What is a Tool-Level Policy?

2 min read Updated

A tool-level policy targets a specific MCP tool (e.g. create_payment_intent on the Stripe server) rather than an entire server, providing the most granular level of policy enforcement available in PolicyLayer.

WHY IT MATTERS

MCP servers expose multiple tools, each with different risk profiles. A GitHub server exposes both list_repos (read-only, low risk) and delete_repo (destructive, high risk). A server-level policy that allows or denies the entire server is too blunt. Tool-level policies let you make precise decisions: allow listing, deny deletion, log creation.

This granularity maps to how organisations actually think about permissions. A junior developer might be allowed to read files but not deploy. A billing agent might create invoices but not issue refunds above a threshold. Tool-level policies express these nuanced permissions declaratively, without requiring changes to the MCP server or the agent's code.

Tool-level policies can include argument conditions for even finer control. Rather than simply allowing or denying create_charge, you can allow it only when amount < 1000 and currency == "GBP". This layering of tool selection and argument constraints creates a powerful and readable policy language that scales from simple use cases to complex enterprise requirements.

Tool-Level Policy isn't theory — define it as policy in PolicyLayer and it's enforced on every tool call.

ENFORCE THIS WITH POLICY →

Enforced before the call runs. Nothing to install.

HOW POLICYLAYER USES THIS

In PolicyLayer, tool-level policies are defined as rules within a policy file that specify a tool name or pattern. They take precedence over server-level defaults through the policy inheritance mechanism. Tool-level rules support exact tool name matching, glob patterns (e.g. read_*), and can include any number of argument conditions. When multiple tool-level rules could match, policy priority determines which one applies.

IN THE CATALOGUE

Across the 254,056 classified tools in PolicyLayer's published scan reports, this is how the risk surface actually distributes.

17,638 destructive or financial tools (6.9% of all tools)
20,783 execute tools — run code or trigger actions
4,846 servers expose at least one critical tool

FREQUENTLY ASKED QUESTIONS

How do tool-level policies interact with server-level policies?
Tool-level policies override server-level defaults. If the server-level policy denies all tools by default, a tool-level allow rule creates an exception for that specific tool. This inheritance model lets you set safe defaults and explicitly open access where needed.
Can I target multiple tools with one rule?
Yes, using glob patterns. A rule targeting 'list_*' applies to all tools starting with 'list_'. For more complex groupings, define multiple rules or use server-level defaults with specific tool-level overrides.
What is the most secure approach for tool-level policies?
Deny all tools at the server level, then explicitly allow only the tools your agent needs with tool-level rules. This whitelist approach ensures new tools added to an MCP server are blocked by default until explicitly reviewed and permitted.

FURTHER READING

Take your agents live. Without losing control.

Route your MCP traffic through PolicyLayer. Every tool call is checked against your policy before it runs: allow, deny, or require approval. Per-identity grants. Full audit log. Live in minutes.

Instant setup, no code required.

43,000+ MCP servers and 220,000+ tools scanned and risk-classified.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.