Policy Builder


The Policy Builder is where Authorization intent becomes an enforceable Policy. Instead of requiring knowledge of a policy language or abstract access rules, the Policy Builder is designed around the agentic ecosystem itself, including users, Agents, tools, and data, as they exist in your Environment.

The experience is visual, composable, and aligned with how AI systems operate.

Using the Policy Builder

Understanding OPA, Rego, or any underlying Policy syntax is not required. The PlainID Authorization Platform manages that complexity. You work with a purpose-built data model that reflects real-world AI workflows and enables intuitive access decision modeling.

Visual and AI Assisted Policies

The Policy Builder supports two complementary approaches for defining Policies, and you can switch between them at any time:

  • Structured visual modeling using drag and drop components on the canvas.
  • AI-assisted authoring using natural language to describe what you want to allow. See the AI Policy Assistant section for more information.

Both approaches generate the same underlying Policy model. You can move between AI-assisted and visual policy creation without being restricted to a single method.

At every stage, the AI assistant can help you add components, clarify intent, or complete missing elements in the model. When you request additions such as Identities, Agents, or controls, the canvas updates immediately.

Policy Structure

Policies are built from the top down, following the natural flow of an AI interaction:

  • Identities: Who or what initiates the request
  • Agents: Which AI Agents can be invoked
  • Controls and Guardrails: What data, tools, constraints, or conditions apply

Each Policy defines both:

  • Who: A combination of Identities and Agents.
  • What: The Actions, tools, or Assets that are allowed.

Policy Validity and Enforcement

To ensure that a Policy is meaningful and enforceable, it must include at least one of the following:

  • Identity
  • Agent
  • Control or Guardrail, such as MCP controls, RAG controls, input guardrails, or output guardrails

A Policy that defines WHO without defining WHAT is not valid. Similarly, access to tools or data cannot be granted without clearly specifying which Identities and Agents the access applies to.

This structure ensures that every Policy represents a complete, least-privilege Authorization decision.

AI Policy Assistant

Each section of the Policy Builder includes an AI Policy Assistant. It is an embedded chat interface designed to help you efficiently build and refine Authorization Policies.

The AI Policy Assistant serves two primary purposes:

  • Contextual guidance and knowledge access
    The assistant is aware of:

    • Available MCP tools
    • Supported Policy components and guardrails
    • Relevant Policy metadata and constraints

    This enables accurate, context-aware recommendations.
  • Policy authoring and risk-aware creation
    The assistant helps construct Policies directly within the MCP context, with attention to:

    • Appropriate guardrails and constraints for sensitive access scenarios
    • Best practices for structuring Identities, resources, Actions, and Conditions

Using the AI Policy Assistant

  1. Click a Policy component, such as Identities, Resources, or a Guardrail. The configuration panel opens.
  2. In the upper corner of the panel, click the AI Assistant icon.
  3. The AI Policy Assistant chat opens and is automatically scoped to the selected component.

This allows you to ask the assistant to generate or refine Policy logic for specific components, request explanations of how a component behaves, and iteratively build Policies using natural language.

In the following sections, you will explore each building block in detail, beginning with Identities and Agents, which together define who is permitted to initiate AI interactions in your Application.