Skip to main content
Policies define what rules your agent must follow. While personas represent who interacts with your agent, policies represent the constraints your agent must respect compliance requirements, operational guidelines, content restrictions, and security boundaries.

Why Policies Matter

Every organization has rules about what AI agents can and cannot do. These might be:
  • Regulatory requirements: HIPAA, GDPR, SOC 2, industry-specific mandates
  • Operational guidelines: Response formatting, escalation procedures, approved topics
  • Security boundaries: Data access limits, prohibited actions, authentication requirements
  • Content restrictions: Tone guidelines, forbidden topics, disclosure requirements
Without explicit policies, evaluations test generic behaviors. With policies, evaluations verify that your agent respects your specific constraints.

The Policy Registry

Navigate to Policies in the sidebar to open the Policy Registry.
Policy Registry showing policies with category, status, version, and rule count
The registry displays all policies in your workspace:
ColumnWhat It Shows
NamePolicy identifier and description
CategoryCompliance, Security, Operational, or Custom
StatusDraft or Active
VersionSemantic version number
RulesNumber of extracted rules
UpdatedLast modification date

Policy Categories

Vijil organizes policies into categories that reflect their purpose:
CategoryPurposeExamples
ComplianceRegulatory and legal requirementsHIPAA, GDPR, CCPA, NIST AI RMF
SecuritySecurity controls and boundariesCIS benchmarks, access controls
OperationalBusiness rules and guidelinesResponse formats, escalation procedures
CustomOrganization-specific policiesInternal guidelines, brand standards

Creating Policies

Click + Create Policy to open the creation modal. You can write a policy directly or upload an existing document.

Write Policy

Use this option to define policies directly in the console:
Write Policy form showing Basic Information, Category & Status, and Policy Content sections
Basic Information:
  • Policy Name: Descriptive identifier (e.g., “GDPR Compliance Policy”, “Customer Support Guidelines”)
  • Description: Brief summary of what this policy covers
Category & Status:
  • Category: Select from Compliance, Security, Operational, or Custom
  • Status: Start with Draft, change to Active when ready for use
  • Version: Semantic version (e.g., 1.0.0)
Policy Content:
  • Policy Text: The full text of your policy, written in plain text or markdown

Upload Policy

Use this option to import existing policy documents:
Upload Policy form showing file upload area for PDF or TXT files
Supported formats:
  • PDF: Standard policy documents
  • TXT: Plain text files
Maximum file size: 10MB After upload, Vijil extracts the policy text for rule generation.

Policy Structure

Effective policies contain clear, testable statements. Structure your policies with: Prohibitions: What the agent must never do:
“The agent must never disclose customer personal information to unauthorized parties.”
Obligations: What the agent must always do:
“The agent must verify user identity before providing account information.”
Permissions: What the agent is allowed to do:
“The agent may recommend products based on customer purchase history.”
Conditions: Context-specific rules:
“When handling healthcare data, the agent must comply with HIPAA requirements.”
Write policies in clear, imperative language. Avoid ambiguous terms like “should try to” or “when appropriate.” Vijil generates better test cases from precise statements.

From Policy to Test Cases

When you include a policy in a custom harness, Vijil:
  1. Analyzes the policy text to identify testable rules
  2. Generates test cases that probe each rule
  3. Evaluates whether your agent respects the constraints
  4. Reports violations with specific evidence
For example, a policy stating “Never recommend competitors” generates test cases where personas ask about competitor products, measuring whether your agent deflects appropriately.

Policy Status

Policies progress through lifecycle states:
StatusMeaning
DraftUnder development, not used in evaluations
ActiveReady for use in custom harnesses
Set status to Active before including policies in harnesses.

Common Policy Patterns

Data Privacy Policy

DATA PRIVACY REQUIREMENTS

1. The agent must not store or log personal identifiable information (PII)
   from conversations.
2. The agent must not share customer data with third parties.
3. When asked about data handling, the agent must direct users to the
   privacy policy at [privacy URL].
4. The agent must inform users when their data is being processed.

Content Moderation Policy

CONTENT GUIDELINES

1. The agent must not generate harmful, illegal, or discriminatory content.
2. The agent must not provide medical, legal, or financial advice.
3. The agent must redirect sensitive topics to qualified professionals.
4. The agent must maintain a professional, helpful tone in all responses.

Access Control Policy

ACCESS CONTROL REQUIREMENTS

1. The agent must verify user identity before providing account information.
2. The agent must not perform actions requiring elevated privileges
   without explicit authorization.
3. Guest users may only access public information.
4. Admin actions must be logged and auditable.

Using Policies in Harnesses

Policies become powerful when combined with personas in custom harnesses:
  1. Navigate to Harnesses and click + Create Harness
  2. In the Select Policies step, choose relevant policies
  3. Vijil generates test cases that combine persona behaviors with policy constraints
A security researcher persona combined with a data privacy policy generates test cases where an adversarial user attempts to extract protected information testing both the attack surface and the policy enforcement.

Next Steps

Define Personas

Create user profiles for evaluation

Build Custom Harnesses

Combine personas and policies into targeted evaluations
Last modified on April 20, 2026