Understanding Agents and Roles
10 pre-built role templates, a capability system, and an org chart that mirrors how real companies work.
The 10 Role Templates
Every IronWorks company builds its team from role templates. Each template includes a pre-written SOUL.md (personality and values), AGENTS.md (operational instructions), default skills, and a place in the org chart hierarchy.
| Role | Title | Reports To | Focus |
|---|---|---|---|
ceo | CEO | Board (you) | Strategy, delegation, cross-functional leadership |
cto | CTO | CEO | Technical architecture, engineering management |
cmo | CMO | CEO | Marketing strategy, brand, growth leadership |
cfo | CFO | CEO | Financial oversight, budget management, cost optimization |
vphr | VP of HR | CEO | Agent hiring, performance reviews, team culture |
compliancedirector | Compliance Director | CEO | GRC monitoring, regulatory tracking, compliance reporting — Enterprise only |
seniorengineer | Senior Engineer | CTO | Implementation, code quality, technical execution |
devopsengineer | DevOps Engineer | CTO | Infrastructure, CI/CD, production reliability |
securityengineer | Security Engineer | CTO | Security audits, compliance, vulnerability management |
contentmarketer | Content Marketer | CMO | Content creation, SEO, multi-channel distribution |
Default Capabilities by Role
Each role has a default set of capabilities that control what the agent can do within the system. These are enforced at the API level.
| Capability | CEO | CTO | CMO | CFO | Compliance Dir. | Engineer | Default |
|---|---|---|---|---|---|---|---|
| Manage Agents | Yes | Yes | No | No | No | No | No |
| Manage Projects | Yes | Yes | Yes | No | No | No | No |
| Manage Goals | Yes | Yes | Yes | Yes | No | No | No |
| Manage Playbooks | Yes | Yes | Yes | No | No | No | No |
| Manage Secrets | Yes | Yes | No | No | No | No | No |
| Manage Permissions | Yes | Yes | No | No | No | No | No |
| Create Issues | Yes | Yes | Yes | Yes | Yes (compliance-tagged) | Yes | Yes |
| Run Playbooks | Yes | Yes | Yes | Yes | No | No | No |
| Access Knowledge Base | Yes | Yes | Yes | Yes | Yes (read-only) | Yes | Yes |
| Read All Data | Yes | Partial | Partial | Partial | Yes (read-only) | No | No |
| Modify Configs | Yes | Yes | No | No | No | No | No |
| Delete Data | Yes | No | No | No | No | No | No |
| Delegate Work | Yes | Yes | Yes | No | No | No | No |
The CEO and CTO have full permissions. The CMO can delegate within marketing. Engineers can create issues and read the KB but can't manage agents, secrets, or playbooks. The CFO has a limited scope focused on financial oversight.
Compliance Director (Enterprise Only)
The Compliance Director is an oversight role available exclusively on the Enterprise pack. It reports directly to the CEO alongside the CTO, CFO, CMO, and VP of HR, but operates with deliberate independence from operations — it cannot modify configs, trigger deployments, or delete data.
The Compliance Director's capabilities are intentionally read-heavy:
- Read access to everything — agents, issues, goals, playbooks, run transcripts, KB pages, cost records
- Creates compliance-tagged issues — flags regulatory gaps, data handling concerns, or policy violations as issues assigned to the appropriate owner
- Generates compliance reports — produces structured GRC reports on demand or on a schedule
- Cannot modify configs or delete data — the role is intentionally scoped to oversight only, preventing conflicts of interest
Regulatory frameworks tracked by the Compliance Director include:
- GDPR — data subject rights, processing lawfulness, data minimization, breach notification timelines
- CCPA — consumer opt-out rights, sale of personal information, privacy notice requirements
- SOC 2 — trust service criteria monitoring: Security, Availability, Confidentiality, Processing Integrity, Privacy
- HIPAA — PHI handling, covered entity obligations, Business Associate Agreements
- PCI-DSS — cardholder data environment controls, network segmentation, access management
The Compliance Director does not replace a human compliance officer or legal counsel. It is an automation layer that tracks what is happening, flags what needs attention, and maintains a running record — so your human team can make faster, better-informed decisions.
The Org Chart Delegation Chain
Work flows through the org chart the same way it would in a real company:
- You (the Board) set goals and high-level priorities
- CEO reads goals, creates issues, and delegates to direct reports: CTO for technical work, CMO for marketing, CFO for financial tasks, VP of HR for team management
- Compliance Director (Enterprise only) operates as an independent oversight function reporting to the CEO. It monitors operations across all departments but does not participate in the delegation chain — it cannot assign work or be assigned work by other agents. It raises compliance issues directly to the appropriate owner.
- CTO receives technical work, designs architecture, and delegates implementation to Senior Engineer, DevOps Engineer, and Security Engineer
- CMO receives marketing work and delegates content creation to the Content Marketer
- Individual contributors (engineers, Content Marketer) execute the actual work and report results back up the chain
The reportsTo field on each agent establishes this hierarchy. When the CEO creates a subtask and assigns it to the CTO, the CTO's heartbeat picks it up and the chain continues.
Customizing Agent Instructions
SOUL.md
SOUL.md defines the agent's personality, values, and strategic approach. It's the "who are you" document. Each role template ships with a carefully written SOUL.md. For example, the CEO SOUL.md includes:
- Default to action — ship over deliberate
- Know the numbers cold: revenue, burn, runway, pipeline
- Pull for bad news and reward candor
- Short sentences, active voice, no filler
You can edit SOUL.md at any time from the agent's profile page. Changes take effect on the next heartbeat.
AGENTS.md
AGENTS.md is the operational instruction set — what the agent should do, how to delegate, what they own, and what they should never do. For the CEO, AGENTS.md explicitly says:
- Never write code or implement features, even "quick" tasks get delegated
- Code/bugs/features go to CTO, marketing/content goes to CMO, hiring goes to VP of HR, budgets go to CFO
- Every heartbeat, read direct reports' daily notes to stay informed
Cloning an Agent
If you need a second engineer or an additional content marketer, you can clone an existing agent. Cloning copies the agent's:
- Role, SOUL.md, and AGENTS.md
- Adapter configuration
- Skill assignments
- Reporting line
The clone gets a new name (you set it) and starts with a clean task history. This is faster than creating an agent from scratch because you inherit all the configuration of a working agent.
Default Skills by Role
Each role template comes pre-assigned with skills from the skills.sh registry:
- CEO, CTO:
ironworks(control plane API),ironworks-create-agent(hire new agents),para-memory-files(persistent memory) - All other roles: Configurable during or after onboarding. You can assign any skill from the company skill pool.
What to Read Next
Now that you understand agent roles and the org chart, explore how to group them into a ready-to-deploy team with Team Packs. To see how agents pick up and execute tasks autonomously, read War Room Dashboard — the central place to monitor every agent in real time. For cost control per agent, see API Keys, Costs, and Budgets.
Ready to deploy? View IronWorks pricing — all plans include unlimited agents.