generated: '2026-07-15' method: generated source: openapi/istio-extensions-api-openapi.yml, openapi/istio-networking-api-openapi.yml, openapi/istio-security-api-openapi.yml, openapi/istio-telemetry-api-openapi.yml description: Recommended x-agentic-access execution contracts, classified heuristically from the OpenAPI. A governance starting point for exposing this API to AI agents — review and bind audience per deployment. See research/curity/agentic-governance/. summary: operations: 60 by_action_class: connected: 24 acting: 36 by_consequence: read: 24 write: 36 human_in_the_loop_required: 0 operations: - path: /namespaces/{namespace}/wasmplugins method: get operationId: listWasmPlugins x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/wasmplugins method: post operationId: createWasmPlugin x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/wasmplugins/{name} method: get operationId: getWasmPlugin x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/wasmplugins/{name} method: put operationId: replaceWasmPlugin x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/wasmplugins/{name} method: delete operationId: deleteWasmPlugin x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/virtualservices method: get operationId: listVirtualServices x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/virtualservices method: post operationId: createVirtualService x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/virtualservices/{name} method: get operationId: getVirtualService x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/virtualservices/{name} method: put operationId: replaceVirtualService x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/virtualservices/{name} method: delete operationId: deleteVirtualService x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/destinationrules method: get operationId: listDestinationRules x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/destinationrules method: post operationId: createDestinationRule x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/destinationrules/{name} method: get operationId: getDestinationRule x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/destinationrules/{name} method: put operationId: replaceDestinationRule x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/destinationrules/{name} method: delete operationId: deleteDestinationRule x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/gateways method: get operationId: listGateways x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/gateways method: post operationId: createGateway x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/gateways/{name} method: get operationId: getGateway x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/gateways/{name} method: put operationId: replaceGateway x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/gateways/{name} method: delete operationId: deleteGateway x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/serviceentries method: get operationId: listServiceEntries x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/serviceentries method: post operationId: createServiceEntry x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/serviceentries/{name} method: get operationId: getServiceEntry x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/serviceentries/{name} method: put operationId: replaceServiceEntry x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/serviceentries/{name} method: delete operationId: deleteServiceEntry x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/sidecars method: get operationId: listSidecars x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/sidecars method: post operationId: createSidecar x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/sidecars/{name} method: get operationId: getSidecar x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/sidecars/{name} method: put operationId: replaceSidecar x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/sidecars/{name} method: delete operationId: deleteSidecar x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/workloadentries method: get operationId: listWorkloadEntries x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/workloadentries method: post operationId: createWorkloadEntry x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/workloadentries/{name} method: get operationId: getWorkloadEntry x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/workloadentries/{name} method: put operationId: replaceWorkloadEntry x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/workloadentries/{name} method: delete operationId: deleteWorkloadEntry x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/workloadgroups method: get operationId: listWorkloadGroups x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/workloadgroups method: post operationId: createWorkloadGroup x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/workloadgroups/{name} method: get operationId: getWorkloadGroup x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/workloadgroups/{name} method: put operationId: replaceWorkloadGroup x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/workloadgroups/{name} method: delete operationId: deleteWorkloadGroup x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/authorizationpolicies method: get operationId: listAuthorizationPolicies x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/authorizationpolicies method: post operationId: createAuthorizationPolicy x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/authorizationpolicies/{name} method: get operationId: getAuthorizationPolicy x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/authorizationpolicies/{name} method: put operationId: replaceAuthorizationPolicy x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/authorizationpolicies/{name} method: delete operationId: deleteAuthorizationPolicy x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/peerauthentications method: get operationId: listPeerAuthentications x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/peerauthentications method: post operationId: createPeerAuthentication x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/peerauthentications/{name} method: get operationId: getPeerAuthentication x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/peerauthentications/{name} method: put operationId: replacePeerAuthentication x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/peerauthentications/{name} method: delete operationId: deletePeerAuthentication x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/requestauthentications method: get operationId: listRequestAuthentications x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/requestauthentications method: post operationId: createRequestAuthentication x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/requestauthentications/{name} method: get operationId: getRequestAuthentication x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/requestauthentications/{name} method: put operationId: replaceRequestAuthentication x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/requestauthentications/{name} method: delete operationId: deleteRequestAuthentication x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/telemetries method: get operationId: listTelemetries x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/telemetries method: post operationId: createTelemetry x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/telemetries/{name} method: get operationId: getTelemetry x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /namespaces/{namespace}/telemetries/{name} method: put operationId: replaceTelemetry x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /namespaces/{namespace}/telemetries/{name} method: delete operationId: deleteTelemetry x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required