What is a Global Policy?

A global policy applies across all MCP servers in an Intercept configuration, enabling universal rules like rate limiting, mandatory audit logging, or organisation-wide access restrictions regardless of which server or tool is involved.

WHY IT MATTERS

Some policies are not specific to any particular MCP server — they reflect organisational requirements that apply everywhere. "Log every tool call" is a compliance requirement, not a server-specific decision. "Deny all tool calls between 2am and 4am during maintenance" applies universally. "Rate limit any agent to 100 tool calls per minute" is a safety mechanism that transcends individual servers.

Global policies sit at the top of the policy hierarchy. They are evaluated for every tool call, before server-level and tool-level policies. This ensures universal rules cannot be accidentally bypassed by an overly permissive server-level policy. When a global policy denies a call, no lower-level policy can override it.

Architecturally, global policies enable centralised governance in decentralised systems. Different teams might manage their own server-level and tool-level policies, but the security team controls global policies. This separation of concerns mirrors how organisations already manage infrastructure — platform teams set guardrails, application teams work within them.

HOW POLICYLAYER USES THIS

Intercept supports a dedicated global policy file that is evaluated for every tool call, regardless of which MCP server or tool is targeted. Global rules are evaluated before server-level and tool-level rules in the policy evaluation pipeline. A global deny cannot be overridden by a lower-level allow. Global policies support the same conditions and actions as other policy levels, making them suitable for rate limiting, time-based restrictions, mandatory logging, and universal argument constraints.

FREQUENTLY ASKED QUESTIONS

Can a server-level policy override a global deny?
No. Global policies have the highest priority in the evaluation hierarchy. If a global rule denies a tool call, that decision is final regardless of what server-level or tool-level rules say. This ensures organisational security requirements cannot be bypassed.

What are common use cases for global policies?
Mandatory audit logging of all tool calls, rate limiting per agent, time-based access windows (e.g. no tool calls during maintenance), denying access to specific argument patterns across all servers (e.g. blocking production credentials), and enforcing maximum payload sizes.

Do global policies affect performance?
Minimally. Global rules are evaluated first and short-circuit — if a global deny matches, Intercept skips server and tool-level evaluation entirely. The evaluation overhead is negligible compared to the network latency of actual tool calls.
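
The evaluation order and short-circuit behaviour described above, modelled as an added example that is not Intercept's code or its policy schema. The `Evaluator` class, the rule dictionaries, the reason strings and the default-deny fallback for unlisted tools are assumptions; the two limits are the page's own examples.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Model only: rule shapes, names and the default-deny fallback are assumptions,
# not Intercept's schema. The two limits are the examples quoted in the text.
RATE_LIMIT, WINDOW_S = 100, 60      # "100 tool calls per minute"
MAINT_START, MAINT_END = 2, 4       # "between 2am and 4am"

class Evaluator:
    def __init__(self, server_rules, tool_rules):
        self.server_rules = server_rules    # {server: "allow" | "deny"}
        self.tool_rules = tool_rules        # {(server, tool): "allow" | "deny"}
        self.calls = defaultdict(deque)     # agent -> timestamps that passed global rules
        self.audit = []                     # global rule: every decision is logged

    def _global(self, agent, now):
        """Return a deny reason, or None when no global rule objects."""
        if MAINT_START <= now.hour < MAINT_END:
            return "global:maintenance-window"
        recent, ts = self.calls[agent], now.timestamp()
        while recent and ts - recent[0] >= WINDOW_S:
            recent.popleft()                # drop calls outside the sliding window
        if len(recent) >= RATE_LIMIT:
            return "global:rate-limit"
        recent.append(ts)
        return None

    def evaluate(self, agent, server, tool, now):
        reason = self._global(agent, now)
        if reason:                          # short-circuit: lower levels never consulted
            decision = "deny"
        elif self.server_rules.get(server) == "deny":
            decision, reason = "deny", "server"
        else:                               # unlisted tools are denied (assumption)
            decision, reason = self.tool_rules.get((server, tool), "deny"), "tool"
        self.audit.append((now.isoformat(), agent, server, tool, decision, reason))
        return decision, reason

def demo():
    # Constructed sample: server and tool rules both allow, yet the global layer wins.
    ev = Evaluator({"github": "allow"}, {("github", "create_issue"): "allow"})
    day = datetime(2025, 1, 15, 10, 0, tzinfo=timezone.utc)
    return [ev.evaluate("agent-1", "github", "create_issue", t)
            for t in (day, day.replace(hour=3))]

if __name__ == "__main__":
    print(demo())
```

The audit list records denied calls as well as allowed ones, so a global deny still leaves a log entry.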

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept