Policy Engine Guide
Policies are rules that control how AI agent actions are processed. Each policy has conditions (when it triggers) and a decision (what happens). Policies are evaluated in priority order, and the strictest decision wins: block > escalate > allow.
Key concepts
- Trigger — which action types this policy applies to (empty = all actions)
- Conditions — all conditions must match (AND logic) for the policy to fire
- Decision — block, escalate, or allow
- Priority — higher-priority policies are evaluated first
- Without any policies, all actions are approved by default
Condition Types
| Field | Operators | Example Value | Description |
|---|---|---|---|
| risk_score | above, below | 0.8 | Content verification risk score (0-1) |
| action | is, is_not | send_email | The action type from the intent |
| channel | is, is_not | slack | The channel from the intent |
| content | contains, not_contains, regex | competitor | The text content of the intent |
| param | gt, lt, is, contains | 200 | A specific parameter value (set paramName) |
| time | outside_hours | 09:00-17:00 | Current time vs business hours |
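
The evaluation rules under Key concepts, sketched in Python over the condition fields in the table above. This is an added example, not the product's engine code; the intent shape (`action`, `risk_score`, `params`), the operator semantics and the treatment of a missing field are assumptions, and `POLICIES` holds three of this guide's example policies.

```python
import re

SEVERITY = {"allow": 0, "escalate": 1, "block": 2}  # block > escalate > allow
# Operator semantics below are assumptions: substring match, re.search, numeric compare.
OPS = {
    "above": lambda a, v: a > v, "below": lambda a, v: a < v,
    "gt": lambda a, v: float(a) > v, "lt": lambda a, v: float(a) < v,
    "is": lambda a, v: a == v, "is_not": lambda a, v: a != v,
    "contains": lambda a, v: v in str(a), "not_contains": lambda a, v: v not in str(a),
    "regex": lambda a, v: re.search(v, str(a)) is not None,
}

def field_value(cond, intent):
    """Resolve a condition's field against the intent (hypothetical intent shape)."""
    if cond["field"] == "param":
        return intent.get("params", {}).get(cond["paramName"])
    return intent.get(cond["field"])

def matches(policy, intent):
    if policy["trigger"] and intent["action"] not in policy["trigger"]:
        return False  # non-empty trigger that excludes this action
    for cond in policy["conditions"]:  # AND logic: every condition must match
        actual = field_value(cond, intent)
        # Assumption: a field missing from the intent makes the condition not match.
        if actual is None or not OPS[cond["operator"]](actual, cond["value"]):
            return False
    return True

def evaluate(policies, intent):
    """Return (decision, names of the policies that fired)."""
    decision, fired = "allow", []  # nothing fires -> approved by default
    for p in sorted(policies, key=lambda p: -p["priority"]):  # higher priority first
        if p.get("enabled", True) and matches(p, intent):
            fired.append(p["name"])
            if SEVERITY[p["decision"]] > SEVERITY[decision]:
                decision = p["decision"]
    return decision, fired

POLICIES = [  # constructed input in the guide's policy format
    {"name": "Block high risk actions", "trigger": [], "decision": "block", "priority": 10,
     "conditions": [{"field": "risk_score", "operator": "above", "value": 0.8}]},
    {"name": "Escalate external emails", "trigger": ["send_email"], "decision": "escalate", "priority": 5,
     "conditions": [{"field": "param", "operator": "contains", "value": "gmail.com", "paramName": "to"}]},
    {"name": "Escalate large refunds", "trigger": ["issue_refund"], "decision": "escalate", "priority": 7,
     "conditions": [{"field": "param", "operator": "gt", "value": 200, "paramName": "refund_amount"}]},
]
# Constructed intent; the field names are assumptions, not a documented schema.
RISKY_EMAIL = {"action": "send_email", "risk_score": 0.9, "params": {"to": "a@gmail.com"}}
```

In this sketch `evaluate(POLICIES, RISKY_EMAIL)` fires both the block and the escalate policy and returns `block`. An `issue_refund` intent that carries the amount under a different parameter name fires nothing and falls through to the default allow, so it is worth confirming how the deployed engine treats a missing `paramName`.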
Example Policies
1. Block all high-risk actions
If the content verification risk score is above 80%, block the action. This prevents agents from sending unverified or hallucinated information.
{
"name": "Block high risk actions",
"trigger": [],
"conditions": [
{ "field": "risk_score", "operator": "above", "value": 0.8 }
],
"decision": "block",
"priority": 10
}
curl -X POST https://your-domain.com/api/policies \
-H "Authorization: Bearer hg_sk_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"name": "Block high risk actions",
"trigger": [],
"conditions": [
{ "field": "risk_score", "operator": "above", "value": 0.8 }
],
"decision": "block",
"priority": 10
}'
2. Escalate external emails for review
Any email sent to a gmail.com address requires human approval first. The param field checks the to parameter.
{
"name": "Escalate external emails",
"trigger": ["send_email"],
"conditions": [
{ "field": "param", "operator": "contains", "value": "gmail.com", "paramName": "to" }
],
"decision": "escalate",
"priority": 5
}
3. Block messages mentioning competitors
Prevents agents from referencing competitor products in outgoing messages.
{
"name": "Block competitor mentions",
"trigger": ["send_message", "reply_ticket", "send_email"],
"conditions": [
{ "field": "content", "operator": "regex", "value": "CompetitorA|CompetitorB|CompetitorC" }
],
"decision": "block",
"priority": 8
}
4. Require approval for large refunds
If the refund_amount parameter exceeds $200, escalate for human review.
{
"name": "Escalate large refunds",
"trigger": ["issue_refund"],
"conditions": [
{ "field": "param", "operator": "gt", "value": 200, "paramName": "refund_amount" }
],
"decision": "escalate",
"priority": 7
}
5. Block actions outside business hours
No automated actions are allowed outside 9 AM - 5 PM.
{
"name": "Block outside business hours",
"trigger": [],
"conditions": [
{ "field": "time", "operator": "outside_hours", "value": "09:00-17:00" }
],
"decision": "block",
"priority": 9
}
6. Escalate medium-risk Zendesk replies
Combine multiple conditions. The trigger restricts this policy to reply_ticket actions, and both conditions must match (AND logic): channel is zendesk AND risk_score is above 0.4.
{
"name": "Review risky Zendesk replies",
"trigger": ["reply_ticket"],
"conditions": [
{ "field": "channel", "operator": "is", "value": "zendesk" },
{ "field": "risk_score", "operator": "above", "value": 0.4 }
],
"decision": "escalate",
"priority": 6
}
Policy API
List all policies
curl https://your-domain.com/api/policies \
-H "Authorization: Bearer hg_sk_your_api_key"
Enable/disable a policy
curl -X PATCH https://your-domain.com/api/policies/{policyId} \
-H "Authorization: Bearer hg_sk_your_api_key" \
-H "Content-Type: application/json" \
-d '{ "enabled": false }'
Delete a policy
curl -X DELETE https://your-domain.com/api/policies/{policyId} \
-H "Authorization: Bearer hg_sk_your_api_key"
Dashboard
You can also create and manage policies visually from the Policies dashboard. The visual condition builder lets you create rules with dropdowns instead of writing JSON.