Policy-as-Code Gate
Intent & Description
🎯 Intent
Evaluate every proposed agent action against externally-managed machine-readable policies before dispatch, so compliance authorship lives outside the prompt and outside the agent code.
📋 Context
A team runs an agent in a regulated or compliance-sensitive domain — banking, insurance, public-sector, critical infrastructure — where the set of permitted actions is determined by policy documents that compliance, legal, or security functions own and update. The agent has a non-trivial action surface (transfers, account changes, external API calls of varying risk) and the rules over that surface change more often than the agent code. The people who write the rules are not the same people who write the prompts or deploy the agent.
💡 Solution
Maintain policies as code (OPA/Rego, Cedar, or equivalent) in a repository owned by compliance, optionally generated by a policy compiler that translates prose policy documents into the rule language. Before any tool dispatch, the agent emits a structured action proposal (tool, arguments, caller context, retrieved data fingerprints) to an external policy decision point. The engine returns allow, deny, or allow-with-obligations together with a policy hash and rule id. The agent dispatches the tool only on allow; on deny the agent surfaces the rule id to the user or escalates. Policies are versioned, signed, and ship through a separate pipeline from the agent. Evaluation results are logged with the policy hash so any decision can be re-checked against the exact rule version that fired.
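The gate described above, as an added example that is not part of the original pattern description or any project's code: a minimal Python enforcement point with a stand-in decision engine. The rule format, rule ids, tool names, the `fulfilled` parameter and the fail-closed handling of an unreachable engine are assumptions; a real deployment would query OPA or Cedar and verify the bundle signature before trusting its hash.

```python
import hashlib
import json

# Constructed rule bundle standing in for compiled Rego/Cedar; ids and fields are hypothetical.
RULES = [  # first matching rule wins
    {"id": "TRF-001", "tool": "transfer", "field": "amount", "gt": 10000, "effect": "deny"},
    {"id": "TRF-002", "tool": "transfer", "field": "amount", "gt": 1000,
     "effect": "allow", "obligations": ["second_approver"]},
    {"id": "TRF-003", "tool": "transfer", "field": "amount", "gt": 0, "effect": "allow"},
]

def digest(obj):
    """SHA-256 over canonical JSON: policy hash and proposal fingerprint."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def evaluate(proposal, rules=RULES):
    """Decision point: deterministic, no model in the path, default deny."""
    decision = {"effect": "deny", "rule_id": "DEFAULT-DENY", "obligations": []}
    for rule in rules:
        if rule["tool"] != proposal["tool"] or proposal["args"].get(rule["field"], 0) <= rule["gt"]:
            continue
        decision = {"effect": rule["effect"], "rule_id": rule["id"],
                    "obligations": rule.get("obligations", [])}
        break
    return {**decision, "policy_hash": digest(rules)}

def gate(proposal, tools, audit_log, pdp=evaluate, fulfilled=()):
    """Enforcement point: dispatch only on allow with every obligation met."""
    try:
        decision = pdp(proposal)
    except Exception:  # engine unreachable or malformed input: fail closed (assumption)
        decision = {"effect": "deny", "rule_id": "PDP-UNAVAILABLE",
                    "obligations": [], "policy_hash": None}
    pending = [o for o in decision["obligations"] if o not in fulfilled]
    dispatched = decision["effect"] == "allow" and not pending
    audit_log.append({"proposal": digest(proposal), "pending": pending,
                      "dispatched": dispatched, **decision})  # logged before dispatch
    result = tools[proposal["tool"]](**proposal["args"]) if dispatched else None
    return decision, result
```

Because each audit record carries the proposal fingerprint and the policy hash, a reviewer can re-run `evaluate` against the bundle with that hash and confirm the same rule id fires.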
Real-world Use Case
- Governance rules are owned by a compliance, legal, or security function distinct from agent engineering.
- Policies change more often than the agent or model.
- Auditors require a signed, replayable rule version for each agent action.
- The action surface is non-trivial and contains operations that vary in risk.
Advantages
- Compliance owns the rules in their native form; engineering owns the agent.
- Policy changes ship without touching prompts or model weights.
- Every allow/deny carries a signed policy version that an auditor can replay.
- Deterministic rule evaluation removes the LLM from the enforcement path.
- Prose-to-code compilation reduces translation drift between policy documents and runtime checks.
Disadvantages
- Adds a synchronous decision point to every tool call; latency and availability of the policy engine become production concerns.
- Rule language (Rego, Cedar) is itself a skill the compliance team must acquire or be supported in.
- Prose-to-code compilation can introduce its own translation errors; the compiled output still needs human review.
- Policies that depend on free-text content (intent, tone) cannot be fully expressed as code and fall back on classifier obligations.
- Action proposals must serialise enough context for the policy to evaluate, which expands the agent’s structured-output surface.