Workspace Policies
Define and enforce organization-wide rules for AI agent behavior.
What Are Policies?
Policies are JSON documents that specify what agents can and cannot do in your workspace. When agents are pushed with --workspace, they're validated against the active policy.
Policy Structure
policy.json
```json
{
  "policy_id": "policy_abc123",
  "workspace_id": "ws_xyz789",
  "version": "1",
  "status": "active",
  "content": {
    "agent": {
      "models": {
        "allowed_models": ["gpt-4", "gpt-4-turbo", "claude-3-opus"],
        "allowed_providers": ["openai", "anthropic"]
      },
      "capabilities": {
        "allowed_tools": ["calculator", "web_search"],
        "denied_tools": ["file_write", "shell_exec"]
      }
    },
    "compliance": {
      "frameworks": ["soc2"],
      "require_audit_logging": true
    }
  },
  "hash": "a1b2c3d4...",
  "signature": "e5f6g7h8...",
  "signing_key_id": "key_..."
}
```
Model Restrictions
Control which LLM providers and models agents can use:
```json
"models": {
  "allowed_providers": ["openai", "anthropic"],
  "allowed_models": [
    "gpt-4",
    "gpt-4-turbo",
    "claude-3-opus-20240229",
    "claude-3-sonnet-20240229"
  ],
  "denied_models": ["gpt-3.5-turbo"] // Explicitly block
}
```
ℹ️ If allowed_models is empty, all models from allowed providers are permitted.
Capability Control
Restrict which tools and capabilities agents can register:
```json
"capabilities": {
  "allowed_tools": [
    "calculator",
    "web_search",
    "http_request"
  ],
  "denied_tools": [
    "file_write",
    "file_delete",
    "shell_exec"
  ],
  "require_tool_approval": true
}
```
CLI Commands
Pull Active Policy
```bash
sekuire policy pull --workspace ws_abc123
```
Validate Policy Integrity
```bash
sekuire policy validate --file policy.json
```
Show Policy Summary
```bash
sekuire policy show --file policy.json
```
Push with Policy Validation
```bash
sekuire push --workspace ws_abc123
```
Policy Validation
When you push with --workspace, Sekuire validates:
| Check | Description |
|---|---|
| Provider | Is the LLM provider in the allowed list? |
| Model | Is the model in the allowed list? |
| Tools | Are all tools permitted? |
| Capabilities | No denied capabilities? |
If validation fails, the push is blocked unless --force is passed.
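A local pre-check that mirrors the checks in the table above, as an added example rather than Sekuire's own code. The agent descriptor fields (provider, model, tools), deny-over-allow precedence, and treating a missing list as empty are assumptions; the empty allowed_models rule is the one stated in the note under Model Restrictions.

```python
# Added example, not Sekuire's implementation. Assumptions: the agent
# descriptor fields, deny-over-allow precedence, missing list == empty list.

def check_agent(policy: dict, agent: dict) -> list:
    """Return policy violations for an agent; an empty list means it passes."""
    rules = policy["content"]["agent"]
    models = rules.get("models", {})
    caps = rules.get("capabilities", {})
    violations = []
    # Provider: must appear in allowed_providers.
    if agent["provider"] not in models.get("allowed_providers", []):
        violations.append(f"provider not allowed: {agent['provider']}")
    # Model: an explicit deny wins; an empty allowed_models list permits
    # every model from an allowed provider (the rule stated on the page).
    allowed_models = models.get("allowed_models", [])
    if agent["model"] in models.get("denied_models", []):
        violations.append(f"model denied: {agent['model']}")
    elif allowed_models and agent["model"] not in allowed_models:
        violations.append(f"model not allowed: {agent['model']}")
    # Tools: denied_tools is checked first, then allowed_tools as an allowlist.
    allowed_tools = caps.get("allowed_tools", [])
    denied_tools = caps.get("denied_tools", [])
    for tool in agent.get("tools", []):
        if tool in denied_tools:
            violations.append(f"tool denied: {tool}")
        elif tool not in allowed_tools:
            violations.append(f"tool not allowed: {tool}")
    return violations


# Constructed sample data, reusing the values from the policy shown above.
POLICY = {"content": {"agent": {
    "models": {
        "allowed_providers": ["openai", "anthropic"],
        "allowed_models": ["gpt-4", "gpt-4-turbo", "claude-3-opus"],
        "denied_models": ["gpt-3.5-turbo"],
    },
    "capabilities": {
        "allowed_tools": ["calculator", "web_search"],
        "denied_tools": ["file_write", "shell_exec"],
    },
}}}
GOOD_AGENT = {"provider": "openai", "model": "gpt-4", "tools": ["calculator"]}
BAD_AGENT = {"provider": "other-provider", "model": "gpt-3.5-turbo",
             "tools": ["web_search", "shell_exec", "http_request"]}

if __name__ == "__main__":
    for name, agent in (("good", GOOD_AGENT), ("bad", BAD_AGENT)):
        print(name, check_agent(POLICY, agent) or "ok")
```

Running a check like this before the push surfaces every violation at once, including tools that are neither denied nor on the allowlist.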
Next Steps
- Compliance — HIPAA, SOC2, GDPR
- CLI Policy — Full command reference