Your policy runs before the action does.
Scope says what an agent could do. Guard decides whether this specific action is allowed right now — approved domains, spend caps, destructive-action blocks, approval thresholds — evaluated in the path, with no way around it.
The rules security teams actually ask for.
Guard rules are conditions on the action and its context. They compose, they're versioned, and they run on every single call.
Approved domains
mail_send and webhooks may only reach an allow-list of domains. Everything else is denied in the path.
Spend caps
Per-agent and per-day ceilings on payments_pay. A single charge over the cap is blocked, not flagged after the fact.
Block destructive actions
crm_delete, prod deploys, vault writes — denied outright or gated behind approval, per role.
Approval thresholds
Above a value or risk level, the action pauses for a named human to approve — in Slack or the console.
Rules read like the sentences you'd say out loud.
"Send only to approved domains." "Cap spend at $500 a day." "Anything over $200 needs sign-off." Each rule is a condition, an action, and a fallback.
if to_domain in {acme.com, *.acme.io}
if sum(payments, 24h) + amount ≤ $500
if amount > $200
if action == crm_delete
if target == staging
A denied action, step by step.
billing-bot tries to pay an invoice that breaks the daily cap. Watch the request hit the guard and stop before any money moves.
// agent request
{
  "agent": "billing-bot",
  "action": "payments_pay",
  "to": "vendor@acme.com",
  "amount": 540
}
Guard · evaluate
- R1 domain ok
- R2 cap exceeded: $480 spent + $540 > $500
No money moved. The denial is logged and attributed to billing-bot's owner.
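The rule shapes above (condition, action, fallback) and the billing-bot walk-through, as a runnable added example. This is not HiveKey's code: the rule names R1 to R4, the Ledger spend history, wildcard domain matching via fnmatch, the "to" field being an e-mail address or URL, and treating target == staging as the exemption for destructive actions are all assumptions made here. Every applicable rule is evaluated on every call (so the trace shows each check), a deny from any rule wins over an approval route, and the action itself is never executed by this code; the caller only gets the decision.

```python
"""Minimal in-path guard: evaluate policy rules against an agent action before it runs.
Added example, not HiveKey's code; names and data shapes are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from typing import Callable, Optional
from urllib.parse import urlsplit


@dataclass
class Action:
    agent: str
    action: str
    to: str = ""          # recipient address or URL (mail_send, webhook, payments_pay)
    amount: float = 0.0   # payment amount in dollars
    target: str = ""      # environment for destructive actions, e.g. "staging" / "prod"


@dataclass
class Ledger:
    """Constructed spend history: (timestamp, agent, amount) per past payment."""
    payments: list = field(default_factory=list)

    def spent_last(self, agent: str, window: timedelta, now: datetime) -> float:
        return sum(a for t, ag, a in self.payments if ag == agent and now - t <= window)


@dataclass
class Rule:
    name: str
    applies: Callable[[Action], bool]                              # actions this rule governs
    check: Callable[[Action, Ledger, datetime], Optional[str]]     # None = ok, else reason
    fallback: str                                                  # "deny" or "approve"


APPROVED_DOMAINS = ("acme.com", "*.acme.io")   # assumed allow-list
DAILY_CAP = 500
APPROVAL_THRESHOLD = 200
DESTRUCTIVE = {"crm_delete", "prod_deploy", "vault_write"}   # assumed action names


def domain_of(addr: str) -> str:
    """Host part of an e-mail address or URL (assumption about what 'to' contains)."""
    if "://" in addr:
        return (urlsplit(addr).hostname or "").lower()
    return addr.rsplit("@", 1)[-1].lower()


def domain_ok(a: Action, ledger: Ledger, now: datetime) -> Optional[str]:
    d = domain_of(a.to)
    return None if any(fnmatch(d, p) for p in APPROVED_DOMAINS) else f"{d} not in approved domains"


def cap_ok(a: Action, ledger: Ledger, now: datetime) -> Optional[str]:
    spent = ledger.spent_last(a.agent, timedelta(hours=24), now)
    if spent + a.amount > DAILY_CAP:
        return f"${spent:.0f} spent + ${a.amount:.0f} > ${DAILY_CAP}"
    return None


def needs_signoff(a: Action, ledger: Ledger, now: datetime) -> Optional[str]:
    return f"${a.amount:.0f} > ${APPROVAL_THRESHOLD}" if a.amount > APPROVAL_THRESHOLD else None


def destructive_ok(a: Action, ledger: Ledger, now: datetime) -> Optional[str]:
    # Assumption: destructive actions are allowed only against staging.
    return None if a.target == "staging" else f"{a.action} on {a.target or 'unspecified target'}"


RULES = [
    Rule("R1 domain", lambda a: a.action in {"mail_send", "webhook", "payments_pay"}, domain_ok, "deny"),
    Rule("R2 cap", lambda a: a.action == "payments_pay", cap_ok, "deny"),
    Rule("R3 sign-off", lambda a: a.action == "payments_pay", needs_signoff, "approve"),
    Rule("R4 destructive", lambda a: a.action in DESTRUCTIVE, destructive_ok, "deny"),
]


def evaluate(action: Action, ledger: Ledger, now: datetime, rules=RULES):
    """Return (decision, trace). decision is 'allow', 'approve' (route to a human) or 'deny'.
    All applicable rules run so the trace is complete; any deny outranks an approval route."""
    decision, trace = "allow", []
    for r in rules:
        if not r.applies(action):
            continue
        reason = r.check(action, ledger, now)
        if reason is None:
            trace.append(f"{r.name} ok")
            continue
        trace.append(f"{r.name} {reason}")
        if r.fallback == "deny":
            decision = "deny"
        elif decision == "allow":
            decision = "approve"
    return decision, trace


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    ledger = Ledger([(now - timedelta(hours=3), "billing-bot", 480)])   # constructed history
    req = Action("billing-bot", "payments_pay", to="vendor@acme.com", amount=540)
    print(evaluate(req, ledger, now))
    # ('deny', ['R1 domain ok', 'R2 cap $480 spent + $540 > $500', 'R3 sign-off $540 > $200'])
```

The trace mirrors the panel above: the domain check passes, the cap rule fires, and the separate sign-off rule still records that $540 is over the $200 threshold, but a deny is final regardless of the approval route. Swap the constructed ledger for a real spend store and call evaluate() before dispatching the tool call; if the decision is anything but "allow", the call must not go out.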
The difference enforcement makes.
Without Guard:
- Agent holds a raw key: every action it can reach, it can do.
- A bad prompt or bug can pay anyone, delete anything.
- Limits live in agent code, scattered and unverifiable.
- You find out something went wrong after the money's gone.
With Guard:
- Every action checked against policy before it runs.
- Destructive and high-value actions blocked or gated by default.
- One policy, versioned and reviewable, applied to the whole fleet.
- Denials caught in the path, and recorded for the record.
We don't just log it. We enforce it.
Guard isn't advice you read later. Every check runs in the path — allow, block, or route for approval — before the action happens.
- Real-time allow / block / approve on every tool & MCP call
- Least-privilege scoping — agents get only the tools they're provisioned for
- Per-agent spend caps, rate limits & budget ceilings
- Sequencing rules — can't call X until Y is human-approved
- Dual-control / four-eyes on high-risk actions (wires, key ops)
- Instant kill switch & circuit breaker when a breach is detected mid-run
- Secret & credential egress blocks + destination allow-lists
- Policy dry-run against real traffic before you turn enforcement on
- Behavioral anomaly detection — flag when an agent deviates from its normal pattern
- Prompt-injection & jailbreak detection at the tool boundary
- Semantic data-egress controls — stop PII leaving the boundary
- Quarantine / step-down — degrade a breaching agent to read-only, not just kill it
These ship monitor-first — observe and flag, then enforce — so detection earns its place before it can block real work.
Put every agent your company runs under one policy.
Watch HiveKey scope, guard, and block a live action on your own agents — 30 minutes, no slides, no commitment.