The agentic industry learned this the hard way. Every publicly-documented agentic failure that involved an unauthorized action — the Chevrolet $1 Tahoe commitment, the Air Canada refund precedent, the Samsung source-code disclosure — would have been prevented by a policy engine with the right rule set. The architect’s job is to make the engine a first-class platform service, not an afterthought bolted onto individual tools.
Why a dedicated policy engine
The architect could, in principle, embed each rule in each tool handler — a hard-coded tenant check in the database tool, a hard-coded refund cap in the refund tool, a hard-coded working-hours check in the email tool. This inlining pattern is how most agents start and why most agentic security reviews fail. The rules become invisible, inconsistent, impossible to audit, and impossible to update without shipping code.
The alternative — a dedicated policy engine — inverts the relationship. Each tool emits a structured request: “agent A wants to call tool T with parameters P on behalf of user U in tenant T at time Z.” The policy engine evaluates this request against a central rule set and returns {decision: allow|deny|require_approval, reasons: [...], obligations: [...]}. The tool handler then executes only if allowed, records the reasons and obligations, and returns control to the agent loop. Rules change by updating the rule set; code does not change. Audit runs on a single rule repository. Compliance reviews inspect one service.
OPA, Cedar, and the ABAC shape
Two open-source engines dominate the policy-engine market and both are appropriate for agentic systems: Open Policy Agent (OPA), which uses the Rego language, and AWS Cedar, which AWS open-sourced in 2023. Both follow the attribute-based access control (ABAC) model: policies evaluate attributes of the request, the subject, the resource, and the environment, rather than binary role membership.
ABAC is the right model for agentic systems because the questions an agent asks are ABAC questions: not “is this agent in the admin group” but “is this agent acting for user U in tenant T during U’s tenant’s working hours, where the tool being called has risk class 3, the resource being accessed has data classification PII, and the agent has not exceeded the daily sensitive-action quota.” No role-based system can express that cleanly; ABAC systems can.
OPA’s strengths are ecosystem maturity, the Rego language’s expressive power, extensive integration with Kubernetes admission control, and a strong community. Cedar’s strengths are formal verification (Cedar policies have provable properties that OPA’s Rego policies do not), a simpler policy language closer to English, and strong multi-tenant semantics out of the box. Cedar is the newer entrant and adoption is growing; OPA is the default most teams reach for first. The architect should evaluate both against the specific policy-authoring complexity the organization will need — a team with heavy Kubernetes investment will find OPA a natural extension, while a team building a dedicated agentic platform may find Cedar’s simpler language easier to hand to non-platform engineers authoring policies.
Commercial alternatives — Styra DAS (OPA-based), Permit.io, Oso — wrap OPA or equivalents with management planes, policy templates, and audit UIs. For large-scale agentic platforms, a commercial product reduces the operational burden of running a policy engine at production quality. Build-your-own is viable when an existing identity platform (e.g., SpiceDB, Keycloak Authorization Services) already handles most of the organization’s authorization load and can extend to agentic.
Policy-authoring patterns for agentic systems
Four policy-authoring patterns appear repeatedly in production agentic systems. The architect specifies which apply to which tools.
Pattern 1 — Context-aware approval
Rules that evaluate request context rather than static attributes. “Allow the refund tool if the amount is under $100 and the customer has fewer than three refunds this year; require manager approval otherwise.” The context attributes — amount, refund count — come from the runtime’s request construction, not from the agent’s prompt. The agent cannot lie about refund count because the agent does not populate that field.
Pattern 2 — Time-bounded delegation
Rules that encode when an action is permitted. “Allow outbound email from the SDR agent during the tenant’s business hours in the recipient’s time zone” (relevant for EU GDPR + ePrivacy, and for US state-level outreach restrictions). “Block all production-database write tools during the organization’s change-freeze window.” Time-bounded rules sit in the policy engine, not in the agent prompt, because prompts can be hijacked but policy-engine clocks cannot.
Pattern 3 — Multi-tenant scoping
Rules that enforce tenant isolation. “Deny any tool call whose resource identifier does not match the tenant context in the request.” In multi-tenant agentic platforms this is non-negotiable — a single missing tenant check has caused production incidents. The policy engine is the right place to enforce it once and audit it centrally, rather than relying on each tool to remember.
Pattern 4 — Quota and rate control
Rules that cap the volume of sensitive actions per time window. “No single agent session may send more than 25 outbound emails per hour; the 26th call returns decision: deny, reason: quota_exceeded.” Rate limits at the policy engine are auditable and consistent; rate limits embedded in each tool are not.
Integration with the agent runtime
The policy engine’s integration surface with the agent runtime has four touch points.
Tool-call gate. Before any tool executes, the runtime calls the policy engine. This is the canonical gate and it runs on every tool call — including tools the architect thinks of as “read-only,” because read-only is often only read-only today. The gate must be fast (sub-10ms P99 for local OPA; sub-30ms for networked Cedar) to avoid dominating the tool-call latency budget.
Memory-write gate. Before any memory write, the runtime calls the policy engine with the write intent and classification. Memory-poisoning attacks (Article 7) can be prevented at this gate — “deny any memory write whose classification is higher than the writing agent’s clearance.”
Escalation gate. The policy engine is the arbiter of whether an action needs HITL approval. When the engine returns require_approval, the runtime routes the request to the approver queue; the approver’s decision feeds back into the audit log.
Cross-agent delegation gate. In multi-agent systems (Articles 11, 12, 29), one agent calling another is a policy-gated action. The policy engine evaluates whether the source agent is authorized to delegate the specified task to the target agent and whether the target’s authority is sufficient to receive it.
Policy versioning, testing, and rollback
Policies are code. They must be versioned in git, tested in CI, reviewed by peers, deployed through the same promotion pipeline as other runtime components, and rolled back when they cause incidents. The specific disciplines that matter for agentic policy:
Unit tests per rule. Each policy rule has at least one positive and one negative unit test. OPA’s built-in test framework and Cedar’s verification tools support this natively. The CI pipeline blocks merges that reduce rule coverage.
Policy simulations. Before deploying a rule change to production, run the proposed policy against a sample of recent production requests and report the decision-delta — how many previously-allowed requests would now be denied, how many previously-denied would now be allowed. This is the equivalent of a canary rollout for policy changes.
Policy rollback on incident. When a policy change causes a production regression (e.g., legitimate requests suddenly denied), the rollback mechanism must be fast — targets under 60 seconds from incident detection to previous-version restoration. OPA and Cedar both support hot policy reload without runtime restart.
Audit decisions, not just rules. The audit log records every decision the engine made, not just rule changes. Regulators increasingly ask “what did your system decide for this specific user on this specific date” — that question is answerable only if decisions are logged with enough context to reconstruct the rule evaluation.
The “obligations” output
A subtle but powerful policy-engine feature is the obligation: a condition the engine attaches to an allow decision that the runtime must fulfill. “Allow this refund, with the obligation that the action be logged to the compliance audit table with the refund amount, customer ID, and agent trace ID within 5 seconds.” Obligations let the architect factor audit requirements into the policy layer rather than into each tool, which keeps tools simple and audit coverage uniform.
Cedar supports obligations natively; OPA supports them via the decision response shape (Rego returns an object, and the runtime reads the obligations field). Either works. The test is whether the runtime enforces obligation fulfillment — an obligation that is declared but not enforced is a regulatory liability masquerading as a compliance control.
Anti-patterns
Three anti-patterns recur in agentic policy-engine deployments.
Anti-pattern 1 — “Policy as a second-chance check in the prompt.” The architect adds “you may not do X” to the system prompt and relies on the model to obey. Prompt injection defeats this in seconds. Policy engines enforce structurally; prompts do not.
Anti-pattern 2 — “Policy as a write-only audit sink.” The engine records decisions but the runtime doesn’t enforce them. The organization thinks it has a policy engine; it has an expensive log file.
Anti-pattern 3 — “Policy rules live in every team.” Fifteen product teams each wrote their own OPA policy for their own agent, and none coordinate. The platform team re-centralizes the rule set under a shared namespace with per-tool extensions; policies become auditable.
EU AI Act Article 14 mapping
EU AI Act Article 14 requires human oversight measures proportionate to the risk. A policy engine that routes sensitive actions to a human-approval queue is the architectural embodiment of proportionate oversight, and the conformity-assessment evidence pack (Article 23) should include the policy-engine configuration, the rule set as of the assessment date, the approval-queue records, and the change-control process for the rule set itself.
Learning outcomes
- Explain the ABAC policy-engine architecture and its advantages over RBAC and inline checks for agentic systems.
- Classify four policy patterns — context-aware, time-bounded, multi-tenant, quota — and apply each to a tool surface.
- Evaluate a proposed policy set for conflict, unreachable rules, and obligation-enforcement gaps.
- Design a policy specification for a given agent surface, including rule structure, attributes required, decision outputs, obligations, and audit requirements.
Further reading
- Core Stream anchors:
EATE-Level-3/M3.4-Art11-Agentic-AI-Governance-Architecture-Delegation-Authority-and-Accountability.md - AITE-ATS siblings: Article 6 (tool-call authorization and validation), Article 21 (sandboxing), Article 23 (EU AI Act Articles 14, 52, 43), Article 26 (registries), Article 27 (security architecture).
- Primary sources: Open Policy Agent public docs and Rego language reference; AWS Cedar public docs and Cedar formal-verification design; Styra DAS public materials.