AI Agent Safety on Park Graph

Agents are about to do a lot of the work humans currently do at parking lots: searching, comparing, holding sessions, extending, and paying. That is good for drivers and good for operators, but it also concentrates a lot of authority in systems whose prompts we do not control. The defence is to enforce permissions on the API side, not in the agent's prompt, and to publish exactly what those permissions are so everyone — agent vendors, operators, drivers, and AI safety researchers — can see them.

The matrix below is the canonical answer to "what can the agent do?" Every Park Graph integration honours it. There is no enterprise SKU that loosens it, no support flag that disables it.

Agents can call public Park Graph endpoints to search for lots near a location, fetch availability, and read price. These calls are rate-limited per agent IP and are scoped to public information only; they do not require any driver consent. This is the surface a driver-assistant agent uses when a driver asks "where is the closest parking?".

Park Graph welcomes this traffic. We sign well-known agents at the edge so they get the higher of two rate limits, and we publish a structured data feed at parkgraph.com that AI agents can consume without scraping HTML.

Holding a session for a driver (no payment yet) is a write action. The agent must present a consent token issued to it by the driver inside the agent's own UI ("Yes, I authorise the agent to reserve a parking spot for me at lot X"). The token is short-lived, scoped to the lot and time window, and single-use. Without it, the request is rejected.

Holds expire after 10 minutes by default — we picked an intentionally short window so an agent that abandons mid-flow does not block the lot for a paying driver.

Paying for a session requires three things: a valid consent token, a stored PaymentMethod the driver has pre-authorised, and an amount cap that the agent cannot exceed. The cap is enforced server-side; an agent that requests a charge above the cap is rejected and the attempt is flagged. Per-session caps survive prompt-injection attacks because the cap lives in the driver's session record, not in the agent's prompt.

Auto-extension is its own consent. A driver who consents to "park for one hour" has not consented to "extend if the meeting runs over"; the agent must ask again for the extension. If the driver pre-authorises auto-extension, the agent gets a separate per-extension cap and the extension trigger condition is logged with the agent action.

Some actions are off-limits to agents regardless of any token they could obtain. Changing a lot's price, creating an operator account, moving operator payout funds, and approving another agent's actions all sit in this tier. There is no permission flag that turns them on; the API does not have an endpoint that an agent could even attempt to call.

This is a deliberate constraint. Operators are the owners of their lots and their funds, and humans on operator accounts are the only actors who can change those things. If an agent vendor needs an operator-side workflow for a future use case, we will design it with verified operator approval and publish the new tier here before the API ships.

Park Graph does not run the agent's prompt. That is the agent vendor's responsibility — OpenAI, Google, Anthropic, and so on. What Park Graph controls is the API surface, and we treat every API request as untrusted input regardless of which agent claims to be sending it. A prompt-injection attack that convinces ChatGPT to "spend $500 instead of $20" still has to send the $500 request to Park Graph, which compares against the cap stored on the driver's session and returns 403.

We also publish the API surface and its constraints in this page and in the machine-readable rules at /ai-rules so agent vendors can pre-test their integrations against the actual guardrails rather than discovering them in production.

A common reflex when AI agents started crawling commerce sites was to block them at the edge — robots.txt entries, user-agent allowlists, or aggressive bot detection. Park Graph took the opposite path: agents are first-class consumers of the platform, but they operate under an explicit permission model with per-action gates, per-session caps, and an audit log that ties every action back to a consent token. A robots.txt would have shut out the legitimate use case (drivers asking ChatGPT or Gemini to find and pay for parking) while doing nothing to stop a determined adversary.

The permission model also gives operators a lever they would not otherwise have: they can choose to allow agent payments on their lots or not, and they can choose to allow agent extensions or not. Those toggles are operator-controlled in the dashboard, with a default that errs on the safer side for new operators (read-only agent access until the operator opts in to agent payments). The audit log surfaces every agent action against a lot to the operator's session list, so an operator can quickly check whether an unusual payment came from a human, an agent, or a payment retry.

Prompt injection is the most active attack surface against AI agents that take action on behalf of users. Park Graph assumes the agent will be the target of injection attempts and defends in three places. First, the action surface is narrow: agents can read availability and pay; they cannot modify pricing, refund a session, or change an operator's payout account. Second, every payment is capped by a per-session driver-set amount. An injection that tries to convince the agent to pay an inflated price hits the cap before reaching the operator. Third, every action requires a fresh consent token; the agent cannot replay an older consent.

The audit log captures the prompt context (a hash, not the raw prompt) along with the action. If a pattern of injected actions emerges, the agent vendor is notified, the relevant consent tokens are revoked, and the affected drivers receive a notification with a refund offer where appropriate. The response timeline mirrors the security incident SLA on /trust/security.