This page documents the governance policy taxonomy and the standard execution policies defined by the Agent Format standard. For a narrative overview of how execution policies work, see Execution Policies.
Policy Types Taxonomy
Governance policies in the Policy Registry fall into six categories. Each category maps to specific enforcement mechanisms in the SDK.
Budget Policies
| Aspect | Detail |
|---|
| Purpose | Control resource consumption (tokens, time) |
| Constraint overrides | budget.max_token_usage, budget.max_duration_seconds |
| Composition | min(all values) -- tightest wins |
| Example | "All agents in finance zone: max 50,000 tokens per run" |
Access Control Policies
| Aspect | Detail |
|---|
| Purpose | Restrict which tools, domains, or agents can be used |
| Constraint overrides | allowed_tools, deny_tools, allow_domains, deny_domains |
| Composition | Allowlists: intersection. Denylists: union. |
| Example | "Agents tagged external cannot access internal MCP servers" |
Data Handling Policies
| Aspect | Detail |
|---|
| Purpose | Control data flow -- PII detection, classification, retention |
| Enforcement | Guardrail interceptor with specialized handlers |
| Composition | Union -- all guardrails apply |
| Example | "Agents handling confidential data must redact PII from outputs" |
Guardrail Policies
| Aspect | Detail |
|---|
| Purpose | Content safety, hallucination detection, prompt injection prevention |
| Enforcement | Guardrail interceptor chain |
| Composition | Union -- all guardrails apply |
| Example | "All production agents must pass output through content safety filter" |
Approval Workflow Policies
| Aspect | Detail |
|---|
| Purpose | Require human approval for specific actions or outputs |
| Enforcement | Approval provider SPI |
| Composition | Union -- if any source requires approval, approval is required |
| Example | "Agents modifying production systems require approval" |
Audit Policies
| Aspect | Detail |
|---|
| Purpose | Control logging, retention, and alerting |
| Enforcement | Recording interceptor, trace store |
| Composition | Union -- more logging, not less |
| Example | "All compliance-zone agents must have full trace logging for 365 days" |
Taxonomy Summary
| Type | Composition | Enforcement Point |
|---|
| Budget | min(all values) | Budget interceptor |
| Access Control | Allowlist intersection, denylist union | Action resolver, tool filter |
| Data Handling | Union of guardrails | Guardrail interceptor |
| Guardrail | Union of guardrails | Guardrail interceptor |
| Approval | Union (any requires = all require) | Approval provider |
| Audit | Union (more logging, not less) | Recording interceptor |
Standard Execution Policies
All compliant runtimes MUST implement at least agf.react. For condition matching used by agf.loop and agf.conditional, see the Condition Matcher Reference.
Shared Types
PolicyStep
Used by agf.sequential, agf.parallel, and agf.loop to define sub-agent invocations.
| Field | Type | Required | Description |
|---|
agent | string | Yes | Alias of the sub-agent to invoke (must match a local_agents[].alias). |
input_mapping | map[string -> string] | No | Maps agent input fields to path expressions (e.g., parent.input.query, researcher.output.findings). |
OutputFrom
Used by agf.sequential, agf.parallel, and agf.loop to declare how the policy's final output is derived.
String shorthand: An agent alias (e.g., "reviewer"), or a strategy keyword: "last", "merge", "first".
Object form (mutually exclusive fields):
| Field | Type | Description |
|---|
agent | string | Alias of the sub-agent whose output becomes the policy output. |
strategy | string (enum: last, merge, first) | Built-in output strategy. |
custom_transform | string | Reference to a runtime-registered transformation function. Convention: <org>.<transform-name>. |
description | string | Human-readable description of the output selection logic. |
agf.react -- ReAct
The agent iterates through reasoning and acting cycles, using tools to gather information before producing a final response. Fields are categorized as Constraint (runtime MUST honor) or Preference (runtime SHOULD honor but MAY override).
Constraint fields -- the runtime MUST honor these values:
| Config Field | Type | Default | Description |
|---|
max_steps | integer (>=1) | 10 | Maximum number of reasoning-acting cycles before the agent must produce a final answer. |
Identity field -- the runtime MUST pass this to the model verbatim:
| Config Field | Type | Default | Description |
|---|
instructions | string | -- | System prompt defining the agent's persona, capabilities, and behavioral guidelines. The runtime MUST NOT modify this value (governance policies may augment it). |
Preference fields -- the runtime SHOULD honor these when possible, but MAY override based on deployment policy, model availability, or organizational rules:
| Config Field | Type | Default | Description |
|---|
provider | string | -- | Model provider identifier (e.g., google, openai, anthropic). Preference -- the runtime may override based on deployment policy. |
model | string | -- | Model identifier within the provider (e.g., gemini-2.5-pro, gpt-4o, claude-sonnet-4-20250514). Preference -- the runtime may override. |
temperature | number (0.0--2.0) | -- | Sampling temperature. Lower values (0.0--0.3) produce more deterministic outputs; higher values (0.7--1.5) produce more creative outputs. |
top_p | number (0.0--1.0) | -- | Nucleus sampling probability. Typically used as an alternative to temperature. |
top_k | integer (>=1) | -- | Top-k sampling -- limits token selection to the k most probable candidates at each step. If the underlying model does not support top-k, the runtime SHOULD silently ignore this field. |
max_output_tokens | integer (>=1) | -- | Maximum number of tokens the model may generate in a single response. |
stop_sequences | string[] | -- | Sequences that cause the model to stop generating further tokens. |
tool_choice | string (enum: auto, required, none) | -- | Controls how the LLM selects tools. auto: LLM decides. required: must call at least one tool per step. none: text generation only. |
user_prompt_template | string | -- | Mustache-style template for the initial user message. Placeholders: {{field_name}}. When absent, the runtime converts input to a natural-language prompt. |
agf.sequential -- Sequential
Steps execute in order. Each step is a PolicyStep sub-agent invocation. Output from one step can be mapped as input to the next via input_mapping.
| Config Field | Type | Required | Default | Description |
|---|
steps | PolicyStep[] | Yes | -- | Ordered list of sub-agent invocations. Steps execute sequentially; each step completes before the next begins. |
output_from | OutputFrom | No | "last" | Determines the policy's final output. Default: the last step's output. |
agf.parallel -- Parallel
Multiple sub-agents execute concurrently. All results are combined when all complete.
| Config Field | Type | Required | Default | Description |
|---|
agents | PolicyStep[] | Yes | -- | List of sub-agent invocations to run concurrently. Order in the array does not imply execution order. |
output_from | OutputFrom | No | "merge" | Determines the policy's final output. Default: merge all sub-agent outputs into a single object keyed by agent alias. |
agf.batch -- Batch
A single sub-agent processes each item from an input collection independently. The policy output is always an array of per-item results.
| Config Field | Type | Required | Default | Description |
|---|
agent | string | Yes | -- | Alias of the sub-agent that processes each item (must match a local_agents[].alias). |
input_mapping | map[string -> string] | Yes | -- | Maps the sub-agent's input fields to path expressions. Must contain at least one field with [] array iteration syntax (e.g., parent.input.items.[].value). |
max_batch_count | integer (>=0) | No | 0 | Maximum number of items to process. 0 means unlimited -- process the entire input array. |
agf.loop -- Loop
Steps repeat each iteration until exit_condition is satisfied or max_iterations is reached. The exit_condition uses ConditionGroup matchers (see Condition Matcher Reference).
| Config Field | Type | Required | Default | Description |
|---|
steps | PolicyStep[] | Yes | -- | Steps to execute per iteration. All steps run sequentially within each iteration. |
max_iterations | integer (>=1) | No | 10 | Maximum number of loop iterations. Acts as a safety bound even if exit_condition is never met. |
exit_condition | ConditionGroup or ConditionGroup[] | No | -- | Condition evaluated after each iteration. The loop exits when matched. A single group (AND) or array of groups (OR-of-ANDs). When absent, the loop runs for exactly max_iterations. |
output_from | OutputFrom | No | "last" | Determines the policy's final output. Default: the last iteration's last step's output. |
agf.conditional -- Conditional
Evaluates conditions in order and routes to the first matching sub-agent. Conditions use ConditionGroup matchers (see Condition Matcher Reference).
| Config Field | Type | Required | Default | Description |
|---|
routes | ConditionalRoute[] | Yes | -- | Ordered list of condition-agent pairs. The first matching route is executed. |
default_agent | string | No | -- | Alias of the fallback sub-agent when no route condition matches. When absent and no route matches, the runtime MUST return an error. |
ConditionalRoute:
| Field | Type | Required | Description |
|---|
when | ConditionGroup or ConditionGroup[] | Yes | Condition evaluated using ConditionGroup matchers. A single group (AND) or array of groups (OR-of-ANDs). Path expressions in field names reference parent input. |
agent | string | Yes | Alias of the sub-agent to invoke when the condition matches. |
input_mapping | map[string -> string] | No | Maps the sub-agent's input fields to path expressions. When absent, the parent's full input is passed through. |