The control you're afraid to turn on.
For platform engineering and security — enforcement you can rehearse before you arm it.
A policy that blocks the wrong thing breaks real work, so the enforce switch stays off. You can't see what a rule would catch, which agents it would stop, or what flipping it to enforce would actually cost.
Enforcement is all-or-nothing.
Without a way to rehearse a policy, every rollout is a gamble between leaving a gap open and breaking a workflow.
Fear of breaking work
Flip a rule to enforce and you might block a legitimate agent mid-task. So the safe choice is to never flip it.
No preview
You can't see which agents a policy would stop or which actions it would gate before it's live.
Counts, not names
“This would affect 6 agents” isn't actionable. You need to know which six, and why.
Audit, assist, then enforce — try it before you arm it.
Audit
Run the policy in observe-only and see exactly what it would have blocked — named agents, named actions, no impact on live work.
Assist
Escalate to prompts and approval gates, so humans stay in the loop before anything is hard-blocked.
Enforce
Arm it with confidence, knowing the cost of flipping to enforce — coverage, tool-call diversity, and who it touches.
Turn on the control you've been avoiding.
Rehearse the policy, see the names, then arm it.