
How Enforcement Works

Every tool call your LLM agent makes goes through the SASY policy engine before execution.

  1. Customer sends a message

    “Hi, I need to cancel my reservation RKLA42.”

  2. Agent reasons and calls a tool

    The agent decides to look up the reservation: get_reservation_details(reservation_id="RKLA42")

  3. SASY checks the policy

    SASY evaluates the call against the loaded Datalog. For get_reservation_details(RKLA42), the demo’s default-allow rule (IsAuthorized(idx) :- Actions(idx, _).) fires, and no Unauthorized rule targets this tool — so the call is authorized. If any Unauthorized rule had matched, it would have overridden the default; denials win on conflict.

  4. Decision: AUTHORIZED or DENIED

    • AUTHORIZED — the tool executes normally. The agent sees the result.
    • DENIED — the tool does NOT execute. The agent sees the denial message and suggestion instead.

  5. Agent responds to the customer

    If denied, the agent explains why and suggests alternatives — using the @deny_message and @suggestion from the policy rules.

If the call is authorized, the tool runs and returns its normal result. The agent doesn’t know SASY was involved.

If the call is denied, the agent receives a structured denial instead of a tool result:

    {
      "authorized": false,
      "denial_reasons": [
        "Only gold members or members with travel insurance can cancel reservations"
      ],
      "suggestions": [
        "Purchase travel insurance or upgrade to gold membership"
      ]
    }

The agent can use these to craft a helpful response.

Every tool call, policy decision, and tool result is recorded in SASY’s message dependency graph. You can query it to understand what happened:

  • What tools did the agent call?
  • Which calls were authorized vs. denied?
  • What data influenced the policy decision?
  • Did the agent follow the expected sequence?

This gives you full audit trail visibility over your agent’s behavior.
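The following is an added illustration of the enforcement flow described above (default-allow rule, deny rules that win on conflict, the structured denial the agent sees, and a per-call audit record). It is not SASY’s engine or its Datalog syntax; the rule representation, the `cancel_reservation` tool, and the customer facts are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Call:
    tool: str
    args: Dict[str, str]


@dataclass
class DenyRule:
    """Stand-in for an Unauthorized rule carrying @deny_message and @suggestion."""
    tool: str
    condition: Callable[[Call, dict], bool]  # True when the rule fires
    deny_message: str
    suggestion: str


# Constructed customer facts (assumption): the rules consult these.
FACTS = {
    "RKLA42": {"membership": "silver", "travel_insurance": False},
    "GOLD01": {"membership": "gold", "travel_insurance": False},
}


def lacks_cancel_privilege(call: Call, facts: dict) -> bool:
    # Unknown reservations yield {} and therefore fail closed (rule fires).
    r = facts.get(call.args.get("reservation_id"), {})
    return not (r.get("membership") == "gold" or r.get("travel_insurance"))


RULES = [DenyRule("cancel_reservation", lacks_cancel_privilege,
                  "Only gold members or members with travel insurance can cancel reservations",
                  "Purchase travel insurance or upgrade to gold membership")]


def evaluate(call: Call, rules=RULES, facts=FACTS) -> dict:
    """Default-allow: a call is authorized unless any deny rule for its tool fires.
    Every firing rule is collected so the agent sees all reasons; denials win."""
    fired = [r for r in rules if r.tool == call.tool and r.condition(call, facts)]
    if not fired:
        return {"authorized": True}
    return {"authorized": False,
            "denial_reasons": [r.deny_message for r in fired],
            "suggestions": [r.suggestion for r in fired]}


def run_tool(call: Call, tools: Dict[str, Callable], audit: List[dict]):
    """Gate one tool call: record the decision, then execute only if authorized."""
    decision = evaluate(call)
    audit.append({"tool": call.tool, "args": dict(call.args), "decision": decision})
    if decision["authorized"]:
        return tools[call.tool](**call.args)
    return decision  # the agent receives the structured denial, not a result
```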