LoomStack
Platform/Policy Engine
Policy Engine

Define exactly when AI acts autonomously — and when it doesn't.

Evaluates risk against your configured thresholds at every workflow transition. Most work ships autonomously. Humans are involved when your org config says they should be — at whichever step that is.

policy · evaluation
evaluating...
change
Modify auth token expiry logic
risk classification
HIGH
auth-service · token-handling · security-critical
policy matched
require-review-above-medium
action
→ route to human review@security-team
evaluated in 12mspolicy v2.4.1
Key Capabilities

Risk-calibrated autonomy, not binary human gates.

The Policy Engine evaluates each workflow against configurable rules — service criticality, change scope, regulatory constraints, historical incidents — and determines the right autonomy level automatically.

Signal 01

Multi-Dimensional Risk Classification

Evaluates service criticality, change scope, affected dependencies, regulatory constraints, and historical incident patterns. Not a binary safe/unsafe — a nuanced risk score.

Signal 02

Four Autonomy Levels

Autonomous execution, async notification, soft review, and active checkpoint. Each change gets the minimum oversight its risk profile demands — no more, no less.

Signal 03

Per-Team, Per-Service Configuration

Your payments team has different thresholds than your docs team. Configure policies by service, team, environment, change type, and compliance domain.

Signal 04

Regulatory Constraint Enforcement

SOC 2, HIPAA, and GDPR constraints are encoded as policies. Compliance isn't a manual checklist — it's enforced automatically at the workflow level.

Autonomy Distribution

How changes distribute across autonomy levels

AutonomousShip without human involvement
Docs, config, dependency bumps, low-risk feature code72%
Async NotifyShip, then inform the team lead
Feature code in non-critical services16%
Soft ReviewReviewer notified, workflow can proceed
Medium-risk changes, auth-adjacent code9%
Active GateHard stop — human must approve
DB migrations, infra changes, payment logic3%
Evaluation Pipeline

How policy evaluation works

01

Transition reached

At every step in the workflow — not just at the end — the Policy Engine evaluates the current state.

02

Signals extracted

Service, change type, scope, affected deps, team, environment, and any new findings (e.g. security scan results) are analyzed.

03

Risk scored

Multi-factor classification produces a risk score against your configured thresholds.

04

Action determined

The appropriate autonomy level is applied at this transition — proceed, notify, or route the right human.

Architecture Principle
Autonomous-first

Routine changes designed to ship without human involvement. Higher-risk work routes to the right reviewers automatically — not blanket review on every change.

Autonomous by default. Human-involved when risk demands it.

Configure policies that match your organization's risk appetite — not someone else's.