PDP (Policy Decision Point)
The 'brain' that decides whether an agent action is allowed — evaluating the request against the agent's scope and guard rules and returning allow, deny, or needs-approval.
A Policy Decision Point (PDP) is where a policy decision is made. It doesn’t touch the action itself — it answers a question: given this agent, this role, and this request, is it allowed?
For each request it identifies the agent and its role, loads the policy that applies (the agent’s scope plus its guard rules: spend caps, approved destinations, approval thresholds, blocked actions), evaluates the specific request, and returns a verdict (allow, deny, or needs approval), usually with a reason (e.g. “deny · over cap”).
Keeping the PDP separate from the enforcement point is what makes a control plane scale: policy lives in one authoritative place rather than scattered across agents, so the same rules apply across the whole fleet. Change a role in the PDP and every enforcement point applies it immediately, with no agent redeploy. Because decisions are centralized, they’re also versioned, testable, and logged — you can prove what the policy was at the time and why a call was denied.
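The decision flow and the PDP/PEP split described above, as an added Python example (not HiveKey's code or any product's API). The role names, agent ids, amounts and the "finance" policy are constructed for illustration; the reason strings follow the page's "deny · over cap" form. The PDP only decides and logs; the PEP is the only component that executes, queues, or blocks. Changing a role in the PDP bumps a policy version and takes effect on the next request through the PEP without touching the PEP at all.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Literal, Optional, Tuple

Verdict = Literal["allow", "deny", "needs-approval"]


@dataclass(frozen=True)
class Decision:
    verdict: Verdict
    reason: str          # e.g. "deny · over cap"
    policy_version: int  # which version of the policy produced this verdict


@dataclass(frozen=True)
class RolePolicy:
    allowed_actions: frozenset        # scope: what the role may do at all
    blocked_actions: frozenset        # guard: never, even if listed in scope
    approved_destinations: frozenset  # guard: where money/data may be sent
    approval_threshold: float         # guard: above this a human must approve
    spend_cap: float                  # guard: above this, hard deny


@dataclass(frozen=True)
class Request:
    agent_id: str
    action: str
    amount: float = 0.0
    destination: Optional[str] = None


class PolicyDecisionPoint:
    """Decides; never executes. The one authoritative copy of the rules."""

    def __init__(self, agent_roles: Dict[str, str], roles: Dict[str, RolePolicy]):
        self._agent_roles = dict(agent_roles)  # agent id -> role name
        self._roles = dict(roles)              # role name -> RolePolicy
        self.version = 1
        self.log: List[Tuple[Request, Decision]] = []  # every decision, with version

    def set_role(self, role: str, policy: RolePolicy) -> None:
        # One change here applies to every enforcement point on its next call.
        self._roles[role] = policy
        self.version += 1

    def decide(self, req: Request) -> Decision:
        decision = self._evaluate(req)
        self.log.append((req, decision))  # provable record of what was decided and why
        return decision

    def _evaluate(self, req: Request) -> Decision:
        v = self.version
        role = self._agent_roles.get(req.agent_id)       # 1. identify agent and role
        if role is None:
            return Decision("deny", "deny · unknown agent", v)
        policy = self._roles.get(role)                   # 2. load the applicable policy
        if policy is None:
            return Decision("deny", "deny · role has no policy", v)
        # 3. evaluate: scope first, then guard rules, most restrictive outcome wins
        if req.action in policy.blocked_actions:
            return Decision("deny", "deny · blocked action", v)
        if req.action not in policy.allowed_actions:
            return Decision("deny", "deny · out of scope", v)
        if req.destination is not None and req.destination not in policy.approved_destinations:
            return Decision("deny", "deny · destination not approved", v)
        if req.amount > policy.spend_cap:
            return Decision("deny", "deny · over cap", v)
        if req.amount > policy.approval_threshold:
            return Decision("needs-approval", "needs-approval · over threshold", v)
        return Decision("allow", "allow · within scope and guards", v)  # 4. verdict


class PolicyEnforcementPoint:
    """Sits in the path of the action; asks the PDP, then acts on the verdict."""

    def __init__(self, pdp: PolicyDecisionPoint,
                 execute: Callable[[Request], str], approval_queue: List[Request]):
        self._pdp = pdp
        self._execute = execute
        self._approval_queue = approval_queue

    def handle(self, req: Request) -> Tuple[Decision, Optional[str]]:
        d = self._pdp.decide(req)
        if d.verdict == "allow":
            return d, self._execute(req)
        if d.verdict == "needs-approval":
            self._approval_queue.append(req)  # parked until a human approves
            return d, None
        return d, None                        # deny: the action never runs


def build_demo():
    """Constructed sample fleet: one agent, one role (hypothetical values)."""
    finance = RolePolicy(
        allowed_actions=frozenset({"pay_invoice", "read_ledger"}),
        blocked_actions=frozenset({"delete_ledger"}),
        approved_destinations=frozenset({"vendor-a", "vendor-b"}),
        approval_threshold=1_000.0,
        spend_cap=5_000.0,
    )
    pdp = PolicyDecisionPoint({"agent-42": "finance"}, {"finance": finance})
    executed: List[Request] = []
    queue: List[Request] = []

    def execute(req: Request) -> str:
        executed.append(req)
        return "done"

    return pdp, PolicyEnforcementPoint(pdp, execute, queue), executed, queue


if __name__ == "__main__":
    pdp, pep, executed, queue = build_demo()
    for r in (Request("agent-42", "pay_invoice", 500.0, "vendor-a"),
              Request("agent-42", "pay_invoice", 2_500.0, "vendor-a"),
              Request("agent-42", "pay_invoice", 9_000.0, "vendor-a"),
              Request("agent-42", "delete_ledger")):
        d, _ = pep.handle(r)
        print(f"{r.action:13} {r.amount:>8.2f} -> {d.reason} (policy v{d.policy_version})")
```

The evaluation order matters: blocked actions are checked before scope so an explicit block always wins, and the hard spend cap is checked before the approval threshold so an over-cap request is denied outright rather than queued for a human to rubber-stamp.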
In a HiveKey-style agent control plane, the policy engine is the PDP and the gateway is the PEP. The pattern comes from the XACML access-control model and zero-trust architecture (NIST SP 800-207), applied to AI agents.
Related terms
Agent control plane
The layer in the path of every agent action that decides, enforces, and records what each agent can do.
MCP (Model Context Protocol)
An open standard for how agents discover and call tools — powerful, and easy to over-grant without governance.
PEP (Policy Enforcement Point)
The component, in the path of every action, that enforces the policy decision — letting an action through, blocking it, or sending it for approval.
Attribution
Tracing every agent action back through the agent identity to the accountable human who owns it.