Policy Categories & Templates
Waxell ships with 49 policy categories grouped by what they govern. Categories define what kind of governance you want; templates provide ready-to-use configurations for common scenarios.
Operational Guardrails
Limits on agent execution itself — rate, cost, duration, errors, scheduling.
| Category | What it controls | Actions |
|---|---|---|
| Rate Limit | Request rates and concurrency per agent, user, or team | warn, throttle, block |
| Budget | Token & dollar budgets (per-run, daily, monthly) | warn, throttle, block |
| Chargeback Attribution | Cost-center / business-unit tagging for chargeback billing | warn, block |
| Scheduling | Allowed operation hours and days | warn, block |
| Time-of-Day Gating | Business-hours enforcement with timezone awareness | warn, block |
| Safety | Step limits, tool call limits, execution depth | warn, block |
| Kill Switch | Emergency stop based on error rates or anomalies | block |
| Audit | Audit logging behavior, retention, detail levels | allow, warn |
| Operations | Timeouts, retry limits, concurrency settings | warn, block |
| LLM | Model allowlists/blocklists, provider restrictions | warn, block |
| Quality | Output quality thresholds, stability checks | warn, block |
| Content | Input/output scanning for PII, credentials, injection patterns | warn, redact, block |
| Spawn Limit | Tenant-wide ceiling on concurrent agent spawns | warn, throttle, block |
Data & Security Boundaries
What agents can touch — data sources, network destinations, code execution, blast radius.
| Category | What it controls | Actions |
|---|---|---|
| Data Access | Which data sources agents can read/write, record limits | warn, block |
| Network | Outbound domain allowlists/blocklists, protocol restrictions | warn, block |
| Scope | Blast radius limits — records modified, files changed, transaction amounts | warn, block |
| Code Execution | Allowed languages, paths, commands, sandbox requirements | warn, block |
| Input Validation | Inbound data schema validation, size limits, sanitization | warn, block |
| Output Egress Format | OWASP LLM05: block exfiltration-shaped outputs (base64, external URLs, data URIs) | warn, block |
Cognitive Governance
Quality of reasoning and grounding — preventing hallucination, ensuring explainability.
| Category | What it controls | Actions |
|---|---|---|
| Grounding | Source grounding, citation minimums, abstention thresholds | warn, block |
| Provenance Required | OWASP LLM09b: strict per-claim citation enforcement | warn, block |
| Retrieval | RAG quality — relevance scores, source age, diversity | warn, block |
| Reasoning | Decision explainability, bias detection, logical consistency | warn, block |
| Recursion Bound | OWASP LLM10c: cap reasoning depth, tool calls, delegation | warn, block |
| Prompt Injection Guard | OWASP LLM01: prompt-injection detection (heuristic + classifier) | warn, block |
Agent Action Control
Gates on what agents are allowed to do — approvals, delegation, communication.
| Category | What it controls | Actions |
|---|---|---|
| Approval | Human-in-the-loop gates for high-stakes actions | block, warn |
| Delegation | Multi-agent trust — delegation depth, allowed delegates | warn, block |
| Cross-Agent Isolation | Memory/scratchpad isolation between sibling agents | warn, block |
| Communication | Output channel governance — allowed channels, disclaimers | warn, block |
| Domain Governance | Connect domain-endpoint allow/block lists | warn, block |
| Signal Governance | Agent-emitted signal constraints | warn, throttle, block |
Allowlists (Phase 1.5)
Positive-list governance for what agents can call.
| Category | What it controls | Actions |
|---|---|---|
| Tool Allowlist | Which tools an agent is allowed to invoke | warn, block |
| MCP Server Allowlist | Which MCP servers an agent can register | warn, block |
| Prompt Allowlist | Which named prompt templates can be used | warn, block |
| Tool Argument Schema | OWASP LLM06a: JSON schema validation for tool arguments | warn, block |
| Agent Service Account Scope | OWASP LLM06b: SaaS service-account restrictions | warn, block |
Trust, Privacy & Compliance
Regulatory and trust controls — GDPR, HIPAA, ISO, NIST.
| Category | What it controls | Actions |
|---|---|---|
| Privacy | Data minimization, consent, residency, purpose limitation | warn, block |
| Identity | AI disclosure requirements, impersonation prevention | warn, block |
| Memory | Session isolation, cross-session memory, retention limits | warn, block |
| Compliance | Regulatory profile validation (HIPAA, SOC 2, PCI-DSS, GDPR) | warn, block |
| Context Management | Conversation length, context window utilization | warn, block |
| Data Residency | ISO 42001 A.8.4: pin execution to approved regions | warn, block |
| Data Erasure | GDPR Art-17 / CCPA: erasure request SLA enforcement | warn, block |
| Breach Notification | GDPR Art-33 / HIPAA: breach notification SLAs | warn, block |
| Bias Trend | NIST AI RMF MS-3.1: fairness monitoring over rolling windows | warn, block |
| Model Card Required | OWASP LLM03 / NIST AI RMF GV-1.1: supply-chain model cards | warn, block |
End-User Identity (Phase B)
Per-end-user governance for agents that serve many users via sub-user identity.
| Category | What it controls | Actions |
|---|---|---|
| End-User Budget | Per-WaxellUser monthly cost cap | warn, block |
| End-User Rate Limit | Per-end-user / per-group rate limiting | warn, throttle, block |
| End-User Suspension | Block runs for suspended end-users | warn, block |
Policy Actions
When a policy evaluates, it returns one of these actions:
| Action | Effect |
|---|---|
allow | Execution proceeds normally |
warn | Execution proceeds, warning recorded in trace |
redact | Sensitive content masked with ##TYPE## placeholders, execution proceeds |
throttle | Execution delayed (rate-limited) |
block | Execution stopped, PolicyViolationError raised |
skip | Execution skipped silently (no error raised) |
retry | Execution retried with backoff |
Policies are evaluated in priority order. The first blocking result stops evaluation. Warnings and redactions accumulate across all matching policies.
Policy Scoping
Every policy can be scoped to specific targets. Scopes are combined with AND logic — a policy scoped to agent support-bot AND user group enterprise only applies to enterprise users running support-bot.
| Scope | What it filters |
|---|---|
agents | Agent names |
agent_ids | Specific agent UUIDs |
agent_groups | Agent group names (BALLER cross-agent isolation) |
users | User IDs |
user_groups | User group names |
teams | Team names |
workflows | Workflow names |
tools | Tool names |
models | LLM model names |
sub_user_ids | End-user IDs (Phase B identity) |
end_user_groups | End-user group names (Phase B) |
subscription_tiers | Subscription tier names (Phase B) |
Unscoped policies (no filters) apply globally to all executions within the tenant.
Enforcement Phases
Policies are checked at multiple points during execution:
| Phase | When | Typical action |
|---|---|---|
before_workflow | Run starts | block, warn |
before_llm_call | Each LLM call | block, redact, warn |
before_domain_call | Each domain/tool call | block, warn |
mid_execution | Each record_step() (if mid_execution_governance=True) | block, warn |
on_tool_call | Tool dispatch | block, warn |
after_workflow | Run completes | warn (records analytics) |
import waxell_observe as waxell
waxell.init()
@waxell.observe(
agent_name="support-bot",
enforce_policy=True, # before_workflow + on_tool_call + before_llm_call
mid_execution_governance=True, # mid_execution
)
async def handle_query(query: str) -> str:
response = await call_llm(query)
waxell.step("process", output={"status": "done"})
return response
Standards Mapping
Each category maps to one or more industry standards:
| Standard | Categories |
|---|---|
| OWASP LLM Top 10 | prompt-injection-guard (LLM01), model-card-required (LLM03), output-egress-format (LLM05), tool-argument-schema (LLM06a), agent-service-account-scope (LLM06b), provenance-required (LLM09b), recursion-bound (LLM10c) |
| GDPR | data-erasure (Art-17), breach-notification (Art-33), privacy, data-residency |
| HIPAA | breach-notification (§164.404), audit, content, privacy |
| ISO 42001 | data-residency (A.8.4), audit, model-card-required |
| NIST AI RMF | bias-trend (MS-3.1), model-card-required (GV-1.1), reasoning |
| SOC 2 | audit, safety, kill-switch, operations, content |
| CCPA | data-erasure, privacy |
| PCI-DSS | content (credentials), audit, network |
Creating Policies
Via Dashboard
- Navigate to Governance > Policies
- Click New Policy (or From Template for a pre-built config)
- Select a category and configure rules
- Set scope (agents, users, workflows, etc.)
- Enable
Via API
# List all categories
curl -H "Authorization: Bearer $TOKEN" \
https://acme.waxell.dev/waxell/v1/policy-categories/
# List available templates
curl -H "Authorization: Bearer $TOKEN" \
https://acme.waxell.dev/waxell/v1/policy-templates/
# Create a policy
curl -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
https://acme.waxell.dev/waxell/v1/policies/ \
-d '{
"name": "Production Rate Limit",
"category": "rate-limit",
"rules": {"max_per_minute": 100, "max_concurrent": 10},
"scope": {"agents": ["support-bot"]},
"enabled": true
}'
Via Platform Assistant
Ask the assistant to create a policy in natural language:
"Create a rate limit policy for my support-bot, max 100 requests per hour, throttle on excess"
The assistant renders an interactive policy card you can review and confirm before it's created. See Platform Assistant for details.
Next Steps
- Governance — Policy enforcement in your agent code
- Approval Workflows — Human-in-the-loop for blocked actions
- Recommendations — Automated policy suggestions
- Platform Assistant — Create and manage policies via chat