Standard Entity Rules

Pre-trained detectors for the categories regulations care about.

Standard Entity Rules

Pre-trained detectors for the categories regulations care about.

Standard Entity Rules are pre-trained detectors for sensitive data categories - PII, payment data, government IDs, network identifiers. Each entity has a detector, a configurable confidence threshold, and an action that fires when the detector matches. This page is the per-entity reference; for the architecture, start with the Security Gateway overview.

How detection works

Detection runs on a Presidio-based stack underneath. For each entity type, Agent Handler scans tool inputs and outputs against:

Pattern recognizers - regex for things with structure (credit card numbers, SSNs, IBANs).
Named-entity recognizers - NLP-based for things that don’t have a clean pattern (person names, locations).
Context analyzers - words near the candidate match that increase confidence (“SSN” near a 9-digit number, ”@” near an email-shaped string).

Each match comes back with a confidence score from 0.0 to 1.0. Each rule has a threshold. Above the threshold, the rule’s action fires; below, the match is ignored.

Configurable per entity

For every entity type, you set:

Setting	What it does
Enabled	Master switch for this entity type
Action	Allow / Redact / Block when the entity appears in tool arguments
Confidence threshold	Lower = more recall, more false positives. Higher = more precision, more false negatives. Default 0.5.
Regions	For region-specific entities (US SSN, EU IBAN), which regions the detector should fire in

Configuration lives at Security → Rules → Default rules.

The three actions

Each rule fires one of three actions per direction:

Allow. Match is logged as a violation; no data is altered or stopped. Use for monitoring without enforcement.
Redact. Match is replaced with a placeholder ([REDACTED:EMAIL], for example). The call proceeds.
Block. Call is canceled. Agent receives an error indicating a security rule fired.

Allow is for visibility. Redact is the right default for most categories. Block is for categories you absolutely don’t want crossing the boundary in either direction.

Entity catalog

Agent Handler ships detectors for the categories below. Some are region-specific; the regional toggle controls whether the detector fires.

Personal identity

Entity	What it detects
PERSON	Person names. NLP-based; less precise than pattern entities, more prone to false positives on common words.
EMAIL_ADDRESS	Email addresses. High-precision regex; rarely false-positives.
PHONE_NUMBER	Phone numbers, international and domestic. Configurable per region.
LOCATION	Cities, countries, addresses. NLP-based; can match common product names.
NRP	Nationality, religious affiliation, political group. NLP-based; useful for HR contexts.
DATE_TIME	Dates and times. Often disabled by default - most tool calls legitimately contain dates.

Government and financial IDs

Entity	What it detects	Region
US_SSN	US Social Security Numbers	US
US_ITIN	US Individual Taxpayer Identification Numbers	US
US_PASSPORT	US passport numbers	US
US_DRIVER_LICENSE	US driver’s license numbers	US, varies by state
US_BANK_NUMBER	US bank account and routing numbers	US
IBAN_CODE	International Bank Account Numbers	Global, EU-heavy

Payment

Entity	What it detects
CREDIT_CARD	Credit card numbers across major networks (Visa, Mastercard, Amex, Discover, Diners, JCB). Validates with Luhn algorithm.
CRYPTO	Cryptocurrency wallet addresses (BTC, ETH, others).

Health

Entity	What it detects
MEDICAL_LICENSE	US medical license / DEA numbers.

Network

Entity	What it detects
IP_ADDRESS	IPv4 and IPv6 addresses.
URL	URLs. Frequently false-positives on internal slugs that look like URLs; consider raising the threshold or disabling.

Per-tool-pack overrides

Default rules apply org-wide. Per-tool-pack overrides change the action just for one pack - useful when one agent surface has a legitimate reason to bypass. Common patterns: block credit cards org-wide and allow on a payments pack; redact emails org-wide and allow on a CRM pack; block SSNs everywhere except a payroll pack.

Configure overrides on the Tool Pack’s Rules tab. Each override picks an entity and an action.

Choosing thresholds

The default 0.5 confidence threshold works well for high-precision entities (CREDIT_CARD, EMAIL_ADDRESS, IBAN_CODE) and is too aggressive for fuzzy entities (PERSON, LOCATION, URL).

If a rule is firing on legitimate traffic, raise its threshold. If a rule is missing data you’d expect it to catch, lower it.

The Rule Tester lets you paste a sample input and see exactly which entities and confidences come back. Use it to dial in thresholds before deploying changes.

For anything the standard catalog doesn’t cover - internal customer IDs, project codes, employee numbers - use Custom Regex Rules instead.

Detect anything the standard catalog doesn’t cover with Custom Regex Rules.

How detection works

Detection runs on a Presidio-based stack underneath. For each entity type, Agent Handler scans tool inputs and outputs against:

Pattern recognizers - regex for things with structure (credit card numbers, SSNs, IBANs).
Named-entity recognizers - NLP-based for things that don’t have a clean pattern (person names, locations).
Context analyzers - words near the candidate match that increase confidence (“SSN” near a 9-digit number, ”@” near an email-shaped string).

Each match comes back with a confidence score from 0.0 to 1.0. Each rule has a threshold. Above the threshold, the rule’s action fires; below, the match is ignored.

Configurable per entity

For every entity type, you set:

Setting	What it does
Enabled	Master switch for this entity type
Action	Allow / Redact / Block when the entity appears in tool arguments
Confidence threshold	Lower = more recall, more false positives. Higher = more precision, more false negatives. Default 0.5.
Regions	For region-specific entities (US SSN, EU IBAN), which regions the detector should fire in

Configuration lives at Security → Rules → Default rules.

The three actions

Each rule fires one of three actions per direction:

Allow. Match is logged as a violation; no data is altered or stopped. Use for monitoring without enforcement.
Redact. Match is replaced with a placeholder ([REDACTED:EMAIL], for example). The call proceeds.
Block. Call is canceled. Agent receives an error indicating a security rule fired.

Allow is for visibility. Redact is the right default for most categories. Block is for categories you absolutely don’t want crossing the boundary in either direction.

Entity catalog

Agent Handler ships detectors for the categories below. Some are region-specific; the regional toggle controls whether the detector fires.

Personal identity

Entity	What it detects
PERSON	Person names. NLP-based; less precise than pattern entities, more prone to false positives on common words.
EMAIL_ADDRESS	Email addresses. High-precision regex; rarely false-positives.
PHONE_NUMBER	Phone numbers, international and domestic. Configurable per region.
LOCATION	Cities, countries, addresses. NLP-based; can match common product names.
NRP	Nationality, religious affiliation, political group. NLP-based; useful for HR contexts.
DATE_TIME	Dates and times. Often disabled by default - most tool calls legitimately contain dates.

Government and financial IDs

Entity	What it detects	Region
US_SSN	US Social Security Numbers	US
US_ITIN	US Individual Taxpayer Identification Numbers	US
US_PASSPORT	US passport numbers	US
US_DRIVER_LICENSE	US driver’s license numbers	US, varies by state
US_BANK_NUMBER	US bank account and routing numbers	US
IBAN_CODE	International Bank Account Numbers	Global, EU-heavy

Payment

Entity	What it detects
CREDIT_CARD	Credit card numbers across major networks (Visa, Mastercard, Amex, Discover, Diners, JCB). Validates with Luhn algorithm.
CRYPTO	Cryptocurrency wallet addresses (BTC, ETH, others).

Health

Entity	What it detects
MEDICAL_LICENSE	US medical license / DEA numbers.

Network

Entity	What it detects
IP_ADDRESS	IPv4 and IPv6 addresses.
URL	URLs. Frequently false-positives on internal slugs that look like URLs; consider raising the threshold or disabling.

Per-tool-pack overrides

Configure overrides on the Tool Pack’s Rules tab. Each override picks an entity and an action.

Choosing thresholds

The default 0.5 confidence threshold works well for high-precision entities (CREDIT_CARD, EMAIL_ADDRESS, IBAN_CODE) and is too aggressive for fuzzy entities (PERSON, LOCATION, URL).

If a rule is firing on legitimate traffic, raise its threshold. If a rule is missing data you’d expect it to catch, lower it.

The Rule Tester lets you paste a sample input and see exactly which entities and confidences come back. Use it to dial in thresholds before deploying changes.

For anything the standard catalog doesn’t cover - internal customer IDs, project codes, employee numbers - use Custom Regex Rules instead.

Detect anything the standard catalog doesn’t cover with Custom Regex Rules.

Standard Entity Rules

Standard Entity Rules

How detection works

Configurable per entity

The three actions

Entity catalog

Personal identity

Government and financial IDs

Payment

Health

Network

Per-tool-pack overrides

Choosing thresholds

Next

How detection works

Configurable per entity

The three actions

Entity catalog

Personal identity

Government and financial IDs

Payment

Health

Network

Per-tool-pack overrides

Choosing thresholds

Next