Skip to main content

System Policies Reference

Reference page. This is the canonical inventory of every built-in policy, its category, and its default action. Use it to look up what ships out of the box before you write a custom policy. New to policies? Start with Policy-as-Code and Policy Hierarchy.

AxonFlow ships with 79 built-in system policies:

  • 69 pattern-based system policies evaluated by the Agent for low-latency enforcement
  • 10 condition-based system policies evaluated by the Orchestrator for context-aware governance

These policies give engineers a strong production baseline for LLM security, PII protection, prompt-injection defense, secret detection, and runtime compliance controls.

System policies are immutable (tier=system) — you cannot edit or delete them, but Enterprise customers can override their action or disable them per organization (see Customizing System Policies).

Actions are governance-profile-driven

The Action column below is the default profile action — the out-of-the-box posture (ADR-036, v6.2.0+). In the default profile, SQL injection, PII, and sensitive-data detections warn (the request flows through unchanged but the detection is recorded), while the unambiguously dangerous classes block: admin-table access, Indonesian KTP, and prompt-injection ship as block. Singapore PII ships as redact.

This is deliberate (observe-first): false positives that hard-block legitimate traffic teach users to bypass the system. To harden enforcement, switch profiles or set per-category env vars — e.g. AXONFLOW_PROFILE=strict makes PII/SQLi/sensitive-data block, and PII_ACTION=redact / SQLI_ACTION=block flip individual categories. See Governance Profiles for the full dev / default / strict / compliance matrix. Enterprise customers can additionally override any single policy's action per organization.

Overview

CategoryEvaluationCountSeverity RangeDefault Action
Security - SQL Injection (security-sqli)Pattern-Based (Agent)37Critical - MediumWarn
Security - Admin Access (security-admin)Pattern-Based (Agent)4High - MediumBlock
Security - Dangerous Instructions (security-dangerous)Pattern-Based (Agent)4HighBlock
Sensitive Data / Secrets (sensitive-data)Pattern-Based (Agent)6HighWarn
PII - Global (pii-global)Pattern-Based (Agent)7Critical - LowWarn / Log
PII - United States (pii-us)Pattern-Based (Agent)2CriticalWarn
PII - European Union (pii-eu)Pattern-Based (Agent)1CriticalWarn
PII - India (pii-india)Pattern-Based (Agent)2CriticalWarn
PII - Singapore (pii-singapore)Pattern-Based (Agent)5Critical - LowRedact
PII - Indonesia (pii-indonesia)Pattern-Based (Agent)1CriticalBlock
Risk Management (dynamic-risk)Condition-Based (Orchestrator)2-Block / Warn
Compliance (dynamic-compliance)Condition-Based (Orchestrator)3-Block
Security Controls (dynamic-security)Condition-Based (Orchestrator)2-Block
Cost Management (dynamic-cost)Condition-Based (Orchestrator)2-Block / Warn
Access Control (dynamic-access)Condition-Based (Orchestrator)1-Block

Pattern-based total: 69 · Condition-based total: 10 · All system policies: 79.

"Secret/unsafe-code" detection

Generic secret detection (API keys, tokens, passwords, connection strings) ships as the sensitive-data category below. Language-specific code secret/unsafe patterns (e.g. provider-specific API-key formats, eval()/pickle) are surfaced today only as audit metadata on generated-code responses, not as enforced policies. Enforced agent-traffic code-secret/unsafe-code detection is tracked as potential net-new work, not a shipped system policy.

Pattern-Based System Policies

Security - SQL Injection (security-sqli)

37 patterns covering all major SQL injection techniques.

UNION-Based Injection (2 patterns)

IDNameSeverityAction
sys_sqli_union_selectUNION SELECT DetectionCriticalWarn
sys_sqli_union_injectionUNION Injection After TerminationCriticalWarn

Boolean-Based Blind Injection (3 patterns)

IDNameSeverityAction
sys_sqli_or_trueOR True ConditionHighWarn
sys_sqli_or_stringOR String ConditionHighWarn
sys_sqli_and_falseAND False ConditionHighWarn

Time-Based Blind Injection (4 patterns)

IDNameSeverityAction
sys_sqli_sleepMySQL SLEEP FunctionCriticalWarn
sys_sqli_waitforSQL Server WAITFOR DELAYCriticalWarn
sys_sqli_pg_sleepPostgreSQL pg_sleepCriticalWarn
sys_sqli_benchmarkMySQL BENCHMARK FunctionCriticalWarn

Error-Based Injection (3 patterns)

IDNameSeverityAction
sys_sqli_extractvalueEXTRACTVALUE FunctionHighWarn
sys_sqli_updatexmlUPDATEXML FunctionHighWarn
sys_sqli_convert_intCONVERT INT InjectionHighWarn

Stacked Queries (5 patterns)

IDNameSeverityAction
sys_sqli_stacked_dropStacked DROP StatementCriticalWarn
sys_sqli_stacked_deleteStacked DELETE StatementCriticalWarn
sys_sqli_stacked_updateStacked UPDATE StatementCriticalWarn
sys_sqli_stacked_insertStacked INSERT StatementCriticalWarn
sys_sqli_stacked_execStacked EXEC StatementCriticalWarn

Comment-Based Injection (3 patterns)

IDNameSeverityAction
sys_sqli_inline_commentInline Comment InjectionHighWarn
sys_sqli_line_comment_mysqlMySQL Line Comment InjectionHighWarn
sys_sqli_line_comment_dashDouble-Dash Comment InjectionHighWarn

Generic Patterns (9 patterns)

IDNameSeverityAction
sys_sqli_select_fromSELECT FROM After TerminationCriticalWarn
sys_sqli_admin_bypassAuthentication BypassCriticalWarn
sys_sqli_hex_encodingHex-Encoded PayloadMediumWarn
sys_sqli_char_functionCHAR Function ObfuscationHighWarn
sys_sqli_concat_selectCONCAT with Embedded SELECTHighWarn
sys_sqli_information_schemaINFORMATION_SCHEMA AccessHighWarn
sys_sqli_sys_tablesSystem Tables AccessHighWarn
sys_sqli_load_fileLOAD_FILE FunctionCriticalWarn
sys_sqli_into_outfileINTO OUTFILE/DUMPFILECriticalWarn

Dangerous Query Patterns (8 patterns)

IDNameSeverityAction
sys_sqli_drop_tableDROP TABLE StatementCriticalWarn
sys_sqli_drop_databaseDROP DATABASE StatementCriticalWarn
sys_sqli_truncateTRUNCATE TABLE StatementCriticalWarn
sys_sqli_alter_tableALTER TABLE StatementHighWarn
sys_sqli_delete_no_whereDELETE Without WHERECriticalWarn
sys_sqli_create_userCREATE USER StatementCriticalWarn
sys_sqli_grantGRANT Privileges StatementCriticalWarn
sys_sqli_revokeREVOKE Privileges StatementCriticalWarn

Security - Admin Access (security-admin)

4 patterns guarding access to sensitive administrative tables and schemas.

IDNameSeverityActionDescription
sys_admin_users_tableUsers Table AccessHighBlockAccess to users table
sys_admin_audit_logAudit Log AccessHighBlockAccess to audit logs
sys_admin_config_tableConfiguration Table AccessHighBlockSystem config access
sys_admin_info_schemaInformation Schema AccessMediumBlockSystem schema access

Security - Dangerous Instructions (security-dangerous)

4 patterns detecting indirect prompt-injection attempts in free-text that flows into the model (OWASP LLM01). These guard merchant/user-controlled fields and ship as block.

IDNameSeverityActionDescription
sys_dangerous_injection_overridePrompt Injection — Instruction OverrideHighBlock"Ignore/disregard previous instructions" and similar overrides
sys_dangerous_injection_role_overridePrompt Injection — Role ReassignmentHighBlockAttempts to reassign the assistant to a privileged/jailbreak persona
sys_dangerous_injection_system_exfilPrompt Injection — System Prompt ExfiltrationHighBlockAttempts to reveal/print/repeat the system prompt or hidden instructions
sys_dangerous_injection_bracket_markerPrompt Injection — Template/Bracket MarkerHighBlockInjected chat-template/role-delimiter markers ([system], <im_start>, ### system)

Sensitive Data / Secrets (sensitive-data)

6 patterns detecting credentials and secrets in request/response content (generic, provider-agnostic).

IDNameSeverityActionDescription
sys_sensitive_api_keyAPI Key DetectionHighWarnGeneric API-key assignment patterns
sys_sensitive_tokenToken DetectionHighWarnBearer/access tokens in content
sys_sensitive_secretSecret DetectionHighWarnGeneric secret assignment patterns
sys_sensitive_passwordPassword DetectionHighWarnPassword values in content
sys_sensitive_credentialsCredentials DetectionHighWarnCombined credential patterns
sys_sensitive_connectionConnection String DetectionHighWarnDatabase/service connection strings

PII - Global (pii-global)

7 universal patterns applicable in all regions.

IDNameSeverityActionDescription
sys_pii_credit_cardCredit Card NumberCriticalWarnVisa, MC, Amex, Discover, Diners, JCB
sys_pii_passportPassport NumberHighWarnGeneric passport format
sys_pii_dobDate of BirthHighLogCommon date formats
sys_pii_emailEmail AddressMediumLogStandard email format
sys_pii_phonePhone NumberMediumLogInternational formats
sys_pii_ip_addressIP AddressMediumLogIPv4 addresses
sys_pii_booking_refBooking ReferenceLowLogContext-anchored 6-char alphanumeric

PII - United States (pii-us)

IDNameSeverityActionDescription
sys_pii_ssnSocial Security NumberCriticalWarnXXX-XX-XXXX format
sys_pii_bank_accountBank Account NumberCriticalWarnRouting + account number

PII - European Union (pii-eu)

IDNameSeverityActionDescription
sys_pii_ibanIBANCriticalWarnInternational Bank Account Number

PII - India (pii-india)

IDNameSeverityActionDescription
sys_pii_panPAN (Permanent Account Number)CriticalWarn10-char with entity-type validation
sys_pii_aadhaarAadhaar NumberCriticalWarn12-digit UID (DPDP Act 2023)

PII - Singapore (pii-singapore)

Singapore-specific patterns support MAS FEAT-oriented governance and regional privacy controls in Community Edition. These ship as redact.

IDNameSeverityActionDescription
sys_pii_singapore_nricSingapore NRIC DetectionCriticalRedactNational Registration Identity Card pattern
sys_pii_singapore_finSingapore FIN DetectionCriticalRedactForeign Identification Number pattern
sys_pii_singapore_uenSingapore UEN DetectionHighRedactUnique Entity Number pattern
sys_pii_singapore_phoneSingapore Phone DetectionMediumRedact+65 phone numbers
sys_pii_singapore_postalSingapore Postal Code DetectionLowWarnSix-digit postal code pattern

PII - Indonesia (pii-indonesia)

Indonesia KTP/NIK detection for OJK / BI / UU PDP compliance. The Community shared engine seeds the KTP menu entry as block; the Enterprise Indonesia PII detector additionally enforces NIK, NPWP, phone, and major-bank account patterns at runtime with NIK validation.

IDNameSeverityActionDescription
sys_pii_indonesia_ktpIndonesian KTP DetectionCriticalBlock16-digit KTP/NIK (keyword-anchored, NIK-validated)

Condition-Based System Policies

Condition-based policies use context-aware rules evaluated by the Orchestrator. These provide runtime governance for risk, compliance, cost, and access control.

Policy ID Naming Convention

System policy IDs follow the pattern: sys_ + category abbreviation + specific pattern name.

PrefixMeaningExample
sys_sqli_SQL injection patternsys_sqli_union_select
sys_admin_Admin access controlsys_admin_users_table
sys_dangerous_Prompt-injection guardsys_dangerous_injection_override
sys_sensitive_Secret / sensitive-data patternsys_sensitive_api_key
sys_pii_PII detection patternsys_pii_ssn
sys_dyn_Dynamic/condition-based policysys_dyn_high_risk_block

Risk Management (dynamic-risk)

IDNameConditionAction
sys_dyn_high_risk_blockBlock High-Risk Queriesrisk_score > 0.8Block
sys_dyn_anomalous_accessAnomalous Access Detectionrisk_score > 0.6 and anomalous access patternAlert

Condition example (as returned by GET /api/v1/policies):

{
  "id": "sys_dyn_high_risk_block",
  "name": "Block High-Risk Queries",
  "type": "risk_based",
  "category": "dynamic-risk",
  "tier": "system",
  "conditions": [
    {"field": "risk_score", "operator": "greater_than", "value": 0.8}
  ],
  "actions": [
    {"type": "block", "config": {"reason": "Query risk score exceeds safety threshold"}}
  ],
  "enabled": true
}

Compliance (dynamic-compliance)

IDNameConditionAction
sys_dyn_hipaaHIPAA ComplianceHealthcare data keywords presentRedact + Log
sys_dyn_gdprGDPR ComplianceUser region in EU/EEA/UKRedact + Log
sys_dyn_financialFinancial Data ProtectionFinancial data keywords presentRedact + Log

Condition example (as returned by GET /api/v1/policies):

{
  "id": "sys_dyn_hipaa",
  "name": "HIPAA Compliance",
  "type": "compliance",
  "category": "dynamic-compliance",
  "tier": "system",
  "conditions": [
    {"field": "query", "operator": "contains_any", "value": ["patient", "diagnosis", "treatment", "medical_record", "prescription"]}
  ],
  "actions": [
    {"type": "redact", "config": {"fields": ["patient_id", "ssn", "medical_record_number"]}},
    {"type": "log", "config": {"compliance": "hipaa"}}
  ],
  "enabled": true
}

Security Controls (dynamic-security)

IDNameConditionAction
sys_dyn_tenant_isolationTenant IsolationCross-tenant tenant_id access attemptBlock
sys_dyn_debug_restrictDebug Mode Restrictiondebug query outside development environmentBlock

Cost Management (dynamic-cost)

IDNameConditionAction
sys_dyn_expensive_queryExpensive Query Limitcost_estimate > 100Alert + Log
sys_dyn_llm_costLLM Cost OptimizationLLM chat and monthly_llm_usage > 1000Add risk + Alert

Access Control (dynamic-access)

IDNameConditionAction
sys_dyn_sensitive_dataSensitive Data ControlQuery references salary, SSN, or medical recordsRedact

Querying System Policies

List All System Policies

const policies = await client.listStaticPolicies({
  tier: 'system'
});

console.log(`Total system policies: ${policies.length}`);

Filter by Category

// Get all SQL injection policies
const sqli = await client.listStaticPolicies({
  tier: 'system',
  category: 'security-sqli'
});

// Get all PII policies
const pii = await client.listStaticPolicies({
  tier: 'system',
  category: 'pii-global'
});

REST API

# All system policies
curl "http://localhost:8080/api/v1/static-policies?tier=system"

# Filtered by category
curl "http://localhost:8080/api/v1/static-policies?tier=system&category=security-sqli"

Customizing System Policies (Enterprise)

Enterprise Feature

Policy overrides require an Enterprise license.

You cannot modify system policy patterns, but you can:

  1. Disable a policy for your organization
  2. Change the action (only to more restrictive, or disable)
  3. Set an expiration for temporary overrides

Example: Disable Email Detection

await client.createPolicyOverride({
  policyId: 'sys_pii_email',
  enabledOverride: false,
  overrideReason: 'Internal tool - no customer email exposure',
});

Example: Escalate to Block

await client.createPolicyOverride({
  policyId: 'sys_pii_credit_card',
  actionOverride: 'block',  // Was 'warn'
  overrideReason: 'PCI requirement - block all credit-card exposure',
});

Rollout Checklist

Use this page as one layer of the broader governance rollout:

Last updated on