Policies control what your agents can access. Without a policy, an agent can’t do anything — Anti AI uses a deny-by-default model.
Using the AI Policy Builder
- Go to Policies → New Policy
- Click AI Suggest
- Describe what you want in plain English:
  “Allow this agent to read customer data from Stripe but only during business hours”
- Review the generated Rego, then click Save
Writing a policy manually
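```rego
package oculus.authz

# `in` is a future keyword in pre-1.0 Rego and must be imported before use.
import future.keywords.in

# Deny by default: a request is allowed only if one of the rules below matches.
default allow = false

# Any active agent may read Stripe customers.
allow {
    input.action == "stripe:customer:read"
    input.subject.status == "active"
}

# Only active agents tagged "payment-processor" may create Stripe charges.
allow {
    input.action == "stripe:charge:write"
    "payment-processor" in input.subject.tags
    input.subject.status == "active"
}
```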
stripe:customer:read ← read Stripe customers
stripe:charge:write ← create Stripe charges
github:repo:read ← read GitHub repos
db:read ← read from the database
Test before activating
- In the Policy Editor, click Simulate
- Enter a mock request (agent ID, action, scope)
- See whether the policy allows or denies it
Use Shadow Mode to run a new policy in production without enforcing it. Watch the audit log for 24 hours, then activate when confident.
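The same allow and deny checks can also be written as Rego unit tests and run locally before the policy reaches the editor. This is an added example, not Anti AI's own code: it assumes the manual policy above is saved in the same directory and that the open-source `opa` CLI is installed. The subjects and the `suspended` status value are constructed for illustration.

```rego
package oculus.authz_test

import data.oculus.authz

# Constructed sample subjects; field names follow the manual policy.
active_agent := {"status": "active", "tags": []}

payment_agent := {"status": "active", "tags": ["payment-processor"]}

# "suspended" is an assumed status value; anything other than "active" behaves the same.
suspended_payment_agent := {"status": "suspended", "tags": ["payment-processor"]}

test_active_agent_can_read_customers {
    authz.allow with input as {"action": "stripe:customer:read", "subject": active_agent}
}

test_tagged_agent_can_write_charges {
    authz.allow with input as {"action": "stripe:charge:write", "subject": payment_agent}
}

# The write rule needs the tag: an active agent without it is denied.
test_untagged_agent_cannot_write_charges {
    not authz.allow with input as {"action": "stripe:charge:write", "subject": active_agent}
}

# The tag alone is not enough: the agent must also be active.
test_inactive_agent_denied_even_with_tag {
    not authz.allow with input as {"action": "stripe:charge:write", "subject": suspended_payment_agent}
}

# No rule mentions this action, so the default (false) applies.
test_unlisted_action_denied_by_default {
    not authz.allow with input as {"action": "github:repo:read", "subject": payment_agent}
}

# A request with no subject at all matches no rule and falls through to deny.
test_missing_subject_denied {
    not authz.allow with input as {"action": "stripe:customer:read"}
}
```

Run the tests with `opa test .` from the directory holding both files. On OPA 1.0 or later add `--v0-compatible`, because the policy uses the pre-1.0 rule syntax.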
Assign to an agent
Go to your agent → Settings → Policies and add the policy. Changes take effect within 60 seconds.