How We Built a Three-Tier Security Model for IT Automation

A three-tier security model for IT automation is a risk-based governance framework that categorizes automated operations into three levels based on their potential impact: Tier 1 (read-only operations, auto-executed), Tier 2 (state-changing operations, requiring admin enablement), and Tier 3 (privileged operations, requiring explicit confirmation per execution). This model ensures that IT automation operates within defined safety boundaries while maintaining a full audit trail.

The pitch for IT automation is simple: let software handle repetitive tasks so your team can focus on complex problems. The pitch is also incomplete. It glosses over a critical question: what happens when the automation does something wrong? A human analyst who resets the wrong user's MFA methods gets a talking-to. An automation system that resets MFA for a dozen users because of a classification error creates a security incident.

This is the core tension of IT automation: the actions that save the most analyst time are also the actions that carry the most risk. Password resets, license changes, group membership modifications, mailbox permissions — these are not read-only operations. They change the state of your identity and access infrastructure. Without guardrails, automation becomes a liability.

This article explains the three-tier security model we built for Support Team and why each tier exists. Whether you build or buy your automation, this framework will help you design governance that your security team can actually approve.

The Problem: Automation Without Boundaries

Most IT automation tools offer a binary choice: on or off. Either the automation is allowed to execute actions, or it is not. This forces IT teams into an uncomfortable trade-off:

• Full automation — Every qualifying ticket gets resolved automatically. Fast, efficient, and terrifying for security teams. One misclassification and the system takes action on the wrong account.
• Suggestion-only mode — The AI suggests actions but never executes. Safe, but the analyst is still in the loop for every ticket. You get faster triage but not fewer hours spent.

Neither option is right. The correct answer depends on what action is being taken. Checking a user's license status is zero risk — read-only, no state change. Assigning an E3 license is low risk — reversible, limited blast radius. Deleting an admin account is extreme risk — irreversible (within a time window) and potentially catastrophic. Treating these the same is a design failure.

The Three-Tier Model

The three-tier model assigns every automation action to a risk tier, and each tier has different execution rules. This is not a new concept in security — it mirrors how cloud IAM systems handle permissions (viewer, editor, admin). Applied to IT automation, it looks like this:

Tier 1: Read-Only / Auto-Execute

Tier 1 actions are read-only or trivially reversible. They execute automatically with no human approval required. The automation reads the ticket, takes the action, and updates the ticket — all within seconds.

Examples of Tier 1 actions:

• Looking up a user's license assignments, group memberships, or sign-in status
• Checking mailbox permissions or mail flow rules
• Retrieving service health status for Microsoft 365
• Password reset with forceChangePasswordNextSignIn (user must change immediately, temporary password has a short lifetime)
• Adding a user to a standard security or distribution group (non-privileged groups)

Why these are Tier 1: Either no state change occurs (read-only), or the state change is immediately reversible and does not elevate privileges. A password reset is reversible because the user must set a new password on next login. Adding someone to a distribution group is reversible with a single API call.

Tier 2: State-Changing / Admin-Enabled

Tier 2 actions change the state of a user's account or access in ways that carry moderate risk. They are not automatically executed — an admin must enable these action types for the tenant, and depending on configuration, individual executions may require approval.

Examples of Tier 2 actions:

• Assigning or removing a paid license (E3, E5, Visio, Project) — financial impact and potential feature loss
• Resetting a user's MFA methods — temporarily lowers account security posture
• Modifying shared mailbox permissions (granting Full Access or Send As) — access to potentially sensitive email data
• Enabling or disabling a user account — blocks or restores all access
• Modifying mail flow rules or transport rules — affects email routing for potentially many users

Why these are Tier 2: These actions have a meaningful blast radius. Removing someone's license can delete their data after a retention period. Granting mailbox access exposes confidential information. Resetting MFA without proper identity verification is a common attack vector. These actions need an approval step or at minimum a deliberate admin decision to enable them.

Tier 3: Privileged / Explicit Confirmation

Tier 3 actions are high-privilege operations that require explicit confirmation for every execution. Even if the automation is confident in the classification, it stops and waits for a human to approve the specific action on the specific account.

Examples of Tier 3 actions:

• Deleting a user account from Azure AD
• Modifying administrative role assignments (Global Admin, Exchange Admin, etc.)
• Changing conditional access policies
• Bulk operations affecting more than a configurable threshold of users (e.g., more than 10)
• Any action on accounts flagged as VIP, executive, or service accounts
• Cross-tenant operations in MSP environments

Why these are Tier 3: The consequences of a mistake are severe and potentially irreversible within normal business operations. Deleting an admin account or modifying conditional access policies can lock out entire departments. These actions should always require a human in the loop, regardless of automation confidence.

Per-Tenant Governance

In multi-tenant environments — MSPs managing dozens of clients, or enterprises with separate tenants for different business units — governance must be independently configurable per tenant. What is acceptable for one client is unacceptable for another.

Per-tenant governance means:

• Each tenant defines which action types are enabled and at which tier
• Each tenant has its own approval chain — who can approve Tier 2 and Tier 3 actions
• Each tenant has isolated audit logs — one tenant's administrator cannot see another tenant's activity
• Automation can be paused or disabled per tenant without affecting others
• Security policies (e.g., "never auto-execute MFA resets for executive accounts") are scoped to the tenant

This isolation is not just a feature — it is a compliance requirement. SOC 2 Type II, ISO 27001, and most client contracts require demonstrable data and access isolation between tenants. If your automation tool shares configuration or data across tenants, you have a compliance gap.

Audit Trail Design

An audit trail for IT automation needs to answer five questions for every action taken:

• What triggered the action? — The source ticket ID, the ticket description, and the classification result
• What was the action? — The specific operation performed (e.g., "Reset password for user john.doe@contoso.com with forceChangePasswordNextSignIn=true")
• Who approved it? — For Tier 2 and 3 actions, the identity of the approver and the timestamp of approval
• What was the result? — Success or failure, including the API response code and any error message
• What can be done about it? — For reversible actions, a link or reference to undo the change

Every audit record should be immutable — once written, it cannot be edited or deleted, even by administrators. This is a hard requirement for SOC 2 and most security frameworks. In Support Team, audit logs are written to an append-only data store with retention policies configurable per tenant.

Building Trust with Security Teams

Security teams are the gatekeepers for any automation that touches identity and access. Getting their sign-off requires more than a feature demo — it requires addressing their specific concerns:

• Concern: "What if the AI misclassifies a ticket?" — Response: Tier 2 and 3 actions have human approval. Tier 1 actions are limited to low-risk, reversible operations. Misclassification at Tier 1 has minimal impact.
• Concern: "Who has access to the automation credentials?" — Response: App registration credentials are managed by the platform, not individual admins. Access to modify automation configuration requires MFA and role-based access control.
• Concern: "Can we see everything the automation has done?" — Response: Full audit trail, immutable logs, exportable to SIEM (Splunk, Sentinel, etc.), with retention configurable per compliance requirements.
• Concern: "Can we shut it off immediately?" — Response: Kill switch per tenant, per action type. Disabling one action type does not affect others. No data loss on shutdown — pending tickets are re-routed to human queues.
• Concern: "What about privilege escalation?" — Response: The automation's app registration has exactly the permissions needed and no more. Tier 3 actions require separate, explicit approvals even if the automation has the technical capability to execute them.

Implementing the Model

Whether you build your own automation or use a managed platform, the three-tier model is straightforward to implement. The key design decisions are:

• Define your action catalog — List every action your automation can take and assign a default tier
• Build the approval engine — Tier 1 executes immediately. Tier 2 checks for admin enablement (and optionally per-action approval). Tier 3 always waits for explicit human approval.
• Design the audit schema — Include trigger source, action details, approver identity (if applicable), execution result, and rollback reference
• Create the governance UI — Tenant administrators must be able to view enabled actions, change tier assignments, and configure approval chains without touching code
• Test with escalation — Run all actions at Tier 3 (explicit confirm) for the first 30 days. Promote to Tier 2 or Tier 1 only after you are confident in the classification accuracy

Support Team implements all five of these design decisions out of the box. Each tenant has a governance dashboard where administrators configure which actions are enabled, at which tier, and who approves. The audit trail feeds into the reporting dashboard and can be exported to external SIEM tools. And the staged rollout is built into the onboarding process — every new tenant starts with conservative settings and promotes actions to lower tiers as confidence builds.

Frequently Asked Questions

Why not just require approval for everything?

Requiring approval for every automated action defeats the purpose of automation. If a read-only user lookup needs approval, your queue fills with approval requests and analysts spend time clicking "approve" instead of resolving complex issues. The three-tier model concentrates human oversight where it matters — state-changing and privileged operations — while allowing safe operations to execute freely.

How do I decide which tier an operation belongs to?

Ask two questions: Is this operation reversible? And what is the blast radius if it goes wrong? Read-only operations (Tier 1) have zero blast radius. State-changing operations like license assignment (Tier 2) are reversible with limited impact. Privileged operations like account deletion (Tier 3) are irreversible or high-impact. When in doubt, place it one tier higher — you can always move it down after gaining confidence.

Can tenants customize which operations are enabled?

Yes. Per-tenant governance means each customer organization independently controls which Tier 2 and Tier 3 operations are active. One tenant might enable license assignment automation while another keeps it manual. This is critical for multi-tenant SaaS because each customer has different risk tolerance and compliance requirements.