaluates both independently and intersects their permissions through the delegation. A user with SECRET clearance who delegates to a tier-1 (READ_ONLY) agent gets agent behavior capped at READ_ONLY against data the user is cleared to see — not at the user’s full authority.
A Real Decision Request
The platform’s GetDecision RPC takes four attribute maps plus optional agent and delegation context. Here’s a Python SDK call that asks “can a finance assistant agent, delegated by Alice, read this specific expense report?”
The user’s clearance (CONFIDENTIAL) is checked against the resource’s classification (INTERNAL) via the commercial hierarchy — higher clearance can read lower classifications. The agent’s trust tier (CERTIFIED) is checked against the action tier (READ_ONLY). The delegation’s classification cap (INTERNAL) is checked against the resource. All three have to pass.
The Compound Decision That Comes Back
Stratium returns GetDecisionResponse with a single decision field at the top — but for chained agent calls, the compound_decision field is where the real story lives.
Read the second response carefully. The user was allowed. The agent was allowed. The action was blocked because the delegation Alice issued to the agent didn’t cap high enough — she scoped the agent to INTERNAL but the report is CONFIDENTIAL. That’s a different remediation than a denied user (clearance issue) or a denied agent (trust-tier issue).
user_decision
The user’s ABAC policy outcome. DENY here means a clearance problem — out of scope for the user before any agent enters the picture.
agent_decision
The agent’s own policy outcome — based on trust tier, allowed tools, allowed action tiers. DENY here means the agent itself can’t do this regardless of who delegated.
delegation_decision
The delegation scope check — classification caps, action tier ceiling, allowed tools, resource constraints. DENY here is what just happened to Alice: the agent’s capabilities were narrower than this request needed.
For chains of sub-agents, compound_decision.chain_decisions returns one ChainHopDecision per hop with the same breakdown, and denied_at_depth tells you which hop — counted from the root delegation — failed. No other agent authorization product publishes per-hop attribution.
ActionTier: The Five-Tier Sensitivity Model
Every agent action has a tier between 0 and 4. Delegations cap the maximum tier the agent can attempt. The tier is enforced two ways: by the policy engine at decision time, and by the gateway’s ValidateActionPlan RPC, which detects when an agent declares a tier-1 action but is actually attempting a tier-4 one.
Tier 0 — REASONING
No tool calls. Pure model reasoning. Useful for agents that should plan but never act.
Tier 1 — READ_ONLY
Reads, lists, searches. No side effects. The safe default for new agents under evaluation.
Tier 2 — INTERNAL_MODIFY
Writes, edits, internal data changes. Bounded to internal systems.
Tier 3 — EXTERNAL_COMMS
Outbound network: email, Slack, HTTP, cloud APIs. Anything an attacker would use to exfiltrate.
Tier 4 — DESTRUCTIVE
Irreversible operations: deletes, drops, transactions, force-pushes, infrastructure changes. The places you can’t roll back. Default-deny for anything below tier-3 trust.
Built-In Classification Hierarchies
Stratium ships with three hierarchical classification models. When the subject and resource both carry a classification (or clearance or sensitivity) attribute and a matching hierarchy, the engine evaluates the hierarchy automatically — higher clearance reads lower classification.
Policies expressed in JSON, Rego, Cedar, or XACML can reference the hierarchy directly — you don’t hand-roll the ordering. STANAG 4774 attribute URIs (urn:ztdf:nato:classification:secret) are first-class.
What a Policy Looks Like
Stratium supports four policy languages, selected per-policy: JSON (the default, most accessible), Rego (OPA), Cedar, and XACML (for federal modernization paths). Here’s the JSON form for “block destructive writes against production finance data by anything but a CERTIFIED+ agent”:
Policies are managed through the Policy Administration Point (PAP UI) and persist in the platform’s PostgreSQL store. Priority ordering lets you stack deny by default against narrow allow rules without rewriting the whole library.
The Anti-Spoofing Trick: ValidateActionPlan
An agent that announces “I will perform a READ_ONLY action” and then makes a DESTRUCTIVE tool call is exactly the failure mode that pushed every recent agent-incident headline. Stratium’s AgentGatewayService.ValidateActionPlan RPC takes the agent’s declared plan and validates each step against the actual action being requested.
The agent doesn’t get to grade its own homework. Declared tier vs. actual tier is a first-class signal in every Stratium decision stream.
What Stratium Is Not
Useful to be specific about the boundaries.
Not Your IdP
Stratium pairs with Keycloak out of the box and works with any OIDC-compatible IdP for human identity (Okta, Entra, Auth0, Google Workspace, Ping). Agents are registered separately in Stratium’s own agent registry. We don’t replace Okta; we give agent identities the policy engine they don’t have today.
Not Your Agent Runtime
Claude Code, Codex, Claude Desktop, ChatGPT Desktop, MCP servers, LangChain, custom orchestrators all stay where they are. Stratium is the policy decision they consult before they act.
Not Your Model
The model can be Claude, GPT, Gemini, Llama, or anything in between — Stratium tracks the provider and model identifier as agent attributes, but the policy lives outside the model. The model can’t reason its way past a control it can’t see.
Not Your SIEM
Every decision is logged as a structured audit record (subject, agent, delegation, action, resource, decision, reason, evaluated policy, timestamp). Customers ship those logs through whatever pipeline they already run.
Where It Runs
Stratium is customer-deployed. Docker Compose for evaluation; Kubernetes (Helm) for production. Air-gapped installations are supported — the platform was built with NATO/DoD classification handling and STANAG 4774 compliance, so it’s comfortable in environments where SaaS isn’t an option. Key Manager supports HSM-backed key storage for high-assurance deployments.
How Teams Start
Day 1–7: Stand Up the Stack, Wire One Agent
docker compose up. Register one agent (Claude Code is the easiest start — install @stratium/claude-hooks). Mint a delegation. Watch the audit log fill in with real ALLOW / DENY decisions as the agent runs.
Day 8–14: Policy Library and Classification Wiring
Add JSON policies for the highest-blast-radius paths. Tag your resources with classification + hierarchy attributes. The PAP UI lets a non-engineer maintain the rule library; the gateway enforces them.
Day 15–30: Coverage for One Production Agent
Every consequential action by one production agent flows through Stratium. The audit stream is your system of record. Compound decisions tell you when the user, the agent, or the delegation was the limiting factor. Onboard the next agent next month.
The 90-Second Summary
Stratium is the gRPC-served, ABAC-enforced, compound-decision policy plane for AI agent authorization. The pieces are real, the SDKs ship, and the differentiation that matters in 2026 — per-hop attribution across delegation chains, anti-spoofing on declared action tiers, hierarchical classification matching with NATO/DoD/commercial out of the box, and ZTDF integration when data-centric encryption is on the table — lives in this one platform.
See It in 20 Minutes
The fastest way to evaluate Stratium is to watch a compound decision happen end-to-end — the same agent action evaluated against the user, the agent, and the delegation, with per-hop attribution coming back. We’ll bring a live Claude Code session under @stratium/claude-hooks; you bring an agent surface you’re trying to secure.
Read Next
- Stratium, “The Load-Bearing Wall of the Agentic Stack: Authorization” — the thesis for why the decision plane exists.
- Stratium, “Defense in Depth Needs a Floor” — why one shared engine matters more than per-handler enforcement.
- Stratium, “Zero Trust for AI Agents: A Capability Map for Anthropic’s Framework” — how Stratium maps to the published Zero Trust tiers.
- Stratium, “Confidentiality Is Not Agent Security” — why the decision plane is the primitive most security programs are missing.