Agents (Admin)
The Agents admin page is where you create, configure, monitor, and retire AI agents that operate inside your Company. Each Agent is a first-class IAM principal — bound to Roles, Policies, and an audit trail just like a User.
Open from Admin → IAM → Agents.
For the underlying concepts (sources, types, providers, autonomy levels), see AI Agents.
What's shown per row
- Name + slug
- Type — Queue Intake / Service Assist / Workflow Phase
- Source — MANAGED / CUSTOM (EXTERNAL is reserved for future external proxy agents)
- Status — ACTIVE / INACTIVE / ERROR
- Provider + model — e.g.
anthropic / claude-sonnet - Last invocation — when it last ran, and whether it succeeded
- Actions — open detail, activate / deactivate, view activity log
Creating an Agent
- Click New Agent
- Pick Type — what role the agent will play
- Pick Source:
- MANAGED — start from a Nembl-provided template (
inbox-triage,phase-advisor,service-assist). The prompt and tools are maintained by Nembl; you supply provider + vault. - CUSTOM — define your own prompt and tool list
- MANAGED — start from a Nembl-provided template (
- Pick Provider + Model (Anthropic, OpenAI, or Bedrock)
- Bind the Nembl Vault holding your API key (BYOK)
- Set the default Autonomy Level — Suggest, Act with approval, or Fully autonomous
- Save — the agent starts as INACTIVE
To make the agent actually do work:
- Bind it to its scope — a Queue (for Queue Intake), a Service (for Service Assist), or assign it as a Responsibility on a Workflow Phase (for Workflow Phase agents)
- Flip the agent to ACTIVE
Per-Agent Roles and Policies
Open the agent's detail page → Roles tab to grant Roles. Even Fully Autonomous agents are bound by the policy engine — Deny policies create hard guardrails that no autonomy level can override.
Recommended starting Roles by type:
| Type | Suggested Roles |
|---|---|
| Queue Intake | queue-triage (read intake, accept/reject) |
| Service Assist | service-helper (read service catalog, suggest fields) |
| Workflow Phase | Scoped to the Workflows the agent should act on |
Activity & Monitoring
The agent detail page surfaces:
- Activity log — last N invocations with input / output / decision / status
- Policy denials — high counts here usually mean the agent has tools enabled that its Role doesn't allow; tighten the agent's tool list rather than loosening the Role
- Provider errors —
API_KEY_UNAUTHORIZEDmeans the bound vault is rejected; rotate it in Vaults - Cost & token usage — also rolls up into Analytics
Deactivating vs deleting
- Deactivate stops new invocations but preserves the agent row and history. Reversible.
- Delete removes the agent and detaches it from any scopes. Activity logs are retained (anonymized to "Deleted agent") for audit.
You can also rotate the bound vault without touching the agent itself — useful for key rotation without changing behavior.
Related
- AI Agents (concepts) — sources, types, providers, autonomy
- BYOK Setup — how to provision the API-key vault
- Roles & Permissions — what Roles grant
- Audit Trail — who did what (agents included)