System object

What is an action-control graph?

An action-control graph maps how an AI-assisted workflow moves from human owner to agent, tool, credential, action, target, approval, policy, and evidence.

Last updated: May 12, 2026

AI-assisted software delivery risk is not contained in one tool. It crosses repos, PRs, CI/CD, MCP tools, package scripts, credentials, cloud paths, approvals, and evidence. The action-control graph connects those pieces so security and platform teams can see where delegated authority becomes a consequential action.

The graph Clyra maps first

human owner -> agent/workflow -> task -> tool -> credential -> repo/PR -> CI/CD -> action -> target -> approval/policy -> evidence

This is not a model inventory. It is not a log stream. It is the operating map for what can act, through which path, with whose authority, against which system, and with what evidence afterward.

How it relates to an Agent Action BOM

The Agent Action BOM is the first artifact a team can review. The action-control graph is the living structure behind that artifact.

Agent Action BOM

A buyer-readable snapshot of actor, owner, repo, workflow, credential, reachable action, target, approval rule, and evidence coverage.

Action-control graph

The connected system view that shows how those paths relate, where authority enters, what changed, and which path to govern first.

What the graph should contain

  • Human owner or accountable team.
  • Agent, workflow, CI bot, MCP-connected tool, or internal automation.
  • Task, repo, branch, PR, workflow file, config, package script, or release path.
  • Credential source, identity, token, OAuth grant, cloud role, or service account.
  • Reachable action class: read, write, execute, deploy, publish, delete, access secret, or modify workflow.
  • Target system: repo, CI/CD job, package registry, cloud account, database, internal API, tool, or release workflow.
  • Approval rule, policy decision, validation result, timestamp, outcome, and evidence location.

What decisions it supports

Know

Which AI-assisted paths can change software delivery systems, and which owners are accountable for them.

Control

Which actions should be allowed, approval-required, blocked, or moved toward temporary scoped authority.

Prove

Which evidence pack exists for action, approval, credential use, validation, target system, and outcome.

Prioritize

Which action path should security and platform teams govern first because it carries the clearest blast radius.
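The fields listed under "What the graph should contain" and the Know / Control / Prove / Prioritize decisions can be sketched as data. The following is an added example, not Clyra's schema or code: the field names, the numeric action weights, the scoring heuristic, and every sample value are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Action classes are the page's; the numeric weights are an assumed ranking.
WEIGHT = {"read": 1, "write": 3, "execute": 4, "modify workflow": 5,
          "access secret": 6, "publish": 7, "deploy": 8, "delete": 8}

@dataclass(frozen=True)
class ActionPath:
    owner: Optional[str]     # human owner or accountable team
    actor: str               # agent, workflow, CI bot, MCP-connected tool
    credential: str          # token, OAuth grant, cloud role, service account
    action: str              # key of WEIGHT
    target: str              # repo, CI/CD job, registry, cloud account, ...
    decision: Optional[str]  # "allowed", "approval-required", "blocked"
    evidence: Optional[str]  # evidence location, None when nothing is recorded

def gaps(p):
    """Control gaps on one path: missing owner, policy decision or evidence."""
    checks = (("owner", p.owner), ("decision", p.decision), ("evidence", p.evidence))
    return [name for name, value in checks if value is None]

def shared_credentials(paths):
    """Credentials more than one actor can use (the edges that join paths)."""
    users = defaultdict(set)
    for p in paths:
        users[p.credential].add(p.actor)
    return {c: sorted(a) for c, a in users.items() if len(a) > 1}

def prioritize(paths):
    """Rank reachable paths that have gaps; assumed score, highest first."""
    shared = shared_credentials(paths)
    scored = []
    for p in paths:
        if p.decision == "blocked" or not gaps(p):
            continue  # blocked or fully governed paths are not candidates
        score = WEIGHT[p.action] * len(gaps(p)) + (2 if p.credential in shared else 0)
        scored.append((score, p.actor, p.action, p.target, gaps(p)))
    return sorted(scored, key=lambda row: -row[0])

# Constructed sample paths; every name below is hypothetical.
PATHS = [
    ActionPath("platform-team", "release-bot", "ci-deploy-role", "deploy",
               "prod-cloud-account", "approval-required", "evidence/deploy.json"),
    ActionPath(None, "coding-agent", "repo-write-token", "modify workflow",
               "payments-repo", None, None),
    ActionPath("app-team", "coding-agent", "registry-token", "publish",
               "package-registry", "allowed", None),
    ActionPath("app-team", "mcp-db-tool", "registry-token", "read",
               "package-registry", "allowed", None),
]
```

On the sample data, the unowned workflow-modifying path ranks first, and the registry token shows up as a credential shared by two actors, which is the kind of relation a flat inventory does not surface.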

What it is not

The action-control graph is not the category name. It is the system object. The near-term category is AI Software Delivery Control: visibility, control, and evidence for AI-assisted engineering actions across software delivery.

It also does not replace IAM, PAM, NHI management, SAST, secret scanning, CI/CD policy, or runtime gateways. Those controls still matter. The graph connects their signals into the delegated action path.

Start with the software delivery graph.

Clyra maps two to three repos or workflows and returns an action-control graph, Agent Action BOM, and evidence pack your security and platform teams can review.
