Policies & Rules
Alephant includes up to 18 configurable policies across 4 architectural tiers. Policies govern how requests are handled at the gateway layer.
For agent and workflow systems, policy is broader than model access. Alephant policies can decide which models, tools, workflows, paid endpoints, members, departments, and budgets are allowed before activity becomes expensive, risky, or hard to audit.
Policy Hierarchy
- System Policies (Always-On): Hard limits to prevent catastrophic billing errors, such as a Daily Hard Stop and Basic Rate Caps.
- Pro Policies: Configurable limits like Token constraints, specific Model Restrictions, Retry Logic, and Basic Semantic Caching.
- Team Policies: Member attribution enforcement, Team Rate Limiting, and collaborative guardrails.
- Enterprise Policies: Advanced compliance features including PII (Personally Identifiable Information) detection, Data Residency requirements, IP Allowlisting, and SSO enforcement.
Department Overrides
On the Enterprise plan, Workspace-level policies can be overridden on a per-department basis. Override types include:
- Custom Rate Limits
- Model Whitelists (e.g., restrict to specific models)
- Custom Budget Alert thresholds
- Time Window restrictions (e.g., only allow requests during business hours)
- Max Tokens per request
- Concurrency limits
Agent Run Policy
Agent run policy controls what an agent or workflow can do during execution.
Common controls include:
- Budget limits at workspace, department, member, agent, or Virtual Key scope
- Rate limits and concurrency limits
- Model allowlists and provider restrictions
- Tool and external API permissions
- Paid endpoint access rules
- Prompt template restrictions
- Approval rules for sensitive or high-cost actions
- Hard stop, throttle, alert, or escalation behavior
Policy decisions should be visible in logs and run traces so teams can answer why a run was allowed, blocked, throttled, or escalated.
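As an added illustration (not Alephant's code or configuration schema), the sketch below layers a department override over workspace policy and attaches the deciding rule and its scope to every decision, so a log line answers why a run was allowed, blocked, throttled, or escalated. All field names, model names, and thresholds are hypothetical.

```python
import json
from dataclasses import dataclass, asdict

# Hypothetical policy fields and values; not Alephant's schema.
WORKSPACE = {"model_allowlist": {"model-a", "model-b"}, "max_tokens": 4096,
             "hours_utc": (0, 24), "rate_per_min": 60, "approval_over_usd": 5.00}
DEPT_OVERRIDES = {"finance": {"model_allowlist": {"model-a"},
                              "max_tokens": 1024, "hours_utc": (8, 18)}}

@dataclass
class Decision:
    action: str   # allow | block | throttle | escalate
    rule: str     # control that decided the outcome
    scope: str    # "workspace" or "department:<name>"
    detail: str

def effective_policy(dept):
    """Workspace policy with the department's overrides layered on top."""
    override = DEPT_OVERRIDES.get(dept, {})
    merged = {**WORKSPACE, **override}
    origin = {k: f"department:{dept}" if k in override else "workspace"
              for k in merged}
    return merged, origin

def evaluate(req):
    """Return the first rule that decides, so the record explains why."""
    p, origin = effective_policy(req["department"])
    start, end = p["hours_utc"]
    checks = [
        ("block", "model_allowlist", req["model"] not in p["model_allowlist"],
         f"model {req['model']} is not on the allowlist"),
        ("block", "hours_utc", not start <= req["hour_utc"] < end,
         f"hour {req['hour_utc']} is outside {start}-{end} UTC"),
        ("block", "max_tokens", req["max_tokens"] > p["max_tokens"],
         f"{req['max_tokens']} tokens exceeds {p['max_tokens']}"),
        ("throttle", "rate_per_min", req["requests_last_min"] >= p["rate_per_min"],
         f"{req['requests_last_min']} requests in the last minute"),
        ("escalate", "approval_over_usd", req["est_cost_usd"] > p["approval_over_usd"],
         f"estimated ${req['est_cost_usd']:.2f} needs approval"),
    ]
    for action, rule, violated, detail in checks:
        if violated:
            return Decision(action, rule, origin[rule], detail)
    return Decision("allow", "none", "workspace", "all checks passed")

def log_line(req, decision):
    """One JSON object per decision, suitable for a log or run trace."""
    return json.dumps({"run_id": req["run_id"], "department": req["department"],
                       **asdict(decision)}, sort_keys=True)
```

Recording the scope alongside the rule shows whether a workspace default or a department override produced the outcome, which is the first question in most policy disputes.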
Alert Triggers
Policies can produce operational alerts when activity crosses risk thresholds:
Alerts should point back to the relevant workspace, department, agent, member, Virtual Key, policy, or run trace.
Paid Endpoint Policy
For monetized agent capabilities, payment verification is only one part of enforcement. Endpoint policy can also control:
- Buyer access
- Maximum price per call
- Endpoint rate limits
- Allowed agents or workflows
- Model and tool permissions
- Budget and margin guardrails
- Manual approval or review requirements
This keeps paid endpoints governed before execution and measurable after execution.