
How it works
Every prompt sent to an LLM, every response returned, and every MCP tool call — input and output — flows through the platform’s inspection layer. The Data Control Center controls that layer through three building blocks:- Protection Profiles — define what to detect (email addresses, AWS keys, credit cards, custom patterns, etc.)
- MCP Policies and LLM Policies — define where to enforce and what action to take when a detection fires
- Field Controls — define which JSON fields to pass through or remove from specific tool outputs, independently of text-based detection
Core concepts
Protection Profile
A Protection Profile is a named detection engine. It bundles together a set of detection types (e.g., “Social Security Number”, “AWS Secret Access Key”) with the runtime stages it scans and the actions it supports. Profiles are reusable — create one and attach it to many policies. When the detection logic changes, update the profile and all policies using it inherit the change automatically. Built-in profile types:| Type | What it detects |
|---|---|
| Sensitive Identifiers | Social Security Numbers, credit cards, emails, phone numbers, passports, dates of birth |
| Names & Locations | Person names, organizations, addresses, locations |
| Secrets | Cloud keys (AWS, GCP, Azure), API tokens, database credentials, CI/CD secrets, cryptographic material |
| Prompt Injection | Prompt injection and jailbreak attempts |
| Custom Detections | Patterns your organization defines using regex or literal rules |
MCP Policy
An MCP Policy governs what happens when a protection profile’s detections fire on MCP tool calls — the structured calls AI agents make to connected servers (Salesforce, ticketing systems, internal APIs, and so on). Each policy specifies:- Which MCP Server(s) to apply to (or all servers)
- Which Protection Profiles to run
- The action to take when a detection fires
- Optionally, which groups or roles the policy scopes to
LLM Policy
An LLM Policy governs what happens when detections fire on traffic between agents and LLM providers (OpenAI, Anthropic, AWS Bedrock, Azure OpenAI, Vertex AI, and others). Each policy specifies:- Which LLM providers to apply to (or all providers)
- The runtime stage: Requests (prompts), Responses, or both
- Optionally, a specific model alias to narrow scope
- Which Protection Profiles to run
- The action to take
- Optionally, which groups or roles to scope to
Field Controls
Field Controls give you precise, field-level governance over structured tool output — independently of text-based detection. Instead of scanning free text for patterns, you name exact JSON field paths to either remove or allow through. Each rule specifies:- The MCP Server and tool it targets
- The direction (input or output)
- The mode:
- Redact listed — the fields you name are removed; everything else passes through
- Allow only listed — only the fields you name pass through; everything else is removed
- Optionally, which groups or roles the rule scopes to
AnnualRevenue and BillingAddress from Salesforce Account records before an agent in the support group can read them.
Policy actions
| Action | Effect |
|---|---|
| Block | Rejects the entire request or response. The agent receives an error. |
| Redact | Replaces detected spans with a typed placeholder such as [EMAIL_ADDRESS]. The rest of the payload continues. |
| Tokenize | Replaces detected spans with a reversible token the platform can detokenize later. |
| Alert Only | Records a detection event and passes the payload through unchanged. Use for monitoring without enforcement. |
| Bypass | Explicitly exempts matching traffic from further enforcement. |
Dry run mode
Any policy can be toggled into dry run. In dry run the policy runs and logs detections but does not enforce them. Use this to validate a new policy before making it active. There is also a global dry run that applies to all policies at once.Runtime stages
| Stage | What it covers |
|---|---|
| Request | The message an agent sends to an LLM |
| Response | The text the LLM returns to the agent |
| Tool Input | The arguments an agent passes to an MCP tool |
| Tool Output | The data the MCP tool returns to the agent |
Enabling the runtime
The global Enabled toggle at the top of the Data Control Center controls whether the inspection layer runs at all. When disabled, no policies execute and all traffic passes through uninspected. Changes take effect within seconds.In this section
Protection Profiles
Create and manage detection engines that define what data to scan for.
MCP Policies
Govern enforcement on MCP tool call traffic.
LLM Policies
Govern enforcement on LLM gateway traffic.
Field Controls
Field-level JSON redaction for specific tools.