Why Policies?
Autonomy without governance is a liability. Consonant provides the external guardrails needed for enterprise agents.
The Prompt Injection Illusion
Most agent frameworks rely on "System Prompts" for safety (e.g., "Please do not share PII"). This is fundamentally insecure. Prompt injection can bypass these instructions, and LLMs are notorious for "forgetting" constraints under high context loads.
DO NOT RELY ON PROMPTS
LLMs are non-deterministic. If your security relies on an agent "choosing" to follow a rule, you have no security.
External Guardrails: Out-of-Band Enforcement
Consonant uses External Policies. The governance layer sits *outside* the agent's context window. Even if an agent is successfully "jailbroken" or hallucinates a dangerous action, the Control Plane evaluates the tool call and blocks it before it ever reaches your infrastructure.
Zero-Trust Actions
Every sensitive tool (DB writes, Email sends, Payments) must be white-listed in a central policy file.
Policy as Code (OPA)
We use Open Policy Agent (Rego) to define deterministic, audit-ready rules for every agent interaction.
Example: The $10,000 Safety Net
Imagine a "Customer Success" agent with access to a refund tool. You can define a policy that allows it to process refunds up to $50 automatically, but requires human approval for anything higher.
```rego
# Refund Approval Policy
package refunds

default allow = false

# Allow agent to refund if amount is < $50
allow {
    input.action == "process_refund"
    input.amount < 50
}

# Allow larger refunds only when a human has signed off
allow {
    input.action == "process_refund"
    input.amount >= 50
    input.metadata.human_approval_id
}

# Require human sign-off if amount >= $50
deny[msg] {
    input.action == "process_refund"
    input.amount >= 50
    not input.metadata.human_approval_id
    msg := "Refunds over $50 require a human_approval_id"
}
```
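To show what "out-of-band enforcement" looks like at the code level, here is an added example (not Consonant's code or API) of a tool gate that sits between the agent and its tools. It mirrors the refund rules of the Rego policy above plus the zero-trust allowlist, evaluates every request deterministically, writes an audit record, and fails closed when the policy engine itself errors. The action names, the `ALLOWLISTED_ACTIONS` set, the `Decision`/`ToolGate` classes and the sample requests are all constructed for this illustration.

```python
"""Added example: an out-of-band tool gate enforcing the refund policy
outside the agent's context window.  Everything here (action names,
allowlist, ToolGate) is constructed for illustration; it is not
Consonant's code."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

# Constructed allowlist (zero-trust actions): any action the agent requests
# that is not listed here is denied, regardless of what its prompt said.
ALLOWLISTED_ACTIONS = {"process_refund", "send_email", "lookup_order"}
REFUND_AUTO_LIMIT = 50  # mirrors `input.amount < 50` in the Rego policy above


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: Tuple[str, ...] = ()


def evaluate(inp: Dict[str, Any]) -> Decision:
    """Deterministic evaluation over the same input shape the Rego rules use:
    {"action": ..., "amount": ..., "metadata": {"human_approval_id": ...}}."""
    action = inp.get("action")
    if action not in ALLOWLISTED_ACTIONS:
        return Decision(False, (f"action {action!r} is not allowlisted",))
    if action != "process_refund":
        return Decision(True)
    amount = inp.get("amount")
    # Reject anything that is not a real number (bool is a subclass of int).
    if isinstance(amount, bool) or not isinstance(amount, (int, float)):
        return Decision(False, ("refund amount missing or not numeric",))
    if amount < 0:
        return Decision(False, ("refund amount must not be negative",))
    if amount < REFUND_AUTO_LIMIT:
        return Decision(True)
    approval_id = (inp.get("metadata") or {}).get("human_approval_id")
    if not approval_id:
        return Decision(False, ("Refunds over $50 require a human_approval_id",))
    return Decision(True)


class ToolGate:
    """The only path from the agent to its tools.  The agent never sees this
    code, so a jailbroken prompt cannot talk it out of checking the policy."""

    def __init__(self, tools: Dict[str, Callable[[Dict[str, Any]], Any]],
                 policy: Callable[[Dict[str, Any]], Decision] = evaluate):
        self._tools = tools
        self._policy = policy
        self.audit_log: List[Dict[str, Any]] = []

    def call(self, request: Dict[str, Any]) -> Any:
        try:
            decision = self._policy(request)
        except Exception as exc:  # fail closed: an unevaluable request is denied
            decision = Decision(False, (f"policy evaluation failed: {exc}",))
        self.audit_log.append({"request": request, "allow": decision.allow,
                               "reasons": list(decision.reasons)})
        if not decision.allow:
            raise PermissionError("; ".join(decision.reasons))
        return self._tools[request["action"]](request)


def demo() -> Tuple[List[bool], List[str]]:
    """Run constructed requests through the gate.  Returns the allow/deny
    outcome per request and the refunds the tool actually issued."""
    issued: List[str] = []
    gate = ToolGate({"process_refund": lambda r: issued.append(f"refund {r['amount']}") or "ok"})
    requests = [
        {"action": "process_refund", "amount": 25},      # under the limit: auto-approved
        {"action": "process_refund", "amount": 50},      # at the limit: needs sign-off
        {"action": "process_refund", "amount": 500,
         "metadata": {"human_approval_id": "APR-123"}},  # constructed approval id
        {"action": "drop_table", "target": "customers"},  # never allowlisted
    ]
    outcomes: List[bool] = []
    for req in requests:
        try:
            gate.call(req)
            outcomes.append(True)
        except PermissionError:
            outcomes.append(False)
    return outcomes, issued  # ([True, False, True, False], ["refund 25", "refund 500"])


if __name__ == "__main__":
    print(demo())
```

The two design points worth copying are that `evaluate` is a pure function of the request (so the same input always yields the same decision, which is what makes the audit log meaningful) and that `ToolGate.call` treats a policy error as a denial rather than a pass-through; an enforcement layer that fails open when OPA is unreachable is no enforcement layer at all.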