This guide walks you through creating a new policy in Agen for SaaS. Policies define conditional rules that are evaluated when AI agents invoke tools, allowing you to enforce deny, step-up, or approval actions based on request attributes.
- Navigate to the Policies section in the control plane (accessible from the Guardrails area of the pipeline view, or from the left sidebar).
- Click Create policy.
- Fill in the policy form fields described below.
- Click Create policy to save.
A descriptive name for the policy. Use a naming convention that indicates the action and context (e.g., "Step-up: Create expense", "Deny: External IP access").
A brief explanation of the policy's purpose. Maximum 160 characters.
Placeholder: "Enter policy description"
Assign the policy to specific tools. The policy only evaluates when one of the assigned tools is invoked.
- Click the dropdown and select one or more tools.
- Selected tools appear as chips with an X button to remove them (e.g.,
Update_expense).
Placeholder: "Select policy tools"
Define the conditional expression that determines when the policy action is triggered.
Specify the policy attribute and value, and detail the manner in which the policy is applied
Each condition follows the format: IF [Attribute] [Operator] [Value]
| Component | Description | Examples |
|---|---|---|
| Attribute | The request attribute to evaluate. Free-text field. | IP, amount, country, user_role |
| Operator | The comparison operator. Dropdown selection. | Contains, In, Equals, Greater than, Less than |
| Value | The value(s) to compare against. Can be a single value or multiple values (shown as chips). | 192.168, United States, 10000 |
To add multiple conditions, click + and. All conditions must be true (AND logic) for the policy to trigger.
To remove a condition, click the minus icon next to it.
Select the enforcement action when all conditions match:
| Action | Behavior | Additional configuration |
|---|---|---|
| Deny | Block the tool call. | None. |
| Step up | Require additional authentication. | None. |
| Request approval | Pause the tool call and route to an approval flow. | A dropdown to select the approval flow (e.g., "Approve from admins"). |
Click Create policy to save, or Cancel to discard.
Scenario: Require step-up authentication when creating an expense with an amount greater than 10,000.
- Click Create policy.
- Set Name to "Step-up: Create expense".
- Select
Create_a_new_expensein Policy tools. - In Policy attributes, set: IF
amountGreater than10000. - Select Step up as the Policy action.
- Click Create policy.
Result: When an AI agent calls Create_a_new_expense with an amount exceeding 10,000, the user is prompted for additional authentication before the tool call proceeds.
Scenario: Require manager approval when updating expenses from internal network IPs.
- Click Create policy.
- Set Name to "Approval: Internal IP updates".
- Select
Update_expensein Policy tools. - In Policy attributes, set: IF
IPContains192.168. - Select Request approval as the Policy action.
- Select "Approve from admins" from the approval flow dropdown.
- Click Create policy.
Result: When an AI agent calls Update_expense from an IP containing 192.168, the request is paused and routed to the "Approve from admins" flow for human review.
Use the toggle in the Status column of the policies list. Active policies are evaluated during tool calls; inactive policies are preserved but not enforced.
Use the Action filter dropdown to show only policies with a specific action type (Deny, Step up, Request approval) or set to "All" to see everything.
Click the three-dot menu on a policy row and select edit. You can modify the name, description, tools, conditions, and action.
Click the three-dot menu and select delete to permanently remove the policy.