Security & Access Control
Security & IAM.
Enterprise access control from day one. Not bolted on later.
Every API request is evaluated against your roles and policies. Custom roles, scoped permissions, encrypted secrets, and bring-your-own-keys. You decide who can access what. Down to the individual office.

IAM console. Manage roles, policies, and assignments from one place.

The Problem
AI without access control is a liability.
Giving an AI agent access to your data and APIs without fine-grained permissions is like giving every employee the admin password. It works until it does not. The more agents you run, the more critical this becomes.
Common security gaps in AI platforms
- Most AI platforms have no role system. Everyone gets the same access.
- Credentials shared across agents. One compromise exposes everything.
- No audit trail. You cannot see what an agent accessed or when.
- Scaling means duplicating permissions manually for every new user.
- LLM API keys hardcoded in config files. No isolation, no rotation.
- No way to restrict an agent to a specific workspace or office.
Roles & Policies
AWS-style access control. Built for AI workforces.
Every request is evaluated against your policies. Actions span every domain in the platform. Custom roles with multi-statement policies. Wildcard patterns for flexible resource matching. Deny-first evaluation. If it is not explicitly allowed, it is denied.
Built-in roles
Full Admin
Complete access to everything.
Workspace Admin
Full control over offices, data, agents, and group chats.
Office Operator
Manage a single office. Secrets, sessions, and messaging.
Viewer
Read-only across the entire workspace.
Console Admin
IAM, members, settings, billing at the org level.
Office Agent
Machine identity for VMs. Minimal permissions.
Custom roles and policies
Built-in roles cover the common cases. When you need more control, create custom roles with your own policies. Each policy contains statements with an effect (allow or deny), a list of actions, and a list of resource patterns. Attach multiple policies to a single role. Assign roles to users scoped to a specific workspace, office, or globally.
Scope hierarchy
Permissions are scoped to a resource boundary. A workspace admin for Workspace A cannot access Workspace B. An office operator for Office 3 cannot see Office 4. Boundaries stack. Global access requires explicit wildcard assignment.
console
workspace/{id}
office/{id}
namespace/{id}
Deny-first evaluation
A single deny statement anywhere overrides all allows. No exceptions. If no policy explicitly allows the action, it is denied by default. Owner bypass exists only for the tenant creator.
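The evaluation order described above (scope check, wildcard matching, explicit deny wins, default deny), as an added sketch that is not Humanik's engine or code. The action names (`secrets:read`), the nested resource paths (`office/3/secrets/db`), and the rule that a statement only applies inside its assignment's scope are assumptions made for the example; owner bypass is not modelled.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Statement:
    effect: str        # "allow" or "deny"
    actions: tuple     # action patterns, e.g. "secrets:*" (hypothetical names)
    resources: tuple   # resource patterns, e.g. "office/3/*"

    def __post_init__(self):
        if self.effect not in ("allow", "deny"):
            raise ValueError(f"unknown effect: {self.effect!r}")  # reject typos early

@dataclass(frozen=True)
class Assignment:
    scope: str         # boundary the role is assigned at; "*" means global
    statements: tuple  # statements from every policy attached to the role

def in_scope(scope, resource):
    # Compare on path boundaries so "office/3" does not also cover "office/30".
    return scope == "*" or resource == scope or resource.startswith(scope + "/")

def matches(patterns, value):
    # fnmatchcase is case-sensitive; note that "*" also matches "/".
    return any(fnmatchcase(value, p) for p in patterns)

def evaluate(assignments, action, resource):
    """Return "allow" or "deny" for one request."""
    allowed = False
    for a in assignments:
        if not in_scope(a.scope, resource):
            continue  # this assignment grants nothing outside its boundary
        for s in a.statements:
            if matches(s.actions, action) and matches(s.resources, resource):
                if s.effect == "deny":
                    return "deny"  # one matching deny overrides every allow
                allowed = True
    return "allow" if allowed else "deny"  # no explicit allow means deny

# Constructed sample assignments (not real platform roles).
OPERATOR = Assignment("office/3", (
    Statement("allow", ("secrets:*", "sessions:*"), ("office/3/*",)),
    Statement("deny", ("secrets:delete",), ("*",)),
))
ADMIN = Assignment("*", (Statement("allow", ("*",), ("*",)),))

if __name__ == "__main__":
    for act, res in [("secrets:read", "office/3/secrets/db"),
                     ("secrets:delete", "office/3/secrets/db"),
                     ("secrets:read", "office/30/secrets/db")]:
        print(act, res, evaluate([OPERATOR], act, res))
```

The `office/30` case is the one worth testing in any real policy engine: a plain prefix or `office/3*` pattern would silently extend an Office 3 operator into Office 30.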
Secrets & Encryption
Credentials are never stored in plaintext.
API keys, tokens, and credentials are encrypted at rest (AES-256-GCM) in Humanik Cloud's per-office vault. They are decrypted only at boot time, injected as scoped environment variables into the agent subprocess, and never written to disk, never logged, and never visible to other offices.
Per-office vault
Every office has its own encrypted secrets. Nothing shared between employees.
Runtime-only decryption
Secrets decrypted at boot. Injected as env vars. Ephemeral.
LLM proxy isolation
LLM keys injected server-side through a localhost proxy. Agent never sees them.
Environment whitelist
Only approved variables visible to the agent. Infrastructure secrets blocked.
Service account keys
API keys in hsk_/hss_ format. SHA-256 hashed. Shown once. Never retrievable.
Bearer token auth
Internal tool calls authenticated per request. No unauthenticated access.
Service Accounts
Programmatic access with the same IAM controls.
Create service accounts for automated workflows and external integrations. Generate API keys, assign roles, and control access the same way you would for a human user. Service accounts authenticate via API key and are evaluated by the same IAM engine on every request.
How it works
API key generation
Keys in hsk_/hss_ format. The secret is shown once at creation and never retrievable again. Stored as a SHA-256 hash.
Role assignment
Assign any built-in or custom role to a service account. Same scoping rules as human users. Workspace, office, or global boundaries.
Key lifecycle
Enable, disable, rotate, and revoke keys without deleting the account. Instant enforcement on the next request.
Control everything. Trust nothing by default.
Enterprise-grade access control ready from your first AI employee.