Blueprint: Executive Inbox Shield
Protecting Privileged Communications in Conversational AI
Personal assistant agents often have access to email and calendar tools. A significant risk is a non-executive user (or a hijacked session) using an agent to read or delete sensitive emails from C-suite accounts.
This blueprint demonstrates how to implement User-Resource Isolation for communication tools.
Architecture
1. Master Policy Definition
{
"name": "executive-data-protection",
"priority": 9500,
"rules": [
{
"id": "deny-non-exec-access",
"effect": "deny",
"principals": ["*"],
"actions": ["email:read", "email:delete"],
"resources": ["user/ceo/*", "user/cfo/*", "user/cto/*"]
},
{
"id": "allow-self-access",
"effect": "allow",
"principals": ["user:ceo"],
"actions": ["email:*"],
"resources": ["user/ceo/*"]
}
]
}
2. Implementation
Python Prototype
from openai import OpenAI
def request_email_action(user_id: str, action: str, target_mailbox: str):
client = OpenAI(
api_key="ignored",
base_url="http://cz-gateway:8001/v1",
default_headers={"X-ControlZero-User-ID": user_id}
)
try:
response = client.chat.completions.create(
model="gpt-4o",
messages=[{"role": "user", "content": f"{action} messages in {target_mailbox}"}],
tools=[{
"type": "function",
"function": {
"name": f"email:{action}",
"parameters": {"type": "object", "properties": {"mailbox": {"type": "string"}}}
}
}]
)
return "Action Permitted"
except Exception as e:
return f"Access Denied: {e}"
# Scenario A: CEO accessing own mail
print(request_email_action("ceo", "read", "user/ceo/inbox")) # ALLOWED
# Scenario B: Staff member trying to read CEO mail
print(request_email_action("staff-1", "read", "user/ceo/inbox")) # BLOCKED
3. Validation Checklist
- Identity Matching: Verify that the
user:ceoprincipal exactly matches theX-ControlZero-User-IDheader. - Wildcard Scoping: Ensure that
user/ceo/*protects all sub-folders (inbox, sent, drafts). - Audit Review: Confirm that all access attempts to executive resources are logged for security auditing. 埋