Policies

Create a policy

Five steps from blank to enforced. Stay in Draft until your rules are validated, then activate to begin enforcement on the next agent run.

What you'll learn
  • Where to author policies in the workspace
  • How to name and scope a policy correctly
  • How to compose rules of each type
  • How to validate and activate safely

Before you start

Decide which scope the rule belongs to. Tenant-wide constraints go on a Tenant policy. Agent-specific output rules go on an Agent policy. If unsure, read Policy scopes first.

Author the policy

  1. Open Policies

    In the sidebar, click Policies. The workspace list shows all Draft, Active, and Deprecated policies. Click + New Policy.
  2. Name it

    Give it a stable, descriptive name — for example "Block external email on support agents" or "Per-day spend cap 50 USD". The name appears in audit logs and violation events, so make it readable.
  3. Choose scope

    Pick Platform, Tenant, or Agent. If Agent, select the target agent. Scope is fixed after the first Active version — clone to a new scope rather than re-targeting.
  4. Add rules

    Click + Add Rule. Pick a rule type (data access, rate, output, tool, cost, time) and fill its fields. Add as many rules as the policy needs — they evaluate as an AND set.
  5. Save as Draft

    The policy lands in Draft status. It is editable and not yet enforced. Use this state to review with your team and dry-run against historical runs.

Activate

  1. Validate

    Open the policy and click Validate. The platform replays the rules against recent runs and reports any that would have been blocked — your dry-run preview.
  2. Activate

    Click Activate. The status moves to Active and the next matching run is governed by the new rules. Active policies are immutable.
  3. Monitor enforcement

    Open Monitor and filter by this policy id. Each block event shows the rule, the agent, the matching input, and the run id.

Iterate

To change an Active policy, clone it. The clone lands in Draft. Edit, validate, activate the new version, then move the old version to Deprecated. The Audit Log preserves the full version chain.

Frequently asked questions

How many rules can a single policy have?
No hard limit, but keep policies focused on one intent. Prefer many small policies over one giant policy — easier to clone, deprecate, and audit.

Can I import policies from another workspace?
Yes. Use Export on the source policy to download the JSON definition, then Import on the destination. The imported copy lands in Draft.

What if I delete a policy by accident?
Only Draft policies can be deleted, so the blast radius is limited. The deletion is logged in the Audit Log. To recover, re-create from a previous export or from a colleague's draft.

Does activating a policy affect runs already in flight?
Existing in-flight runs continue under the rule set they started with. New runs initiated after activation evaluate the new policy.