Access & permissions
Role- and division-scoped permissions for every person — and every agent. Least privilege by default, and every action stays on the record.
Per-client isolation Every action audited
The worry
“We run five clients out of one place. I need to know — for certain — that the wrong person, or the wrong automation, can’t open the wrong client’s file.”
16%
of organisations can actually govern what their AI touches
2026 CISO AI Risk Report
40%
of business apps will have an AI agent inside by end of 2026
Gartner
Every action
on the record — person or agent
How it works
Not a wall of checkboxes. A role, a division, and a traceable answer for every person.
Owner, admin, member — or a custom role. Permissions are action-level: view, create, edit, delete, export.
Group people and work by client or team. Acme’s division can’t see Globex’s — by default.
One view shows what a person can actually do, and the role or division each permission came from.
New people start with the minimum. You grant up — you don’t walk back.
Your AI, governed
Put the AI on a task and it works inside the same access rules as a person: it can only touch what that work needs, everything it does lands on the audit log, and you still review and merge.
On a project, like any teammate
Same role + division limits as a person
Every action logged · you reviewIt opens a PR — you merge
Role and division scope apply to the agent, too.
No standing access to everything — just the resources for the job.
You can always see what it did, and where.
Every meaningful action — by a person or an agent — is logged with who, what, and when. Searchable when you need it.
Verifiable, not theater
No badge soup. Here’s what’s true today:
Enforced on every resource — for people and agents alike.
Credentials encrypted at rest and scoped per organisation and per project.
Connekz gets the keys for the job — not the whole keychain.
Who did what, when — person or agent. Always answerable.
We publish what we actually do — and we’ll add certifications when we’ve genuinely earned them, not before. What Connekz can’t do
No identity vendor to wire up, no auth project, no extra seat cost. Access control is part of CNEX-Flow from the first login — for your team and your AI.
Roles, divisions and audit are there from your first login.
No SSO project or authorization layer to build and maintain.
It’s part of the platform — not a separate line item.
Most teams bolt access on later — and pay for it twice.
Three hard rules
You decide what Connekz handles and what needs your sign-off. It works inside your existing rules — never around them.
Refactor payment webhook handler
+312 / -48 · 18 tests passing
Awaiting your approval
Review every change, or let the work you trust ship on its own. You set the rules — Connekz follows them.
running as your seatSign in and Connekz acts with your exact permissions — if your login can't see it, neither can Connekz. Every teammate gets their own scoped Connekz.
Connekz · 2 min agoon #t9821Need: which Stripe webhook secret to use here? The vault has stripe_webhook_prod and stripe_webhook_test. Reply with the env and I'll continue.
Awaiting your reply
Tuned to ask instead of assume. Hit something ambiguous? Connekz comments on the task and waits.
Want the longer version? Read the build story →
Start your free month. See what your team does with Connekz working alongside.