Engineering · Policy & Enforcement
Govern what agents are allowed to do — watch, then assist, then automate.
Policy is about behavior and capability first. We're in audit mode now; this is exactly what an enforcing policy would have intervened on.
Bottom line
In audit mode. An enforcing policy would have intervened on 6 actions this period: 3 ungoverned agents, 2 running as root, 1 --yolo/sandbox-bypassed, plus unbounded spend on data-pipeline-agent. Start with a tool allow-list.
Enforcement mode
Audit live · Assist/Enforce projectedAudit
Observe every action. Build the inventory and surface what a policy would catch — no intervention.
live now
Assist
Warn and prompt for human approval on high-impact actions. Humans stay in the loop.
projected
Automate
Block disallowed capabilities, off-policy tools, and over-budget runs automatically.
projected
Dry run — what an enforcing policy would have intervened on
computed from live telemetry · 6 would-intervene · 0 actually blockedToday we only observe. These are the behaviors and capabilities a policy in Enforce mode would have gated — led by what agents are allowed to do.
3
Ungoverned agents
Acting without any registered policy binding.
would: require registration before run
2
Agents running as root
A compromised prompt would inherit full host privilege.
would: drop to low-privilege account
1
--yolo / sandbox bypassed
Approvals and sandbox disabled — any action, no gate.
would: force approval + sandbox
5
No tool-approval policy
High-impact tool calls fire with no human in the loop.
would: gate high-impact tools
1
Unbounded consumption
data-pipeline burned 9.2M tokens with no per-agent ceiling.
would: cap spend per agent
6
Sensitive-file reads
Secret / credential paths pulled into agent context.
would: deny credential paths
Policies — capability & action first
Tool / MCP allow-list
projectedScope which tools and MCP servers each agent may call. Anything off-list is denied — the core of capability control.
Human-in-the-loop approvals
projectedGate high-impact actions — writes, deploys, external calls — behind an explicit human approval before they run.
Per-agent spend ceiling
projectedSet a token / cost ceiling per agent and alert or halt when it is reached. Stops unbounded consumption.
Egress allow-list
detection liveMinor, supporting control: restrict which network destinations an agent may reach. Detection is live; blocking is not yet built.
Kill switch
roadmapImmediately revoke an agent's credentials and halt its runs across the fleet — a single action to stop a misbehaving actor. Not yet built.
Fields: agents.governed · agents.factors · agents.user · findings (LLM10 Unbounded Consumption) · dlp.sensitive_paths — from app/data/c16-fleet.ts (qcontrol /api shape). Enforcement actions are projected; audit is live.