Policies define what rules your agent must follow. While personas represent who interacts with your agent, policies represent the constraints your agent must respect—compliance requirements, operational guidelines, content restrictions, and security boundaries.
Why Policies Matter
Every organization has rules about what AI agents can and cannot do. These might be:
- Regulatory requirements — HIPAA, GDPR, SOC 2, industry-specific mandates
- Operational guidelines — Response formatting, escalation procedures, approved topics
- Security boundaries — Data access limits, prohibited actions, authentication requirements
- Content restrictions — Tone guidelines, forbidden topics, disclosure requirements
Without explicit policies, evaluations test generic behaviors. With policies, evaluations verify that your agent respects your specific constraints.
The Policy Registry
Navigate to Policies in the sidebar to open the Policy Registry.
The registry displays all policies in your workspace:
| Column | What It Shows |
|---|---|
| Name | Policy identifier and description |
| Category | Compliance, Security, Operational, or Custom |
| Status | Draft or Active |
| Version | Semantic version number |
| Rules | Number of extracted rules |
| Updated | Last modification date |
Policy Categories
Vijil organizes policies into categories that reflect their purpose:
| Category | Purpose | Examples |
|---|---|---|
| Compliance | Regulatory and legal requirements | HIPAA, GDPR, CCPA, NIST AI RMF |
| Security | Security controls and boundaries | CIS benchmarks, access controls |
| Operational | Business rules and guidelines | Response formats, escalation procedures |
| Custom | Organization-specific policies | Internal guidelines, brand standards |
Creating Policies
Click + Create Policy to open the creation modal. You can write a policy directly or upload an existing document.
Write Policy
Use this option to define policies directly in the console:
Basic Information:
- Policy Name — Descriptive identifier (e.g., “GDPR Compliance Policy”, “Customer Support Guidelines”)
- Description — Brief summary of what this policy covers
Category & Status:
- Category — Select from Compliance, Security, Operational, or Custom
- Status — Start with Draft, change to Active when ready for use
- Version — Semantic version (e.g., 1.0.0)
Policy Content:
- Policy Text — The full text of your policy, written in plain text or markdown
Upload Policy
Use this option to import existing policy documents:
Supported formats:
- PDF — Standard policy documents
- TXT — Plain text files
Maximum file size: 10MB
After upload, Vijil extracts the policy text for rule generation.
Policy Structure
Effective policies contain clear, testable statements. Structure your policies with:
Prohibitions — What the agent must never do:
“The agent must never disclose customer personal information to unauthorized parties.”
Obligations — What the agent must always do:
“The agent must verify user identity before providing account information.”
Permissions — What the agent is allowed to do:
“The agent may recommend products based on customer purchase history.”
Conditions — Context-specific rules:
“When handling healthcare data, the agent must comply with HIPAA requirements.”
Write policies in clear, imperative language. Avoid ambiguous terms like “should try to” or “when appropriate.” Vijil generates better test cases from precise statements.
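The guidance above can be checked before a policy is pasted into the console. The following pre-check is an added example, not part of the Vijil product or its rule extraction: it splits a numbered policy into rules, sorts each into the four statement types with a simple keyword heuristic (an assumption), and flags the ambiguous phrases named above. The function names and the sample policy are hypothetical.

```python
import re

# The two phrases this page names as ambiguous; extend for your own style guide.
AMBIGUOUS = ("should try to", "when appropriate")

# Constructed sample: rules 1-3 and 5 are quoted from this page, rule 4 is made up.
SAMPLE = """\
ACCESS CONTROL REQUIREMENTS
1. The agent must verify user identity before providing account information.
2. The agent must not perform actions requiring elevated privileges
without explicit authorization.
3. Guest users may only access public information.
4. The agent should try to escalate billing disputes when appropriate.
5. When handling healthcare data, the agent must comply with HIPAA requirements.
"""

def split_rules(text):
    """Return one string per numbered rule, joining wrapped lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"\d+\.\s", line):
            rules.append(re.sub(r"^\d+\.\s+", "", line))
        elif rules and line:
            rules[-1] += " " + line  # continuation of the previous rule
    return rules

def classify(rule):
    """Keyword heuristic (assumption): map a rule to a statement type."""
    low = rule.lower()
    if re.match(r"(when|if)\b", low):
        return "condition"
    if re.search(r"\bmust (never|not)\b", low):
        return "prohibition"
    if re.search(r"\bmay\b", low):
        return "permission"
    if re.search(r"\bmust\b", low):
        return "obligation"
    return "unclear"  # no imperative modal found: reword before use

def lint(text):
    """Return (rule number, statement type, ambiguous phrases found)."""
    return [(n, classify(r), [p for p in AMBIGUOUS if p in r.lower()])
            for n, r in enumerate(split_rules(text), start=1)]

if __name__ == "__main__":
    for n, kind, flags in lint(SAMPLE):
        note = f"  <- reword: {', '.join(flags)}" if flags else ""
        print(f"rule {n}: {kind}{note}")
```

Rules reported as `unclear` or carrying flagged phrases are the ones to rewrite as an explicit "must", "must not", or "may" statement.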
From Policy to Test Cases
When you include a policy in a custom harness, Vijil:
- Analyzes the policy text to identify testable rules
- Generates test cases that probe each rule
- Evaluates whether your agent respects the constraints
- Reports violations with specific evidence
For example, a policy stating “Never recommend competitors” generates test cases where personas ask about competitor products, measuring whether your agent deflects appropriately.
Policy Status
Policies progress through lifecycle states:
| Status | Meaning |
|---|---|
| Draft | Under development, not used in evaluations |
| Active | Ready for use in custom harnesses |
Set status to Active before including policies in harnesses.
Common Policy Patterns
Data Privacy Policy
DATA PRIVACY REQUIREMENTS
1. The agent must not store or log personally identifiable information (PII)
from conversations.
2. The agent must not share customer data with third parties.
3. When asked about data handling, the agent must direct users to the
privacy policy at [privacy URL].
4. The agent must inform users when their data is being processed.
Content Moderation Policy
CONTENT GUIDELINES
1. The agent must not generate harmful, illegal, or discriminatory content.
2. The agent must not provide medical, legal, or financial advice.
3. The agent must redirect sensitive topics to qualified professionals.
4. The agent must maintain a professional, helpful tone in all responses.
Access Control Policy
ACCESS CONTROL REQUIREMENTS
1. The agent must verify user identity before providing account information.
2. The agent must not perform actions requiring elevated privileges
without explicit authorization.
3. Guest users may only access public information.
4. Admin actions must be logged and auditable.
Using Policies in Harnesses
Policies become powerful when combined with personas in custom harnesses:
- Navigate to Harnesses and click + Create Harness
- In the Select Policies step, choose relevant policies
- Vijil generates test cases that combine persona behaviors with policy constraints
A security researcher persona combined with a data privacy policy generates test cases where an adversarial user attempts to extract protected information—testing both the attack surface and the policy enforcement.