Agent Security
Policy Engine
Configure rules for how AI agent tool calls are handled - allow, block, approve, rate limit, and more.
Policy Engine
Bastio's policy engine lets you define rules for how tool calls are handled. Policies provide fine-grained control over which operations are allowed, blocked, or require human approval.
How Policies Work
When a tool call is validated, Bastio evaluates it against your policies in priority order:
- Match - Find policies that match the tool call
- Evaluate - Check policy conditions
- Apply - Execute the highest-priority matching policy's action
If no policies match, the default action (usually allow) is applied.
Policy Actions
| Action | Description |
|---|---|
allow | Permit the tool call to execute |
block | Prevent execution, return error to agent |
require_approval | Route to human reviewers before execution |
rate_limit | Throttle requests per time window |
sanitize | Clean dangerous content from arguments |
warn | Allow but flag for security review |
Creating Policies
Via Dashboard
Navigate to Agent Security > Policies in your dashboard to create and manage policies visually.
Via API
curl -X POST https://api.bastio.com/v1/guard/{proxyId}/policies \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Block Shell Commands",
"description": "Block all shell execution tools",
"tool_pattern": "execute_*",
"action": "block",
"priority": 100,
"is_active": true
}'Policy Configuration
Basic Fields
| Field | Type | Description |
|---|---|---|
name | string | Human-readable policy name |
description | string | Explanation of policy purpose |
tool_pattern | string | Glob pattern matching tool names |
action | string | Action to take when matched |
priority | integer | Higher priority = evaluated first |
is_active | boolean | Whether policy is enabled |
Tool Pattern Matching
Patterns use glob syntax to match tool names:
| Pattern | Matches |
|---|---|
execute_shell | Exact match |
execute_* | execute_shell, execute_python, etc. |
*_file | read_file, write_file, delete_file |
* | All tools |
db_* | db_query, db_insert, db_update |
Conditions
Add conditions to make policies context-aware:
{
"name": "Approve High-Risk Tools",
"tool_pattern": "*",
"action": "require_approval",
"conditions": {
"risk_score_min": 0.7
}
}Available Conditions
| Condition | Type | Description |
|---|---|---|
risk_score_min | float | Minimum risk score to match |
risk_score_max | float | Maximum risk score to match |
threat_types | array | Match specific threat types |
argument_pattern | string | Regex pattern for arguments |
time_window | object | Time-based restrictions |
end_user_id | string | Apply to specific user |
Time Windows
Restrict when policies apply:
{
"name": "Block After Hours",
"tool_pattern": "execute_*",
"action": "block",
"conditions": {
"time_window": {
"days": ["saturday", "sunday"],
"hours_start": 18,
"hours_end": 9,
"timezone": "America/New_York"
}
}
}Rate Limiting
Throttle tool call frequency:
{
"name": "Rate Limit API Calls",
"tool_pattern": "api_*",
"action": "rate_limit",
"rate_limit": {
"max_requests": 100,
"window_seconds": 60
}
}When rate limited, the response includes retry information:
{
"action": "block",
"message": "Rate limit exceeded",
"retry_after_seconds": 45
}Policy Templates
Bastio provides pre-built templates for common scenarios:
Strict Production
Maximum security for production environments:
{
"name": "Strict Production",
"rules": [
{ "tool_pattern": "execute_*", "action": "block" },
{ "tool_pattern": "*_file", "action": "require_approval" },
{ "tool_pattern": "http_*", "action": "require_approval" },
{ "tool_pattern": "*", "action": "allow", "conditions": { "risk_score_max": 0.3 } },
{ "tool_pattern": "*", "action": "require_approval" }
]
}Development Permissive
Allows most operations with warnings:
{
"name": "Development Permissive",
"rules": [
{ "tool_pattern": "*", "action": "warn", "conditions": { "risk_score_min": 0.5 } },
{ "tool_pattern": "*", "action": "allow" }
]
}Code Assistant
Tailored for coding assistants:
{
"name": "Code Assistant",
"rules": [
{ "tool_pattern": "read_file", "action": "allow" },
{ "tool_pattern": "write_file", "action": "allow" },
{ "tool_pattern": "execute_shell", "action": "block" },
{ "tool_pattern": "http_*", "action": "block" }
]
}Financial Compliance
PCI-DSS aligned for financial applications:
{
"name": "Financial Compliance",
"rules": [
{ "tool_pattern": "*", "action": "block", "conditions": { "threat_types": ["pii_exposure"] } },
{ "tool_pattern": "payment_*", "action": "require_approval" },
{ "tool_pattern": "customer_*", "action": "require_approval" },
{ "tool_pattern": "*", "action": "allow" }
]
}Managing Policies
List Policies
curl https://api.bastio.com/v1/guard/{proxyId}/policies \
-H "Authorization: Bearer YOUR_API_KEY"Update Policy
curl -X PUT https://api.bastio.com/v1/guard/{proxyId}/policies/{policyId} \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"is_active": false
}'Delete Policy
curl -X DELETE https://api.bastio.com/v1/guard/{proxyId}/policies/{policyId} \
-H "Authorization: Bearer YOUR_API_KEY"Reorder Priorities
curl -X POST https://api.bastio.com/v1/guard/{proxyId}/policies/reorder \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"policy_ids": ["pol_high", "pol_med", "pol_low"]
}'Policy Evaluation Order
Policies are evaluated in priority order (highest first):
┌─────────────────────────────────────┐
│ Tool Call: execute_shell │
│ Arguments: {"command": "ls"} │
└─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ Policy: "Block Dangerous Shells" │
│ Priority: 100 │
│ Pattern: execute_* │
│ Condition: risk_score > 0.7 │
│ Result: NO MATCH (score=0.15) │
└─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ Policy: "Allow Safe Shells" │
│ Priority: 50 │
│ Pattern: execute_shell │
│ Condition: risk_score < 0.3 │
│ Result: MATCH → allow │
└─────────────────────────────────────┘Best Practices
Next Steps
- Human-in-the-Loop - Configure approval workflows
- Tool Validation - Understand threat detection
- Chain Analysis - Detect multi-tool attacks