Unified Policy Management

AxonFlow provides a unified policy management system that combines both static policies (system-managed security patterns) and dynamic policies (customer-managed governance rules) in a single view.

Policy Types

Static Policies

Static policies are pre-configured security patterns managed by AxonFlow. They protect against common threats:

| Category | Description | Example |
| --- | --- | --- |
| sql_injection | Detects SQL injection attempts | `SELECT * FROM; DROP TABLE` |
| pii_detection | Identifies personally identifiable information | SSN, email, phone patterns |
| dangerous_queries | Blocks potentially harmful operations | Mass deletions, schema changes |
| admin_access | Restricts administrative operations | System configuration changes |

Characteristics:

  • Read-only (cannot be modified via API)
  • Applied globally across all tenants
  • Managed through database migrations
  • Always enabled for security compliance

Dynamic Policies

Dynamic policies are customer-managed rules created through the API or Customer Portal UI:

| Type | Use Case |
| --- | --- |
| content | Filter/modify LLM responses |
| user | Role-based access control |
| risk | Risk scoring and alerts |
| cost | Token limits and cost controls |

Characteristics:

  • Full CRUD operations via REST API
  • Tenant-scoped isolation
  • Version history tracking
  • Real-time enable/disable toggle

API Endpoints

Static Policies (Agent)

# List all static policies
GET /api/v1/static-policies
X-Tenant-ID: your-tenant-id

# Get a specific static policy
GET /api/v1/static-policies/{policy_id}
X-Tenant-ID: your-tenant-id

Dynamic Policies (Orchestrator)

# List dynamic policies
GET /api/v1/policies

# Create a policy
POST /api/v1/policies
Content-Type: application/json

{
  "name": "block-pii-in-responses",
  "description": "Redact PII from LLM responses",
  "type": "content",
  "priority": 100,
  "enabled": true,
  "conditions": [
    {"field": "response", "operator": "contains", "value": "@"}
  ],
  "actions": [
    {"type": "redact", "message": "PII detected"}
  ]
}

# Update a policy
PUT /api/v1/policies/{id}

# Delete a policy
DELETE /api/v1/policies/{id}

# Test a policy
POST /api/v1/policies/{id}/test

Policy Conditions

Dynamic policies support flexible condition matching:

| Operator | Description | Example |
| --- | --- | --- |
| equals | Exact match | `user.role equals admin` |
| not_equals | Negation | `user.role not_equals guest` |
| contains | Substring match | `query contains SELECT` |
| not_contains | Negation | `response not_contains password` |
| regex | Pattern match | `query regex ^DROP\s+TABLE` |
| greater_than | Numeric comparison | `risk_score greater_than 0.8` |
| less_than | Numeric comparison | `cost_estimate less_than 100` |
| in | List membership | `user.department in [engineering, sales]` |

Available Fields

  • query - The user's input query
  • response - The LLM's response
  • user.email - User's email address
  • user.role - User's role
  • user.department - User's department
  • risk_score - Calculated risk score (0.0-1.0)
  • request_type - Type of request
  • connector - Target connector name
  • cost_estimate - Estimated token cost

Policy Actions

| Action | Description |
| --- | --- |
| block | Block the request with a message |
| redact | Remove sensitive content |
| alert | Send an alert notification |
| log | Log for audit purposes |
| route | Route to specific handler |
| modify_risk | Adjust risk score |
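The following is an added example, not AxonFlow code, that models how the operators, fields and actions above fit together so you can sanity-check a policy document locally before sending it to `POST /api/v1/policies` or `POST /api/v1/policies/{id}/test`. It loads the `block-pii-in-responses` policy from the API section exactly as written plus one constructed `user`-type policy, lints both against the vocabulary in the tables, and evaluates them against constructed request contexts in priority order. Everything the page does not specify is marked ASSUMED in the code: that all conditions of a policy are ANDed, that a `block` action ends evaluation, that an absent field satisfies only the negated operators, and what `redact` actually strips (here, email addresses). Note also that the page's `contains "@"` condition fires on any response containing an at-sign; in practice the `regex` operator with an email pattern gives a much tighter match.

```python
import re
from typing import Any

# Vocabulary taken from the tables on this page.
TYPES = {"content", "user", "risk", "cost"}
FIELDS = {"query", "response", "user.email", "user.role", "user.department",
          "risk_score", "request_type", "connector", "cost_estimate"}
ACTIONS = {"block", "redact", "alert", "log", "route", "modify_risk"}
OPS = {  # operator -> predicate(actual_value, policy_value)
    "equals": lambda a, w: a == w,
    "not_equals": lambda a, w: a != w,
    "contains": lambda a, w: str(w) in str(a),
    "not_contains": lambda a, w: str(w) not in str(a),
    "regex": lambda a, w: re.search(w, str(a)) is not None,
    "greater_than": lambda a, w: float(a) > float(w),
    "less_than": lambda a, w: float(a) < float(w),
    "in": lambda a, w: a in w,
}
# ASSUMED: the page does not say what `redact` removes; this model strips emails.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def lint_policy(policy: dict) -> list[str]:
    """Client-side checks worth running before POST /api/v1/policies."""
    problems = []
    if policy.get("type") not in TYPES:
        problems.append(f"unknown type {policy.get('type')!r}")
    for c in policy.get("conditions", []):
        if c.get("field") not in FIELDS:
            problems.append(f"unknown field {c.get('field')!r}")
        if c.get("operator") not in OPS:
            problems.append(f"unknown operator {c.get('operator')!r}")
        elif c["operator"] == "regex":
            try:
                re.compile(c["value"])
            except re.error as err:
                problems.append(f"bad regex {c['value']!r}: {err}")
        elif c["operator"] == "in" and not isinstance(c.get("value"), list):
            problems.append("operator 'in' needs a list value")
    for a in policy.get("actions", []):
        if a.get("type") not in ACTIONS:
            problems.append(f"unknown action {a.get('type')!r}")
    return problems


def get_field(ctx: dict, path: str) -> Any:
    """Resolve a dotted field such as user.role against the request context."""
    cur: Any = ctx
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def match(cond: dict, ctx: dict) -> bool:
    """ASSUMED (fail-closed): an absent field satisfies only the negated
    operators, so `user.role not_equals admin` still fires with no role set."""
    actual = get_field(ctx, cond["field"])
    if actual is None:
        return cond["operator"] in ("not_equals", "not_contains")
    return OPS[cond["operator"]](actual, cond["value"])


def evaluate(policies: list[dict], ctx: dict) -> dict:
    """Apply enabled policies, highest priority first. ASSUMED: a policy's
    conditions are ANDed, `block` ends evaluation, other actions are recorded."""
    result = {"blocked": False, "message": None, "matched": [], "actions": [],
              "response": ctx.get("response")}
    for p in sorted(policies, key=lambda p: p.get("priority", 0), reverse=True):
        if not p.get("enabled") or not all(match(c, ctx) for c in p["conditions"]):
            continue
        result["matched"].append(p["name"])
        for a in p["actions"]:
            result["actions"].append(a["type"])
            if a["type"] == "block":
                result.update(blocked=True, message=a.get("message"))
                return result
            if a["type"] == "redact" and result["response"]:
                result["response"] = EMAIL_RE.sub("[REDACTED]", result["response"])
    return result


POLICIES = [
    {   # the policy from the POST example on this page
        "name": "block-pii-in-responses", "type": "content", "priority": 100,
        "enabled": True,
        "conditions": [{"field": "response", "operator": "contains", "value": "@"}],
        "actions": [{"type": "redact", "message": "PII detected"}],
    },
    {   # constructed: non-admins may not issue schema-destroying queries
        "name": "deny-drop-table-non-admin", "type": "user", "priority": 200,
        "enabled": True,
        "conditions": [
            {"field": "query", "operator": "regex", "value": r"^DROP\s+TABLE"},
            {"field": "user.role", "operator": "not_equals", "value": "admin"},
        ],
        "actions": [{"type": "block", "message": "schema changes require admin"}],
    },
]
```

Because the constructed deny policy carries priority 200, it is evaluated before the priority-100 redaction policy and a blocked request never reaches the redact step; reorder the priorities and the redaction runs first, which is the kind of interaction the `/test` endpoint exists to expose before you enable a policy.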

Customer Portal UI

Enterprise Feature: the Customer Portal provides a unified visual interface for managing both static and dynamic policies. Learn more about enterprise features.

Enterprise customers can use the Customer Portal to:

  • View all policies in a unified dashboard
  • Create, edit, and test dynamic policies visually
  • Monitor policy evaluation metrics
  • Export/import policy configurations

Best Practices

  1. Layer your policies - Use static policies for security baseline, dynamic policies for business rules
  2. Set appropriate priorities - Higher priority policies are evaluated first
  3. Test before enabling - Use the test endpoint to verify policy behavior
  4. Monitor policy hits - Review audit logs to understand policy effectiveness
  5. Version control - Export policies and store in version control for disaster recovery