Open Organization Settings > Content Policy. Three tabs cover the surface: Categories, Custom Rules, and Activity Log. A Test Filters button in the header runs sample content against the active policy in either direction before you rely on it.
Where enforcement happens
Policy screening is not a single chokepoint. The same evaluator runs on every user message before it reaches a model, on streamed agent output (mid-stream and again on the final text), on knowledge chunks pulled in by retrieval, on uploaded documents at ingestion, on exported plans, and on the public API. A block mid-stream cuts the response and replaces it with a "Blocked by content policy" notice naming the category; the truncated message is persisted that way, so the block survives reload.

Categories
The Categories tab lists prebuilt filter categories grouped into Safety & Compliance, Data Protection, Professional & Workplace, and Industry-Specific. Toggle them per org and override the action per category. A small set of safety fallbacks (CSAM, weapons and violence, illegal activity, malware) enforces block-level rules even if the category catalog is unavailable: the platform fails closed on its worst cases.
Custom rules
- →Rule types: Keyword, Regex, Category, or Instructions (free-form guidance injected into the system prompt as content policy instructions).
- →Actions: Block, Redact, or Flag.
- →Direction: Input, Output, or Both.
- →Scope: Org rules apply to everyone; Personal rules apply to the rule's owner. Org-scope changes prompt an admin confirmation before they take effect.
Regex rules get a live match preview while you type, and user-supplied patterns are hardened against pathological regexes before they run. Rules can be toggled, edited, tested individually, or deleted from the table.
PII protection
PII detection runs on messages before they reach the model. Four modes: Off, Warn (detect and log, allow through), Redact (replace PII before sending to the LLM), and Block (reject messages containing PII). Detectable types: Social Security Numbers, Credit Card Numbers, Email Addresses, Phone Numbers, API Keys, AWS Access Keys, and Private Keys. Every detection is written to the audit log with the types found and the mode applied; a test box lets you paste sample text and see exactly what would match.
Output Redaction
The Categories tab ends with Output Redaction: server-side stream filters that strip sensitive material from agent responses regardless of rules. Toggles cover Config Files (agent config file references), Internal Paths, Tool XML (raw tool call tags), API Keys (Output), and Infrastructure Details (container names, registry URLs, cloud endpoints).
The Activity Log tab records what the policy matched and did, with auto-refresh and expandable entries. Matched snippets are masked before storage: a blocked credit card number is not re-exposed verbatim to every admin who reads the log.