Policies are governance rules that the MeshAI proxy evaluates on every LLM request passing through it. When a request violates a policy, the proxy rejects it with HTTP 403 and logs a policy.violated audit event; the request never reaches the upstream provider.

Policy Types

Type                  Description                                           Example
model_allowlist       Restrict which models an agent can use                Only allow gpt-4o and claude-sonnet-4-20250514
block_provider        Block an entire LLM provider                          Block all requests to openai
require_approval      Require HITL approval before the request proceeds     All production agents need approval
budget_limit          Enforce a monthly spend cap (USD)                     $500/month per agent
rate_limit            Throttle requests per minute                          60 requests/min
require_human_review  Flag the agent for periodic human review              High-risk agents reviewed weekly
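
To make the evaluation semantics concrete, here is an offline emulation of the checks in the table above. It is an added example for this page, not MeshAI's proxy code. It consumes policy objects in the JSON shape the API returns (id, policy_type, config, scope, agent_id, enabled), runs constructed requests through them, and produces the same 403 body and policy.violated event that the proxy is documented to emit. The evaluation order, the per-agent counting for budget_limit and rate_limit, failing closed on an unknown scope, and treating require_approval as a "hold" outcome are assumptions of the example.

```python
"""Offline emulation of MeshAI proxy policy evaluation (added example, not
MeshAI's own code). Order of checks, per-agent quota counting and the "hold"
outcome for require_approval are assumptions made for this illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class ProxyRequest:
    agent_id: str
    provider: str
    model: str
    environment: str = "production"
    estimated_cost_usd: float = 0.0
    ts: float = 0.0  # seconds; supplied by the caller so the example is deterministic


@dataclass
class PolicyEngine:
    policies: list
    spend_usd: dict = field(default_factory=lambda: defaultdict(float))  # per agent
    windows: dict = field(default_factory=lambda: defaultdict(deque))    # per agent
    audit_log: list = field(default_factory=list)

    def _applies(self, policy, req):
        if not policy.get("enabled", False):
            return False
        scope = policy.get("scope", "global")
        if scope == "global":
            return True
        if scope == "agent":
            return policy.get("agent_id") == req.agent_id
        raise ValueError(f"unknown scope {scope!r} on {policy.get('id')}")  # fail closed

    def _deny(self, policy, detail):
        # Same shape as the documented 403 body plus the policy.violated audit event.
        self.audit_log.append({"event_type": "policy.violated",
                               "policy_id": policy["id"], "detail": detail})
        body = {"error": f"Policy violation: {policy['policy_type']} - {detail}",
                "policy_id": policy["id"], "status": 403}
        return {"decision": "deny", "response": body}

    def evaluate(self, req):
        hold = False
        for p in self.policies:
            if not self._applies(p, req):
                continue
            kind, cfg = p["policy_type"], p.get("config", {})
            if kind == "model_allowlist" and req.model not in cfg.get("allowed_models", []):
                return self._deny(p, f"model '{req.model}' is not in the allowed list")
            if kind == "block_provider" and req.provider == cfg.get("provider"):
                return self._deny(p, f"provider '{req.provider}' is blocked")
            if kind == "budget_limit":
                projected = self.spend_usd[req.agent_id] + req.estimated_cost_usd
                if projected > cfg["monthly_limit_usd"]:
                    return self._deny(p, f"projected spend ${projected:.2f} exceeds monthly limit")
            if kind == "rate_limit":
                window = self.windows[req.agent_id]
                while window and req.ts - window[0] >= 60:  # sliding 60 s window
                    window.popleft()
                if len(window) >= cfg["requests_per_minute"]:
                    return self._deny(p, f"exceeded {cfg['requests_per_minute']} requests/min")
            if kind == "require_approval" and req.environment == cfg.get("environment"):
                hold = True  # decided after the deny checks so a blocked request is never queued
            # require_human_review is a periodic review flag, not a per-request check
        if hold:
            return {"decision": "hold", "response": None}
        self.spend_usd[req.agent_id] += req.estimated_cost_usd  # only allowed requests use quota
        self.windows[req.agent_id].append(req.ts)
        return {"decision": "allow", "response": None}


# Constructed sample policies in the shape returned by POST /governance/policies.
SAMPLE_POLICIES = [
    {"id": "pol_abc123", "policy_type": "model_allowlist", "scope": "global", "enabled": True,
     "config": {"allowed_models": ["gpt-4o", "claude-sonnet-4-20250514", "gemini-2.0-flash"]}},
    {"id": "pol_budget", "policy_type": "budget_limit", "scope": "agent", "agent_id": "agt_abc123",
     "enabled": True, "config": {"monthly_limit_usd": 500}},
    {"id": "pol_rate", "policy_type": "rate_limit", "scope": "global", "enabled": True,
     "config": {"requests_per_minute": 60}},
    {"id": "pol_approve", "policy_type": "require_approval", "scope": "global", "enabled": True,
     "config": {"environment": "production"}},
    {"id": "pol_disabled", "policy_type": "block_provider", "scope": "global", "enabled": False,
     "config": {"provider": "anthropic"}},
]


def demo():
    """Run constructed requests through the engine; returns (decisions, engine)."""
    engine, r = PolicyEngine(SAMPLE_POLICIES), []
    r.append(engine.evaluate(ProxyRequest("agt_abc123", "openai", "gpt-3.5-turbo", "staging")))  # allowlist
    r.append(engine.evaluate(ProxyRequest("agt_abc123", "anthropic", "claude-sonnet-4-20250514",
                                          "staging", 1.5, ts=1)))              # disabled block_provider ignored
    r.append(engine.evaluate(ProxyRequest("agt_abc123", "openai", "gpt-4o", "production", ts=2)))  # held for HITL
    r.append(engine.evaluate(ProxyRequest("agt_abc123", "openai", "gpt-4o", "staging", 499, ts=3)))  # budget
    for i in range(60):  # another agent: outside the budget scope, fills the 60/min window
        r.append(engine.evaluate(ProxyRequest("agt_other", "google", "gemini-2.0-flash", "staging", ts=10 + i / 2)))
    r.append(engine.evaluate(ProxyRequest("agt_other", "google", "gemini-2.0-flash", "staging", ts=39.9)))  # 61st
    r.append(engine.evaluate(ProxyRequest("agt_other", "google", "gemini-2.0-flash", "staging", ts=70.5)))  # window slid
    return r, engine
```

Two design points worth noting: a disabled policy is skipped entirely rather than evaluated and ignored, and a request that is denied does not consume budget or rate-limit quota, so a flood of blocked requests cannot starve an agent's legitimate traffic. Whether the real proxy behaves this way on those points is not stated on this page.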

Create a Policy

curl -X POST https://api.meshai.dev/governance/policies \
  -H "Authorization: Bearer msh_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "production-model-allowlist",
    "description": "Only approved models in production",
    "policy_type": "model_allowlist",
    "config": {
      "allowed_models": ["gpt-4o", "claude-sonnet-4-20250514", "gemini-2.0-flash"]
    },
    "scope": "global",
    "enabled": true
  }'

{
  "success": true,
  "data": {
    "id": "pol_abc123",
    "name": "production-model-allowlist",
    "policy_type": "model_allowlist",
    "config": {
      "allowed_models": ["gpt-4o", "claude-sonnet-4-20250514", "gemini-2.0-flash"]
    },
    "scope": "global",
    "enabled": true,
    "created_at": "2026-03-17T10:00:00Z"
  }
}

Policy Examples

Block a Provider

curl -X POST https://api.meshai.dev/governance/policies \
  -H "Authorization: Bearer msh_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "block-openai",
    "policy_type": "block_provider",
    "config": { "provider": "openai" },
    "scope": "global",
    "enabled": true
  }'

Require Approval (HITL)

curl -X POST https://api.meshai.dev/governance/policies \
  -H "Authorization: Bearer msh_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "production-approval",
    "policy_type": "require_approval",
    "config": { "environment": "production" },
    "scope": "global",
    "enabled": true
  }'

Budget Limit

curl -X POST https://api.meshai.dev/governance/policies \
  -H "Authorization: Bearer msh_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "agent-budget-cap",
    "policy_type": "budget_limit",
    "config": { "monthly_limit_usd": 500 },
    "scope": "agent",
    "agent_id": "agt_abc123",
    "enabled": true
  }'

Rate Limit

curl -X POST https://api.meshai.dev/governance/policies \
  -H "Authorization: Bearer msh_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "api-rate-limit",
    "policy_type": "rate_limit",
    "config": { "requests_per_minute": 60 },
    "scope": "global",
    "enabled": true
  }'

Require Human Review

curl -X POST https://api.meshai.dev/governance/policies \
  -H "Authorization: Bearer msh_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "high-risk-review",
    "policy_type": "require_human_review",
    "config": { "review_interval_days": 7 },
    "scope": "agent",
    "agent_id": "agt_abc123",
    "enabled": true
  }'

List Policies

curl https://api.meshai.dev/governance/policies \
  -H "Authorization: Bearer msh_YOUR_API_KEY"

Update a Policy

curl -X PATCH https://api.meshai.dev/governance/policies/pol_abc123 \
  -H "Authorization: Bearer msh_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "enabled": false }'

Delete a Policy

curl -X DELETE https://api.meshai.dev/governance/policies/pol_abc123 \
  -H "Authorization: Bearer msh_YOUR_API_KEY"
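
Creating policies one curl call at a time is easy to drift from; a governance setup is better kept as declared state and reconciled against what the API reports. The following Python is an added example, not MeshAI's SDK. It uses only the endpoints shown above, matches policies by name (the page does not say names are unique; that is assumed here), assumes the list response wraps policies as {"success": true, "data": [...]} in the same way the create response does, and disables undeclared policies with the documented PATCH rather than deleting them. The transport is injected so the demo runs offline against a constructed in-memory fake; http_transport shows the real call with the key read from MESHAI_API_KEY.

```python
"""Policy-as-code reconciliation for MeshAI governance policies (added example,
not MeshAI's SDK). Assumes names are unique and that GET returns
{"success": true, "data": [policy, ...]}; both are assumptions, not documented."""
import json
import os
import urllib.request

API = "https://api.meshai.dev"


def http_transport(method, path, body=None):
    """Real transport for the documented endpoints; key comes from MESHAI_API_KEY."""
    req = urllib.request.Request(
        API + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {os.environ['MESHAI_API_KEY']}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class FakeAPI:
    """Constructed in-memory stand-in for GET/POST/PATCH /governance/policies."""
    def __init__(self):
        self.store, self.n, self.calls = {}, 0, []

    def __call__(self, method, path, body=None):
        self.calls.append((method, path))
        if method == "GET":
            return {"success": True, "data": list(self.store.values())}
        if method == "POST":
            self.n += 1
            pol = {"id": f"pol_{self.n:03d}", **body}
            self.store[pol["id"]] = pol
            return {"success": True, "data": pol}
        if method == "PATCH":
            pid = path.rsplit("/", 1)[1]
            self.store[pid].update(body)
            return {"success": True, "data": self.store[pid]}
        raise ValueError(f"unsupported method {method}")


def reconcile(desired, transport):
    """Make live policies match `desired`; returns the (action, name) pairs taken."""
    live = {p["name"]: p for p in transport("GET", "/governance/policies")["data"]}
    actions = []
    for want in desired:
        have = live.get(want["name"])
        if have is None:
            transport("POST", "/governance/policies", want)
            actions.append(("create", want["name"]))
            continue
        diff = {k: v for k, v in want.items() if have.get(k) != v}  # only send changed fields
        if diff:
            transport("PATCH", f"/governance/policies/{have['id']}", diff)
            actions.append(("update", want["name"]))
        else:
            actions.append(("unchanged", want["name"]))
    # Undeclared live policies are disabled, not deleted, so the record and its
    # audit history survive (a choice made in this example, not mandated by the API).
    wanted = {d["name"] for d in desired}
    for name, pol in live.items():
        if name not in wanted and pol.get("enabled"):
            transport("PATCH", f"/governance/policies/{pol['id']}", {"enabled": False})
            actions.append(("disable", name))
    return actions


# Constructed desired state, in the request shape used by POST /governance/policies.
DESIRED = [
    {"name": "production-model-allowlist", "policy_type": "model_allowlist",
     "config": {"allowed_models": ["gpt-4o", "claude-sonnet-4-20250514"]},
     "scope": "global", "enabled": True},
    {"name": "api-rate-limit", "policy_type": "rate_limit",
     "config": {"requests_per_minute": 60}, "scope": "global", "enabled": True},
]


def demo():
    """Seed a fake API with drifted state, reconcile twice; second run must be a no-op."""
    api = FakeAPI()
    api("POST", "/governance/policies", {"name": "production-model-allowlist",
        "policy_type": "model_allowlist", "config": {"allowed_models": ["gpt-4o"]},
        "scope": "global", "enabled": True})                      # stale allowlist
    api("POST", "/governance/policies", {"name": "block-openai", "policy_type": "block_provider",
        "config": {"provider": "openai"}, "scope": "global", "enabled": True})  # undeclared
    first = reconcile(DESIRED, api)
    second = reconcile(DESIRED, api)
    return first, second, api
```

Run the reconcile in CI from a reviewed file of desired policies and swap FakeAPI for http_transport; diffing only changed fields keeps the PATCH bodies minimal and the audit trail readable.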

What Happens When a Policy Is Violated

When a proxy request violates a policy, the agent receives:

{
  "error": "Policy violation: model_allowlist — model 'gpt-3.5-turbo' is not in the allowed list",
  "policy_id": "pol_abc123",
  "status": 403
}
An audit event is logged automatically with event type policy.violated.