// GLOSSARY -- POLICY ENFORCEMENT

What is Fail-Closed?

2 min read Updated

Fail-closed is a security posture where if Intercept cannot evaluate a policy — due to a configuration error, crash, or unexpected condition — the tool call is denied by default, ensuring no unvalidated operations reach the MCP server.

WHY IT MATTERS

Every security system must answer the question: "What happens when things go wrong?" There are only two answers. Fail-closed denies access when uncertain. Fail-open allows it. In the context of AI agents calling external tools with real-world consequences — creating charges, modifying files, deploying code — the safe answer is almost always fail-closed.

The reasoning is straightforward: the cost of a false denial (agent cannot complete a task, human intervenes) is almost always lower than the cost of a false allowance (agent executes an unvalidated operation with potentially irreversible consequences). A denied tool call is an inconvenience. An uncontrolled tool call could be a security incident, a financial loss, or a compliance violation.

Fail-closed is the default in mature security systems for good reason. Firewalls fail-closed. Kubernetes admission controllers fail-closed. Certificate validation fails-closed. These systems prioritise safety over availability because the consequences of uncontrolled access are worse than the consequences of denied access. The same logic applies to AI agent governance.

HOW POLICYLAYER USES THIS

Intercept defaults to fail-closed behaviour. If the policy evaluation pipeline encounters an error — malformed policy, unexpected argument type, internal error — the tool call is denied with a descriptive error message. This extends to startup: if policy files cannot be loaded or validated, Intercept refuses to start rather than operating without policies. Fail-closed behaviour is configurable per-server for development environments where fail-open may be preferred.

FREQUENTLY ASKED QUESTIONS

When should I use fail-open instead of fail-closed?
Only during development or policy prototyping, when you want agents to operate freely while you observe and build policies. In any environment where tool calls have real consequences — production, staging with real data — use fail-closed.
Does fail-closed mean my agent stops working if there is a bug in Intercept?
If Intercept crashes entirely, the MCP client cannot reach the server at all (the proxy is down). If Intercept encounters an error during policy evaluation for a specific call, that call is denied but others may succeed. Intercept is designed to isolate failures to individual evaluations.
How do I avoid false denials in fail-closed mode?
Thoroughly test policies using dry-run mode and policy testing before deploying to production. Monitor the decision log for unexpected denials. Use policy linting to catch configuration errors before they reach runtime.

FURTHER READING

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept →
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.