What is a Policy Dry Run?

A policy dry run is a mode where Intercept evaluates policies and logs the decisions that would be made, but does not enforce them — all tool calls are allowed to proceed regardless of the policy result.

WHY IT MATTERS

Deploying untested policies to production is reckless. A policy that accidentally denies a critical tool call can break an agent's workflow entirely. A policy with overly broad conditions might block legitimate operations. Dry run mode lets you deploy policies alongside live traffic, observe what would happen, and refine rules before they have any impact.

Dry run is particularly valuable when migrating from an uncontrolled environment to policy-enforced operations. You start with dry run enabled, observe the logs to understand your agent's actual tool call patterns, write policies based on real behaviour rather than assumptions, and then switch to enforcement once you are confident in the rules.

The dry run output is identical to normal operation — the same decision log entries, the same matched rules, the same evaluation pipeline — except the action is always "allow." This means you can directly compare dry run logs to what enforcement would look like, without any translation layer or mental model shift. When you are ready to enforce, you simply disable dry run.

HOW POLICYLAYER USES THIS

Intercept supports dry-run mode at the global, server, and individual rule level. In dry-run mode, policies are fully evaluated — conditions checked, rules matched, actions determined — but the final enforcement step is skipped. All tool calls proceed to the MCP server. The decision log records what would have happened, tagged with a dry-run flag. This lets you run dry-run and enforced policies side by side: enforce known-good rules while dry-running new ones.

FREQUENTLY ASKED QUESTIONS

Can I dry-run specific rules while enforcing others?
Yes. Intercept supports per-rule dry-run flags, so you can enforce established rules while observing the impact of new ones. This is ideal for incremental policy rollout — add a new rule in dry-run, review the logs, then enable enforcement.

Does dry run affect agent behaviour at all?
No. In dry-run mode, the agent receives the same responses as if no policies existed. The only difference is in Intercept's logs, where you can see what decisions would have been made. The agent's workflow is completely unaffected.

How long should I run policies in dry-run mode?
Until you have observed enough tool call variety to be confident in the rules. For most deployments, a few days of representative agent activity is sufficient. Check the logs for unexpected denials — each one is a potential false positive to investigate before enabling enforcement.
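
A minimal model of the side-by-side evaluation described above, added here as an illustration; it is not Intercept's own code, configuration format or log schema. The rule fields, log keys, and the assumption that a decision is in dry run when the global, server, or rule flag is set are all hypothetical. It also counts would-be denials per rule, the review step from the last answer.

```python
from collections import Counter
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable

@dataclass
class Rule:
    name: str
    tool: str                     # glob over tool names
    when: Callable[[dict], bool]  # condition over the call arguments
    action: str                   # "allow" or "deny"
    dry_run: bool = False         # per-rule dry-run flag

def evaluate(call, rules, log, global_dry_run=False, dry_run_servers=frozenset()):
    """Fully evaluate every rule, log each match, block only on an enforced deny."""
    proceed = True
    for rule in rules:
        if not (fnmatch(call["tool"], rule.tool) and rule.when(call["args"])):
            continue
        # Assumption: any of the three levels puts this decision in dry run.
        dry = global_dry_run or call["server"] in dry_run_servers or rule.dry_run
        log.append({"server": call["server"], "tool": call["tool"],
                    "rule": rule.name, "decision": rule.action, "dry_run": dry})
        if rule.action == "deny" and not dry:
            proceed = False  # enforcement step; skipped for dry-run decisions
    return proceed

def would_be_denials(log):
    """Per-rule count of dry-run denies: candidate false positives to review."""
    return Counter(e["rule"] for e in log if e["dry_run"] and e["decision"] == "deny")

def replay(calls, rules, **modes):
    log = []
    return [evaluate(c, rules, log, **modes) for c in calls], log

# Constructed sample policy (one enforced rule, one new rule in dry run) and traffic.
RULES = [
    Rule("block-delete", "delete_*", lambda a: True, "deny"),
    Rule("cap-refund", "create_refund", lambda a: a["amount"] > 100, "deny", dry_run=True),
]
CALLS = [
    {"server": "files", "tool": "delete_file", "args": {"path": "/tmp/report.txt"}},
    {"server": "payments", "tool": "create_refund", "args": {"amount": 250}},
    {"server": "payments", "tool": "create_refund", "args": {"amount": 40}},
    {"server": "payments", "tool": "create_refund", "args": {"amount": 900}},
]
if __name__ == "__main__":
    outcomes, log = replay(CALLS, RULES)
    print(outcomes, dict(would_be_denials(log)))
```

Passing `global_dry_run=True` or `dry_run_servers={"files"}` to `replay` shows the enforced rule's deny turning into a logged, non-blocking decision.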

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept