Policy Enforcement

How policies are evaluated and enforced across the platform.

Policy Enforcement

Policies are enforced at multiple levels:

  1. Proxy Level - The proxy checks the token's allowed_tools claim against the requested tool
  2. Backend Level - Intent Assurance Plan (IAP) step verification validates the plan against all applicable policies
  3. CSRG Level - Per-node policy metadata is embedded in the Merkle tree for cryptographic enforcement

Policy Evaluation Order

When multiple policies apply to the same target:

  1. Policies are evaluated in priority order (highest first)
  2. The first matching rule determines access
  3. If no policy matches, access is denied by default (fail-closed)

Policies are bound to specific targets (MCP servers or agents). To protect a resource, create a policy and assign it to the target. A target with no policy assigned is not evaluated by the rules above; access to it is granted on the basis of organization membership.
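The following is an added example, not code from the platform, that puts the three statements above into one executable decision path: the proxy-level allowed_tools check, backend evaluation of target-bound policies in priority order with first-match semantics and a fail-closed default, and the fall-back to organization membership for a target that has no policy assigned. The Rule, Policy and Request data model, the sample policies and tokens, and the rule that equal priorities keep declaration order are all assumptions made for the example; the page does not specify the real schema or tie-breaking.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


# Hypothetical data model (assumption: the page does not specify the real schema).
@dataclass(frozen=True)
class Rule:
    effect: str            # "allow" or "deny"
    tools: frozenset       # tool names the rule matches; "*" matches any tool
    principals: frozenset  # agent ids the rule matches; "*" matches any agent


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int          # higher value is evaluated earlier
    target: str            # MCP server or agent id the policy is bound to
    rules: Tuple[Rule, ...]


@dataclass(frozen=True)
class Request:
    principal: str         # calling agent
    org: str               # organization the principal belongs to
    target: str            # MCP server being called
    tool: str              # tool requested on that server


def proxy_check(token_claims: dict, tool: str) -> bool:
    """Proxy level: the requested tool must be listed in the token's
    allowed_tools claim. A missing or empty claim grants nothing."""
    return tool in set(token_claims.get("allowed_tools", []))


def rule_matches(rule: Rule, req: Request) -> bool:
    tool_ok = "*" in rule.tools or req.tool in rule.tools
    principal_ok = "*" in rule.principals or req.principal in rule.principals
    return tool_ok and principal_ok


def evaluate_policies(policies: Iterable[Policy], req: Request,
                      org_members: Dict[str, Set[str]]) -> Tuple[str, str]:
    """Backend level. Returns (decision, reason); decision is "allow" or "deny"."""
    applicable = [p for p in policies if p.target == req.target]
    if not applicable:
        # No policy bound to this target: fall back to organization membership.
        member = req.principal in org_members.get(req.org, set())
        return ("allow" if member else "deny", "org-membership")
    # Highest priority first. sorted() is stable, so equal priorities keep their
    # declaration order (assumption: the page does not say how ties are broken).
    for policy in sorted(applicable, key=lambda p: p.priority, reverse=True):
        for rule in policy.rules:
            if rule_matches(rule, req):
                return (rule.effect, f"policy:{policy.name}")   # first match wins
    return ("deny", "default-deny")                              # fail-closed


def authorize(token_claims: dict, policies: Iterable[Policy], req: Request,
              org_members: Dict[str, Set[str]]) -> Tuple[str, str]:
    """Proxy check first, then backend policy evaluation; either layer can deny."""
    if not proxy_check(token_claims, req.tool):
        return ("deny", "proxy:allowed_tools")
    return evaluate_policies(policies, req, org_members)


# Constructed sample data for the example.
POLICIES = (
    Policy("no-destructive-tools", priority=100, target="mcp-files",
           rules=(Rule("deny", frozenset({"delete_file"}), frozenset({"*"})),)),
    Policy("agent-a-readonly", priority=10, target="mcp-files",
           rules=(Rule("allow", frozenset({"read_file", "list_dir"}), frozenset({"agent-a"})),)),
    # Lower priority than the deny above, so it can never win for delete_file.
    Policy("agent-b-full", priority=5, target="mcp-files",
           rules=(Rule("allow", frozenset({"*"}), frozenset({"agent-b"})),)),
)
ORG_MEMBERS = {"acme": {"agent-a", "agent-b"}}
TOKEN_A = {"sub": "agent-a", "allowed_tools": ["read_file", "list_dir", "delete_file"]}
TOKEN_B = {"sub": "agent-b", "allowed_tools": ["read_file"]}

if __name__ == "__main__":
    for tok, who, target, tool in [
        (TOKEN_A, "agent-a", "mcp-files", "read_file"),      # allowed by agent-a-readonly
        (TOKEN_A, "agent-a", "mcp-files", "delete_file"),    # denied by the priority-100 policy
        (TOKEN_B, "agent-b", "mcp-files", "list_dir"),       # stopped at the proxy
        (TOKEN_A, "agent-a", "mcp-unprotected", "read_file"),  # no policy: org membership
    ]:
        req = Request(who, "acme", target, tool)
        print(who, target, tool, "->", authorize(tok, POLICIES, req, ORG_MEMBERS))
```

The reason string returned alongside the decision is what a practitioner would want in the audit log: it distinguishes a proxy rejection from a policy hit and from the default deny, so a denied call can be traced to the layer that refused it.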