Policy-as-code for AI agents
Most AI safety today is enforced inside the model. Policy-as-code moves enforcement out of the prompt and into infrastructure — versioned, reviewable, deterministic.
The problem with prompt-level safety
Policy-as-code is one layer in the broader picture of governance for AI agents. It sits at the action boundary — the place where the model's intent becomes a real-world side effect. The default pattern for "safe" AI agents looks like this: a long system prompt that describes what the agent is and isn't allowed to do, plus a hope that the model will follow it. That works until the input shifts, the model is updated, or an adversary writes "ignore previous instructions". The constraint lives in natural language, inside a probabilistic system, and there is no audit trail of why a specific decision was made.
For consumer chat that's an acceptable trade. For an agent that touches a production database, sends money, deploys infrastructure, or takes actions on a user's behalf, it isn't.
What policy-as-code means for AI agents
Policy-as-code is the same idea that runs your Kubernetes admission control, your microservice authorisation, and your cloud IAM: the rules that decide allow / deny / require-approval are written as code, version-controlled in git, code-reviewed, tested, and evaluated by a deterministic engine at runtime.
Applied to AI agents, the policy doesn't try to constrain the model's reasoning. It governs the actions the agent attempts to take. Every tool call, every sub-agent spawn, every delegation, every resource request becomes a structured event. The policy engine looks at the event plus the session context and returns a decision.
Why OPA/Rego specifically
OPA (Open Policy Agent) is a CNCF graduated project. Rego is its policy language. Together they're the de facto standard for policy-as-code across cloud-native infrastructure, with mature tooling for testing, decision logging, bundle distribution, and multi-tenant evaluation.
Choosing OPA for AI agent governance means:
- One policy language across the stack. Your platform team already writes Rego. Agent policy lives in the same repo, the same review process, the same CI.
- Deterministic decisions. Same input + same policy = same decision. Reproducible in tests, defensible in audits.
- Decision logs out of the box. Every evaluation can be recorded with the policy version and the input. That's the audit trail regulators ask for.
- No new DSL to learn. Engineers don't need to pick up a framework-specific dialect that only governs one library.
What you actually govern
Concretely, an AI agent governance policy answers questions like:
- Can this agent invoke
shell.execat all? With what arguments? - Is this file write inside an allowed directory?
- This agent wants to spawn a sub-agent — what scope is the child allowed? Is it a subset of the parent?
- Has this session already exhausted its token / API-call / wall-clock budget?
- This proposed plan contains 24 steps and three calls to a write tool. Is it allowed to run, or does it need human approval first?
- This data is classified as confidential — is the agent allowed to send it to an external tool tier?
- The same engine governs an MCP tool call identically to a native Python tool call.
None of those are "is this prompt unsafe?" questions. They're authorisation questions, and they have hard, code-shaped answers.
How this differs from output validation and prompt scanning
Tools like Guardrails AI validate the model's output. Tools like LLM Guard scan prompts and responses for content patterns. Tools like NeMo Guardrails script dialogue rails. None of those layers answer "is this agent allowed to invoke this tool right now?" — that's the question policy-as-code is built for.
Where Kite Logik fits
Kite Logik is the policy enforcement point for AI agents in Python. It plugs into your existing agent framework (OpenAI Agents SDK, LangChain, LangGraph, CrewAI, Pydantic AI, and others), turns runtime events into structured policy inputs, evaluates them against your Rego policies, and emits an immutable audit log of every decision.
The model still drives the agent. Policy decides whether the agent gets to act on what the model proposed.
Frequently asked questions
What is policy-as-code for AI agents?
Policy-as-code applied to AI agents means the rules that decide allow / deny / require-approval for an agent's actions are written as code, version-controlled in git, code-reviewed, tested, and evaluated by a deterministic engine at runtime — instead of being expressed as natural-language instructions inside the system prompt.
Why use OPA/Rego instead of a Python policy framework?
Three reasons. (1) OPA is a CNCF graduated standard already used at scale for Kubernetes, microservices, and cloud authorisation — your platform team likely already writes Rego. (2) Rego is purpose-built for deterministic decisions and has a mature test toolchain. (3) One policy language across your stack means one review process, one set of skills, and shared tooling.
What can you express in an AI agent policy?
Whether a tool can be called at all, with what arguments, by which agent, in which session. Whether a sub-agent can be spawned and with what scope. Delegation depth and scope-narrowing rules. Token / API-call / wall-clock budgets per session. Plan-level constraints (e.g. "deny plans with > 20 steps"). Data-classification flow rules (e.g. "PII stays in the primary session").
Does policy-as-code replace prompt-engineered safety?
It replaces prompt-based safety for the actions the agent takes. Constraints that live in natural language inside a probabilistic system are unenforceable under adversarial inputs. Policy-as-code enforces those constraints in infrastructure, with an audit trail. Prompt-level safety is still useful for the model's tone and refusal behaviour — it just shouldn't be the only line of defence.
Is policy-as-code overkill for a small AI agent?
If the agent only generates text, yes. If the agent calls real tools — files, shell, databases, payment APIs, infrastructure — then the moment the cost of one wrong call exceeds the cost of writing a policy, you want policy-as-code. For most production agents that's on day one.