Skip to main content
Controls what your agents can do. Every tool call passes through policy evaluation before executing — permitted, denied, masked, or routed to a human for approval. There is no additional code beyond the visiq() call shown in the Quickstart.

How action governance intercepts tool calls

visiq() wraps your tools’ dispatch methods — the functions your framework invokes to actually run a tool — so every call is evaluated before the tool function body runs. The same one-line install works across every supported framework (LangChain, LangGraph, Vercel AI SDK, Mastra, VoltAgent, OpenAI Agents SDK, LlamaIndex.TS, and bare tool objects); see the Quickstart for per-framework setup. The flow:
  1. Agent decides to call a tool (e.g., issue_refund with { amount: 500 })
  2. The harness evaluates the tool name + arguments against a locally cached rule bundle
  3. One of four outcomes applies:
A denial is returned to the model as the tool’s output — nothing is thrown — so the agent can read it and change course:
Evaluation is local and in-process: permit, deny, and mask decisions make no network call. The only decision-path network call is registering an approval request when a rule routes the action to a human. The rule bundle refreshes in the background every few seconds.

Key concepts

Rules

Define what each agent can and cannot do. Write rules in natural language (the platform compiles them into policies) or author policy source directly. Conditions match on tool name, arguments, agent trust tier and business function, and normalized event fields. Every organization starts with a curated catalog of 29 default rules.

Human-in-the-Loop

Route sensitive tool calls to humans for real-time approval over Slack (interactive buttons), Microsoft Teams (Adaptive Cards), or email (one-click links) — plus the dashboard queue. Configurable timeouts and per-agent owner routing.

Audit trail

Every decision is logged with the agent ID, the action (tool) and its arguments, the rule matched, and the outcome — queryable via the read-only API (GET /v1/allow/audit-log). Each decision also emits a cryptographically signed record envelope; see Audit Trail for the receipt and verification model.

Fail-closed

An agent confirmed in enforce that loses its cached bundle stays fail-closed — denying tool calls rather than running them unevaluated (G001). A never-confirmed agent cold-starts in monitor instead, observing without blocking. Once a bundle is cached, evaluation continues locally through backend outages.

Three modes

Mode is server-authoritative — resolved on the backend and shipped inside the rule bundle, so a change propagates to running SDKs on the next background refresh, within a few seconds. There is no SDK-side mode option. An agent’s mode either inherits an org-wide default (allow_settings.default_agent_mode, itself defaulting to monitor) or is overridden per agent from the Agents page (under Harness). It can also be pinned per operation — for example enforce actions while keeping retrievals in monitor — with any operation left unset inheriting the agent’s resolved mode.
Rollout is monitor-first by design. A never-before-seen agent_id is auto-provisioned in monitor mode on first contact, so the install observes real traffic without disrupting anything. Review what would have been blocked on the dashboard, tune coverage, then flip that agent to Enforce — the SDK picks up the change live.

Next steps

Rules

Define what your agents can and cannot do.

Human-in-the-Loop

Route sensitive actions to humans for approval.

API Reference

REST API for rules, decisions, agents, and audit log.

SDK Reference

Complete visiq() API — options, framework detection, error behavior.