AI Policy Generation
Draft policies faster. Keep humans responsible.
Hexarch integrates AI-powered policy generation—describe what you want in plain language, and the system produces structured, validated policy configurations. Your team reviews intent and approves what ships.
How it works
- Describe — Write a natural language prompt: “Create a rate-limiting policy for mobile apps at 100 requests per minute”
- Generate — Hexarch translates the prompt into a structured policy configuration
- Validate — The generated policy is schema-validated before it’s usable
- Review — Your team inspects the configuration, adjusts if needed
- Deploy — Approved policies apply immediately—no code push required
The machine writes the boilerplate. Humans own the decision.
What gets generated
Every generated policy includes:
| Field | Description |
|---|---|
| name | Human-readable policy name |
| type | Security, Traffic Control, Transformation, Protocol Mediation, Custom |
| scope | Global, API, Version, Plan, or Route-level |
| phase | Pre-Request, Post-Request, or Error Handling |
| failureMode | Fail Open (permissive) or Fail Closed (deny by default) |
| config | Type-specific settings (thresholds, timeouts, mappings) |
Policy types
Security Policies
- OAuth2 introspection and token validation
- JWT verification with configurable claims
- API key validation
Traffic Control
- Rate limiting with configurable windows
- Spike arrest for burst protection
- Edge caching with TTL and key patterns
Transformation
- PII masking for sensitive fields
- Payload modification and enrichment
- Header manipulation
Protocol Mediation
- REST-to-SOAP bridging
- Format conversion (JSON ↔ XML)
- Legacy system integration
Custom Extensions
- Business logic filters
- Custom validation rules
Example prompts
Rate limiting:
“Create a rate-limiting policy for the /api/orders endpoint that allows 1000 requests per minute with a 50-request burst buffer”
PII masking:
“Create a transformation policy that masks credit card numbers and SSNs in API responses”
OAuth validation:
“Create a security policy that validates OAuth2 tokens against our authorization server with a 500ms timeout”
Schema validation
Generated policies are validated against a strict schema before they’re usable:
- Policy name must be at least 3 characters
- Type must be one of the defined policy types
- Scope must be valid (Global, API, Version, Plan, Route)
- Phase must be Pre-Request, Post-Request, or Error Handling
- Failure mode must be specified
If generation fails validation, Hexarch returns safe defaults with clear error messages.
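The rules listed above, written as a check a team could run on a generated draft before review. This is an added example, not Hexarch's own code or schema: the dict layout, the exact value spellings and the `config` keys are assumptions based on the field table, and rejecting unknown fields is an additional assumption.

```python
# Added illustration, not Hexarch code. The dict layout and the exact
# value spellings are assumptions taken from the field table on this page.
ENUMS = {
    "type": {"Security", "Traffic Control", "Transformation",
             "Protocol Mediation", "Custom"},
    "scope": {"Global", "API", "Version", "Plan", "Route"},
    "phase": {"Pre-Request", "Post-Request", "Error Handling"},
    "failureMode": {"Fail Open", "Fail Closed"},
}
KNOWN_FIELDS = set(ENUMS) | {"name", "config"}


def validate_policy(policy):
    """Return a list of rule violations; an empty list means the draft passes."""
    if not isinstance(policy, dict):
        return ["policy must be an object"]
    errors = []
    name = policy.get("name")
    if not isinstance(name, str) or len(name.strip()) < 3:
        errors.append("name must be at least 3 characters")
    for field, allowed in ENUMS.items():
        value = policy.get(field)
        # A missing or non-string value is rejected, never silently defaulted.
        if not isinstance(value, str) or value not in allowed:
            errors.append(f"{field} must be one of {sorted(allowed)}")
    # Assumption: fields outside the table are rejected, so model output
    # cannot carry settings a reviewer would not expect to see.
    for extra in sorted(set(policy) - KNOWN_FIELDS, key=str):
        errors.append(f"unknown field: {extra}")
    return errors


# Constructed sample drafts; the config keys are hypothetical.
GOOD_DRAFT = {
    "name": "orders-rate-limit", "type": "Traffic Control", "scope": "Route",
    "phase": "Pre-Request", "failureMode": "Fail Closed",
    "config": {"requestsPerMinute": 1000, "burst": 50},
}
BAD_DRAFT = {"name": "rl", "type": "Throttle", "scope": "Route",
             "phase": "Pre-Request", "autoDeploy": True}

if __name__ == "__main__":
    for draft in (GOOD_DRAFT, BAD_DRAFT):
        print(draft.get("name"), "->", validate_policy(draft) or "valid")
```

The second draft fails on four counts: a two-character name, an undefined type, a missing failure mode, and a field the table does not define.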
Guardrails, not magic
AI generation is a drafting tool, not a replacement for review:
- Generated policies are not auto-deployed
- Every policy goes through your approval workflow
- The audit trail records who approved what, and when
- You can edit generated policies before deployment
All the rigor. Less YAML archaeology.
Try it
The AI Policy Architect is available in the Hexarch application under the Policies section. Describe what you need, review the output, and deploy when ready.
Next steps
- Proof Demo — see decision assurance in action
- API Reference — endpoints for policy management
- Cryptographic Audit Chains — how policy changes are recorded