Configuring System Policies
AxonFlow ships with a built-in governance baseline so teams do not have to design their entire policy layer before sending the first governed request.
Today that baseline is:
- 73 pattern-based system policies on the Agent
- 10 condition-based system policies on the Orchestrator
- 83 total built-in system policies
This guide covers the public configuration surface for system policies. Tenant-policy management is covered elsewhere in the policy docs.
Configuration Model
The public environment-variable model is split by execution surface:
| Surface | What it governs | Prefix |
|---|---|---|
| MCP | connector and SQL-style data access | MCP_* |
| Gateway / Proxy | governed LLM requests through the Agent | GATEWAY_* |
Mode-specific settings override the global action defaults.
Global Defaults
```bash
PII_ACTION=redact
SQLI_ACTION=block
DANGEROUS_QUERY_ACTION=block
SENSITIVE_DATA_ACTION=warn
HIGH_RISK_ACTION=warn
```
These are the defaults most teams adjust first.
MCP-Specific Overrides
```bash
MCP_STATIC_POLICIES_ENABLED=true
MCP_PII_ACTION=log
MCP_SQLI_ACTION=warn
MCP_DANGEROUS_QUERY_ACTION=warn
MCP_STATIC_POLICIES_SKIP_CATEGORIES=pii-global,pii-us
```
Use MCP-specific overrides when connector and data-access flows need different behavior from user-facing LLM traffic.
Gateway-Specific Overrides
```bash
GATEWAY_STATIC_POLICIES_ENABLED=true
GATEWAY_PII_ACTION=block
GATEWAY_SQLI_ACTION=block
GATEWAY_STATIC_POLICIES_SKIP_CATEGORIES=pii-india
```
This is the right place to make gateway/proxy responses stricter than internal data flows.
Precedence
The order of precedence is:
```text
mode-specific override -> global action -> engine default
```
For example:
```bash
PII_ACTION=block
MCP_PII_ACTION=log
```
With this configuration, MCP requests only log PII findings (the MCP-specific override wins), while gateway/proxy requests, which have no override of their own, fall back to the global value and still block them.
Common Operating Patterns
Relax MCP During Local Development
```bash
MCP_PII_ACTION=log
MCP_SQLI_ACTION=warn
```
Strict Global Posture
```bash
PII_ACTION=block
SQLI_ACTION=block
DANGEROUS_QUERY_ACTION=block
SENSITIVE_DATA_ACTION=block
HIGH_RISK_ACTION=block
```
Disable MCP Static System Policies
```bash
MCP_STATIC_POLICIES_ENABLED=false
```
This disables static system-policy evaluation on the MCP surface only. Gateway/proxy static policies and the rest of the policy and governance layer (such as tenant policies) continue to apply.
Skip Categories
The `*_STATIC_POLICIES_SKIP_CATEGORIES` variables let you suppress specific system-policy categories on one surface. The value is a comma-separated list of category names.
Common categories include:
| Category | Purpose |
|---|---|
| pii-global | global PII patterns such as email addresses or phone numbers |
| pii-us | US-specific PII |
| pii-india | India-specific PII |
| pii-eu | EU-oriented PII |
| pii-singapore | Singapore-specific PII |
| security-sqli | SQL injection detection |
| sensitive-data | secrets and credential-like content |
| code-secrets | hard-coded secret patterns in code |
| code-unsafe | unsafe code patterns |
| code-compliance | code-governance and compliance patterns |
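The following is an added example, not AxonFlow's own code: a small resolver that models the precedence rule from the Precedence section together with the `*_STATIC_POLICIES_ENABLED` and `*_STATIC_POLICIES_SKIP_CATEGORIES` switches described here, so you can audit what a given environment actually yields per surface before deploying it. It assumes the engine defaults equal the documented global defaults and that an unset `*_STATIC_POLICIES_ENABLED` means enabled; the sample environment is constructed.

```python
"""Effective system-policy settings per execution surface (added example, not
AxonFlow code). Models the documented precedence (mode-specific override ->
global action -> engine default) plus the *_STATIC_POLICIES_* switches."""
from typing import Mapping

# Assumption: the engine defaults equal the documented global defaults.
ENGINE_DEFAULTS = {"PII": "redact", "SQLI": "block", "DANGEROUS_QUERY": "block",
                   "SENSITIVE_DATA": "warn", "HIGH_RISK": "warn"}
SURFACES = ("MCP", "GATEWAY")
ACTIONS = {"block", "redact", "warn", "log"}  # the actions this page uses


def resolve_action(env: Mapping[str, str], surface: str, policy: str) -> str:
    """Effective action for `policy` on `surface`, e.g. ("MCP", "PII")."""
    if surface not in SURFACES or policy not in ENGINE_DEFAULTS:
        raise ValueError(f"unknown surface or policy: {surface}/{policy}")
    # Highest-priority key first; an unset or blank variable falls through.
    for key in (f"{surface}_{policy}_ACTION", f"{policy}_ACTION"):
        value = env.get(key, "").strip().lower()
        if value:
            if value not in ACTIONS:
                raise ValueError(f"{key}={value!r} is not a recognised action")
            return value
    return ENGINE_DEFAULTS[policy]


def static_policies_enabled(env: Mapping[str, str], surface: str) -> bool:
    """*_STATIC_POLICIES_ENABLED; unset keeps the documented default of true."""
    value = env.get(f"{surface}_STATIC_POLICIES_ENABLED")
    return True if value is None else value.strip().lower() in {"1", "true", "yes"}


def skip_categories(env: Mapping[str, str], surface: str) -> frozenset[str]:
    """Comma-separated *_STATIC_POLICIES_SKIP_CATEGORIES, whitespace-tolerant."""
    raw = env.get(f"{surface}_STATIC_POLICIES_SKIP_CATEGORIES", "")
    return frozenset(c.strip() for c in raw.split(",") if c.strip())


def effective_config(env: Mapping[str, str], surface: str) -> dict:
    """What an operator would want to see when auditing one surface's posture."""
    return {"enabled": static_policies_enabled(env, surface),
            "skip": sorted(skip_categories(env, surface)),
            "actions": {p: resolve_action(env, surface, p) for p in ENGINE_DEFAULTS}}


if __name__ == "__main__":
    # Constructed sample environment based on the Precedence section's example.
    sample = {"PII_ACTION": "block", "MCP_PII_ACTION": "log",
              "MCP_STATIC_POLICIES_SKIP_CATEGORIES": "pii-global, pii-us"}
    for s in SURFACES:
        print(s, effective_config(sample, s))
```

Running it on the sample shows MCP with `PII: log` and two skipped categories while GATEWAY keeps `PII: block` with nothing skipped, which is the behaviour the Precedence section describes.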
Enterprise Note
Licensed tiers expand the operating model around policy management, especially for organization-level workflows and broader portal-based governance. But the public/community environment-variable surface above is the right place to start when you want to tune the built-in system-policy baseline.
