---
title: "Policies overview"
description: "Learn how to define and manage conditional security and usage policies for your MCP gateway."
---

# Policies overview

Policies in AgentLink let you **enforce guardrails** that control how AI agents interact with your connected tools and APIs.

Each policy defines one or more conditions (based on user attributes, tool parameters, or context) and an **action** that determines how the request is handled, for example **Deny**, **Request approval**, or **Step up authentication**.

## Key concepts

| Concept | Description |
| --- | --- |
| **Policy** | A rule that governs whether a specific action is permitted, denied, or requires additional verification. |
| **Conditions** | Logical expressions that define when the policy applies. |
| **Actions** | The outcome applied when conditions are met: Deny, Step up, or Request approval. |
| **Approval flow** | A predefined flow of approvers configured under the *Approval Flows* tab. |
| **Policy targeting** | Defines the scope: which users, roles, or contexts the policy applies to. |

## Example use cases

- Deny creating expenses above a certain threshold.
- Require approval for sensitive tool actions (e.g., `delete_customer`).
- Enforce stronger authentication (step-up MFA) for external API access.
- Restrict data operations to specific user roles or departments.

## How policies work

When an AI agent attempts to execute a tool:

1. The MCP Gateway evaluates all active policies matching that tool.
2. Each policy’s conditions are checked using attributes based on the tool's schema, such as:
   - `user.role`
   - `amount` (for example, to deny creating expenses above a certain threshold when the tool's schema accepts `amount` as a parameter)
3. If a policy matches, the defined **action** is applied.

Example flow:

AI Agent → MCP Gateway → Policy Engine → Tool

## Actions

| Action | Description |
| --- | --- |
| **Deny** | The request is blocked and an error is returned to the agent. |
| **Request approval** | The request is paused until an approver approves or rejects it, using the defined approval flow. |
| **Step up** | The user must re-authenticate or complete a stronger verification step. |

## Related topics

- [Creating Policies](/agent-link/policies/creating-policies)
- [Conditional Expressions](/agent-link/policies/conditional-expressions)
- [Approval Flows](/agent-link/policies/approval-flows)
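
The three evaluation steps under "How policies work", modeled in Python as an added example; this is not AgentLink's code or policy syntax. The `create_expense` tool name, the 1000 threshold, the "most restrictive action wins" ordering and the fail-closed handling of missing attributes are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable, Mapping

# Assumption (not stated on the page): the most restrictive matching action wins.
SEVERITY = {"allow": 0, "step_up": 1, "request_approval": 2, "deny": 3}


@dataclass(frozen=True)
class Policy:
    name: str
    tool: str                                       # tool this policy targets
    condition: Callable[[Mapping[str, Any]], bool]  # checked against call attributes
    action: str                                     # "deny", "request_approval" or "step_up"
    active: bool = True


def evaluate(policies, tool, attrs):
    """Return (action, names of matching policies) for one tool call."""
    decision, matched = "allow", []
    for p in policies:
        if not p.active or p.tool != tool:          # step 1: active policies for this tool
            continue
        try:
            hit, action = p.condition(attrs), p.action  # step 2: check the conditions
        except (KeyError, TypeError):
            # Assumption: a missing or wrongly typed attribute fails closed.
            hit, action = True, "deny"
        if hit:                                     # step 3: apply the matching action
            matched.append(p.name)
            if SEVERITY[action] > SEVERITY[decision]:
                decision = action
    return decision, matched


# Constructed sample policies mirroring the page's example use cases.
POLICIES = [
    Policy("expense-limit", "create_expense", lambda a: a["amount"] > 1000, "deny"),
    Policy("role-step-up", "create_expense", lambda a: a["user.role"] != "finance", "step_up"),
    Policy("delete-approval", "delete_customer", lambda a: True, "request_approval"),
]

if __name__ == "__main__":
    for tool, attrs in [
        ("create_expense", {"user.role": "finance", "amount": 50}),
        ("create_expense", {"user.role": "sales", "amount": 5000}),
        ("create_expense", {"user.role": "finance"}),  # amount missing
        ("delete_customer", {"user.role": "finance"}),
    ]:
        print(tool, attrs, "->", evaluate(POLICIES, tool, attrs))
```

The third sample call shows why the failure mode matters: a condition on `amount` that silently evaluates to "no match" when the parameter is absent would let the call through unchecked.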