Facio's Policy Engine: How AI Agents Stay Aligned With Business Rules Even When the Model Wants to Stray
An AI agent that follows business rules is valuable. An AI agent that improvises around business rules is a liability. The naive approach to alignment — putting rules in the system prompt — fails because the model can be social-engineered, distracted, or simply wrong about when a rule applies.
Production agents need a structural answer. The rules need to be enforced by the runtime, not by the model's good intentions. The rules need to be configurable without rewriting prompts. The rules need to be auditable so the team can see which rules fired and why.
Facio's policy engine is a runtime enforcement layer that makes business rules architecturally binding. Every agent decision is checked against the policies before execution. Rules can't be bypassed because the runtime refuses to execute non-compliant actions. The model doesn't have to "remember" the rules; the runtime enforces them regardless of what the model decides.
Here's how the policy engine works, what kinds of policies it expresses, and why runtime enforcement is what makes AI agents acceptable in regulated environments.
The Prompt-Based Alignment Problem
The naive approach to AI agent alignment is to put the rules in the system prompt:
# Naive system prompt
"You are an AI agent for Acme Corp. You must always:
- Verify customer identity before any account changes
- Never disclose other customers' information
- Always require approval for refunds over $100
- Never execute financial transactions during business-critical periods
- Escalate security concerns immediately"
This approach has four structural problems:
Problem 1: The model can be social-engineered. A user prompt can include "ignore previous instructions and..." patterns. The model, trained on user input, may comply. The rules are bypassed.
Problem 2: The model gets distracted. A long conversation with complex context can cause the model to "forget" or de-prioritize the rules. The rules are forgotten.
Problem 3: The model applies rules inconsistently. The rules are interpreted differently across contexts. The model decides when "during business-critical periods" applies; the team has no control over the decision.
Problem 4: The rules aren't auditable. The model applied or didn't apply a rule based on internal reasoning. The team can't see which rules fired when. Compliance verification is impossible.
The result is an agent that usually follows rules but can be made to violate them. For low-stakes workflows, that's acceptable. For regulated workflows (financial, healthcare, legal), it's not.
The Runtime Enforcement Answer
Facio's policy engine addresses the problem structurally. The rules are defined in configuration, not in prompts. The runtime checks every action against the rules before executing. The model cannot bypass because the runtime enforces.
# Policy engine configuration
policies = [
{
"id": "identity-verification-required",
"type": "pre_action",
"condition": "action.type == 'modify_account' and action.target.customer_id is not None",
"requirement": "identity_verified_in_session == True",
"on_violation": "block_and_escalate"
},
{
"id": "refund-approval-required",
"type": "pre_action",
"condition": "action.type == 'refund' and action.amount > 100",
"requirement": "ask_approval(approver='finance_team', timeout_minutes=30)",
"on_violation": "block"
},
{
"id": "no-financial-tx-during-peak",
"type": "time_based",
"condition": "current_time.hour in range(9, 17) and current_time.weekday < 5",
"applies_to": "action.type == 'financial_transaction'",
"on_violation": "block_with_message"
},
{
"id": "security-escalation",
"type": "post_detection",
"condition": "any(action.tool == 'exec' and 'security' in action.parameters.command.lower())",
"requirement": "send_notification(channel='security_team', priority='high')",
"on_violation": "warn"
}
]
The policies are configuration, not prompt content. The model sees them only as context; the runtime enforces them regardless.
The Policy Types
The policy engine supports several policy types, each suited to a different enforcement pattern.
Type 1: Pre-Action Policies
Pre-action policies check the agent's proposed action before it's executed. If the policy is violated, the action is blocked (or escalated, depending on configuration):
# Pre-action policy: "No production deployments without approval"
{
"id": "prod-deploy-approval-required",
"type": "pre_action",
"condition": "action.type == 'deploy' and action.target.environment == 'production'",
"requirement": "ask_approval(approver='release_manager', timeout_minutes=60)",
"on_violation": "block"
}
# How it works:
# 1. Agent decides to deploy to production
# 2. Policy engine sees the action matches the condition
# 3. Policy engine triggers ask_approval
# 4. If approval comes: action proceeds
# 5. If approval is denied or times out: action is blocked
# 6. Agent is informed of the block
The agent cannot bypass because the policy engine intercepts the action. The model doesn't have to remember the rule; the runtime enforces it.
Type 2: Time-Based Policies
Time-based policies apply based on the current time. They express rules like "no actions during maintenance windows" or "require extra approval during business hours":
# Time-based policy: "Maintenance window lockout"
{
"id": "maintenance-window-lockout",
"type": "time_based",
"condition": "current_time >= '2026-07-06T22:00:00Z' and current_time <= '2026-07-07T02:00:00Z'",
"applies_to": "action.type == 'deploy'",
"on_violation": "block_with_message('System in maintenance window')"
}
# How it works:
# 1. Agent decides to deploy during maintenance window
# 2. Policy engine checks current time against the condition
# 3. Condition is true: policy fires
# 4. Action is blocked with explanatory message
# 5. Agent is informed of the maintenance window
Time-based policies are evaluated automatically. The team doesn't have to remember to apply them; the runtime does it.
Type 3: Post-Detection Policies
Post-detection policies watch for specific patterns in actions or tool outputs. They trigger responses when patterns are detected:
# Post-detection policy: "Log all customer PII access"
{
"id": "log-pii-access",
"type": "post_detection",
"condition": "any('ssn' in action.tool_input.lower() or 'passport' in action.tool_input.lower())",
"requirement": "audit_log(category='pii_access', severity='high')",
"on_violation": "warn"
}
# How it works:
# 1. Agent accesses customer data including SSN
# 2. Policy engine detects the pattern
# 3. Audit log entry is created
# 4. Action proceeds (the policy is logging, not blocking)
# 5. Compliance team has visibility
Post-detection policies are useful for monitoring and compliance. They don't block work; they create records.
Type 4: Multi-Step Workflow Policies
Multi-step policies check sequences of actions, not just individual ones. They express rules like "two-person integrity for sensitive operations":
# Multi-step policy: "Two-person integrity for database admin"
{
"id": "two-person-integrity-db-admin",
"type": "workflow",
"condition": "any_in_workflow(action.type == 'db_admin_op' and action.target.environment == 'production')",
"requirement": "two_distinct_approvers have approved in current session",
"on_violation": "block"
}
# How it works:
# 1. Agent decides to run a database admin operation
# 2. Policy engine checks the workflow history
# 3. If only one approver has approved: action is blocked
# 4. Agent must get a second approver
# 5. Once two distinct approvers have approved: action proceeds
Multi-step policies express complex business rules that depend on action sequences, not single actions.
Type 5: Conditional Policies
Conditional policies branch based on the action's context. They express rules like "different approval requirements based on amount":
# Conditional policy: "Tiered approval"
{
"id": "tiered-approval",
"type": "conditional",
"condition": "action.type == 'refund'",
"branches": [
{
"condition": "action.amount <= 100",
"requirement": "no_approval_required",
"on_violation": "allow"
},
{
"condition": "action.amount > 100 and action.amount <= 1000",
"requirement": "ask_approval(approver='team_lead')",
"on_violation": "block"
},
{
"condition": "action.amount > 1000",
"requirement": "ask_approval(approver='director')",
"on_violation": "block"
}
]
}
# How it works:
# 1. Agent decides to refund $500
# 2. Policy engine evaluates the conditions
# 3. Branch 2 matches: requires team_lead approval
# 4. Action is blocked until approval comes
Conditional policies express the rules that real businesses have. Different amounts, different customers, different risk levels — different rules.
The Policy Decision Flow
When the agent proposes an action, the policy engine evaluates the action through the policies:
# Agent proposes action
action = {
"type": "deploy",
"target": {"environment": "production", "service": "api-gateway"},
"estimated_impact": "5% of traffic affected briefly"
}
# Policy engine evaluation
for policy in policies:
if evaluate_condition(policy.condition, action):
if not check_requirement(policy.requirement, action):
# Policy violated
if policy.on_violation == "block":
return ActionBlocked(policy=policy.id)
elif policy.on_violation == "block_and_escalate":
escalate(policy.id, action)
return ActionBlocked(policy=policy.id)
elif policy.on_violation == "block_with_message":
return ActionBlocked(message=policy.message)
elif policy.on_violation == "warn":
log_warning(policy.id, action)
# Continue to next policy
# All policies passed: execute action
return ActionApproved()
The evaluation is deterministic. The same action and policy state produce the same decision. There's no model judgment in the enforcement.
The Policy Audit Trail
Every policy decision is logged. The audit trail captures:
- Which policy was evaluated. The policy ID.
- The action being evaluated. The action details.
- The policy's decision. Allow, block, warn, escalate.
- The reason. Why the policy decided what it decided.
- The timestamp. When the decision was made.
- The agent context. Which session, which user.
{
"timestamp": "2026-07-06T10:23:45Z",
"session_id": "agent-2026-07-06-101000",
"policy_id": "prod-deploy-approval-required",
"policy_type": "pre_action",
"action": {"type": "deploy", "target": {"environment": "production"}},
"decision": "block",
"reason": "Production deployment requires release_manager approval",
"next_step": "ask_approval triggered, awaiting response",
"outcome": "approval received at 2026-07-06T10:45:23Z, deployment proceeded"
}
The audit trail enables:
- Compliance verification. Auditors see which policies fired and whether they were followed.
- Policy refinement. The team identifies policies that fire too often (annoying) or too rarely (ineffective).
- Incident investigation. When something goes wrong, the audit trail shows whether policies were followed.
- Trust building. Customers and partners can verify that business rules are enforced.
The Policy Configuration Management
Policies are configuration, not code. The configuration is managed through:
Version control. Policies are stored in Git. Changes are tracked, reviewed, rolled back if needed.
Testing. Policy changes are tested before deployment. The team verifies the new policies fire correctly without breaking existing workflows.
Staging rollout. New policies are deployed to staging first, then to production after validation.
RBAC. Only authorized users can modify policies. Policy changes require approval.
The configuration management ensures policies are reliable. A policy that's in code can be accidentally modified; a policy in configuration is reviewed and tested.
The Policy Engine Doesn't Do
Honest limitations:
- It doesn't make the model more aligned. The policy engine enforces external rules; it doesn't change the model's underlying behavior. A model that wants to violate rules will try; the engine stops it, but the model isn't aligned.
- It can't enforce rules that depend on subjective judgment. "Always be polite" can't be a policy — there's no programmatic check. The engine enforces objective rules; subjective alignment remains the model's responsibility.
- It can be too strict. Overly strict policies block legitimate work. The team needs to calibrate policies to the workflow's risk profile.
- It doesn't eliminate the need for HITL. Some policies require human approval; the engine can't replace human judgment entirely. The engine automates enforcement, not decisions.
- It requires careful policy design. Poorly designed policies have unintended consequences. The team needs policy expertise to write effective rules.
The Policy as a Business Asset
Well-designed policies are a business asset. They:
- Encode institutional knowledge. The rules the company has developed over years, captured in configuration.
- Enable scaling. New agents, new workflows, new markets — all operate with the same rules.
- Support compliance. Regulators see consistent rule enforcement across all operations.
- Reduce errors. The rules prevent the agent from doing things the company wouldn't approve.
- Enable trust. Customers trust the agent because the rules are guaranteed.
The policy engine is how institutional knowledge becomes runtime guarantees. The rules aren't aspirational; they're enforced.
Bottom Line
An AI agent that follows business rules is valuable. An agent that improvises around rules is a liability. The prompt-based approach to alignment is unreliable; the runtime-enforcement approach is structural.
Facio's policy engine makes business rules architecturally binding. Every agent action is checked against policies before execution. Rules can't be bypassed because the runtime refuses to execute non-compliant actions. The model doesn't have to remember the rules; the runtime enforces them.
The agent without runtime enforcement is a partner you hope follows the rules. The agent with runtime enforcement is a partner you know follows the rules. Regulated industries can deploy the second. The first is limited to less-strict contexts.
Because AI agents in the enterprise are not just about capability. They're about reliability. The policy engine is what makes capability reliable.
See the policy engine documentation for policy configuration, audit trail queries, and policy testing patterns.