Secure

Standard Entity Rules

Pre-trained detectors for the categories regulations care about.

Standard Entity Rules are pre-trained detectors for sensitive data categories - PII, payment data, government IDs, network identifiers. Each entity has a detector, a configurable confidence threshold, and an action that fires when the detector matches. This page is the per-entity reference; for the architecture, start with the Security Gateway overview.

How detection works

Detection runs on a Presidio-based stack underneath. For each entity type, Agent Handler scans tool inputs and outputs against:

  • Pattern recognizers - regex for things with structure (credit card numbers, SSNs, IBANs).
  • Named-entity recognizers - NLP-based for things that don’t have a clean pattern (person names, locations).
  • Context analyzers - words near the candidate match that increase confidence (“SSN” near a 9-digit number, ”@” near an email-shaped string).

Each match comes back with a confidence score from 0.0 to 1.0. Each rule has a threshold. Above the threshold, the rule’s action fires; below, the match is ignored.

Configurable per entity

For every entity type, you set:

SettingWhat it does
EnabledMaster switch for this entity type
ActionAllow / Redact / Block when the entity appears in tool arguments
Confidence thresholdLower = more recall, more false positives. Higher = more precision, more false negatives. Default 0.5.
RegionsFor region-specific entities (US SSN, EU IBAN), which regions the detector should fire in

Configuration lives at Security → Rules → Default rules.

The three actions

Each rule fires one of three actions per direction:

  • Allow. Match is logged as a violation; no data is altered or stopped. Use for monitoring without enforcement.
  • Redact. Match is replaced with a placeholder ([REDACTED:EMAIL], for example). The call proceeds.
  • Block. Call is canceled. Agent receives an error indicating a security rule fired.

Allow is for visibility. Redact is the right default for most categories. Block is for categories you absolutely don’t want crossing the boundary in either direction.

Entity catalog

Agent Handler ships detectors for the categories below. Some are region-specific; the regional toggle controls whether the detector fires.

Personal identity

EntityWhat it detects
PERSONPerson names. NLP-based; less precise than pattern entities, more prone to false positives on common words.
EMAIL_ADDRESSEmail addresses. High-precision regex; rarely false-positives.
PHONE_NUMBERPhone numbers, international and domestic. Configurable per region.
LOCATIONCities, countries, addresses. NLP-based; can match common product names.
NRPNationality, religious affiliation, political group. NLP-based; useful for HR contexts.
DATE_TIMEDates and times. Often disabled by default - most tool calls legitimately contain dates.

Government and financial IDs

EntityWhat it detectsRegion
US_SSNUS Social Security NumbersUS
US_ITINUS Individual Taxpayer Identification NumbersUS
US_PASSPORTUS passport numbersUS
US_DRIVER_LICENSEUS driver’s license numbersUS, varies by state
US_BANK_NUMBERUS bank account and routing numbersUS
IBAN_CODEInternational Bank Account NumbersGlobal, EU-heavy

Payment

EntityWhat it detects
CREDIT_CARDCredit card numbers across major networks (Visa, Mastercard, Amex, Discover, Diners, JCB). Validates with Luhn algorithm.
CRYPTOCryptocurrency wallet addresses (BTC, ETH, others).

Health

EntityWhat it detects
MEDICAL_LICENSEUS medical license / DEA numbers.

Network

EntityWhat it detects
IP_ADDRESSIPv4 and IPv6 addresses.
URLURLs. Frequently false-positives on internal slugs that look like URLs; consider raising the threshold or disabling.

Per-tool-pack overrides

Default rules apply org-wide. Per-tool-pack overrides change the action just for one pack - useful when one agent surface has a legitimate reason to bypass. Common patterns: block credit cards org-wide and allow on a payments pack; redact emails org-wide and allow on a CRM pack; block SSNs everywhere except a payroll pack.

Configure overrides on the Tool Pack’s Rules tab. Each override picks an entity and an action.

Choosing thresholds

The default 0.5 confidence threshold works well for high-precision entities (CREDIT_CARD, EMAIL_ADDRESS, IBAN_CODE) and is too aggressive for fuzzy entities (PERSON, LOCATION, URL).

If a rule is firing on legitimate traffic, raise its threshold. If a rule is missing data you’d expect it to catch, lower it.

The Rule Tester lets you paste a sample input and see exactly which entities and confidences come back. Use it to dial in thresholds before deploying changes.

For anything the standard catalog doesn’t cover - internal customer IDs, project codes, employee numbers - use Custom Regex Rules instead.

Next

Detect anything the standard catalog doesn’t cover with Custom Regex Rules.