What is policy as code for AI agents?

Policy as code for AI agents means expressing the agent's behaviour contract as a machine-readable, versioned, declaratively enforced specification — not as natural language instructions that the agent interprets probabilistically. In practice, it consists of three components: (1) a step order contract specifying which steps the agent may execute and in what sequence, (2) a function/action type map specifying which action categories are permitted for each function, and (3) a runtime enforcement gate that evaluates every agent action against the policy before execution, returning ALLOW or DENY with a signed receipt. The policy is stored and versioned like code. The enforcement gate treats it as authoritative. Any deviation — wrong step order, disallowed action type, replayed request — is denied before execution, not flagged after the fact.

How is policy as code for AI agents different from DevOps policy as code?

DevOps policy as code (OPA, HashiCorp Sentinel, AWS SCP) evaluates configuration at deployment time — it checks whether a proposed infrastructure change conforms to policy before it is applied. AI agent policy as code evaluates behaviour at runtime — it checks whether an agent action conforms to policy before that action executes. The scope is different: DevOps PaC governs static resource configuration; agent PaC governs dynamic, per-action decisions made during a running session. The enforcement point is also different: DevOps PaC is checked once at deploy time; agent PaC is checked on every action, with a signed receipt written each time, building an auditable chain across the entire session.

Why can't AI agent policy live in the agent's system prompt?

A system prompt is a probabilistic instruction. The model reads it, infers intent, and approximates compliance on each generation. Prompt-based policy has no enforcement mechanism: if the model misinterprets the instruction, or a prompt injection overrides it, or the model simply generates a non-compliant output, nothing stops execution. Policy as code for AI agents requires an external enforcement gate — independent of the model — that the agent cannot override, misinterpret, or hallucinate past. The gate evaluates the declared policy against the actual action payload before execution. The model's understanding of the policy is irrelevant; the gate's evaluation is authoritative.

What does policy as code look like for EU AI Act Article 9 compliance?

EU AI Act Article 9 requires risk management systems that identify, analyse, and mitigate risks associated with high-risk AI systems. For agentic AI, policy as code satisfies this by (1) expressing the permitted behaviour contract as a versioned, auditable specification rather than natural language guidelines, (2) enforcing that contract at runtime before each action via an independent gate, and (3) producing a signed receipt for every enforcement decision as evidence that the risk control ran. Article 9 risk management documentation can then point to the policy version in effect, the enforcement gate records, and the receipt chain — all of which are independently verifiable without re-running the system.

How is the policy versioned and audited in AgenticRail?

AgenticRail's policy consists of two components: the step order string (e.g. 'intake,disruption,instability,state_read,internal_driver,execution,boundary,settle') and the function/action_type map (which action categories each function permits). Both are stored as environment variables on the enforcement worker, versioned with the worker deployment, and auditable via the deployment history. Every receipt references the key_id of the signing key in effect at decision time. An auditor reviewing receipts from any session can determine which policy version was active when each decision was made — the policy is not just declared, it is stamped into every receipt that proves it ran.

What happens when an agent action violates the policy?

When an agent action violates the policy, the enforcement gate returns DENY before execution — the action never runs. Specific denial reason codes are returned: SEQUENCE_VIOLATION (step submitted out of order), ACTION_NOT_ALLOWED (action type not permitted for that function), NO_POLICY_MATCH (function not recognised), REPLAY_NONCE (nonce already used in this session), SEALED_SEQUENCE (session already completed), or STALE_TIMESTAMP (request timestamp outside the 5-minute freshness window). A signed receipt is written for every denial, creating an immutable record that the policy ran and what it rejected. The sequence either corrects and continues, or halts — but the denied action never executes.

Governance 2026-05-12 Kade Cowper

Policy as Code for AI Agent Enforcement: What It Means and How It Works

Policy as code is arriving in AI agent governance — Kyndryl, Microsoft, and Altimetrik are all publishing on it in 2026. Most of what they describe is declaration: expressing agent policy as structured configuration rather than prose. The part most implementations leave out is enforcement: a runtime gate that evaluates the policy against every action before execution and produces a signed receipt as proof.

The Problem With Prompt-Based Policy

Most AI agent "policies" today live in the system prompt. The prompt tells the agent what it's allowed to do, what steps to follow, what data it may access. This is policy-as-natural-language: readable by humans, interpretable by the model, unenforceable by anything.

A system prompt is a probabilistic instruction. The model reads it and approximates compliance on each generation. There is no mechanism that prevents a non-compliant action from executing — if the model generates a bad output, the action runs. If a prompt injection overwrites the instruction, the agent follows the injection. If the model simply hallucinates a step that isn't in the policy, nothing stops it.

Policy expression	Machine-readable	Versioned	Enforced before execution	Auditable evidence
System prompt / guidelines	No — natural language	No — lives in model context	No — probabilistic	No — model output only
Post-hoc evaluation (LLM judge)	Partial — structured prompt	Partial — prompt versioning	No — runs after execution	Partial — evaluation records
Policy as code — enforcement gate	Yes — structured contract	Yes — versioned with deployment	Yes — gate fires pre-execution	Yes — signed receipt per decision

What Agent Policy as Code Actually Is

Policy as code in the DevOps sense (Open Policy Agent, HashiCorp Sentinel) evaluates infrastructure configuration at deploy time — checking whether a proposed change conforms to policy before it is applied. That is useful, but it is a one-shot check at a single point in a deployment pipeline.

Agent policy as code is a continuous runtime check. The policy is evaluated on every action, during a live session, in the critical window between the agent's decision to act and the action's execution. The enforcement point is not "before deploy" but "before each tool call."

Three components are required:

1 — Step Order Contract

Declares the permitted sequence of steps
Machine-readable string or config
Versioned with the enforcement worker
Violations → SEQUENCE_VIOLATION

2 — Action Type Map

Declares which action categories each function permits
Versioned policy map (not prompt instructions)
Violations → ACTION_NOT_ALLOWED
Unknown functions → NO_POLICY_MATCH

3 — Enforcement Gate

Independent of the agent — cannot be overridden
Evaluates policy before execution
Returns ALLOW or DENY
Writes signed receipt at decision time

The policy is not "what the agent believes it should do." The policy is what the gate evaluates against. The agent's understanding is irrelevant — the gate's decision is authoritative.

AgenticRail's Sequence Contract

AgenticRail implements policy as code as a two-part contract: the step order and the function/action_type map.

The step order is declared as an ordered list. For an 8-step MSMD spine:

Step order policy — versioned environment variable

SLP8_STEP_ORDER_MSMD="intake,disruption,instability,state_read,internal_driver,execution,boundary,settle"

This string is the policy. It is stored as an environment variable on the enforcement worker, deployed as part of the worker version, and auditable via the deployment history. Every receipt written by the gate references the key_id of the signing key in effect at decision time — tying the receipt to the policy version that produced it.

The function/action_type map declares which action categories each function permits:

Policy map — function → permitted action types

// intake permits state checks — not writes
"intake": ["CHECK_STATE", "READ_INPUT"]

// execution permits writes and external calls
"execution": ["WRITE_DB", "CALL_EXTERNAL_API", "EMIT_EVENT"]

// settle permits only finalisation
"settle": ["SEAL_SEQUENCE", "WRITE_SUMMARY"]

An agent attempting to call WRITE_DB during intake — regardless of what its prompt or reasoning said was appropriate — receives DENY: ACTION_NOT_ALLOWED before the write executes.

The Enforcement Gate: Where Policy Becomes Code

The gate is what separates policy-as-code from policy-as-documentation. Without a gate, you have a policy document. With a gate, you have enforcement.

The gate sits between the agent and every downstream action. The agent does not call tools directly — it calls the gate, which evaluates the declared policy and decides whether the action may proceed. The agent cannot route around the gate; it cannot modify the policy at runtime; it cannot bypass the nonce check or the step order constraint.

Key property

The agent is the regulated system. The gate is the regulator. A system cannot regulate itself — the independence of the gate is what makes the policy enforceable rather than advisory.

Every gate decision produces a signed receipt, written before the action executes:

ALLOW receipt — policy check passed, action authorised

{
  "sequence_id": "loan-approval-20260512-001",
  "step": "execution",
  "function": "execution",
  "action_type": "WRITE_DB",
  "decision": "ALLOW",
  "policy_version": "k1_2026-02-22_01",
  "ts_ms": 1715508000000,
  "hmac_sig": "sha256=9e2f4b..."
}

Denial Codes: What Policy Violations Look Like

When the policy is violated, the gate returns a specific reason code. Each code maps to a distinct policy rule:

SEQUENCE_VIOLATION

Step submitted out of declared order. Step order policy enforced.

ACTION_NOT_ALLOWED

Action type not in the permitted set for this function.

NO_POLICY_MATCH

Function name not recognised in the policy map.

REPLAY_NONCE

Nonce already used in this session. Replay protection policy enforced.

SEALED_SEQUENCE

Session reached final step and was sealed. No further actions permitted.

STALE_TIMESTAMP

Request timestamp outside the 5-minute freshness window.

Each denial produces a signed receipt — immutable, pre-execution evidence that the policy ran and what it rejected. These receipts are what compliance auditors, EU AI Act Article 9 documentation, and ISO 42001 evidence packages require.

Version Control and Auditability

Because the policy is expressed as code — not embedded in a prompt — it has all the properties of code:

Versionable: every policy change is a deployment. The git history and worker deployment log are the policy audit trail.
Diffable: you can compare two policy versions and see exactly what changed — which steps were added, which action types were permitted or revoked.
Attributable: each receipt references the key_id of the signing key active at decision time. An auditor reviewing receipts from any session can determine which policy version was in effect for each decision.
Testable: the policy can be tested in isolation from the agent. Submit a sequence with a deliberate SEQUENCE_VIOLATION — the gate must return DENY. The policy is verifiable independently of the model that calls it.

6 Specific DENY reason codes

Pre-exec Receipt written before action runs

Versioned Policy stamped into every receipt

Compliance Mapping

Framework	Requirement	How policy as code satisfies it
EU AI Act Article 9	Risk management system — identify, analyse, mitigate risks	Policy contract is the declared risk boundary; gate receipts prove it was enforced
EU AI Act Article 12	Automatic logging enabling reconstruction of events	Pre-execution receipts are the reconstruction anchors — not post-hoc observations
ISO/IEC 42001 A.6.1.6	Controls for AI system operation — documented and evidenced	Policy document + receipt chain = documented control + evidence it ran
NIST AI RMF Govern 1.2	Accountability mechanisms for AI system decisions	Every gate decision attributed to a policy version, signed, and stored immutably
OWASP ASI01 (Goal Hijack)	Prevent agent from being redirected to unauthorised objectives	Step order and action type policy enforced externally — prompt injection cannot override

The Part Most Implementations Skip

The industry conversation about policy as code for AI agents tends to stop at declaration. Expressing agent governance as structured configuration rather than prose is valuable — it is readable by tools, comparable across versions, and unambiguous in intent.

But declaration without enforcement is documentation. A policy document does not prevent a non-compliant action from executing. It describes what should happen; it does not guarantee what does happen.

The enforcement gate is what makes the code operative. Without it, "policy as code" is a better way of writing the same unenforceable guidelines that used to live in the system prompt.

See policy as code in action

Run a sequence through the AgenticRail gate — submit a step out of order and inspect the SEQUENCE_VIOLATION receipt.

Open Demo Read Docs

← All posts