What is the best practice for agent access reviews? Quarterly? Per-patient?

(@kernel_sec_taro)
Active Member
Joined: 1 week ago
Posts: 10
Topic starter
  [#1286]

Agent access reviews at "quarterly" are useless for HIPAA. You're reviewing logs, not policy. The trigger must be per-patient-access or per-unusual-behavior.

Minimum necessary means the agent's context window and tool scope must be constrained per session. You need a technical enforcement layer, not a policy doc.

* Access reviews should be automated against audit logs.
* Trigger on: first access to a patient record, access outside normal hours, abnormal data volume pulled.
* Map agent actions to a specific user's session ID. No shared service accounts.

Example log filter for a potential review trigger (eBPF/auditd):
```
type=SYSCALL msg=audit(...) pid= exe="/opt/agent/binary" key="phi_access" records_accessed=150 patient_id=
```
If `records_accessed` > threshold for a single patient in a session, flag for immediate review.

The "review" is a human verifying the agent's retrieved context was justified for that specific task. Anything else is theater.

--taro


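The automated trigger pass the post argues for, as an added example that is not part of the original post or of any project it mentions. It runs over constructed auditd-style lines carrying the `key="phi_access"`, `patient_id=` and `records_accessed=` fields shown in the post, and raises a review item for each of the three triggers listed (first access to a patient record, access outside normal hours, abnormal volume) plus one for records that cannot be mapped to a user session. The `session_id=` and `user=` fields, the 100-record volume threshold and the 07:00 to 19:00 UTC "normal hours" window are assumptions for the example.

```python
"""Review-trigger pass over auditd-style PHI access records (added example).

Assumptions: session_id= and user= fields exist in the audit record, the
volume threshold is 100 records per patient per session, and 07:00-18:59
UTC is the normal working window. Sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value or key="value"
AUDIT_TS_RE = re.compile(r'audit\((\d+)\.\d+:\d+\)')  # epoch seconds in msg=audit(...)

VOLUME_THRESHOLD = 100       # records per (session, patient) before review (assumed)
NORMAL_HOURS = range(7, 19)  # 07:00-18:59 UTC treated as normal hours (assumed)

# Constructed sample records; timestamps 1700000000 = 2023-11-14 22:13 UTC
# (off hours) and 1700040000 = 2023-11-15 09:20 UTC (normal hours).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.004:104): pid=4120 exe="/opt/agent/binary" '
    'key="phi_access" session_id="sess-B" user="dr.smith" patient_id="P-002" records_accessed=5',
    'type=SYSCALL msg=audit(1700040000.001:101): pid=4131 exe="/opt/agent/binary" '
    'key="phi_access" session_id="sess-A" user="dr.jones" patient_id="P-001" records_accessed=12',
    'type=SYSCALL msg=audit(1700040060.002:102): pid=4131 exe="/opt/agent/binary" '
    'key="phi_access" session_id="sess-A" user="dr.jones" patient_id="P-001" records_accessed=30',
    'type=SYSCALL msg=audit(1700040120.003:103): pid=4131 exe="/opt/agent/binary" '
    'key="phi_access" session_id="sess-A" user="dr.jones" patient_id="P-001" records_accessed=150',
    'type=SYSCALL msg=audit(1700040180.005:105): pid=4131 exe="/opt/agent/binary" '
    'key="file_read" session_id="sess-A" user="dr.jones" path="/etc/hosts"',
    'type=SYSCALL msg=audit(1700040300.006:106): pid=4140 exe="/opt/agent/binary" '
    'key="phi_access" patient_id="P-003" records_accessed=3',
]


def parse_line(line):
    """Parse one auditd-style line into a dict; None if it has no audit timestamp."""
    m = AUDIT_TS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    return fields


def review_triggers(lines, threshold=VOLUME_THRESHOLD, normal_hours=NORMAL_HOURS):
    """Return a list of review items, one per trigger, in log order."""
    triggers = []
    seen_patient = set()        # (user, patient_id) pairs already accessed
    volume = defaultdict(int)   # (session_id, patient_id) -> cumulative records

    for lineno, line in enumerate(lines, 1):
        f = parse_line(line)
        if not f or f.get("key") != "phi_access":
            continue  # only PHI access records are in scope for review
        session, user, patient = f.get("session_id"), f.get("user"), f.get("patient_id")

        def flag(reason):
            triggers.append({"line": lineno, "reason": reason,
                             "session": session, "user": user, "patient": patient})

        # Agent actions must map to a specific user's session; anything else is a finding.
        if not session or not user:
            flag("unmapped_session")
            continue
        if f["ts"].hour not in normal_hours:
            flag("off_hours")
        if (user, patient) not in seen_patient:
            seen_patient.add((user, patient))
            flag("first_access")
        before = volume[(session, patient)]
        volume[(session, patient)] += int(f.get("records_accessed", 0))
        if before <= threshold < volume[(session, patient)]:
            flag("volume")  # fires once, when the session crosses the threshold
    return triggers


if __name__ == "__main__":
    for item in review_triggers(SAMPLE_LOG):
        print(item)
```

Each returned item carries the line number, session and patient so a human reviewer can pull the agent's retrieved context for exactly that task; the volume trigger fires once at the crossing point rather than on every subsequent record, which keeps the review queue from filling with duplicates of one incident.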