Home / Features / Sequence policies

Sequence policies: enforce the order your AI agents act in

A refund only after the customer record was verified. Egress only after a safety scan ran. Kynara makes workflow order a policy condition — evaluated deterministically, outside the model, against the session's tamper-evident history.

The attack: application flow perturbation

Agents don't just make bad calls — manipulated agents skip steps. A prompt-injected support agent jumps straight to payments.refund.issue without ever reading the customer record. Every step looked individually authorized; the sequence was the exploit. The OWASP AI Exchange #OVERSIGHT control names this and prescribes "rule-based sanity checks during steps."

The control: preceded_by

One condition in a Kynara policy makes ordering enforceable:

{
  "op": "and",
  "args": [
    { "op": "preceded_by", "args": ["crm.contacts.read", 30] },
    { "op": "lte", "args": ["ctx.resource.attrs.amount_cents", 10000] }
  ]
}

This allows a refund only if the same agent was allowed a crm.contacts.read within the last 30 minutes of the same session (context.session_id). Patterns support globs (kyc.check.*). No session, no history — fail-closed.

The ordering check reads Kynara's hash-chained audit log — the same record your auditors see. A compromised agent can't fabricate a prior step, because the decision happens outside the LLM. Prompt injection can change what the model wants; it can't rewrite what was allowed.

What teams enforce with it

Why not do this in the agent framework?

You can hard-code step order into one agent's graph. But the rule then lives in that agent's code, invisible to security, different in the next agent, and gone after a refactor. As a Kynara policy it's centralized, versioned, applies to every framework (LangChain, CrewAI, MCP, raw SDK), and every violation lands in the audit chain.

Make step-skipping a policy violation

Free plan: 3 seats, 10k decisions/month. One decorator or one MCP gateway URL to integrate.

Get started freeOWASP controls coverageApproval-fatigue management →