Connection authorization
No data pathway exists until someone with authority approved it — the general edge-level access control.
What it changes
Who can pull it
What it looks like institutionally
Systems accrete connections: a cache wired to an agent, a transcript fed to a fine-tune, a case system syncing to a analytics store. Each new pathway is a new route for error and a new surface nobody governs. Connection authorization inverts the default: pathways between components are closed until an accountable actor opens them, with the grant recorded.
This is ordinary security practice applied to error propagation: least-privilege for information flow, where the risk isn't exfiltration but contamination.
The audit twin: periodically enumerate live pathways and reconcile against grants. The connections nobody remembers approving are precisely the ones to worry about.
Addresses: Unauthorized data pathways · Shadow integrations. Test a version of this lever in the PAN Lab.