
What is the security model for workflow sub-agents?

Sub-agents are isolated by design—they only see explicitly delegated skills, cannot access parent workflow data, and cannot delegate further.

When a main workflow agent delegates a task to a sub-agent, the sub-agent runs in a restricted context. Understanding the isolation model matters for secure workflow design and trust boundaries.

What the sub-agent can and cannot see

  Capability                Main agent                      Sub-agent
  Skills                    all assigned agent skills       only explicitly listed delegatable skills
  Parent workflow context   full                            not automatically shared
  Files                     all workflow files              only files explicitly passed by the parent
  Knowledge base / RAG      available (if skill enabled)    only if the delegatable skill includes it
  Employee data             available (if skill enabled)    only if the delegatable skill includes it
  Can delegate further      yes (one level)                 no

Data-gathering sub-agents (secure outreach)

The most restricted sub-agent type is used when the only delegatable skill is Agentic data gathering. In this mode Harriet uses a further-restricted agent that cannot access:

  • The knowledge base
  • Employee records
  • File browsing

This matters because data-gathering agents contact people outside your organization (managers, vendors, candidates). Because the restriction works by withholding the capability rather than by instructing the agent not to use it, Harriet cannot relay sensitive internal data to third parties even if the agent's instructions attempted to.

Confirmation-gated tools

Sub-agents cannot trigger approval flows. If a tool requires human confirmation before it executes, it is unavailable to sub-agents. Actions that need oversight must live on the main agent or a separate main workflow step.

Customer isolation

Sub-agents are scoped to the same customer as their parent workflow. There is no cross-customer data access—a sub-agent cannot be instructed to access another organization's data.

Example: what to put where

A compensation review workflow contacts a manager for sign-off before updating a record.

  • Main agent (skills: HRIS lookup, update_record): orchestrates the flow and calls update_record behind its confirmation gate.
  • Sub-agent (delegatable skill: Agentic data gathering only): contacts the manager via Slack, waits for reply, returns confirmation summary.

The sub-agent never sees HRIS data. The update never happens without a human approving it on the main agent.
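The following is an added illustration, not Harriet's code: a toy resolver that derives a sub-agent's context from its parent's by applying the rules above (delegated skills only, passed files only, gated and not-allowed tools stripped, no further delegation, same customer, and the extra knowledge-base/employee-data/file-browsing cut when the only delegatable skill is Agentic data gathering). The class names, the tool names and the per-tool fields are assumptions made for the example; the compensation review function reproduces the workflow described above.

```python
"""Toy model of the sub-agent isolation rules on this page (added example,
not Harriet's implementation; all names below are assumptions)."""
from dataclasses import dataclass, field

DATA_GATHERING = "Agentic data gathering"   # skill name used on the page


@dataclass(frozen=True)
class Tool:
    name: str
    requires_confirmation: bool = False   # confirmation-gated: unavailable to sub-agents
    allowed_in_sub_agent: bool = True     # the per-tool MCP setting mentioned in Guardrails


@dataclass(frozen=True)
class Skill:
    name: str
    tools: tuple                          # Tool objects the skill exposes
    uses_knowledge_base: bool = False
    uses_employee_data: bool = False
    browses_files: bool = False


@dataclass
class AgentContext:
    customer_id: str
    skills: dict                          # skill name -> Skill
    files: set = field(default_factory=set)
    can_delegate: bool = True
    depth: int = 0


class DelegationError(Exception):
    """Raised when a delegation request violates the isolation model."""


def resolve_sub_agent(parent, delegatable, passed_files=frozenset()):
    """Derive the restricted context a sub-agent runs in from its parent."""
    if not parent.can_delegate:
        raise DelegationError("sub-agents cannot delegate further")
    unknown = set(delegatable) - set(parent.skills)
    if unknown:                                   # a parent cannot grant what it lacks
        raise DelegationError(f"skills not held by parent: {sorted(unknown)}")
    if not set(passed_files) <= parent.files:     # only files the parent actually holds
        raise DelegationError("parent can only pass files it holds")

    outreach_only = set(delegatable) == {DATA_GATHERING}   # secure outreach mode
    sub_skills = {}
    for name in delegatable:
        skill = parent.skills[name]
        # Strip tools that need human confirmation or are not allowed in sub-agents.
        tools = tuple(t for t in skill.tools
                      if not t.requires_confirmation and t.allowed_in_sub_agent)
        sub_skills[name] = Skill(
            name=name,
            tools=tools,
            uses_knowledge_base=skill.uses_knowledge_base and not outreach_only,
            uses_employee_data=skill.uses_employee_data and not outreach_only,
            browses_files=skill.browses_files and not outreach_only,
        )
    return AgentContext(
        customer_id=parent.customer_id,       # scoped to the same customer, always
        skills=sub_skills,
        files=set() if outreach_only else set(passed_files),
        can_delegate=False,                   # one level of delegation only
        depth=parent.depth + 1,
    )


def can_use(ctx, tool_name):
    """True if any skill in the context exposes the named tool."""
    return any(t.name == tool_name for s in ctx.skills.values() for t in s.tools)


def compensation_review_demo():
    """The page's worked example: HRIS lookup and a gated update_record on the
    main agent, data gathering only on the sub-agent. Skill contents are constructed."""
    hris = Skill("HRIS lookup", tools=(Tool("hris_lookup"),), uses_employee_data=True)
    update = Skill("update_record", tools=(Tool("update_record", requires_confirmation=True),))
    outreach = Skill(DATA_GATHERING, tools=(Tool("slack_message"),),
                     uses_knowledge_base=True, browses_files=True)
    main = AgentContext("acme", {s.name: s for s in (hris, update, outreach)},
                        files={"review.csv"})
    sub = resolve_sub_agent(main, {DATA_GATHERING})
    return main, sub


if __name__ == "__main__":
    main, sub = compensation_review_demo()
    print("sub-agent tools:", [t.name for s in sub.skills.values() for t in s.tools])
    print("sub-agent sees HRIS:", can_use(sub, "hris_lookup"))
    print("sub-agent can update:", can_use(sub, "update_record"))
```

Running the demo shows the sub-agent holding only slack_message, with the knowledge base and file set emptied even though the outreach skill was defined with them, and a second resolve_sub_agent call on the sub-agent raising DelegationError. The useful property to notice is that every restriction is applied by construction when the context is built, so nothing the sub-agent is later told can widen it.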

Guardrails

  • Audit the delegatable skills list with the same rigour as the main agent's skill list. Least privilege applies to both.
  • Review the "allowed in sub-agent" setting on MCP tools after adding new integrations. New tools default to the setting you chose, so verify that it matches your intent for each one.
  • Sub-agent runs appear in the workflow run history alongside the parent. Check both when debugging delegation failures.
