PEP (Policy Enforcement Point)
The component, in the path of every action, that enforces the policy decision — letting an action through, blocking it, or sending it for approval.
A Policy Enforcement Point (PEP) is where a policy decision is acted on. It sits directly in the path of an agent’s action: it intercepts the call, asks the policy engine for a verdict, and then enforces that verdict — allowing the action, blocking it, or routing it for human approval.
The PEP is the reason governance is enforcement rather than advice. Because it’s in the path, no action can reach a resource — sending mail, moving money, hitting an MCP server — without first being checked. There’s no path around it, even if the agent is confused, jailbroken, or prompted by someone hostile.
A typical action lifecycle: the agent makes a call → the PEP intercepts it → it asks the PDP (Policy Decision Point) for a decision → it enforces the answer → the result is written to the audit trail.
In a HiveKey-style agent control plane, the gateway is the PEP. Keeping it distinct from the decision-making PDP is what lets you change a policy centrally and have every enforcement point apply it instantly — no agent redeploy. The terms come from the XACML access-control model and are core to zero-trust architectures (NIST SP 800-207), applied here to AI agents.
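As an added illustration, not HiveKey's own code, here is a minimal Python PEP that follows the lifecycle above: intercept the call, ask a PDP, enforce the verdict, record it. The PDP, the scope table, the refund threshold and the tool backends are all constructed for the example; the PDP is a plain callable so the policy can change without touching the agent, and a PDP failure is treated as a deny rather than an allow.

```python
from dataclasses import dataclass
from typing import Any, Callable

@dataclass
class ActionRequest:
    agent_id: str
    tool: str
    args: dict[str, Any]

# Hypothetical PDP: one per-agent scope plus one guard rule (constructed values).
SCOPES = {"billing-agent": {"read_invoice", "refund"}}

def pdp_decide(req: ActionRequest) -> str:
    if req.tool not in SCOPES.get(req.agent_id, set()):
        return "deny"                      # tool is outside this agent's scope
    if req.tool == "refund" and req.args.get("amount", 0) > 500:
        return "needs-approval"            # guard rule: large refunds wait for a human
    return "allow"

class PEP:
    """In-path gateway: an agent reaches a tool only through call()."""
    def __init__(self, pdp: Callable[[ActionRequest], str],
                 tools: dict[str, Callable[..., Any]]):
        self.pdp, self.tools = pdp, tools
        self.approval_queue: list[ActionRequest] = []
        self.audit: list[dict[str, Any]] = []

    def call(self, req: ActionRequest) -> tuple[str, Any]:
        reason, result = None, None
        try:
            decision = self.pdp(req)
        except Exception as exc:           # PDP unreachable: fail closed, never fail open
            decision, reason = "deny", f"pdp-error: {exc}"
        if decision == "allow":
            result = self.tools[req.tool](**req.args)
        elif decision == "needs-approval":
            self.approval_queue.append(req)  # held until approved; nothing executes yet
        # Every verdict, denials included, is recorded before the caller hears back.
        self.audit.append({"agent": req.agent_id, "tool": req.tool, "args": req.args,
                           "decision": decision, "reason": reason})
        return decision, result

# Constructed tool backends standing in for real resources.
TOOLS = {"read_invoice": lambda invoice_id: {"id": invoice_id, "total": 120},
         "refund": lambda invoice_id, amount: f"refunded {amount} on {invoice_id}"}
```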
Related terms
Agent control plane
The layer in the path of every agent action that decides, enforces, and records what each agent can do.
MCP (Model Context Protocol)
An open standard for how agents discover and call tools — powerful, and easy to over-grant without governance.
PDP (Policy Decision Point)
The 'brain' that decides whether an agent action is allowed — evaluating the request against the agent's scope and guard rules and returning allow, deny, or needs-approval.
Attribution
Tracing every agent action back through the agent identity to the accountable human who owns it.
Put every agent your company runs under one policy.
Watch HiveKey scope, guard, and block a live action on your own agents — 30 minutes, no slides, no commitment.