// GLOSSARY -- POLICY ENFORCEMENT

What is Default Deny Posture?

1 min read Updated

A policy configuration where all tool calls are rejected unless an explicit allow rule exists, ensuring that newly discovered or unclassified tools cannot be invoked without deliberate approval.

WHY IT MATTERS

The alternative — default allow — means every new tool is automatically accessible to every agent. In a fast-moving ecosystem where new MCP servers appear daily, this is dangerous. A newly installed server with destructive tools gets immediate, ungoverned access.

Default deny inverts this. Nothing works until someone writes a policy for it. This is more work upfront but prevents the class of incidents where 'we didn't know that tool existed.'

HOW POLICYLAYER USES THIS

Intercept supports both postures. For high-security environments, default: deny ensures only explicitly allowed tools are accessible.

FURTHER READING

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept →
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.