Policies

Policy scopes and inheritance

Every agent run is governed by the union of three scopes. The most restrictive rule wins — there is no override that loosens a parent.

What you'll learn
  • The three scopes and what they govern
  • How inheritance composes the effective rule set
  • How conflicts resolve when scopes disagree
  • When to author at each scope

The three scopes

Each scope owns a different governance surface. Author rules at the scope where they belong.
  1. Platform

     System-wide rules set by Dezifi or your platform operator. Applies to every tenant. Used for residency, model bans, and absolute spend ceilings.

  2. Tenant

     Workspace-level rules set by a workspace admin. Applies to every agent in the workspace. Used for default tool allow-lists, per-day cost caps, and shared data-access boundaries.

  3. Agent

     Per-agent rules set by the agent owner. Applies only to that agent. Used for narrow tool restrictions, output schemas, and agent-specific rate limits.

Inheritance chain

The effective rule set for an agent run is the union of Platform, Tenant, and Agent policies. An Agent policy cannot grant access that a Tenant or Platform policy denies. The chain is deny-by-precedence: any deny anywhere in the chain wins.

Conflict resolution

When two scopes disagree, the resolver applies these rules in order.
  1. Most restrictive wins

     If Platform denies and Agent allows, the action is denied. There is no way for a child scope to widen a parent.

  2. Quantitative limits take the lowest

     For rate, cost, and time limits, the effective cap is the minimum of the matching rules across scopes.

  3. Explicit allow at a higher scope is not a grant

     An allow at Platform is the absence of a deny — it does not override a deny added later at Tenant or Agent.
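
The three resolution rules above, written as a small resolver that also records which scope each effective rule came from. This is an added illustration, not Dezifi's own code: the `Policy` fields, tool names and limit names are assumptions, as is treating a tool missing from any scope's allow-list as denied.

```python
from dataclasses import dataclass, field
from typing import Optional

SCOPES = ("platform", "tenant", "agent")  # parent -> child order

@dataclass
class Policy:  # hypothetical shape, not the product's schema
    scope: str
    deny: set = field(default_factory=set)      # tools explicitly denied
    allow: Optional[set] = None                 # allow-list; None = no opinion
    limits: dict = field(default_factory=dict)  # e.g. {"cost_per_day": 50.0}

def resolve(policies):
    """Merge all scopes into one effective set, keeping the source scope."""
    denied, limits, allow_lists = {}, {}, []
    for p in sorted(policies, key=lambda p: SCOPES.index(p.scope)):
        for tool in p.deny:
            denied.setdefault(tool, p.scope)   # any deny in the chain wins
        if p.allow is not None:
            allow_lists.append((p.scope, p.allow))
        for name, cap in p.limits.items():
            if name not in limits or cap < limits[name][0]:
                limits[name] = (cap, p.scope)  # lowest cap wins
    return {"denied": denied, "allow_lists": allow_lists, "limits": limits}

def decide(effective, tool):
    """Return (allowed, reason) for a tool call under the effective set."""
    if tool in effective["denied"]:
        return False, f"denied at {effective['denied'][tool]}"
    for scope, allowed in effective["allow_lists"]:
        if tool not in allowed:  # an allow lower down cannot widen a parent
            return False, f"not in {scope} allow-list"
    return True, "no deny in chain"

# Constructed sample policies: the agent tries to widen both parents.
POLICIES = [
    Policy("platform", deny={"shell_exec"}, limits={"cost_per_day": 500.0}),
    Policy("tenant", allow={"web_search", "sql_query"},
           limits={"cost_per_day": 50.0, "requests_per_min": 60}),
    Policy("agent", deny={"sql_query"},
           allow={"web_search", "sql_query", "shell_exec", "send_email"},
           limits={"cost_per_day": 200.0, "requests_per_min": 10}),
]

if __name__ == "__main__":
    eff = resolve(POLICIES)
    for tool in ("shell_exec", "sql_query", "send_email", "web_search"):
        print(tool, decide(eff, tool))
    print(eff["limits"])
```

In the sample, the agent's allow entries for `shell_exec` and `send_email` have no effect, and its higher `cost_per_day` does not raise the tenant cap.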

Where to author

Author at the highest scope that still expresses the rule cleanly. A tenant-wide PII boundary belongs at Tenant, not duplicated on every agent. An agent-specific output schema belongs at Agent, not pushed up.

Frequently asked questions

Can I override a Platform policy at Tenant?
No. Platform rules are floor constraints. Tenants and agents can only add restrictions, never remove them.

What if two policies at the same scope conflict?
The resolver applies the most restrictive interpretation. For tool allow / deny, deny wins. For numeric limits, the lowest cap applies.

How do I preview the effective rule set for an agent?
Open the agent detail page and click Policies. The panel shows the merged effective set with the scope each rule came from.

Do scopes apply to workflow runs the same way?
Yes. A workflow inherits the Tenant scope and applies the Agent scope of whichever agent is currently executing. Platform rules apply uniformly.