Prepare and perform account actions under verified customer identity, scoped authority, idempotency, approval, and customer-visible evidence.
Key takeaways
- Primary risk: Wrong-customer action, unauthorized account change, duplicate financial effect, misleading communication, and privacy disclosure.
- Keep authoritative domain state outside model memory.
- Measure task outcome, safe failure, and evidence—not output fluency alone.
Problem
Prepare and perform account actions under verified customer identity, scoped authority, idempotency, approval, and customer-visible evidence.
Principal risk: Wrong-customer action, unauthorized account change, duplicate financial effect, misleading communication, and privacy disclosure.
Why runtime layers are needed
A single model invocation cannot reliably own identity, authorization, durable state, external side effects, recovery, or evidence. The runtime composes the necessary compiler/inference/serving path with application controls appropriate to this use case.
Reference architecture
- Customer and agent identity verification
- Account authorization and consent boundary
- Read-only knowledge and account tools
- Separated write, financial, and communication tools
- Policy and human-review gate
- Idempotent domain transaction API
- Customer-visible confirmation plus internal evidence
Request flow
- Verify the support agent, customer, account, and communication channel.
- Classify the request and separate information from requested action.
- Retrieve account state and applicable policy using read-only tools.
- Generate a proposed resolution and customer-facing explanation.
- Validate eligibility, limits, side effects, and required disclosures.
- Require approval for refunds, credits, cancellation, identity changes, or ambiguous consent.
- Execute one idempotent domain transaction.
- Confirm authoritative state and produce customer-visible evidence.
- Store only permitted support memory and close the case.
Contracts
- Request contract includes account reference, verified identities, channel, case ID, action class, risk, consent, and retention.
- Write tool contracts declare financial/high-impact side effects, operation keys, limits, and compensation.
- Communication tool contract requires approved template or reviewed content and records recipient/channel.
Use the runtime request, tool, policy and approval, evidence, and trace schemas as versioned reference boundaries.
Failure modes
- Customer identity cannot be verified
- Agent has access to the wrong account or tenant
- Policy source is unavailable or stale
- Refund times out after provider submission
- Duplicate retry creates a second credit
- Customer-facing message is sent before transaction commits
- Memory retains unnecessary sensitive account data
Security considerations
- Separate read and write credentials.
- Re-authenticate for high-risk actions.
- Apply account-resource authorization at execution time.
- Use out-of-band approval for sensitive identity or payment changes.
- Mask sensitive data in model input and traces.
Observability
Correlate request, model route, context sources, tool operations, policy decisions, approvals, artifacts, failures, recovery, and domain outcome. Apply redaction and retention before exporting traces.
Evaluation and metrics
- Correct-action rate
- Duplicate financial-effect rate
- Unauthorized attempt rate
- Approval and resolution time
- Compensation success
- Customer correction rate
- Sensitive-data exposure rate
- Evidence completeness
Implementation checklist
- Map every action to owner, limit, approval, and compensation.
- Use operation IDs supported by the system of record.
- Verify state after ambiguous timeouts.
- Separate transaction commit from customer communication.
- Test wrong-account and expired-consent scenarios.
- Use rules and forms when policy fully determines the action.