Skip to main content

What are Tool Policies?

Tool Policies allow you to monitor and control actions taken by AI coding tools in your organization. Create policies to track, warn on, or block terminal commands executed by AI agents or MCP tool calls made through integrated servers like GitHub, Linear, Sentry, and more. Gateway URL: https://gateway.getunbound.ai/policies/tool-policies

Tool Policies Dashboard

Click here to access the Tool Policies management interface

Policy Types

When you click Create Policy, you’ll be asked to choose what you want to monitor:

Terminal Commands

Monitor shell commands executed by AI coding tools like Claude Code, Cursor, Roo Code, and Cline.
  • Select a Command Family (e.g., delete_file, git_action, remote_access)
  • Define a Target Pattern to match specific paths, branches, or operations
  • Supports exact match, glob patterns (/etc/*), and regex (.*\.env$)

MCP Actions

Monitor tool calls made through MCP (Model Context Protocol) servers.
  • Select an MCP Server (e.g., GitHub, Linear, Sentry)
  • Select the MCP Tool to monitor (e.g., create_pull_request, create_issue)
  • Optionally filter by tool action type (e.g., read, write) to apply policies to all tools of a certain kind

Actions

Each tool policy has an action that determines what happens when a match is found:
  • Block — Reject the command or tool call entirely. The action is prevented from executing.
  • Warn — Allow the action but flag it for review. Users receive a warning notification.
  • Audit — Silently log the action for monitoring. No user-facing impact. Available for reporting and analytics.

Applying to Users

By default, a tool policy with no user groups applies to everyone in your organization. To restrict a policy to specific teams, assign it to one or more user groups during creation or editing.
  • No user groups selected — The policy applies organization-wide
  • User groups selected — The policy applies only to members of those groups
  • When a user group is modified, policy enforcement updates automatically for all affected users
You can manage user groups from the User Groups page. Create groups based on teams, roles, or projects to apply different policies to different sets of users.

Quick Example

Let’s create a policy to audit when AI tools delete files in sensitive directories:
  1. Go to Tool Policies and click Create Policy
  2. Select Terminal Commands
  3. Fill in the form:
    • Name: “Audit Sensitive File Deletions”
    • Command Family: delete_file
    • Target Field: path
    • Target Pattern: /etc/* or *.env
  4. Set Action to Audit
  5. Optionally select User Groups to limit the policy to specific teams
  6. Click Preview Impact to see historical matches
  7. Click Create Policy
Use Preview Impact when creating a policy to see how many historical commands match your pattern before deploying.

Tool Policies vs Security Policies

Tool policies and security policies serve different purposes and are managed independently:
Tool PoliciesSecurity Policies
PurposeControl terminal commands and MCP tool callsProtect sensitive data with guardrails, routing rules
CoversTerminal command families, MCP server/tool actionsPII detection, secrets detection, regex patterns, ban lists, routing
User group scopingDirectly on the tool policyDirectly on the security policy
ActionsBlock, Warn, AuditBlock, Redact, Warn, Route

Security Policies

Configure data protection guardrails and routing

Unbound CLI

Manage policies from the command line