What is a Decision Log?

A decision log is a specific audit log entry that records why a tool call was allowed or denied, including which policy rule matched, what conditions were evaluated, and the reasoning chain that produced the final action.

WHY IT MATTERS

Knowing that a tool call was denied is useful. Knowing why it was denied is essential. The decision log captures the full reasoning chain: which rules were candidates, which conditions were evaluated, which passed, which failed, and which rule ultimately produced the action. This transforms policy enforcement from a black box into a transparent, debuggable system.

Decision logs are indispensable during policy development. When a new policy unexpectedly denies a legitimate tool call, the decision log tells you exactly which rule matched and which condition failed. Without it, debugging policies requires guesswork — disabling rules one by one until the denial stops, then working out which condition was wrong.

For compliance and security, decision logs provide the evidentiary chain that auditors require. When asked "why was this agent allowed to create a charge for £5,000?", the decision log shows: tool-level rule X matched with priority Y, condition amount < 10000 evaluated to true, action was allow. This level of detail transforms compliance from a manual attestation process into an automated, verifiable one.

HOW POLICYLAYER USES THIS

Every tool call processed by Intercept generates a decision log entry embedded within the audit log. The entry includes: candidate rules considered (with IDs and source files), conditions evaluated (with argument values and results), the winning rule, and the final action. In verbose mode, the decision log includes the full priority-sorted rule list and the short-circuit point where evaluation stopped. Decision logs can be queried by rule ID, enabling impact analysis — "which tool calls were affected by rule X?"
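An added example, not Intercept's code or log schema: a minimal Python evaluator that emits a decision log entry with the fields listed above, plus a rule-ID impact query and a failed-condition lookup for debugging. The rule format, field names, lower-number-first priority and default-deny fallback are assumptions made for illustration.

```python
import json

# Constructed rules; this schema is an assumption, not Intercept's policy format.
RULES = [
    {"id": "deny-large-charge", "source": "payments.yaml", "priority": 10, "tool": "create_charge",
     "action": "deny", "conditions": [("amount", ">=", 10000)]},
    {"id": "allow-charge", "source": "payments.yaml", "priority": 20, "tool": "create_charge",
     "action": "allow", "conditions": [("amount", "<", 10000), ("currency", "==", "gbp")]},
]
OPS = {"<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}

def decide(tool, args, rules=RULES, default="deny"):
    """Evaluate rules in priority order and return a decision log entry."""
    candidates = sorted((r for r in rules if r["tool"] == tool), key=lambda r: r["priority"])
    entry = {"tool": tool, "args": args, "candidates": [], "matched_rule": None, "action": default}
    for rule in candidates:
        trace = []
        for arg, op, expected in rule["conditions"]:
            value = args.get(arg)
            # A missing argument fails the condition rather than raising.
            result = value is not None and OPS[op](value, expected)
            trace.append({"arg": arg, "op": op, "expected": expected, "value": value, "result": result})
        matched = all(c["result"] for c in trace)
        entry["candidates"].append({"rule_id": rule["id"], "source": rule["source"],
                                    "priority": rule["priority"], "conditions": trace, "matched": matched})
        if matched:  # short-circuit point: lower-priority rules are never evaluated
            entry["matched_rule"], entry["action"] = rule["id"], rule["action"]
            break
    return entry

def affected_by(log, rule_id):
    """Impact analysis: entries whose winning rule is rule_id."""
    return [e for e in log if e["matched_rule"] == rule_id]

def failed_conditions(entry):
    """For debugging: (rule_id, arg, value) for every condition that evaluated false."""
    return [(c["rule_id"], t["arg"], t["value"])
            for c in entry["candidates"] for t in c["conditions"] if not t["result"]]

# Constructed tool calls: one allowed, one denied by default, one denied by rule.
LOG = [decide("create_charge", {"amount": 5000, "currency": "gbp"}),
       decide("create_charge", {"amount": 5000, "currency": "usd"}),
       decide("create_charge", {"amount": 25000, "currency": "gbp"})]

if __name__ == "__main__":
    print(json.dumps(LOG[1], indent=2))
```

The second entry is the debugging case: no rule matched, and the trace shows that the allow rule failed on the currency condition rather than on the amount.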

FREQUENTLY ASKED QUESTIONS

How do I use decision logs to debug a denied tool call?
Find the decision log entry for the denied call (filter by tool name and timestamp). It shows which rule matched and which condition caused the denial. Check whether the condition is correct, the argument value is expected, and the rule priority is appropriate. Adjust the policy and use dry-run to verify.

Are decision logs generated for allowed tool calls too?
Yes. Every tool call generates a decision log entry regardless of the outcome. This is important for audit completeness — you need to prove not just that denials were correct, but that allowances were intentional and policy-compliant.

Can I disable decision logging for performance?
You can reduce the log level to minimal, which omits the full evaluation trace but still records the matched rule and action. However, the performance impact of full decision logging is negligible (structured JSON serialisation of in-memory data), and disabling it significantly reduces your debugging and audit capabilities.

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept