A policy is the reusable enforcement profile attached to one or more Averta API keys. Each runtime decision uses the policy attached to the API key that made the request.

What Policies Control Today

The current dashboard has live controls for:
  • request policy
  • tool exposure policy
The policy editor may also display sections for tool-call, tool-result, and output policy. Treat those sections as inactive controls unless your team has explicitly enabled them. The live dashboard controls documented here are request policy and tool exposure.

Access

Policies are visible only to roles with policy permissions:
| Role | Policy access |
| --- | --- |
| Owner | View and manage policies. |
| Admin | View and manage policies. |
| User | No policy management access. |

Policy List

The policies list shows one row per policy, including:
  • policy name
  • request policy summary
  • request protection status
  • number of attached API keys
  • last updated time
Use this page to create a policy or open a policy editor.

Create a Policy

When creating a policy, set:
  • policy name
  • request risk threshold
The current request policy model is intentionally simple:
  • default action is allow
  • a binary block rule evaluates request risk
  • the request is blocked when the score is greater than or equal to the threshold
If you do not change it, the default threshold starts at 0.90.

Request Policy

Request policy controls the first checkpoint: the request before provider execution. From the policy editor, you can:
  • rename the policy
  • change the binary threshold
  • save updates
  • enable or disable request protection
Disabling request protection affects every API key attached to that policy. Do not use it as a casual debugging switch in production.

Tool Exposure Policy

Tool exposure is also configured inside a policy. It removes tools before they are shown to the model. Use tool exposure to:
  • hide high-impact tools on riskier requests
  • allow safer tools without blocking the whole request
  • respond to newly discovered tools
  • degrade agent capability before a hard block
Detailed rule semantics live in Tool exposure policy.

Lifecycle Safeguards

The policy detail view shows:
  • current status
  • current threshold
  • number of attached API keys
  • last updated time
Deletion is blocked while API keys are attached. That is the right safeguard: deleting a policy that still backs live credentials would break or change runtime enforcement.

| Scenario | Recommendation |
| --- | --- |
| Production and staging differ | Use separate policies and separate API keys. |
| Agents have different tools | Use separate policies per agent boundary. |
| One tool is high impact | Add selective tool exposure rules before broad request blocking. |
| A new tool appears in events | Review discovered tools and map it intentionally. |
| A policy feels noisy | Inspect events before changing thresholds. |
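
One way to inspect events before changing a threshold is to replay their risk scores against the current and the candidate value, using the block rule stated above (block when the score is greater than or equal to the threshold). This is an added example, not Averta code: the `Event` fields, the `threshold_impact` helper and the sample records are assumptions constructed for illustration and do not reflect Averta's event schema or API.

```python
from dataclasses import dataclass

DEFAULT_THRESHOLD = 0.90  # default threshold stated on this page


@dataclass(frozen=True)
class Event:
    # Hypothetical record shape for illustration; not Averta's event schema.
    event_id: str
    api_key: str
    risk_score: float


def is_blocked(score: float, threshold: float) -> bool:
    """Binary block rule from this page: block when score >= threshold."""
    return score >= threshold


def threshold_impact(events, current, candidate):
    """Replay scores against both thresholds; group flipped decisions by API key.

    A policy change applies to every API key attached to it, so the flips are
    reported per key to show which credentials would see different behavior.
    """
    report = {"blocked_now": 0, "blocked_after": 0,
              "newly_blocked": {}, "newly_allowed": {}}
    for ev in events:
        before = is_blocked(ev.risk_score, current)
        after = is_blocked(ev.risk_score, candidate)
        report["blocked_now"] += before
        report["blocked_after"] += after
        if before != after:
            bucket = "newly_blocked" if after else "newly_allowed"
            report[bucket].setdefault(ev.api_key, []).append(ev.event_id)
    return report


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    Event("ev-1", "key-staging", 0.12),
    Event("ev-2", "key-prod", 0.85),
    Event("ev-3", "key-prod", 0.90),  # equals the default threshold: blocked
    Event("ev-4", "key-prod", 0.97),
    Event("ev-5", "key-staging", 0.80),
]

if __name__ == "__main__":
    print(threshold_impact(SAMPLE_EVENTS, DEFAULT_THRESHOLD, 0.85))
```

A score equal to the threshold counts as blocked, so lowering the threshold to 0.85 in the sample flips `ev-2` on `key-prod` from allowed to blocked.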

Tool exposure policy

See rule semantics, discovered tools, and rollout guidance.

API Keys

Attach policies to organization-owned credentials.

Events

Confirm policy behavior from runtime decisions.