
Your internal copilot answers for the whole company. Scope it to each person.

An internal copilot reaches Slack, Notion, Drive, and your systems through MCP. Route it through PolicyLayer and every call is scoped to who is asking and checked against your policy before it runs.

Free to start. No card required.

For platform and security teams running AI agents in production.

An internal copilot can quietly answer beyond its asker's clearance.

It rarely looks like a leak. It looks like a thorough answer.

01. One copilot, everyone's data

Connect your company systems and the copilot can read across HR, finance, and engineering for whoever asks.

02. The scope is the whole corpus

Without per-person scoping, a junior employee's question can surface a document only executives should see.

03. It just answers

Sensitive content lands in a reply, and nothing recorded who was allowed to see what.

The tools an internal copilot reaches for.

The reads and writes a company copilot makes across your stack. PolicyLayer governs each one.

Google Drive
  • gd_delete_file (CRITICAL)
  • gd_unshare_file (CRITICAL)
Slack
  • slack_get_full_conversation (HIGH)
  • slack_send_message (HIGH)
Notion
  • update (HIGH)
  • delete (CRITICAL)
Jira
  • manage_jira_issue (HIGH)
  • manage_jira_media (CRITICAL)


PolicyLayer sits between your copilot and your company data.

Drop PolicyLayer into your MCP request path. Your agents keep their tools. You keep control.

AGENT (calls tools via MCP)
  → tool_call →
POLICYLAYER (enforces before execution)
    postgres.run_query read_only = true
    ALLOW | DENY | RATE-LIMIT | APPROVE
  → if allowed →
MCP SERVER (Stripe, AWS, Postgres...)

01. Register server
Add Stripe, GitHub, Postgres, Slack, AWS, or any other MCP server.

02. Define policy
Set defaults, rate limits, denials, approvals, hidden tools, and argument-level conditions.

03. Issue grants
Give each person, agent, CI job, or environment its own scoped token tied to a named policy.

04. Connect client
Paste the PolicyLayer proxy URL into your MCP client config. Agents keep the same tools. PolicyLayer enforces your rules before calls execute.

What PolicyLayer enforces, on every call.

Scoped to the asker

Policy evaluates who is asking on every call, so the same copilot returns different results by identity and an out-of-scope read is denied.

Read-only by default

Grant reads and leave it there. Writes and deletes stay denied unless you explicitly allow them.

Argument-level rules

Inspect the call: restrict reads to allowed sources, redact sensitive fields from results, deny writes to systems of record.

Rate caps

Cap queries per minute, so a copilot cannot sweep your whole corpus in one run.

Deterministic, deny by default

Rules run as code, first denial wins. The same call gets the same decision every time.
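
A sketch of the decision order described in this section (per-identity scope, read-only default, source allowlist, first denial wins, deny by default, a 60-per-minute cap per token), as an added example that is not PolicyLayer's code or policy syntax. The grant tokens, the `source` argument and the rule names are assumptions; the tool names come from the tool list on this page.

```python
from collections import defaultdict, deque

WRITE_TOOLS = {"slack_send_message", "gd_delete_file", "gd_unshare_file"}
GRANTS = {  # constructed grants: token -> identity and the sources it may read
    "tok-junior": {"who": "junior", "sources": {"engineering"}},
    "tok-exec": {"who": "exec", "sources": {"engineering", "finance", "hr"}},
}
MAX_PER_MINUTE = 60
_calls = defaultdict(deque)  # token -> timestamps of recently allowed calls

def deny_writes(grant, tool, args):
    # Read-only default: writes and deletes are denied for every identity.
    return "DENY" if tool in WRITE_TOOLS else None

def deny_out_of_scope(grant, tool, args):
    # Argument-level rule: the requested source must be in the asker's scope.
    return "DENY" if args.get("source") not in grant["sources"] else None

def allow_reads(grant, tool, args):
    return "ALLOW" if tool == "slack_get_full_conversation" else None

RULES = [deny_writes, deny_out_of_scope, allow_reads]  # evaluated in order

def decide(token, tool, args, now):
    """Return (decision, rule_that_fired) for one tool call at time `now` (seconds)."""
    grant = GRANTS.get(token)
    if grant is None:
        return "DENY", "unknown_token"
    allowed_by = None
    for rule in RULES:
        verdict = rule(grant, tool, args)
        if verdict == "DENY":
            return "DENY", rule.__name__  # first denial wins
        if verdict == "ALLOW" and allowed_by is None:
            allowed_by = rule.__name__
    if allowed_by is None:
        return "DENY", "default_deny"  # no rule allowed it
    window = _calls[token]
    while window and now - window[0] >= 60:
        window.popleft()  # drop calls older than one minute
    if len(window) >= MAX_PER_MINUTE:
        return "RATE-LIMIT", "query_throttle"
    window.append(now)
    return "ALLOW", allowed_by
```

The returned rule name is what an audit record would attribute the decision to; the same token, tool, arguments and call history always produce the same pair.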

Bring your internal copilot under policy. Enforced on every call, live in minutes.


You decide what every copilot call can reach.

Build policy around the fields that matter (source, identity, sensitivity) in the visual editor. Allow, deny, rate-limit, or require approval, per tool.

[Image: PolicyLayer visual policy editor with allow, deny, hide and custom rules]

  • Scope reads to the asker: Return only what the person asking is allowed to see.
  • Read-only default: Allow reads; deny writes and deletes.
  • Redact sensitive fields: Strip salary, PII, and secret fields from results.
  • Source allowlist: Allow reads only from approved systems.
  • Query throttle: No more than 60 queries a minute, per token.

Not just rules. A platform.

Whatever your agents touch, the same engine, audit, and access model is doing the work underneath every rule you write.

Deterministic engine

Rules run as code, not model judgement: argument-level conditions, quotas, deny-by-default. The same call gets the same decision every time.


Separation of duties

Your security or compliance team writes and attaches policy without ever holding the upstream credentials or grant tokens.


Tamper-proof audit

Every call is logged with its decision and the rule that fired, attributed to the identity, in an append-only record. Argument values are redacted, never stored.


Credentials never reach the agent

Upstream secrets are encrypted at rest and injected by the gateway. The agent only ever holds a scoped token.


Per-identity access

Every person and agent connects with its own scoped grant. Rotate or revoke any one of them instantly, without disrupting the rest.


Live in minutes

Hosted gateway. Point your clients at it, register a server, issue a token. Nothing to install.


Internal copilots and MCP questions.

How does PolicyLayer scope answers to each person?

Each person's copilot connects with its own scoped grant token. Policy evaluates who is asking on every call, so the same copilot returns different results by identity and an out-of-scope read is denied before it runs.

Does PolicyLayer slow down copilot calls?

Policy is evaluated in memory before the call is forwarded, so the overhead is negligible. Allowed calls pass straight through to your workspace.

Where do my workspace credentials live?

Upstream credentials are encrypted at rest and injected by the gateway. Your agents only ever hold a scoped token, never your workspace credentials.

Do my agents lose any tools?

No. Agents keep the same tools and schemas. PolicyLayer enforces policy on each call (allow, deny, rate-limit, or require approval), apart from any tools you deliberately hide.

Can I see what my agents actually did?

Yes. Every call through the gateway is logged with the tool, its arguments, and the allow or deny decision. State-changing dashboard actions are recorded in a separate admin audit log.


Let a copilot answer only within each person's reach.

Per-person scopes, read-only defaults, field redaction, and a tamper-proof audit log on every call your internal copilot makes. Route your existing MCP servers through the gateway, live in minutes.
