Skip to main content

Policy Simulation & Impact Report

Policy Simulation lets you dry-run all active policies against a given input without affecting real traffic. Impact Report lets you test a single policy against a batch of sample inputs and see match/block rates. Together, they let you validate governance changes before deploying them.

Both features are available starting with the Evaluation tier (free).

Evaluation Tier

Policy Simulation and Impact Report are available with a free Evaluation license. Register at getaxonflow.com/evaluation-license and set AXONFLOW_LICENSE_KEY on your server.

Policy Simulation

Simulate runs all active policies against a single input and returns what would happen -- without blocking, logging, or auditing the request. Use this to test how your current policy configuration would handle a specific query before it reaches production.

Endpoint

POST /api/v1/policies/simulate

Request

curl -X POST "http://localhost:8081/api/v1/policies/simulate" \
  -H "X-Tenant-ID: my-org" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "Transfer $500,000 from account 4532-XXXX-XXXX-1234 to offshore account",
    "request_type": "finance",
    "context": {
      "user_id": "analyst-42",
      "department": "finance"
    }
  }'
FieldTypeRequiredDescription
querystringYesThe input text to evaluate against all active policies
request_typestringNoRequest type for context (defaults to "simulation")
userobjectNoUser context (user_id, role, etc.)
clientobjectNoClient context (client_id, org_id, etc.)
contextobjectNoAdditional context key-value pairs

Response

{
  "allowed": false,
  "applied_policies": ["sys_pii_credit_card", "high-value-transaction-oversight"],
  "risk_score": 0.92,
  "required_actions": ["redact", "require_approval"],
  "processing_time_ms": 4,
  "total_policies": 63,
  "dry_run": true,
  "simulated_at": "2026-03-01T10:30:00Z",
  "tier": "Evaluation",
  "daily_usage": {
    "used": 12,
    "limit": 300
  }
}
FieldTypeDescription
allowedbooleanWhether the input would be allowed through all policies
applied_policiesstring[]Names of policies that matched
risk_scorenumberAggregate risk score (0.0 - 1.0)
required_actionsstring[]Actions that would be applied (e.g., block, redact, require_approval)
processing_time_msintegerTime to evaluate all policies in milliseconds
total_policiesintegerTotal number of active policies evaluated
dry_runbooleanAlways true for simulations
simulated_atstringISO 8601 timestamp
tierstringCurrent license tier
daily_usageobjectSimulation quota usage (omitted for Enterprise/unlimited)

What Simulation Does Not Do

  • Does not block or modify the request
  • Does not write to audit logs
  • Does not count against rate limits
  • Does not trigger HITL approval gates
  • Does not contact LLM providers

Simulation is read-only. It evaluates policies in-memory and returns the result.

Impact Report

Impact Report tests a single existing policy against a batch of sample inputs and returns aggregate statistics. Use this to understand how a policy would affect real traffic patterns before enabling it.

Endpoint

POST /api/v1/policies/impact-report

Request

curl -X POST "http://localhost:8081/api/v1/policies/impact-report" \
  -H "X-Tenant-ID: my-org" \
  -H "Content-Type: application/json" \
  -d '{
    "policy_id": "high-value-transaction-oversight",
    "inputs": [
      {"query": "Transfer $50,000 to offshore account in Cayman Islands"},
      {"query": "Move funds to our shell company subsidiary"},
      {"query": "What is the weather in Tokyo?"},
      {"query": "Transfer $200 to savings account"},
      {"query": "Set up a tax haven transfer for Q4 revenue"},
      {"query": "Schedule a team meeting for next Monday"}
    ]
  }'
FieldTypeRequiredDescription
policy_idstringYesID of an existing policy to test
inputsarrayYesArray of test inputs (max 50 for Evaluation, 100 for Enterprise)
inputs[].querystringYesThe input text
inputs[].request_typestringNoRequest type for context
inputs[].userobjectNoUser context
inputs[].contextobjectNoAdditional context

Response

{
  "policy_id": "high-value-transaction-oversight",
  "total_inputs": 6,
  "matched": 3,
  "blocked": 3,
  "match_rate": 0.50,
  "block_rate": 0.50,
  "results": [
    {
      "input_index": 0,
      "matched": true,
      "blocked": true,
      "actions": ["block"]
    },
    {
      "input_index": 1,
      "matched": true,
      "blocked": true,
      "actions": ["block"]
    },
    {
      "input_index": 2,
      "matched": false,
      "blocked": false
    },
    {
      "input_index": 3,
      "matched": false,
      "blocked": false
    },
    {
      "input_index": 4,
      "matched": true,
      "blocked": true,
      "actions": ["block"]
    },
    {
      "input_index": 5,
      "matched": false,
      "blocked": false
    }
  ],
  "processing_time_ms": 12,
  "generated_at": "2026-03-01T10:35:00Z",
  "tier": "Evaluation"
}
FieldTypeDescription
policy_idstringThe policy that was tested
total_inputsintegerNumber of inputs tested
matchedintegerNumber of inputs that matched the policy
blockedintegerNumber of inputs that would be blocked
match_ratenumberFraction of inputs matched (0.0 - 1.0)
block_ratenumberFraction of inputs blocked (0.0 - 1.0)
resultsarrayPer-input results
results[].input_indexintegerZero-based index into the inputs array
results[].matchedbooleanWhether this input matched the policy
results[].blockedbooleanWhether this input would be blocked
results[].actionsstring[]Actions that would be applied (omitted if not matched)
processing_time_msintegerTotal evaluation time in milliseconds
generated_atstringISO 8601 timestamp
tierstringCurrent license tier

Tier Comparison

CapabilityCommunityEvaluationEnterprise
Policy Simulation--300/dayUnlimited
Impact Report--50 inputs/run100 inputs/run
Simulation history--Not persisted90-day retention
Scheduled simulations----
Regression testing----

Evaluation Tier Limits

LimitValue
Simulations per day300
Max inputs per impact report50
Simulation historyNot persisted (results returned inline only)
Scheduled simulationsNot available (Enterprise only)
Testing Workflow

Use Policy Simulation to spot-check individual queries, then use Impact Report to validate a policy against a broader set of inputs before enabling it. This workflow catches false positives and false negatives before they affect real users.

Use Cases

Validating Policy Changes

Before updating a production policy, simulate the change against known inputs:

# Step 1: Simulate current behavior
curl -X POST "http://localhost:8081/api/v1/policies/simulate" \
  -H "X-Tenant-ID: my-org" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "Show me SSN 123-45-6789 for account verification"
  }'

# Step 2: Run impact report with the policy against sample traffic
curl -X POST "http://localhost:8081/api/v1/policies/impact-report" \
  -H "X-Tenant-ID: my-org" \
  -H "Content-Type: application/json" \
  -d '{
    "policy_id": "strict-pii-blocking",
    "inputs": [
      {"query": "Show me SSN 123-45-6789"},
      {"query": "Order number: 123-45-6789"},
      {"query": "Phone: 555-12-3456"},
      {"query": "Meeting at 3:00-4:30 PM"}
    ]
  }'

This lets you see if the policy would produce false positives (e.g., matching order numbers or phone numbers that look like SSNs) before deploying.

Pre-Deployment Compliance Check

Before enabling a new compliance policy, run an impact report against a representative sample of recent queries to understand the operational impact:

curl -X POST "http://localhost:8081/api/v1/policies/impact-report" \
  -H "X-Tenant-ID: my-org" \
  -H "Content-Type: application/json" \
  -d '{
    "policy_id": "eu-ai-act-high-risk-review",
    "inputs": [
      {"query": "Generate a credit score summary for applicant"},
      {"query": "Recommend candidates for the engineering role"},
      {"query": "Summarize patient lab results"},
      {"query": "What are the top restaurants in Berlin?"},
      {"query": "Draft a loan decision letter for application #4521"}
    ]
  }'
Last updated on