Lesson 3 of 6 · 10 min read

Agent Governance Policies

When AI agents act autonomously, you need clear rules and boundaries — defined as code, not as a document. OpenClaw implements policy-as-code: machine-readable guidelines that are automatically enforced.

Policy-as-Code

Why Policy-as-Code?

| Approach | Document-based | Policy-as-Code |
| --- | --- | --- |
| Format | PDF, wiki page | YAML, JSON, OPA/Rego |
| Enforcement | Manual, after the fact | Automatic, real-time |
| Versioning | Hard to track | Git-versioned |
| Testability | Not testable | Unit tests possible |
| Auditability | Hard to trace | Complete audit trail |

Policy Definition

# policies/support-agent.yml
policy:
  name: support-agent-governance
  version: "2.1"
  agent: support-agent-v3
  effective_date: "2026-01-15"

  permissions:
    allowed_tools:
      - knowledge_base_search
      - ticket_create
      - ticket_update
      - customer_lookup

    forbidden_tools:
      - database_write
      - payment_process
      - user_delete

    allowed_models:
      - gpt-4o
      - gpt-4o-mini

  boundaries:
    max_tokens_per_response: 1000
    max_tool_calls_per_interaction: 5
    max_interaction_duration: 300s
    allowed_languages: [de, en]

  content_rules:
    - name: no-legal-advice
      description: "Agent must not provide legal advice"
      check: output_not_contains_intent("legal_advice")
      action: escalate_to_human

    - name: no-price-commitments
      description: "Agent must not make price commitments"
      check: output_not_matches("\d+\s*(EUR|€|Dollar|\$).*guaranteed")
      action: rephrase_and_warn

Permission Boundaries

OpenClaw enforces granular permissions for each agent:

Tool Permissions

tool_permissions:
  knowledge_base_search:
    allowed: true
    rate_limit: 20/minute
    data_scope: public_only

  customer_lookup:
    allowed: true
    rate_limit: 5/minute
    fields_allowed: [name, email, plan]
    fields_blocked: [payment_info, ssn, password]

  ticket_create:
    allowed: true
    requires_approval: false
    auto_assign: true

  payment_process:
    allowed: false
    violation_action: block_and_alert

Data Access Boundaries

  • Read-only vs. read-write — Most agents only need read access
  • Field-level access — Access to specific fields, not entire records
  • Row-level security — Agent sees only its tenant's data
  • Time-limited access — Temporary access with automatic expiration

Escalation Rules

escalation:
  rules:
    - name: low-confidence
      condition: agent.confidence < 0.6
      action: transfer_to_human
      message: "Agent uncertain — transferring to employee"

    - name: angry-customer
      condition: sentiment.score < -0.7
      action: transfer_to_senior
      priority: high

    - name: legal-question
      condition: intent == "legal_advice"
      action: transfer_to_legal
      auto_response: "For legal questions, I'll connect you with our legal team."

    - name: repeated-failure
      condition: consecutive_failures >= 3
      action: pause_agent
      alert: critical

  fallback:
    default_action: transfer_to_human
    message: "I'll connect you with an employee."
    sla: 60s  # max wait time

Automatic Policy Enforcement

OpenClaw checks policies before and after every agent action:

Pre-Execution Check

  1. Does the agent have permission for this tool?
  2. Has the rate limit been reached?
  3. Is the data access within boundaries?

Post-Execution Check

  1. Does the output violate content rules?
  2. Was PII detected in the response?
  3. Is the confidence score above the minimum?
  4. Was the maximum token usage respected?

Policy Violation Handling

Policy Violation Detected
─────────────────────────
Agent:    support-agent-v3
Policy:   no-price-commitments (v2.1)
Trace:    tr_8f2a9b01
Time:     2026-02-18T15:42:01Z
Output:   "I guarantee you a price of EUR 99/month"
Action:   Rephrase → "For current pricing, please visit our pricing page."
Status:   Auto-corrected, alert sent to team
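
An added example (not OpenClaw code and not part of the original lesson): a unit test for the no-price-commitments rule, assuming output_not_matches means an unanchored, case-sensitive regex search over the agent output. Under that assumption the pattern from the policy file does not flag the output shown in the violation report above, because it expects the amount before the currency and the word "guaranteed" after both. HARDENED_PATTERN is a hypothetical replacement and the test cases are constructed.

```python
import re

# Pattern copied verbatim from the no-price-commitments rule in the policy file.
PAGE_PATTERN = re.compile(r"\d+\s*(EUR|€|Dollar|\$).*guaranteed")

# Hypothetical stricter pattern (an assumption, not OpenClaw's): a commitment
# word and a currency amount in either order, amount written either way round.
_CUR = r"(?:EUR|€|Dollar|\$)"
_NUM = r"\d+(?:[.,]\d+)?"
_AMOUNT = rf"(?:{_NUM}\s*{_CUR}|{_CUR}\s*{_NUM})"
_COMMIT = r"guarantee\w*"
HARDENED_PATTERN = re.compile(
    rf"{_COMMIT}.*{_AMOUNT}|{_AMOUNT}.*{_COMMIT}", re.IGNORECASE | re.DOTALL
)


def output_not_matches(pattern, output):
    """Assumed semantics of the rule's check: True (pass) when the regex is NOT found."""
    return pattern.search(output) is None


# Constructed cases: (agent output, should the rule flag it?)
CASES = [
    ("I guarantee you a price of EUR 99/month", True),  # output from the violation report
    ("99 EUR per month, guaranteed", True),
    ("Guaranteed: $49 for life", True),
    ("Our plan costs 99 EUR per month.", False),  # price stated, no commitment
    ("For current pricing, please visit our pricing page.", False),
]


def missed_violations(pattern):
    """Outputs that should be flagged but pass the check (false negatives)."""
    return [text for text, bad in CASES if bad and output_not_matches(pattern, text)]


def false_alarms(pattern):
    """Outputs that are acceptable but fail the check (false positives)."""
    return [text for text, bad in CASES if not bad and not output_not_matches(pattern, text)]


if __name__ == "__main__":
    for name, pat in (("page", PAGE_PATTERN), ("hardened", HARDENED_PATTERN)):
        print(f"{name}: missed={missed_violations(pat)} false_alarms={false_alarms(pat)}")
```

Keeping cases like these next to the policy file in Git lets a change to the rule's pattern be checked for false negatives before it is deployed.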

Practical Tip: Start with restrictive policies and loosen them gradually. It's easier to grant an agent new permissions than to undo damage from permissions that were too broad.